Edit tour

Windows Analysis Report
Odin3_v3.14.4.exe

Overview

General Information

Sample Name:	Odin3_v3.14.4.exe
Analysis ID:	1295782
MD5:	50860de40988969f3ea3f308c6143e1d
SHA1:	d96eb6e79510799ea5da1e580748d7fe72cfbbd0
SHA256:	aa17ccf37d52c816bcea6e54dbdd6daf90fe2ac984641d01034ade77ff9dcb41
Infos:

Detection

Score:	5
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

Sample file is different than original file name gathered from version info

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to read the PEB

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Detected potential crypto function

Found potential string decryption / allocating functions

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Program does not show much activity (idle)

Classification

Process Tree

System is w10x64

Odin3_v3.14.4.exe (PID: 7164 cmdline: C:\Users\user\Desktop\Odin3_v3.14.4.exe MD5: 50860DE40988969F3EA3F308C6143E1D)

cleanup

Joe Sandbox Signatures

• Compliance
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: Odin3_v3.14.4.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Odin3_v3.14.4.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: D:\tool\odin\Odin3\Odin3Downloader\Release\Odin3 v3.07.pdb source: Odin3_v3.14.4.exe

Source: Odin3_v3.14.4.exe	String found in binary or memory: http://mobilerndhub.sec.samsung.net/hub/site/odin/
Source: Odin3_v3.14.4.exe, 00000000.00000003.332616574.0000000000C3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mobilerndhub.sec.samsung.net/hub/site/odin/2KWWS
Source: Odin3_v3.14.4.exe	String found in binary or memory: http://www.heaventools.comDVarFileInfo$

Source: Odin3_v3.14.4.exe, 00000000.00000002.332764710.0000000000BFA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

memstr_78d4df43-c

Source: Odin3_v3.14.4.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Odin3_v3.14.4.exe, 00000000.00000000.319935240.000000000141C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameOdin.exe@ vs Odin3_v3.14.4.exe
Source: Odin3_v3.14.4.exe	Binary or memory string: OriginalFilenameOdin.exe@ vs Odin3_v3.14.4.exe

Source: C:\Users\user\Desktop\Odin3_v3.14.4.exe	Code function: 0_2_012231B6	0_2_012231B6
Source: C:\Users\user\Desktop\Odin3_v3.14.4.exe	Code function: 0_2_0117B1A0	0_2_0117B1A0
Source: C:\Users\user\Desktop\Odin3_v3.14.4.exe	Code function: 0_2_012FD0F0	0_2_012FD0F0
Source: C:\Users\user\Desktop\Odin3_v3.14.4.exe	Code function: 0_2_011F1B03	0_2_011F1B03
Source: C:\Users\user\Desktop\Odin3_v3.14.4.exe	Code function: 0_2_0130E36A	0_2_0130E36A
Source: C:\Users\user\Desktop\Odin3_v3.14.4.exe	Code function: 0_2_01179380	0_2_01179380
Source: C:\Users\user\Desktop\Odin3_v3.14.4.exe	Code function: 0_2_011A6270	0_2_011A6270
Source: C:\Users\user\Desktop\Odin3_v3.14.4.exe	Code function: 0_2_012F7A8A	0_2_012F7A8A
Source: C:\Users\user\Desktop\Odin3_v3.14.4.exe	Code function: 0_2_011A4AB0	0_2_011A4AB0
Source: C:\Users\user\Desktop\Odin3_v3.14.4.exe	Code function: 0_2_01178C00	0_2_01178C00
Source: C:\Users\user\Desktop\Odin3_v3.14.4.exe	Code function: 0_2_011EEF92	0_2_011EEF92
Source: C:\Users\user\Desktop\Odin3_v3.14.4.exe	Code function: 0_2_011A57A0	0_2_011A57A0
Source: C:\Users\user\Desktop\Odin3_v3.14.4.exe	Code function: 0_2_01178E50	0_2_01178E50
Source: C:\Users\user\Desktop\Odin3_v3.14.4.exe	Code function: 0_2_011A2690	0_2_011A2690
Source: C:\Users\user\Desktop\Odin3_v3.14.4.exe	Code function: 0_2_012F7EE8	0_2_012F7EE8
Source: C:\Users\user\Desktop\Odin3_v3.14.4.exe	Code function: 0_2_013166CB	0_2_013166CB

Source: C:\Users\user\Desktop\Odin3_v3.14.4.exe

Code function: String function: 012EA0A3 appears 49 times

Source: Odin3_v3.14.4.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Odin3_v3.14.4.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Odin3_v3.14.4.exe

Code function: 0_2_011AB1A7 FindResourceW,LoadResource,LockResource,FreeResource,

0_2_011AB1A7

Source: Odin3_v3.14.4.exe

Binary string: Your device will be changed with the pit in CSC file.Added!!Added!!Removed!!HARDWARE\DEVICEMAP\SERIALCOMM\Device\ssudmdm\Device\sscdmdm\Device\ssaemdm\Device\ssadmdmAdded!!HARDWARE\DEVICEMAP\SERIALCOMMmdmOdin3 v%.2fOdin3Odin engine v(ID:%.4f)..Odin3 One Click DownloadockError. Fail to open .ock FileOne Click Downloader Mode

Source: classification engine

Classification label: clean5.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\Odin3_v3.14.4.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\Odin3_v3.14.4.exe

File opened: C:\Windows\SysWOW64\RICHED32.DLL

Jump to behavior

Source: C:\Users\user\Desktop\Odin3_v3.14.4.exe

Window found: window name: SysTabControl32

Jump to behavior

Source: C:\Users\user\Desktop\Odin3_v3.14.4.exe

Window detected: Number of UI elements: 114

Source: Odin3_v3.14.4.exe

Static file information: File size 3167744 > 1048576

Source: Odin3_v3.14.4.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Odin3_v3.14.4.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1ec400

Source: Odin3_v3.14.4.exe

Static PE information: More than 200 imports for USER32.dll

Source: Odin3_v3.14.4.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Odin3_v3.14.4.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Odin3_v3.14.4.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Odin3_v3.14.4.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Odin3_v3.14.4.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Odin3_v3.14.4.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Odin3_v3.14.4.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: Odin3_v3.14.4.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: D:\tool\odin\Odin3\Odin3Downloader\Release\Odin3 v3.07.pdb source: Odin3_v3.14.4.exe

Source: Odin3_v3.14.4.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Odin3_v3.14.4.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Odin3_v3.14.4.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Odin3_v3.14.4.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Odin3_v3.14.4.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\Odin3_v3.14.4.exe	Code function: 0_2_012EA1C6 push ecx; ret		0_2_012EA1D9
Source: C:\Users\user\Desktop\Odin3_v3.14.4.exe	Code function: 0_2_012EA06C push ecx; ret		0_2_012EA07F

Source: Odin3_v3.14.4.exe

Static PE information: section name: .giats

Source: C:\Users\user\Desktop\Odin3_v3.14.4.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\Odin3_v3.14.4.exe

Code function: 0_2_012F9B20 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_012F9B20

Source: C:\Users\user\Desktop\Odin3_v3.14.4.exe

Code function: 0_2_01306D3B mov eax, dword ptr fs:[00000030h]

0_2_01306D3B

Source: C:\Users\user\Desktop\Odin3_v3.14.4.exe

Code function: 0_2_011A7E59 OutputDebugStringA,GetLastError,

0_2_011A7E59

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\Odin3_v3.14.4.exe	Code function: 0_2_012E9840 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_012E9840
Source: C:\Users\user\Desktop\Odin3_v3.14.4.exe	Code function: 0_2_012F9B20 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_012F9B20

Source: C:\Users\user\Desktop\Odin3_v3.14.4.exe

Code function: 0_2_011B3AAE __EH_prolog3_GS,GetCurrentThread,GetCurrentThreadId,GetVersionExW,

0_2_011B3AAE

Source: C:\Users\user\Desktop\Odin3_v3.14.4.exe

Code function: 0_2_012EA464 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_012EA464

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Deobfuscate/Decode Files or Information	1 Input Capture	1 System Time Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	2 Obfuscated Files or Information	LSASS Memory	2 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	3 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Odin3_v3.14.4.exe	0%	ReversingLabs
Odin3_v3.14.4.exe	1%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.heaventools.comDVarFileInfo$	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://mobilerndhub.sec.samsung.net/hub/site/odin/	Odin3_v3.14.4.exe	false		high
http://mobilerndhub.sec.samsung.net/hub/site/odin/2KWWS	Odin3_v3.14.4.exe, 00000000.00000003.332616574.0000000000C3F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.heaventools.comDVarFileInfo$	Odin3_v3.14.4.exe	false	Avira URL Cloud: safe	low

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	38.0.0 Beryl
Analysis ID:	1295782
Start date and time:	2023-08-23 11:57:33 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	1
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	Odin3_v3.14.4.exe
Detection:	CLEAN
Classification:	clean5.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 100% (good quality ratio 96.5%) Quality average: 82.6% Quality standard deviation: 24.6%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.70242694091181
TrID:	Win32 Executable (generic) a (10002005/4) 98.81% Windows ActiveX control (116523/4) 1.15% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Odin3_v3.14.4.exe
File size:	3'167'744 bytes
MD5:	50860de40988969f3ea3f308c6143e1d
SHA1:	d96eb6e79510799ea5da1e580748d7fe72cfbbd0
SHA256:	aa17ccf37d52c816bcea6e54dbdd6daf90fe2ac984641d01034ade77ff9dcb41
SHA512:	1d39abc1ca1a9ac5826a9bf673daaf29340306066f20b63171bd7afc9e1f8d754a425fa04f0f40417cc6f36e7f2428d7b6c72f3f4dfe8cb036ce1248cdf9188a
SSDEEP:	49152:31o1D7iKzUfjpNG4h7iuxTc7RDpK7WkAbJa5nUmCmIZDgNWT30UNJqu1ZOWX:GnCG4h7FiRA7WkAbJ0rCmIZDjNJp
TLSH:	FBE59E21BDB18527C46303328D6EF67D316DBD742B3481C763CB3A5C29386E15A3A6A7
File Content Preview:	MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$.........s.U...U...U.... ..O.... ....... ..t.......S.......W...\...T...\...Z...\...v...U...I...n...O...n...q...n.../.......j.......T..

File Icon


Icon Hash:	43717171600d0e93

Static PE Info

General

Entrypoint:	0x5a9802
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x5CEF2BF9 [Thu May 30 01:03:53 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	14c06894a37b2888d36fca7a856b1a8e

Entrypoint Preview

Instruction
call 00007F82785057E2h
jmp 00007F8278504A13h
cmp ecx, dword ptr [0065EFF4h]
jne 00007F8278504B85h
ret
jmp 00007F8278504BD1h
push ebp
mov ebp, esp
test byte ptr [ebp+08h], 00000001h
push esi
mov esi, ecx
mov dword ptr [esi], 0061B7F4h
je 00007F8278504B8Ch
push 0000000Ch
push esi
call 00007F8278504D8Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
push 00000000h
call dword ptr [005EE27Ch]
push dword ptr [ebp+08h]
call dword ptr [005EE280h]
push C0000409h
call dword ptr [005EE314h]
push eax
call dword ptr [005EE278h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call 00007F8278505C4Dh
test eax, eax
je 00007F8278504B87h
push 00000002h
pop ecx
int 29h
mov dword ptr [0066C688h], eax
mov dword ptr [0066C684h], ecx
mov dword ptr [0066C680h], edx
mov dword ptr [0066C67Ch], ebx
mov dword ptr [0066C678h], esi
mov dword ptr [0066C674h], edi
mov word ptr [0066C6A0h], ss
mov word ptr [0066C694h], cs
mov word ptr [0066C670h], ds
mov word ptr [0066C66Ch], es
mov word ptr [0066C668h], fs
mov word ptr [00000000h], gs

Rich Headers

Programming Language:

[C++] VS2008 SP1 build 30729
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[EXP] VS2015 UPD3.1 build 24215
[RES] VS2015 UPD3 build 24213
[LNK] VS2015 UPD3.1 build 24215

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x259ba0	0x510	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x25a0b0	0x168	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2dc000	0x613d0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x33e000	0x23e4c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x237770	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x23783c	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2377e0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1ee000	0x9fc	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1ec28e	0x1ec400	False	0.5180944284852718	data	6.570654961052046	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x1ee000	0x6f74a	0x6f800	False	0.3195351912836323	data	5.190376910413196	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x25e000	0x60ab0	0x9000	False	0.22526041666666666	data	4.8967827172816385	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.gfids	0x2bf000	0x1acd8	0x1ae00	False	0.2956031976744186	data	4.22824025239692	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.giats	0x2da000	0x10	0x200	False	0.05078125	data	0.15517757530476972	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x2db000	0x9	0x200	False	0.033203125	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2dc000	0x613d0	0x61400	False	0.25187279080976865	data	6.9018234624540336	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x33e000	0x23e4c	0x24000	False	0.4288262261284722	data	6.497307823269171	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
AFX_DIALOG_LAYOUT	0x2dcfd0	0x2	data	Korean	North Korea	5.0
AFX_DIALOG_LAYOUT	0x2dcfd0	0x2	data	Korean	South Korea	5.0
AFX_DIALOG_LAYOUT	0x2dcfd4	0x2	data	Korean	North Korea	5.0
AFX_DIALOG_LAYOUT	0x2dcfd4	0x2	data	Korean	South Korea	5.0
RT_CURSOR	0x2dcfd8	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	Korean	North Korea	0.4805194805194805
RT_CURSOR	0x2dcfd8	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	Korean	South Korea	0.4805194805194805
RT_CURSOR	0x2dd10c	0xb4	Targa image data - Map 32 x 65536 x 1 +16 "\001"	Korean	North Korea	0.7
RT_CURSOR	0x2dd10c	0xb4	Targa image data - Map 32 x 65536 x 1 +16 "\001"	Korean	South Korea	0.7
RT_CURSOR	0x2dd1c0	0x134	AmigaOS bitmap font "(", fc_YSize 4294967264, 5120 elements, 2nd "\377\360?\377\377\370\177\377\377\374\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	Korean	North Korea	0.36363636363636365
RT_CURSOR	0x2dd1c0	0x134	AmigaOS bitmap font "(", fc_YSize 4294967264, 5120 elements, 2nd "\377\360?\377\377\370\177\377\377\374\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	Korean	South Korea	0.36363636363636365
RT_CURSOR	0x2dd2f4	0x134	Targa image data - RLE 64 x 65536 x 1 +32 "\001"	Korean	North Korea	0.35714285714285715
RT_CURSOR	0x2dd2f4	0x134	Targa image data - RLE 64 x 65536 x 1 +32 "\001"	Korean	South Korea	0.35714285714285715
RT_CURSOR	0x2dd428	0x134	data	Korean	North Korea	0.37337662337662336
RT_CURSOR	0x2dd428	0x134	data	Korean	South Korea	0.37337662337662336
RT_CURSOR	0x2dd55c	0x134	data	Korean	North Korea	0.37662337662337664
RT_CURSOR	0x2dd55c	0x134	data	Korean	South Korea	0.37662337662337664
RT_CURSOR	0x2dd690	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	Korean	North Korea	0.36688311688311687
RT_CURSOR	0x2dd690	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	Korean	South Korea	0.36688311688311687
RT_CURSOR	0x2dd7c4	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	Korean	North Korea	0.37662337662337664
RT_CURSOR	0x2dd7c4	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	Korean	South Korea	0.37662337662337664
RT_CURSOR	0x2dd8f8	0x134	Targa image data - Mono - RLE 64 x 65536 x 1 +32 "\001"	Korean	North Korea	0.36688311688311687
RT_CURSOR	0x2dd8f8	0x134	Targa image data - Mono - RLE 64 x 65536 x 1 +32 "\001"	Korean	South Korea	0.36688311688311687
RT_CURSOR	0x2dda2c	0x134	Targa image data - RGB - RLE 64 x 65536 x 1 +32 "\001"	Korean	North Korea	0.38636363636363635
RT_CURSOR	0x2dda2c	0x134	Targa image data - RGB - RLE 64 x 65536 x 1 +32 "\001"	Korean	South Korea	0.38636363636363635
RT_CURSOR	0x2ddb60	0x134	data	Korean	North Korea	0.44155844155844154
RT_CURSOR	0x2ddb60	0x134	data	Korean	South Korea	0.44155844155844154
RT_CURSOR	0x2ddc94	0x134	data	Korean	North Korea	0.4155844155844156
RT_CURSOR	0x2ddc94	0x134	data	Korean	South Korea	0.4155844155844156
RT_CURSOR	0x2dddc8	0x134	AmigaOS bitmap font "(", fc_YSize 4294966847, 3840 elements, 2nd "\377?\374\377\377\300\003\377\377\300\003\377\377\340\007\377\377\360\017\377\377\370\037\377\377\374?\377\377\376\177\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	Korean	North Korea	0.5422077922077922
RT_CURSOR	0x2dddc8	0x134	AmigaOS bitmap font "(", fc_YSize 4294966847, 3840 elements, 2nd "\377?\374\377\377\300\003\377\377\300\003\377\377\340\007\377\377\360\017\377\377\370\037\377\377\374?\377\377\376\177\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	Korean	South Korea	0.5422077922077922
RT_CURSOR	0x2ddefc	0x134	data	Korean	North Korea	0.2662337662337662
RT_CURSOR	0x2ddefc	0x134	data	Korean	South Korea	0.2662337662337662
RT_CURSOR	0x2de030	0x134	data	Korean	North Korea	0.2824675324675325
RT_CURSOR	0x2de030	0x134	data	Korean	South Korea	0.2824675324675325
RT_CURSOR	0x2de164	0x134	data	Korean	North Korea	0.3246753246753247
RT_CURSOR	0x2de164	0x134	data	Korean	South Korea	0.3246753246753247
RT_BITMAP	0x2de298	0x1c30	Device independent bitmap graphic, 103 x 23 x 24, image size 7176	Korean	North Korea	0.10809312638580931
RT_BITMAP	0x2de298	0x1c30	Device independent bitmap graphic, 103 x 23 x 24, image size 7176	Korean	South Korea	0.10809312638580931
RT_BITMAP	0x2dfec8	0x1c30	Device independent bitmap graphic, 103 x 23 x 24, image size 7176	Korean	North Korea	0.016352549889135256
RT_BITMAP	0x2dfec8	0x1c30	Device independent bitmap graphic, 103 x 23 x 24, image size 7176	Korean	South Korea	0.016352549889135256
RT_BITMAP	0x2e1af8	0x1c30	Device independent bitmap graphic, 103 x 23 x 24, image size 7176	Korean	North Korea	0.016352549889135256
RT_BITMAP	0x2e1af8	0x1c30	Device independent bitmap graphic, 103 x 23 x 24, image size 7176	Korean	South Korea	0.016352549889135256
RT_BITMAP	0x2e3728	0x4f60	Device independent bitmap graphic, 103 x 65 x 24, image size 20280	Korean	North Korea	0.010137795275590552
RT_BITMAP	0x2e3728	0x4f60	Device independent bitmap graphic, 103 x 65 x 24, image size 20280	Korean	South Korea	0.010137795275590552
RT_BITMAP	0x2e8688	0x4f60	Device independent bitmap graphic, 103 x 65 x 24, image size 20280	Korean	North Korea	0.02312992125984252
RT_BITMAP	0x2e8688	0x4f60	Device independent bitmap graphic, 103 x 65 x 24, image size 20280	Korean	South Korea	0.02312992125984252
RT_BITMAP	0x2ed5e8	0x4f60	Device independent bitmap graphic, 103 x 65 x 24, image size 20280	Korean	North Korea	0.02357283464566929
RT_BITMAP	0x2ed5e8	0x4f60	Device independent bitmap graphic, 103 x 65 x 24, image size 20280	Korean	South Korea	0.02357283464566929
RT_BITMAP	0x2f2548	0x4f60	Device independent bitmap graphic, 103 x 65 x 24, image size 20280	Korean	North Korea	0.023622047244094488
RT_BITMAP	0x2f2548	0x4f60	Device independent bitmap graphic, 103 x 65 x 24, image size 20280	Korean	South Korea	0.023622047244094488
RT_BITMAP	0x2f74a8	0x2d268	Device independent bitmap graphic, 856 x 72 x 24, image size 0	Korean	North Korea	0.23900160055370506
RT_BITMAP	0x2f74a8	0x2d268	Device independent bitmap graphic, 856 x 72 x 24, image size 0	Korean	South Korea	0.23900160055370506
RT_BITMAP	0x324710	0x1c30	Device independent bitmap graphic, 103 x 23 x 24, image size 0	Korean	North Korea	0.01524390243902439
RT_BITMAP	0x324710	0x1c30	Device independent bitmap graphic, 103 x 23 x 24, image size 0	Korean	South Korea	0.01524390243902439
RT_BITMAP	0x326340	0x4f60	Device independent bitmap graphic, 103 x 65 x 24, image size 0	Korean	North Korea	0.009694881889763779
RT_BITMAP	0x326340	0x4f60	Device independent bitmap graphic, 103 x 65 x 24, image size 0	Korean	South Korea	0.009694881889763779
RT_BITMAP	0x32b2a0	0xb8	Device independent bitmap graphic, 12 x 10 x 4, image size 80	Korean	North Korea	0.44565217391304346
RT_BITMAP	0x32b2a0	0xb8	Device independent bitmap graphic, 12 x 10 x 4, image size 80	Korean	South Korea	0.44565217391304346
RT_BITMAP	0x32b358	0x144	Device independent bitmap graphic, 33 x 11 x 4, image size 220	Korean	North Korea	0.37962962962962965
RT_BITMAP	0x32b358	0x144	Device independent bitmap graphic, 33 x 11 x 4, image size 220	Korean	South Korea	0.37962962962962965
RT_ICON	0x32b49c	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Korean	North Korea	0.56636460554371
RT_ICON	0x32b49c	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Korean	South Korea	0.56636460554371
RT_ICON	0x32c344	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Korean	North Korea	0.7143501805054152
RT_ICON	0x32c344	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Korean	South Korea	0.7143501805054152
RT_ICON	0x32cbec	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Korean	North Korea	0.6011560693641619
RT_ICON	0x32cbec	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Korean	South Korea	0.6011560693641619
RT_ICON	0x32d154	0x7ca0	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	Korean	North Korea	1.0005015045135406
RT_ICON	0x32d154	0x7ca0	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	Korean	South Korea	1.0005015045135406
RT_ICON	0x334df4	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Korean	North Korea	0.466701244813278
RT_ICON	0x334df4	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Korean	South Korea	0.466701244813278
RT_ICON	0x33739c	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Korean	North Korea	0.5044559099437148
RT_ICON	0x33739c	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Korean	South Korea	0.5044559099437148
RT_ICON	0x338444	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Korean	North Korea	0.7109929078014184
RT_ICON	0x338444	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Korean	South Korea	0.7109929078014184
RT_DIALOG	0x3388ac	0x1e4	data	Korean	North Korea	0.5619834710743802
RT_DIALOG	0x3388ac	0x1e4	data	Korean	South Korea	0.5619834710743802
RT_DIALOG	0x338a90	0x2a18	data	Korean	North Korea	0.18216406829992576
RT_DIALOG	0x338a90	0x2a18	data	Korean	South Korea	0.18216406829992576
RT_DIALOG	0x33b4a8	0xd8	data	Korean	North Korea	0.6990740740740741
RT_DIALOG	0x33b4a8	0xd8	data	Korean	South Korea	0.6990740740740741
RT_DIALOG	0x33b580	0xf4	data	Korean	North Korea	0.680327868852459
RT_DIALOG	0x33b580	0xf4	data	Korean	South Korea	0.680327868852459
RT_DIALOG	0x33b674	0x34	data	Korean	North Korea	0.8653846153846154
RT_DIALOG	0x33b674	0x34	data	Korean	South Korea	0.8653846153846154
RT_STRING	0x33b6a8	0x238	data	Korean	North Korea	0.4665492957746479
RT_STRING	0x33b6a8	0x238	data	Korean	South Korea	0.4665492957746479
RT_STRING	0x33b8e0	0xd4	data	Korean	North Korea	0.4716981132075472
RT_STRING	0x33b8e0	0xd4	data	Korean	South Korea	0.4716981132075472
RT_STRING	0x33b9b4	0x68	data	Korean	North Korea	0.8365384615384616
RT_STRING	0x33b9b4	0x68	data	Korean	South Korea	0.8365384615384616
RT_STRING	0x33ba1c	0x2e	data	Korean	North Korea	0.6086956521739131
RT_STRING	0x33ba1c	0x2e	data	Korean	South Korea	0.6086956521739131
RT_STRING	0x33ba4c	0xe8	data	Korean	North Korea	0.75
RT_STRING	0x33ba4c	0xe8	data	Korean	South Korea	0.75
RT_STRING	0x33bb34	0x312	data	Korean	North Korea	0.5954198473282443
RT_STRING	0x33bb34	0x312	data	Korean	South Korea	0.5954198473282443
RT_STRING	0x33be48	0x1a8	data	Korean	North Korea	0.4080188679245283
RT_STRING	0x33be48	0x1a8	data	Korean	South Korea	0.4080188679245283
RT_STRING	0x33bff0	0x1d2	data	Korean	North Korea	0.5815450643776824
RT_STRING	0x33bff0	0x1d2	data	Korean	South Korea	0.5815450643776824
RT_STRING	0x33c1c4	0x68	data	Korean	North Korea	0.8076923076923077
RT_STRING	0x33c1c4	0x68	data	Korean	South Korea	0.8076923076923077
RT_STRING	0x33c22c	0x6e	data	Korean	North Korea	0.6272727272727273
RT_STRING	0x33c22c	0x6e	data	Korean	South Korea	0.6272727272727273
RT_STRING	0x33c29c	0xb0	data	Korean	North Korea	0.7102272727272727
RT_STRING	0x33c29c	0xb0	data	Korean	South Korea	0.7102272727272727
RT_STRING	0x33c34c	0x302	AmigaOS bitmap font "X\271", fc_YSize 4294953157, 9414 elements, 2nd "\310\262\344\262.", 3rd "I"	Korean	North Korea	0.512987012987013
RT_STRING	0x33c34c	0x302	AmigaOS bitmap font "X\271", fc_YSize 4294953157, 9414 elements, 2nd "\310\262\344\262.", 3rd "I"	Korean	South Korea	0.512987012987013
RT_STRING	0x33c650	0x174	AmigaOS bitmap font "X\271", fc_YSize 4294958530, 9414 elements, 2nd " ", 3rd	Korean	North Korea	0.5672043010752689
RT_STRING	0x33c650	0x174	AmigaOS bitmap font "X\271", fc_YSize 4294958530, 9414 elements, 2nd " ", 3rd	Korean	South Korea	0.5672043010752689
RT_STRING	0x33c7c4	0x24	data	Korean	North Korea	0.4722222222222222
RT_STRING	0x33c7c4	0x24	data	Korean	South Korea	0.4722222222222222
RT_STRING	0x33c7e8	0x294	data	Korean	North Korea	0.5696969696969697
RT_STRING	0x33c7e8	0x294	data	Korean	South Korea	0.5696969696969697
RT_ACCELERATOR	0x33ca7c	0x38	data	Korean	North Korea	0.8571428571428571
RT_ACCELERATOR	0x33ca7c	0x38	data	Korean	South Korea	0.8571428571428571
RT_GROUP_CURSOR	0x33cab4	0x22	Lotus unknown worksheet or configuration, revision 0x2	Korean	North Korea	1.0294117647058822
RT_GROUP_CURSOR	0x33cab4	0x22	Lotus unknown worksheet or configuration, revision 0x2	Korean	South Korea	1.0294117647058822
RT_GROUP_CURSOR	0x33cad8	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	North Korea	1.3
RT_GROUP_CURSOR	0x33cad8	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	South Korea	1.3
RT_GROUP_CURSOR	0x33caec	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	North Korea	1.3
RT_GROUP_CURSOR	0x33caec	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	South Korea	1.3
RT_GROUP_CURSOR	0x33cb00	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	North Korea	1.3
RT_GROUP_CURSOR	0x33cb00	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	South Korea	1.3
RT_GROUP_CURSOR	0x33cb14	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	North Korea	1.3
RT_GROUP_CURSOR	0x33cb14	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	South Korea	1.3
RT_GROUP_CURSOR	0x33cb28	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	North Korea	1.3
RT_GROUP_CURSOR	0x33cb28	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	South Korea	1.3
RT_GROUP_CURSOR	0x33cb3c	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	North Korea	1.3
RT_GROUP_CURSOR	0x33cb3c	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	South Korea	1.3
RT_GROUP_CURSOR	0x33cb50	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	North Korea	1.3
RT_GROUP_CURSOR	0x33cb50	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	South Korea	1.3
RT_GROUP_CURSOR	0x33cb64	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	North Korea	1.3
RT_GROUP_CURSOR	0x33cb64	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	South Korea	1.3
RT_GROUP_CURSOR	0x33cb78	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	North Korea	1.3
RT_GROUP_CURSOR	0x33cb78	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	South Korea	1.3
RT_GROUP_CURSOR	0x33cb8c	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	North Korea	1.3
RT_GROUP_CURSOR	0x33cb8c	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	South Korea	1.3
RT_GROUP_CURSOR	0x33cba0	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	North Korea	1.3
RT_GROUP_CURSOR	0x33cba0	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	South Korea	1.3
RT_GROUP_CURSOR	0x33cbb4	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	North Korea	1.3
RT_GROUP_CURSOR	0x33cbb4	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	South Korea	1.3
RT_GROUP_CURSOR	0x33cbc8	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	North Korea	1.3
RT_GROUP_CURSOR	0x33cbc8	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	South Korea	1.3
RT_GROUP_CURSOR	0x33cbdc	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	North Korea	1.3
RT_GROUP_CURSOR	0x33cbdc	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	South Korea	1.3
RT_GROUP_ICON	0x33cbf0	0x68	data	Korean	North Korea	0.7019230769230769
RT_GROUP_ICON	0x33cbf0	0x68	data	Korean	South Korea	0.7019230769230769
RT_VERSION	0x33cc58	0x3f4	data	Korean	North Korea	0.48122529644268774
RT_VERSION	0x33cc58	0x3f4	data	Korean	South Korea	0.48122529644268774
RT_MANIFEST	0x33d04c	0x31c	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (736), with CRLF line terminators	English	United States	0.5238693467336684
None	0x33d368	0x5c	data	Korean	North Korea	0.45652173913043476
None	0x33d368	0x5c	data	Korean	South Korea	0.45652173913043476

Imports

DLL	Import
KERNEL32.dll	IsValidCodePage, FindNextFileW, FindFirstFileExW, GetTimeZoneInformation, EnumSystemLocalesW, IsValidLocale, SetFilePointerEx, GetConsoleCP, ReadConsoleW, GetConsoleMode, GetACP, ExitProcess, GetOEMCP, VirtualQuery, GetSystemInfo, HeapQueryInformation, GetCommandLineW, GetCommandLineA, GetModuleHandleExW, FreeLibraryAndExitThread, ExitThread, CreateThread, PeekNamedPipe, GetFileType, GetDriveTypeW, RtlUnwind, InterlockedPushEntrySList, GetCPInfo, GetStringTypeW, LCMapStringW, OutputDebugStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetStdHandle, SetEnvironmentVariableA, GetStartupInfoW, IsDebuggerPresent, GetSystemTimeAsFileTime, WaitForSingleObjectEx, InitializeSListHead, IsProcessorFeaturePresent, TerminateProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetUserDefaultLCID, SearchPathW, GetProfileIntW, GetTempPathW, GetTempFileNameW, VerifyVersionInfoW, VerSetConditionMask, FindResourceExW, GetWindowsDirectoryW, SetErrorMode, GetCurrentDirectoryW, VirtualProtect, GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetLocaleInfoW, CompareStringW, LocalReAlloc, LocalAlloc, GlobalHandle, GlobalReAlloc, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSection, GlobalGetAtomNameW, GlobalFlags, FileTimeToSystemTime, SystemTimeToTzSpecificLocalTime, GetFileTime, GetFileSizeEx, GetFileAttributesExW, GetFileAttributesW, FileTimeToLocalFileTime, GetThreadLocale, lstrcmpiW, GetCurrentProcess, DuplicateHandle, UnlockFile, SetFilePointer, SetEndOfFile, LockFile, GetVolumeInformationW, GetFullPathNameW, GetFileSize, FlushFileBuffers, FindFirstFileW, FindClose, DeleteFileW, GetCurrentProcessId, WritePrivateProfileStringW, GetPrivateProfileIntW, lstrcmpA, GetVersionExW, SuspendThread, SetThreadPriority, SetEvent, CopyFileW, FormatMessageW, MulDiv, LocalFree, GlobalSize, GlobalAlloc, GlobalFindAtomW, GlobalAddAtomW, lstrcmpW, GlobalDeleteAtom, LoadLibraryExW, FreeLibrary, GetSystemDirectoryW, GetCurrentThreadId, EncodePointer, LoadLibraryA, LoadLibraryW, GlobalFree, GlobalUnlock, GlobalLock, GetProcAddress, GetModuleHandleW, GetModuleHandleA, FreeResource, OutputDebugStringA, GetCurrentThread, QueryPerformanceFrequency, QueryPerformanceCounter, SetLastError, ReadFile, ClearCommError, GetOverlappedResult, WriteFile, SetCommState, GetCommState, SetCommTimeouts, PurgeComm, SetupComm, SetCommMask, CreateFileW, CloseHandle, CreateEventW, ResetEvent, WaitForSingleObject, WaitCommEvent, WaitForMultipleObjects, GetProcessHeap, DecodePointer, HeapAlloc, RaiseException, HeapReAlloc, HeapSize, HeapFree, GetModuleFileNameW, ResumeThread, WideCharToMultiByte, VirtualFree, VirtualAlloc, GetPrivateProfileStringW, lstrcpyW, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetLastError, GetTickCount, Sleep, GetExitCodeThread, MultiByteToWideChar, SizeofResource, FindResourceW, LoadResource, LockResource, SetStdHandle, WriteConsoleW
USER32.dll	SetTimer, DeleteMenu, WindowFromPoint, ReleaseCapture, SetCapture, WaitMessage, LoadImageW, DestroyIcon, TrackMouseEvent, GetAsyncKeyState, LoadCursorW, GetSysColorBrush, CopyImage, IntersectRect, RealChildWindowFromPoint, CharUpperW, FillRect, ClientToScreen, GetWindowDC, TabbedTextOutW, GrayStringW, DrawTextExW, DrawTextW, SystemParametersInfoW, InflateRect, GetMenuItemInfoW, DestroyMenu, LoadMenuW, GetWindowThreadProcessId, SetCursor, ShowOwnedPopups, MapDialogRect, SetWindowContextHelpId, PostQuitMessage, GetCursorPos, GetMessageW, OffsetRect, SetRectEmpty, SendDlgItemMessageA, RemoveMenu, InsertMenuW, GetMenuState, GetMenuStringW, SetMenuItemInfoW, GetMenuCheckMarkDimensions, SetMenuItemBitmaps, EnableMenuItem, CheckMenuItem, IsDialogMessageW, SetWindowTextW, CheckDlgButton, GetDlgItemTextW, SetDlgItemTextW, MoveWindow, ShowWindow, GetMonitorInfoW, MonitorFromWindow, WinHelpW, GetScrollInfo, SetScrollInfo, CallNextHookEx, UnhookWindowsHookEx, SetWindowsHookExW, GetWindow, GetLastActivePopup, GetTopWindow, GetClassNameW, GetClassLongW, SetWindowLongW, PtInRect, EqualRect, GetSysColor, MapWindowPoints, ScreenToClient, MessageBoxW, AdjustWindowRectEx, GetWindowTextLengthW, GetWindowTextW, RemovePropW, GetPropW, SetPropW, ShowScrollBar, GetScrollRange, SetScrollRange, GetScrollPos, SetScrollPos, ScrollWindow, RedrawWindow, ValidateRect, EndPaint, BeginPaint, KillTimer, CharNextW, CopyAcceleratorTableW, EnableWindow, PostMessageW, SendMessageW, LoadIconW, LoadBitmapW, SetForegroundWindow, GetForegroundWindow, TrackPopupMenu, GetMenuItemCount, GetMenuItemID, GetSubMenu, SetMenu, GetMenu, GetCapture, GetKeyState, GetFocus, SetFocus, GetDlgCtrlID, IsWindowVisible, EndDeferWindowPos, DeferWindowPos, BeginDeferWindowPos, InvalidateRgn, SetRect, IsRectEmpty, GetNextDlgGroupItem, MessageBeep, IsClipboardFormatAvailable, CreatePopupMenu, GetMenuDefaultItem, DrawFocusRect, DrawIconEx, GetIconInfo, EnableScrollBar, HideCaret, InvertRect, SetWindowPlacement, GetWindowPlacement, NotifyWinEvent, SetLayeredWindowAttributes, EnumDisplayMonitors, SetClassLongW, SetWindowRgn, SetParent, OpenClipboard, CloseClipboard, GetSystemMenu, AppendMenuW, LoadAcceleratorsW, IsIconic, GetSystemMetrics, GetClientRect, DrawIcon, TranslateAcceleratorW, GetWindowRect, wsprintfW, PeekMessageW, TranslateMessage, DispatchMessageW, InvalidateRect, UpdateWindow, UnregisterClassW, IsWindow, DestroyWindow, CreateDialogIndirectParamW, EndDialog, GetDlgItem, GetNextDlgTabItem, GetActiveWindow, IsWindowEnabled, SetActiveWindow, GetWindowLongW, GetDesktopWindow, GetParent, GetKeyNameTextW, MapVirtualKeyW, GetDC, ReleaseDC, CopyRect, RegisterWindowMessageW, UpdateLayeredWindow, GetMessagePos, GetMessageTime, DefWindowProcW, CallWindowProcW, RegisterClassW, GetClassInfoW, GetClassInfoExW, CreateWindowExW, IsMenu, IsChild, SetWindowPos, MonitorFromPoint, GetComboBoxInfo, PostThreadMessageW, GetKeyboardLayout, IsCharLowerW, MapVirtualKeyExW, ToUnicodeEx, GetKeyboardState, CreateAcceleratorTableW, DestroyAcceleratorTable, LockWindowUpdate, SetMenuDefaultItem, GetDoubleClickTime, ModifyMenuW, CharUpperBuffW, GetUpdateRect, DrawMenuBar, DefFrameProcW, DefMDIChildProcW, TranslateMDISysAccel, SubtractRect, CreateMenu, GetWindowRgn, DestroyCursor, UnionRect, RegisterClipboardFormatW, ReuseDDElParam, UnpackDDElParam, InsertMenuItemW, FrameRect, CopyIcon, SetCursorPos, BringWindowToTop, IsZoomed, DrawFrameControl, DrawEdge, DrawStateW, SetClipboardData, EmptyClipboard
GDI32.dll	CreateRectRgn, CreateSolidBrush, Escape, ExcludeClipRect, GetClipBox, GetObjectType, GetPixel, GetViewportExtEx, GetWindowExtEx, IntersectClipRect, LineTo, PtVisible, RectVisible, RestoreDC, SaveDC, SelectClipRgn, ExtSelectClipRgn, SelectObject, SelectPalette, SetBkMode, SetMapMode, SetLayout, GetLayout, SetPolyFillMode, SetROP2, SetTextAlign, MoveToEx, TextOutW, SetViewportExtEx, SetViewportOrgEx, SetWindowExtEx, SetWindowOrgEx, OffsetViewportOrgEx, OffsetWindowOrgEx, ScaleViewportExtEx, ScaleWindowExtEx, GetTextMetricsW, CreatePatternBrush, GetMapMode, SetRectRgn, DPtoLP, GetBkColor, GetTextColor, GetRgnBox, EnumFontFamiliesExW, CreatePalette, GetNearestPaletteIndex, GetPaletteEntries, GetSystemPaletteEntries, RealizePalette, CreateCompatibleBitmap, CreateDIBitmap, EnumFontFamiliesW, GetTextCharsetInfo, SetPixel, StretchBlt, CreateDIBSection, SetDIBColorTable, CreateEllipticRgn, Ellipse, CreatePolygonRgn, Polygon, Polyline, CreateRoundRectRgn, LPtoDP, Rectangle, OffsetRgn, RoundRect, FillRgn, FrameRgn, GetBoundsRect, PtInRegion, ExtFloodFill, SetPaletteEntries, SetPixelV, GetWindowOrgEx, GetViewportOrgEx, GetTextFaceW, CreatePen, CreateHatchBrush, ExtTextOutW, GetTextExtentPoint32W, CreateCompatibleDC, BitBlt, DeleteDC, GetDeviceCaps, CreateDCW, CopyMetaFileW, CreateBitmap, GetObjectW, SetTextColor, SetBkColor, CreateRectRgnIndirect, GetStockObject, CreateFontIndirectW, CombineRgn, PatBlt, DeleteObject
MSIMG32.dll	TransparentBlt, AlphaBlend
WINSPOOL.DRV	ClosePrinter, OpenPrinterW, DocumentPropertiesW
ADVAPI32.dll	RegDeleteKeyW, RegEnumKeyExW, RegQueryValueW, RegEnumKeyW, RegSetValueExW, RegDeleteValueW, RegOpenKeyExW, RegCreateKeyExW, RegCloseKey, RegQueryValueExW, RegEnumValueW
SHELL32.dll	DragAcceptFiles, DragQueryFileW, ShellExecuteW, SHGetFileInfoW, SHAppBarMessage, SHBrowseForFolderW, DragFinish, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetPathFromIDListW
COMCTL32.dll	InitCommonControlsEx
SHLWAPI.dll	PathFindFileNameW, PathRemoveFileSpecW, PathIsUNCW, StrFormatKBSizeW, PathStripToRootW, PathFindExtensionW
UxTheme.dll	GetCurrentThemeName, GetThemeSysColor, DrawThemeText, DrawThemeParentBackground, OpenThemeData, CloseThemeData, DrawThemeBackground, GetThemeColor, IsAppThemed, IsThemeBackgroundPartiallyTransparent, GetWindowTheme, GetThemePartSize
ole32.dll	OleIsCurrentClipboard, OleGetClipboard, CoLockObjectExternal, RegisterDragDrop, RevokeDragDrop, CoRevokeClassObject, CoRegisterMessageFilter, OleLockRunning, OleCreateMenuDescriptor, OleDestroyMenuDescriptor, OleTranslateAccelerator, IsAccelerator, OleFlushClipboard, OleUninitialize, OleInitialize, CoFreeUnusedLibraries, CreateStreamOnHGlobal, CreateILockBytesOnHGlobal, StgOpenStorageOnILockBytes, StgCreateDocfileOnILockBytes, CoGetClassObject, CoDisconnectObject, CoInitializeEx, CoInitialize, CoCreateInstance, CLSIDFromProgID, CLSIDFromString, CoCreateGuid, CoUninitialize, ReleaseStgMedium, OleDuplicateData, CoTaskMemFree, CoTaskMemAlloc, DoDragDrop
OLEAUT32.dll	VarBstrFromDate, VariantCopy, VariantTimeToSystemTime, SystemTimeToVariantTime, SysStringLen, OleCreateFontIndirect, LoadTypeLib, SysAllocString, SysFreeString, VariantChangeType, VariantClear, VariantInit, SysAllocStringLen, SafeArrayDestroy
oledlg.dll	OleUIBusyW
OLEACC.dll	LresultFromObject, AccessibleObjectFromWindow, CreateStdAccessibleObject
gdiplus.dll	GdipSetInterpolationMode, GdipDrawImageRectI, GdipCreateBitmapFromHBITMAP, GdipDrawImageI, GdipDeleteGraphics, GdipBitmapUnlockBits, GdipBitmapLockBits, GdipCreateBitmapFromStream, GdipGetImagePaletteSize, GdipGetImagePalette, GdipGetImagePixelFormat, GdipGetImageHeight, GdipGetImageWidth, GdipGetImageGraphicsContext, GdipDisposeImage, GdipCloneImage, GdiplusStartup, GdipFree, GdipCreateFromHDC, GdipAlloc, GdiplusShutdown, GdipCreateBitmapFromScan0
IMM32.dll	ImmGetContext, ImmGetOpenStatus, ImmReleaseContext
WINMM.dll	PlaySoundW

Exports

Name	Ordinal	Address
LZ4_compress	1	0x466ae0
LZ4_compressBound	2	0x461770
LZ4_compress_continue	3	0x466bc0
LZ4_compress_default	4	0x462670
LZ4_compress_destSize	5	0x462c80
LZ4_compress_fast	6	0x462620
LZ4_compress_fast_continue	7	0x462e90
LZ4_compress_fast_extState	8	0x4617b0
LZ4_compress_limitedOutput	9	0x462670
LZ4_compress_limitedOutput_continue	10	0x466ba0
LZ4_compress_limitedOutput_withState	11	0x466b30
LZ4_compress_withState	12	0x466b50
LZ4_create	13	0x466c70
LZ4_createStream	14	0x462cd0
LZ4_createStreamDecode	15	0x464a70
LZ4_decompress_fast	16	0x464810
LZ4_decompress_fast_continue	17	0x4651b0
LZ4_decompress_fast_usingDict	18	0x466270
LZ4_decompress_fast_withPrefix64k	19	0x464810
LZ4_decompress_safe	20	0x464200
LZ4_decompress_safe_continue	21	0x464ab0
LZ4_decompress_safe_partial	22	0x464500
LZ4_decompress_safe_usingDict	23	0x4657a0
LZ4_decompress_safe_withPrefix64k	24	0x466cf0
LZ4_freeStream	25	0x462d20
LZ4_freeStreamDecode	26	0x462d20
LZ4_loadDict	27	0x462d40
LZ4_resetStream	28	0x462d00
LZ4_resetStreamState	29	0x466c30
LZ4_saveDict	30	0x4641b0
LZ4_setStreamDecode	31	0x464a80
LZ4_sizeofState	32	0x4617a0
LZ4_sizeofStreamState	33	0x4617a0
LZ4_slideInputBuffer	34	0x466ca0
LZ4_uncompress	35	0x466c10
LZ4_uncompress_unknownOutputSize	36	0x466c20
LZ4_versionNumber	37	0x461750
LZ4_versionString	38	0x461760

Possible Origin

Language of compilation system	Country where language is spoken	Map
Korean	North Korea
Korean	South Korea
English	United States

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

• Odin3_v3.14.4.exe

Click to jump to process

Memory Usage

• Odin3_v3.14.4.exe

Click to jump to process

System Behavior

Analysis Process: Odin3_v3.14.4.exePID: 7164, Parent PID: 3520

Function Logs

General

Target ID:	0
Start time:	11:58:35
Start date:	23/08/2023
Path:	C:\Users\user\Desktop\Odin3_v3.14.4.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Odin3_v3.14.4.exe
Imagebase:	0x1140000
File size:	3'167'744 bytes
MD5 hash:	50860DE40988969F3EA3F308C6143E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

File Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Opened

Show Windows behavior

Mutex Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

Process Information Set

Process Terminated

Show Windows behavior

Thread Activities

Thread Information Set

Show Windows behavior

Memory Activities

Memory Allocated

Memory Usage Statistics

Show Windows behavior

System Activities

Language or Locale ID Queried

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

Window Created

Window UI Enumerated

Message Posted to Windows UI

Window UIs Event Hook Set

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Disassembly

Analysis Process: Odin3_v3.14.4.exePID: 7164, Parent PID: 3520COMMON

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	5.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.9%
Total number of Nodes:	909
Total number of Limit Nodes:	54

Executed Functions

Function 011AB1A7 Relevance: 6.0, APIs: 4, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 88%

			E011AB1A7(intOrPtr __ecx, WCHAR* _a4) {
				intOrPtr _v8;
				void* __esi;
				void* __ebp;
				void* _t6;
				void* _t7;
				struct HRSRC__* _t10;
				void* _t13;
				struct HINSTANCE__* _t15;
				void* _t19;
				void* _t22;

				_push(__ecx);
				_t19 = 0;
				_v8 = __ecx;
				_t22 = 0;
				if(_a4 == 0) {
					L4:
					_push(_t19); // executed
					_t6 = E011B266A(_v8); // executed
					_t13 = _t6;
					if(_t19 != 0 && _t22 != 0) {
						FreeResource(_t22);
					}
					_t7 = _t13;
				} else {
					_t15 =  *(E011B72B6(0) + 0xc);
					_t10 = FindResourceW(_t15, _a4, 0xf0);
					if(_t10 == 0) {
						goto L4;
					} else {
						_t7 = LoadResource(_t15, _t10);
						_t22 = _t7;
						if(_t22 != 0) {
							_t19 = LockResource(_t22);
							goto L4;
						}
					}
				}
				return _t7;
			}

0x011ab1aa
0x011ab1ae
0x011ab1b0
0x011ab1b3
0x011ab1b8
0x011ab1ec
0x011ab1ef
0x011ab1f0
0x011ab1f5
0x011ab1f9
0x011ab200
0x011ab200
0x011ab206
0x011ab1ba
0x011ab1c7
0x011ab1cb
0x011ab1d3
0x00000000
0x011ab1d5
0x011ab1d7
0x011ab1dd
0x011ab1e1
0x011ab1ea
0x00000000
0x011ab1ea
0x011ab1e1
0x011ab1d3
0x011ab20e

APIs

FindResourceW.KERNEL32(?,?,000000F0,?,?,?,?,?,011A7A5D,?,?,011437C4), ref: 011AB1CB
LoadResource.KERNEL32(?,00000000,?,?,?,?,?,011A7A5D,?,?,011437C4), ref: 011AB1D7
LockResource.KERNEL32(00000000,?,?,?,?,?,011A7A5D,?,?,011437C4), ref: 011AB1E4
FreeResource.KERNEL32(00000000,00000000,?,?,?,?,?,011A7A5D,?,?,011437C4), ref: 011AB200

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: f56bac2c2e99f62a1145c0984fac8a4f9a86fe6be1496d49a109d0a3c9c048f3
Instruction ID: 8391e930ed19a3d785584208aa6c8f36fd93ad9f4cf8727ab5246e4149435c3a
Opcode Fuzzy Hash: f56bac2c2e99f62a1145c0984fac8a4f9a86fe6be1496d49a109d0a3c9c048f3
Instruction Fuzzy Hash: 97F0F436A012106BE336AE59AC84D6FBE6CEB44761F00013AFE04E7201DB30AD0183A4

Uniqueness

Uniqueness Score: -1.00%

Function 011A7E59 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E011A7E59(intOrPtr _a4) {
				void* __ebp;
				intOrPtr _t2;
				long _t5;
				void* _t6;
				void* _t7;
				intOrPtr _t8;
				void* _t12;

				_t2 =  *0x13a6e8c; // 0x0
				_t8 = 0;
				if(_t2 != 0) {
					OutputDebugStringA("IsolationAware function called after IsolationAwareCleanup\n");
					_t2 =  *0x13a6e8c; // 0x0
				}
				_t12 =  *0x13a6e84 - _t8; // 0x0
				if(_t12 != 0) {
					L6:
					_t8 = 1;
					goto L11;
				} else {
					if(_t2 != 0) {
						L5:
						if(E011A7CAF(_t7,  *0x139e004, _a4) == 0) {
							L7:
							_t5 = GetLastError();
							if(_t5 == 0x7f || _t5 == 0x7e || _t5 == 0x78) {
								_t8 = 1;
								 *0x13a6e84 = 1;
							}
							L11:
							return _t8;
						}
						goto L6;
					}
					_t6 = E011A7F6B(_t7); // executed
					if(_t6 == 0) {
						goto L7;
					}
					goto L5;
				}
			}

0x011a7e5c
0x011a7e62
0x011a7e66
0x011a7e6d
0x011a7e73
0x011a7e73
0x011a7e78
0x011a7e7e
0x011a7e9f
0x011a7ea1
0x00000000
0x011a7e80
0x011a7e82
0x011a7e8d
0x011a7e9d
0x011a7ea4
0x011a7ea4
0x011a7ead
0x011a7ebb
0x011a7ebc
0x011a7ebc
0x011a7ec2
0x011a7ec6
0x011a7ec6
0x00000000
0x011a7e9d
0x011a7e84
0x011a7e8b
0x00000000
0x00000000
0x00000000
0x011a7e8b

APIs

OutputDebugStringA.KERNEL32(IsolationAware function called after IsolationAwareCleanup,?,?,011AFEBD,011C19E0,0138A7E8,00000010,011A9BBC,?), ref: 011A7E6D
GetLastError.KERNEL32(?,?,?,011AFEBD,011C19E0,0138A7E8,00000010,011A9BBC,?), ref: 011A7EA4

Strings

IsolationAware function called after IsolationAwareCleanup, xrefs: 011A7E68

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: DebugErrorLastOutputString
String ID: IsolationAware function called after IsolationAwareCleanup
API String ID: 4132100945-2690750368
Opcode ID: e9c31bda0a8238bb50996456c4b1ced82dc116ea25f4e51881222a366c9c9c10
Instruction ID: adeacab152dd56a816f67e0f6cbdcab0ba9a4bf49068922b62b42c3915eb1af6
Opcode Fuzzy Hash: e9c31bda0a8238bb50996456c4b1ced82dc116ea25f4e51881222a366c9c9c10
Instruction Fuzzy Hash: FDF0673A2002318BEB3D6BACDA018267F9CAB05B42BD45025EB04C2184D762CE0087E1

Uniqueness

Uniqueness Score: -1.00%

Function 01306D3B Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E01306D3B(int _a4) {
				void* _t14;
				void* _t16;

				if(E0130D32C(_t14, _t16) != 0 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
					TerminateProcess(GetCurrentProcess(), _a4);
				}
				E01306D7C(_t14, _t16, _a4);
				ExitProcess(_a4);
			}

0x01306d47
0x01306d63
0x01306d63
0x01306d6c
0x01306d75

APIs

GetCurrentProcess.KERNEL32(0130B124,?,01306D11,0130B124,013990E0,0000000C,01306E24,0130B124,00000002,00000000,?,0130B124), ref: 01306D5C
TerminateProcess.KERNEL32(00000000,?,01306D11,0130B124,013990E0,0000000C,01306E24,0130B124,00000002,00000000,?,0130B124), ref: 01306D63
ExitProcess.KERNEL32 ref: 01306D75

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: ec2c4f5d887e397b47d04d626319eb166d185adb264c85b3a68286f709273629
Instruction ID: ce216f767d71952ea7106f5a7c086dda730151a81a53dbd4f3e27d9090defd19
Opcode Fuzzy Hash: ec2c4f5d887e397b47d04d626319eb166d185adb264c85b3a68286f709273629
Instruction Fuzzy Hash: 12E04635000609AFDF327FA8D92AA593FB9EB00746F000428F9058A1A9CB36D892CB80

Uniqueness

Uniqueness Score: -1.00%

Function 011E6474 Relevance: 70.4, APIs: 35, Strings: 5, Instructions: 373
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E011E6474(intOrPtr* __ecx, signed int __edx, signed int __fp0) {
				signed char _t217;
				void* _t218;
				void* _t219;
				void* _t220;
				void* _t221;
				void* _t222;
				void* _t223;
				void* _t224;
				void* _t225;
				struct tagLOGFONTW _t235;
				signed int _t243;
				struct HFONT__* _t267;
				void* _t269;
				long _t282;
				int _t283;
				int _t285;
				long _t288;
				long _t289;
				long _t290;
				long _t291;
				long _t292;
				long _t293;
				long _t298;
				long _t309;
				struct HBRUSH__* _t310;
				struct HBRUSH__* _t311;
				struct HBRUSH__* _t313;
				struct HBRUSH__* _t315;
				struct HPEN__* _t336;
				void* _t350;
				long _t375;
				void* _t378;
				struct HFONT__* _t391;
				int _t394;
				int _t395;
				WCHAR* _t396;
				void* _t420;
				intOrPtr* _t422;
				int _t423;
				intOrPtr* _t439;
				signed int _t484;
				void* _t485;
				intOrPtr* _t487;
				intOrPtr* _t488;
				void* _t507;
				signed long long _t543;

				_t484 = __edx;
				_push(0x474);
				E012EA0D7();
				_t489 = __ecx;
				_push(0);
				E011B85AB(_t507 - 0x480, __edx);
				 *(_t507 - 4) =  *(_t507 - 4) & 0x00000000;
				_t217 = GetDeviceCaps( *(_t507 - 0x478), 0x58);
				 *(_t507 - 0x460) = _t217;
				asm("fild dword [ebp-0x460]");
				 *(_t507 - 0x460) = __fp0;
				_t543 =  *(_t507 - 0x460) /  *0x13391b8;
				asm("fst qword [esi+0x1e0]");
				asm("fld1");
				asm("fcom st0, st1");
				asm("fnstsw ax");
				if((_t217 & 0x00000005) != 0) {
					st1 = _t543;
					L4:
					st0 = _t543;
				} else {
					_t543 =  *0x13391a8;
					asm("fcomp st0, st2");
					asm("fnstsw ax");
					st1 = _t543;
					if((_t217 & 0x00000041) != 0) {
						goto L4;
					} else {
						 *(_t489 + 0x1e0) = _t543;
					}
				}
				_t485 = _t489 + 0x11c;
				if(_t485 != 0 &&  *((intOrPtr*)(_t485 + 4)) != 0) {
					DeleteObject(E011B9069(_t485, _t484));
				}
				_t218 = _t489 + 0x124;
				if(_t218 != 0 &&  *((intOrPtr*)(_t218 + 4)) != 0) {
					DeleteObject(E011B9069(_t218, _t484));
				}
				_t219 = _t489 + 0x12c;
				if(_t219 != 0 &&  *((intOrPtr*)(_t219 + 4)) != 0) {
					DeleteObject(E011B9069(_t219, _t484));
				}
				_t220 = _t489 + 0x134;
				if(_t220 != 0 &&  *((intOrPtr*)(_t220 + 4)) != 0) {
					DeleteObject(E011B9069(_t220, _t484));
				}
				_t221 = _t489 + 0x13c;
				if(_t221 != 0 &&  *((intOrPtr*)(_t221 + 4)) != 0) {
					DeleteObject(E011B9069(_t221, _t484));
				}
				_t222 = _t489 + 0x144;
				if(_t222 != 0 &&  *((intOrPtr*)(_t222 + 4)) != 0) {
					DeleteObject(E011B9069(_t222, _t484));
				}
				_t223 = _t489 + 0x14c;
				if(_t223 != 0 &&  *((intOrPtr*)(_t223 + 4)) != 0) {
					DeleteObject(E011B9069(_t223, _t484));
				}
				_t224 = _t489 + 0x154;
				if(_t224 != 0 &&  *((intOrPtr*)(_t224 + 4)) != 0) {
					DeleteObject(E011B9069(_t224, _t484));
				}
				_t225 = _t489 + 0x164;
				if(_t225 != 0 &&  *((intOrPtr*)(_t225 + 4)) != 0) {
					DeleteObject(E011B9069(_t225, _t484));
				}
				_t420 = _t489 + 0x15c;
				if(_t420 != 0 &&  *((intOrPtr*)(_t420 + 4)) != 0) {
					DeleteObject(E011B9069(_t420, _t484));
				}
				 *((intOrPtr*)(_t507 - 0x264)) = 0x1f8;
				E011E5F75(_t489, _t507 - 0x264); // executed
				E012EE6E0(_t485, _t507 - 0x6c, 0, 0x5c);
				 *((char*)(_t507 - 0x55)) = GetTextCharsetInfo( *(_t507 - 0x47c), 0, 0);
				 *(_t507 - 0x5c) =  *(_t507 - 0x174);
				 *((char*)(_t507 - 0x58)) =  *((intOrPtr*)(_t507 - 0x170));
				asm("cdq");
				_t235 = ( *(_t507 - 0x184) ^ _t484) - _t484;
				if(_t235 > 0xc) {
					if( *((intOrPtr*)(_t489 + 8)) == 0) {
						_t235 = _t235 - 1;
					}
				} else {
					_t235 = 0xb;
				}
				if( *(_t507 - 0x184) < 0) {
					_t235 =  ~_t235;
				}
				 *(_t507 - 0x6c) = _t235;
				lstrcpyW(_t507 - 0x50, _t507 - 0x168);
				if( *((intOrPtr*)(_t489 + 4)) == 0 &&  *((char*)(_t507 - 0x16d)) <= 2) {
					_t394 = EnumFontFamiliesW( *(_t507 - 0x47c), 0, 0x11e5e10, L"Segoe UI"); // executed
					if(_t394 != 0) {
						_t395 = EnumFontFamiliesW( *(_t507 - 0x47c), 0, 0x11e5e10, L"Tahoma");
						_t396 = _t507 - 0x50;
						if(_t395 != 0) {
							_push(L"MS Sans Serif");
						} else {
							_push(L"Tahoma");
						}
						lstrcpyW(_t396, ??);
					} else {
						lstrcpyW(_t507 - 0x50, L"Segoe UI");
						 *((char*)(_t507 - 0x52)) = 5;
					}
				}
				E011B8E9D(_t485, _t484, _t485, CreateFontIndirectW(_t507 - 0x6c));
				_t486 =  *(_t507 - 0x6c);
				 *(_t507 - 0x460) = E01304A7B(_t484, _t486);
				asm("fild dword [ebp-0x460]");
				 *(_t507 - 0x464) = _t543;
				asm("fld1");
				asm("faddp st1, st0");
				_t243 = E012EA290(_t242, ( *(_t507 - 0x464) + st0) /  *0x13391b0);
				 *(_t507 - 0x6c) = _t243;
				if(_t486 < 0) {
					 *(_t507 - 0x6c) =  ~_t243;
				}
				E011B8E9D(_t420, _t484, _t486, CreateFontIndirectW(_t507 - 0x6c));
				 *(_t507 - 0x6c) = _t486;
				 *((intOrPtr*)(_t507 - 0x45c)) = 0x1f8;
				E011E5F75(_t489, _t507 - 0x45c);
				 *((char*)(_t507 - 0x58)) =  *((intOrPtr*)(_t507 - 0x30c));
				 *(_t507 - 0x5c) =  *(_t507 - 0x310);
				E011B8E9D(_t489 + 0x124, _t484, _t486, CreateFontIndirectW(_t507 - 0x6c));
				 *((char*)(_t507 - 0x58)) =  *((intOrPtr*)(_t507 - 0x170));
				 *(_t507 - 0x5c) =  *(_t507 - 0x174);
				 *((char*)(_t507 - 0x57)) = 1;
				E011B8E9D(_t489 + 0x13c, _t484, _t486, CreateFontIndirectW(_t507 - 0x6c));
				 *((char*)(_t507 - 0x57)) = 0;
				 *(_t507 - 0x5c) = 0x2bc;
				E011B8E9D(_t489 + 0x12c, _t484, _t486, CreateFontIndirectW(_t507 - 0x6c));
				_t421 =  *((intOrPtr*)(_t507 - 0x55));
				 *(_t507 - 0x5c) =  *(_t507 - 0x5c) & 0x00000000;
				 *((char*)(_t507 - 0x55)) = 2;
				 *(_t507 - 0x6c) = GetSystemMetrics(0x48) - 1;
				lstrcpyW(_t507 - 0x50, L"Marlett");
				_t267 = CreateFontIndirectW(_t507 - 0x6c);
				_t435 = _t489 + 0x164;
				E011B8E9D(_t489 + 0x164, _t484, _t486, _t267);
				 *(_t507 - 0x468) =  *(_t507 - 0x468) & 0x00000000;
				 *((intOrPtr*)(_t507 - 0x46c)) = 0x1331f94;
				 *(_t507 - 4) = 1;
				_t269 = GetStockObject(0x11);
				 *(_t507 - 0x468) = _t269;
				if(_t269 != 0) {
					_t435 = _t507 - 0x6c;
					if(GetObjectW(_t269, 0x5c, _t507 - 0x6c) != 0) {
						_t486 = 0x384;
						 *(_t507 - 0x6c) =  *(_t507 - 0x184);
						 *(_t507 - 0x5c) =  *(_t507 - 0x174);
						 *((char*)(_t507 - 0x58)) =  *((intOrPtr*)(_t507 - 0x170));
						 *(_t507 - 0x60) = 0x384;
						 *(_t507 - 0x64) = 0xa8c;
						lstrcpyW(_t507 - 0x50, L"Arial");
						E011B8E9D(_t489 + 0x14c, _t484, 0x384, CreateFontIndirectW(_t507 - 0x6c));
						 *(_t507 - 0x64) = 0x384;
						_t391 = CreateFontIndirectW(_t507 - 0x6c);
						_t435 = _t489 + 0x154;
						E011B8E9D(_t489 + 0x154, _t484, 0x384, _t391);
					}
				}
				GetObjectW( *(E011B9185(_t435, _t484, _t486, _t489, GetStockObject(0x11)) + 4), 0x5c, _t507 - 0x6c);
				 *((char*)(_t507 - 0x57)) = 1;
				E011B8E9D(_t489 + 0x144, _t484, _t486, CreateFontIndirectW(_t507 - 0x6c));
				 *((char*)(_t507 - 0x57)) = 0;
				 *(_t507 - 0x5c) = 0x2bc;
				E011B8E9D(_t489 + 0x134, _t484, _t486, CreateFontIndirectW(_t507 - 0x6c));
				_t439 = _t489; // executed
				E011E6DCA(_t439, _t484);
				_t487 =  *0x13a9654; // 0x0
				while(_t487 != 0) {
					_t422 = _t487;
					if(_t487 == 0) {
						L61:
						E011B1E69(_t439);
						asm("int3");
						_push(0x20);
						E012EA0A3();
						_t488 = _t439;
						_t282 = GetSysColor(0x16);
						_t423 = 0;
						if(_t282 != 0xffffff) {
							L65:
							_t283 = _t423;
						} else {
							_t375 = GetSysColor(0xf);
							if(_t375 != 0) {
								goto L65;
							} else {
								_t283 = _t375 + 1;
							}
						}
						 *(_t488 + 0x184) = _t283;
						if(GetSysColor(0x15) != 0 || GetSysColor(0xf) != 0xffffff) {
							_t285 = _t423;
						} else {
							_t285 = 1;
						}
						_push(_t423);
						_t440 = _t507 - 0x2c;
						 *(_t488 + 0x188) = _t285;
						E011B85AB(_t507 - 0x2c, _t484);
						 *(_t507 - 4) = _t423;
						 *((intOrPtr*)(_t488 + 0x1ac)) = GetDeviceCaps( *(_t507 - 0x24), 0xc);
						_t288 = GetSysColor(0xf);
						 *(_t488 + 0x1c) = _t288;
						 *(_t488 + 0x54) = _t288;
						_t289 = GetSysColor(0x10);
						 *(_t488 + 0x20) = _t289;
						 *(_t488 + 0x58) = _t289;
						_t290 = GetSysColor(0x15);
						 *(_t488 + 0x30) = _t290;
						 *(_t488 + 0x60) = _t290;
						_t291 = GetSysColor(0x16);
						 *(_t488 + 0x34) = _t291;
						 *(_t488 + 0x64) = _t291;
						_t292 = GetSysColor(0x14);
						 *(_t488 + 0x24) = _t292;
						 *(_t488 + 0x5c) = _t292;
						_t293 = GetSysColor(0x12);
						 *(_t488 + 0x28) = _t293;
						 *(_t488 + 0x68) = _t293;
						 *((intOrPtr*)(_t488 + 0x38)) = GetSysColor(0x11);
						 *((intOrPtr*)(_t488 + 0x2c)) = GetSysColor(6);
						 *(_t488 + 0x3c) = GetSysColor(0xd);
						 *((intOrPtr*)(_t488 + 0x40)) = GetSysColor(0xe);
						_t298 = GetSysColor(5);
						 *(_t488 + 0x6c) = _t298;
						 *(_t488 + 0x50) = _t298;
						 *(_t488 + 0x70) = GetSysColor(8);
						 *((intOrPtr*)(_t488 + 0x74)) = GetSysColor(9);
						 *((intOrPtr*)(_t488 + 0x78)) = GetSysColor(7);
						 *(_t488 + 0x7c) = GetSysColor(2);
						 *(_t488 + 0x80) = GetSysColor(3);
						 *((intOrPtr*)(_t488 + 0x88)) = GetSysColor(0x1b);
						 *((intOrPtr*)(_t488 + 0x8c)) = GetSysColor(0x1c);
						 *((intOrPtr*)(_t488 + 0x90)) = GetSysColor(0xa);
						 *((intOrPtr*)(_t488 + 0x94)) = GetSysColor(0xb);
						 *((intOrPtr*)(_t488 + 0x84)) = GetSysColor(0x13);
						if( *(_t488 + 0x184) == _t423) {
							_t309 = GetSysColor(0x1a);
							 *(_t488 + 0x48) = 0xff0000;
							 *(_t488 + 0x4c) = 0x800080;
						} else {
							_t309 =  *(_t488 + 0x70);
							 *(_t488 + 0x48) = _t309;
							 *(_t488 + 0x4c) = _t309;
						}
						 *(_t488 + 0x44) = _t309;
						_t310 = GetSysColorBrush(0x10);
						 *(_t488 + 0x14) = _t310;
						if(_t310 == 0) {
							L74:
							E011B1E69(_t440);
						}
						_t311 = GetSysColorBrush(0x14);
						 *(_t488 + 0x10) = _t311;
						if(_t311 == 0) {
							goto L74;
						}
						_t313 = GetSysColorBrush(5);
						 *(_t488 + 0x18) = _t313;
						if(_t313 == 0) {
							goto L74;
						}
						E011B9017(_t488 + 0x98);
						_t315 = CreateSolidBrush( *(_t488 + 0x1c)); // executed
						E011B8E9D(_t488 + 0x98, _t484, _t488, _t315);
						E011B9017(_t488 + 0xd0);
						E011B8E9D(_t488 + 0xd0, _t484, _t488, CreateSolidBrush( *(_t488 + 0x54)));
						E011B9017(_t488 + 0xb8);
						E011B8E9D(_t488 + 0xb8, _t484, _t488, CreateSolidBrush( *(_t488 + 0x7c)));
						E011B9017(_t488 + 0xc0);
						E011B8E9D(_t488 + 0xc0, _t484, _t488, CreateSolidBrush( *(_t488 + 0x80)));
						E011B9017(_t488 + 0xa0);
						E011B8E9D(_t488 + 0xa0, _t484, _t488, CreateSolidBrush( *(_t488 + 0x3c)));
						E011B9017(_t488 + 0xb0);
						E011B8E9D(_t488 + 0xb0, _t484, _t488, CreateSolidBrush( *(_t488 + 0x30)));
						E011B9017(_t488 + 0xc8);
						E011B8E9D(_t488 + 0xc8, _t484, _t488, CreateSolidBrush( *(_t488 + 0x6c)));
						E011B9017(_t488 + 0xd8);
						_t336 = CreatePen(_t423, 1,  *0x13a925c); // executed
						E011B8E9D(_t488 + 0xd8, _t484, _t488, _t336);
						E011B9017(_t488 + 0xe0);
						E011B8E9D(_t488 + 0xe0, _t484, _t488, CreatePen(_t423, 1,  *0x13a9274));
						_t500 = _t488 + 0xe8;
						E011B9017(_t488 + 0xe8);
						E011B8E9D(_t488 + 0xe8, _t484, _t488, CreatePen(_t423, 1,  *0x13a9278));
						_t423 = _t488 + 0xa8;
						if(_t423 != 0 &&  *((intOrPtr*)(_t423 + 4)) != 0) {
							E011B9017(_t423);
						}
						if( *((intOrPtr*)(_t488 + 0x1ac)) <= 8) {
							_t440 = _t488;
							if(E011E5A78(_t423, _t488, _t500,  *((intOrPtr*)(_t507 - 0x28))) == 0) {
								goto L74;
							} else {
								 *(_t507 - 0x14) =  *(_t507 - 0x14) & 0x00000000;
								 *((intOrPtr*)(_t507 - 0x18)) = 0x1331fa4;
								 *(_t507 - 4) = 1;
								E011B8E9D(_t507 - 0x18, _t484, _t488, _t344);
								E011B8E9D(_t423, _t484, _t488, CreatePatternBrush( *(_t507 - 0x14)));
								 *(_t507 - 4) = 0;
								 *((intOrPtr*)(_t507 - 0x18)) = 0x1331fa4;
								E011681B0(_t423, _t507 - 0x18, _t488, 0x1331fa4);
							}
						} else {
							 *(_t507 - 0x10) =  *(_t488 + 0x1d) & 0x000000ff;
							 *(_t507 - 0xd) =  *(_t488 + 0x1c);
							asm("cdq");
							asm("cdq");
							asm("cdq");
							E011B8E9D(_t488 + 0xa8, _t484, _t488, CreateSolidBrush((((( *(_t488 + 0x26) & 0x000000ff) - ( *(_t488 + 0x1e) & 0x000000ff) - _t484 >> 0x00000001) +  *(_t488 + 0x1e) & 0x000000ff) << 0x00000008 | (( *(_t488 + 0x25) & 0x000000ff) - ( *(_t507 - 0x10) & 0x000000ff) - _t484 >> 0x00000001) +  *(_t507 - 0x10) & 0x000000ff) << 0x00000008 | (( *(_t488 + 0x24) & 0x000000ff) - ( *(_t507 - 0xd) & 0x000000ff) - _t484 >> 0x00000001) +  *(_t507 - 0xd) & 0x000000ff));
						}
						E0121FEAC();
						 *0x13aae74 = 1;
						_t350 = E011B8705(_t507 - 0x2c, _t484);
						E012EA06C();
						return _t350;
					} else {
						_t421 =  *((intOrPtr*)(_t422 + 8));
						_t487 =  *_t487;
						if(_t421 == 0) {
							goto L61;
						} else {
							if(E011AB259(_t439,  *((intOrPtr*)(_t421 + 0x20))) != 0) {
								_t489 =  *((intOrPtr*)( *_t421 + 0x3a8));
								L012EA066();
								_t439 = _t421;
								 *((intOrPtr*)( *((intOrPtr*)( *_t421 + 0x3a8))))();
							}
							continue;
						}
					}
					L85:
				}
				 *((intOrPtr*)(_t507 - 0x46c)) = 0x1331f94;
				E011681B0(_t421, _t507 - 0x46c, _t487, _t489); // executed
				_t378 = E011B8705(_t507 - 0x480, _t484);
				E012EA081();
				return _t378;
				goto L85;
			}

0x011e6474
0x011e6474
0x011e647e
0x011e6483
0x011e6485
0x011e648d
0x011e6492
0x011e649e
0x011e64a4
0x011e64aa
0x011e64b0
0x011e64bc
0x011e64c2
0x011e64c8
0x011e64ca
0x011e64cc
0x011e64d1
0x011e64ec
0x011e64ee
0x011e64ee
0x011e64d3
0x011e64d3
0x011e64d9
0x011e64db
0x011e64dd
0x011e64e2
0x00000000
0x011e64e4
0x011e64e4
0x011e64e4
0x011e64e2
0x011e64f0
0x011e64f8
0x011e6508
0x011e6508
0x011e650e
0x011e6516
0x011e6526
0x011e6526
0x011e652c
0x011e6534
0x011e6544
0x011e6544
0x011e654a
0x011e6552
0x011e6562
0x011e6562
0x011e6568
0x011e6570
0x011e6580
0x011e6580
0x011e6586
0x011e658e
0x011e659e
0x011e659e
0x011e65a4
0x011e65ac
0x011e65bc
0x011e65bc
0x011e65c2
0x011e65ca
0x011e65da
0x011e65da
0x011e65e0
0x011e65e8
0x011e65f8
0x011e65f8
0x011e65fe
0x011e6606
0x011e6616
0x011e6616
0x011e6622
0x011e662f
0x011e663c
0x011e6654
0x011e665d
0x011e6666
0x011e666f
0x011e6672
0x011e6677
0x011e6682
0x011e6684
0x011e6684
0x011e6679
0x011e667b
0x011e667b
0x011e668c
0x011e668e
0x011e668e
0x011e6690
0x011e669e
0x011e66a8
0x011e66c5
0x011e66cd
0x011e66f6
0x011e66fe
0x011e6701
0x011e670a
0x011e6703
0x011e6703
0x011e6703
0x011e6710
0x011e66cf
0x011e66d8
0x011e66de
0x011e66de
0x011e66cd
0x011e6723
0x011e6728
0x011e6731
0x011e6737
0x011e673e
0x011e674a
0x011e674c
0x011e6756
0x011e675b
0x011e6760
0x011e6764
0x011e6764
0x011e6774
0x011e677f
0x011e6785
0x011e678f
0x011e679a
0x011e67a3
0x011e67b7
0x011e67c2
0x011e67cb
0x011e67d2
0x011e67e3
0x011e67eb
0x011e67f0
0x011e6804
0x011e6809
0x011e680c
0x011e6812
0x011e681d
0x011e6829
0x011e6833
0x011e683a
0x011e6840
0x011e6845
0x011e684f
0x011e685b
0x011e685f
0x011e6865
0x011e686d
0x011e686f
0x011e687e
0x011e6886
0x011e688b
0x011e6894
0x011e689d
0x011e68a9
0x011e68ac
0x011e68b3
0x011e68ca
0x011e68d2
0x011e68d6
0x011e68dd
0x011e68e3
0x011e68e3
0x011e687e
0x011e68ff
0x011e6908
0x011e691a
0x011e6922
0x011e6927
0x011e693b
0x011e6940
0x011e6942
0x011e6947
0x011e697d
0x011e694f
0x011e6953
0x011e69a7
0x011e69a7
0x011e69ac
0x011e69ad
0x011e69b4
0x011e69b9
0x011e69bd
0x011e69c8
0x011e69cc
0x011e69dd
0x011e69dd
0x011e69ce
0x011e69d0
0x011e69d8
0x00000000
0x011e69da
0x011e69da
0x011e69da
0x011e69d8
0x011e69e1
0x011e69ef
0x011e6a02
0x011e69fd
0x011e69ff
0x011e69ff
0x011e6a04
0x011e6a05
0x011e6a08
0x011e6a0e
0x011e6a18
0x011e6a23
0x011e6a29
0x011e6a31
0x011e6a34
0x011e6a37
0x011e6a3f
0x011e6a42
0x011e6a45
0x011e6a4d
0x011e6a50
0x011e6a53
0x011e6a5b
0x011e6a5e
0x011e6a61
0x011e6a69
0x011e6a6c
0x011e6a6f
0x011e6a77
0x011e6a7a
0x011e6a85
0x011e6a90
0x011e6a9b
0x011e6aa6
0x011e6aa9
0x011e6ab1
0x011e6ab4
0x011e6abf
0x011e6aca
0x011e6ad5
0x011e6ae0
0x011e6aeb
0x011e6af9
0x011e6b07
0x011e6b15
0x011e6b23
0x011e6b35
0x011e6b3b
0x011e6b4a
0x011e6b50
0x011e6b57
0x011e6b3d
0x011e6b3d
0x011e6b40
0x011e6b43
0x011e6b43
0x011e6b60
0x011e6b63
0x011e6b69
0x011e6b6e
0x011e6b70
0x011e6b70
0x011e6b70
0x011e6b77
0x011e6b7d
0x011e6b82
0x00000000
0x00000000
0x011e6b86
0x011e6b8c
0x011e6b91
0x00000000
0x00000000
0x011e6b9b
0x011e6ba3
0x011e6bac
0x011e6bb9
0x011e6bca
0x011e6bd7
0x011e6be8
0x011e6bf5
0x011e6c09
0x011e6c16
0x011e6c27
0x011e6c34
0x011e6c45
0x011e6c52
0x011e6c63
0x011e6c70
0x011e6c7e
0x011e6c87
0x011e6c94
0x011e6cab
0x011e6cb0
0x011e6cb8
0x011e6ccf
0x011e6cd4
0x011e6cdc
0x011e6ce6
0x011e6ce6
0x011e6cf2
0x011e6d65
0x011e6d6e
0x00000000
0x011e6d74
0x011e6d74
0x011e6d7d
0x011e6d84
0x011e6d88
0x011e6d99
0x011e6da1
0x011e6da5
0x011e6da8
0x011e6da8
0x011e6cf4
0x011e6cfc
0x011e6d03
0x011e6d10
0x011e6d2b
0x011e6d40
0x011e6d5b
0x011e6d5b
0x011e6dad
0x011e6db5
0x011e6dbf
0x011e6dc4
0x011e6dc9
0x011e6955
0x011e6955
0x011e6958
0x011e695c
0x00000000
0x011e695e
0x011e6968
0x011e696c
0x011e6974
0x011e6979
0x011e697b
0x011e697b
0x00000000
0x011e6968
0x011e695c
0x00000000
0x011e6953
0x011e6987
0x011e6991
0x011e699c
0x011e69a1
0x011e69a6
0x00000000

APIs

__EH_prolog3_GS.LIBCMT ref: 011E647E

Part of subcall function 011B85AB: __EH_prolog3.LIBCMT ref: 011B85B2
Part of subcall function 011B85AB: GetWindowDC.USER32(00000000,00000004,011E6A13,00000000), ref: 011B85DE

GetDeviceCaps.GDI32(?,00000058), ref: 011E649E
DeleteObject.GDI32(00000000), ref: 011E6508
DeleteObject.GDI32(00000000), ref: 011E6526
DeleteObject.GDI32(00000000), ref: 011E6544
DeleteObject.GDI32(00000000), ref: 011E6562
DeleteObject.GDI32(00000000), ref: 011E6580
DeleteObject.GDI32(00000000), ref: 011E659E
DeleteObject.GDI32(00000000), ref: 011E65BC
DeleteObject.GDI32(00000000), ref: 011E65DA
DeleteObject.GDI32(00000000), ref: 011E65F8
DeleteObject.GDI32(00000000), ref: 011E6616
GetTextCharsetInfo.GDI32(?,00000000,00000000), ref: 011E664E
lstrcpyW.KERNEL32 ref: 011E669E
EnumFontFamiliesW.GDI32(?,00000000,011E5E10,Segoe UI), ref: 011E66C5
lstrcpyW.KERNEL32 ref: 011E66D8
EnumFontFamiliesW.GDI32(?,00000000,011E5E10,Tahoma), ref: 011E66F6
lstrcpyW.KERNEL32 ref: 011E6710
CreateFontIndirectW.GDI32(?), ref: 011E671A
CreateFontIndirectW.GDI32(?), ref: 011E676B
CreateFontIndirectW.GDI32(?), ref: 011E67AA
CreateFontIndirectW.GDI32(?), ref: 011E67D6
CreateFontIndirectW.GDI32(?), ref: 011E67F7
GetSystemMetrics.USER32 ref: 011E6816
lstrcpyW.KERNEL32 ref: 011E6829
CreateFontIndirectW.GDI32(?), ref: 011E6833
GetStockObject.GDI32(00000011), ref: 011E685F
GetObjectW.GDI32(00000000,0000005C,?,?,?,00000000), ref: 011E6876
lstrcpyW.KERNEL32 ref: 011E68B3
CreateFontIndirectW.GDI32(?), ref: 011E68BD
CreateFontIndirectW.GDI32(?), ref: 011E68D6
GetStockObject.GDI32(00000011), ref: 011E68EA
GetObjectW.GDI32(?,0000005C,?,00000000,?,?,00000000), ref: 011E68FF
CreateFontIndirectW.GDI32(?), ref: 011E690D
CreateFontIndirectW.GDI32(?), ref: 011E692E

Part of subcall function 011E6DCA: __EH_prolog3_GS.LIBCMT ref: 011E6DD1
Part of subcall function 011E6DCA: GetTextMetricsW.GDI32(?,?,?,00000000,00000054,011E6947,00000000,?,?,00000000), ref: 011E6E07
Part of subcall function 011E6DCA: GetTextMetricsW.GDI32(?,?,?,?,?,00000000), ref: 011E6E48

Part of subcall function 011B1E69: __CxxThrowException@8.LIBVCRUNTIME ref: 011B1E7D

Strings

Marlett, xrefs: 011E6823
Arial, xrefs: 011E68A3
MS Sans Serif, xrefs: 011E670A
Tahoma, xrefs: 011E66E4, 011E6703
Segoe UI, xrefs: 011E66B3, 011E66CF

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: Object$Font$CreateDeleteIndirect$lstrcpy$MetricsText$EnumFamiliesH_prolog3_Stock$CapsCharsetDeviceException@8H_prolog3InfoSystemThrowWindow
String ID: Arial$MS Sans Serif$Marlett$Segoe UI$Tahoma
API String ID: 3209990573-1395034203
Opcode ID: 97ed528ccb1d565a5e1677683cc32355b7d42b71124d64a30c9bb24c2ea0bab3
Instruction ID: 59c718d9c37c5dd7454cb280207c8935e79610458ebe0640f95ab756ab7dd0d0
Opcode Fuzzy Hash: 97ed528ccb1d565a5e1677683cc32355b7d42b71124d64a30c9bb24c2ea0bab3
Instruction Fuzzy Hash: 7EE17EB0A00749DBDB29AFA4C84CBEEBBFCAF14308F54446DE11AA7285DB74A544CF10

Uniqueness

Uniqueness Score: -1.00%

Function 011E69AD Relevance: 64.8, APIs: 43, Instructions: 297
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E011E69AD(void* __ecx, void* __edx) {
				long _t90;
				int _t91;
				int _t93;
				long _t96;
				long _t97;
				long _t98;
				long _t99;
				long _t100;
				long _t101;
				long _t106;
				long _t117;
				struct HBRUSH__* _t118;
				struct HBRUSH__* _t119;
				struct HBRUSH__* _t121;
				struct HBRUSH__* _t123;
				struct HPEN__* _t144;
				void* _t158;
				long _t183;
				int _t184;
				void* _t217;
				void* _t218;
				void* _t236;

				_t217 = __edx;
				_push(0x20);
				E012EA0A3();
				_t218 = __ecx;
				_t90 = GetSysColor(0x16);
				_t184 = 0;
				if(_t90 != 0xffffff) {
					L3:
					_t91 = _t184;
				} else {
					_t183 = GetSysColor(0xf);
					if(_t183 != 0) {
						goto L3;
					} else {
						_t91 = _t183 + 1;
					}
				}
				 *(_t218 + 0x184) = _t91;
				if(GetSysColor(0x15) != 0 || GetSysColor(0xf) != 0xffffff) {
					_t93 = _t184;
				} else {
					_t93 = 1;
				}
				_push(_t184);
				_t187 = _t236 - 0x2c;
				 *(_t218 + 0x188) = _t93;
				E011B85AB(_t236 - 0x2c, _t217);
				 *(_t236 - 4) = _t184;
				 *((intOrPtr*)(_t218 + 0x1ac)) = GetDeviceCaps( *(_t236 - 0x24), 0xc);
				_t96 = GetSysColor(0xf);
				 *(_t218 + 0x1c) = _t96;
				 *(_t218 + 0x54) = _t96;
				_t97 = GetSysColor(0x10);
				 *(_t218 + 0x20) = _t97;
				 *(_t218 + 0x58) = _t97;
				_t98 = GetSysColor(0x15);
				 *(_t218 + 0x30) = _t98;
				 *(_t218 + 0x60) = _t98;
				_t99 = GetSysColor(0x16);
				 *(_t218 + 0x34) = _t99;
				 *(_t218 + 0x64) = _t99;
				_t100 = GetSysColor(0x14);
				 *(_t218 + 0x24) = _t100;
				 *(_t218 + 0x5c) = _t100;
				_t101 = GetSysColor(0x12);
				 *(_t218 + 0x28) = _t101;
				 *(_t218 + 0x68) = _t101;
				 *((intOrPtr*)(_t218 + 0x38)) = GetSysColor(0x11);
				 *((intOrPtr*)(_t218 + 0x2c)) = GetSysColor(6);
				 *(_t218 + 0x3c) = GetSysColor(0xd);
				 *((intOrPtr*)(_t218 + 0x40)) = GetSysColor(0xe);
				_t106 = GetSysColor(5);
				 *(_t218 + 0x6c) = _t106;
				 *(_t218 + 0x50) = _t106;
				 *(_t218 + 0x70) = GetSysColor(8);
				 *((intOrPtr*)(_t218 + 0x74)) = GetSysColor(9);
				 *((intOrPtr*)(_t218 + 0x78)) = GetSysColor(7);
				 *(_t218 + 0x7c) = GetSysColor(2);
				 *(_t218 + 0x80) = GetSysColor(3);
				 *((intOrPtr*)(_t218 + 0x88)) = GetSysColor(0x1b);
				 *((intOrPtr*)(_t218 + 0x8c)) = GetSysColor(0x1c);
				 *((intOrPtr*)(_t218 + 0x90)) = GetSysColor(0xa);
				 *((intOrPtr*)(_t218 + 0x94)) = GetSysColor(0xb);
				 *((intOrPtr*)(_t218 + 0x84)) = GetSysColor(0x13);
				if( *(_t218 + 0x184) == _t184) {
					_t117 = GetSysColor(0x1a);
					 *(_t218 + 0x48) = 0xff0000;
					 *(_t218 + 0x4c) = 0x800080;
				} else {
					_t117 =  *(_t218 + 0x70);
					 *(_t218 + 0x48) = _t117;
					 *(_t218 + 0x4c) = _t117;
				}
				 *(_t218 + 0x44) = _t117;
				_t118 = GetSysColorBrush(0x10);
				 *(_t218 + 0x14) = _t118;
				if(_t118 == 0) {
					L12:
					E011B1E69(_t187);
				}
				_t119 = GetSysColorBrush(0x14);
				 *(_t218 + 0x10) = _t119;
				if(_t119 == 0) {
					goto L12;
				}
				_t121 = GetSysColorBrush(5);
				 *(_t218 + 0x18) = _t121;
				if(_t121 == 0) {
					goto L12;
				}
				E011B9017(_t218 + 0x98);
				_t123 = CreateSolidBrush( *(_t218 + 0x1c)); // executed
				E011B8E9D(_t218 + 0x98, _t217, _t218, _t123);
				E011B9017(_t218 + 0xd0);
				E011B8E9D(_t218 + 0xd0, _t217, _t218, CreateSolidBrush( *(_t218 + 0x54)));
				E011B9017(_t218 + 0xb8);
				E011B8E9D(_t218 + 0xb8, _t217, _t218, CreateSolidBrush( *(_t218 + 0x7c)));
				E011B9017(_t218 + 0xc0);
				E011B8E9D(_t218 + 0xc0, _t217, _t218, CreateSolidBrush( *(_t218 + 0x80)));
				E011B9017(_t218 + 0xa0);
				E011B8E9D(_t218 + 0xa0, _t217, _t218, CreateSolidBrush( *(_t218 + 0x3c)));
				E011B9017(_t218 + 0xb0);
				E011B8E9D(_t218 + 0xb0, _t217, _t218, CreateSolidBrush( *(_t218 + 0x30)));
				E011B9017(_t218 + 0xc8);
				E011B8E9D(_t218 + 0xc8, _t217, _t218, CreateSolidBrush( *(_t218 + 0x6c)));
				E011B9017(_t218 + 0xd8);
				_t144 = CreatePen(_t184, 1,  *0x13a925c); // executed
				E011B8E9D(_t218 + 0xd8, _t217, _t218, _t144);
				E011B9017(_t218 + 0xe0);
				E011B8E9D(_t218 + 0xe0, _t217, _t218, CreatePen(_t184, 1,  *0x13a9274));
				_t229 = _t218 + 0xe8;
				E011B9017(_t218 + 0xe8);
				E011B8E9D(_t218 + 0xe8, _t217, _t218, CreatePen(_t184, 1,  *0x13a9278));
				_t184 = _t218 + 0xa8;
				if(_t184 != 0 &&  *((intOrPtr*)(_t184 + 4)) != 0) {
					E011B9017(_t184);
				}
				if( *((intOrPtr*)(_t218 + 0x1ac)) <= 8) {
					_t187 = _t218;
					if(E011E5A78(_t184, _t218, _t229,  *((intOrPtr*)(_t236 - 0x28))) == 0) {
						goto L12;
					} else {
						 *(_t236 - 0x14) =  *(_t236 - 0x14) & 0x00000000;
						 *((intOrPtr*)(_t236 - 0x18)) = 0x1331fa4;
						 *(_t236 - 4) = 1;
						E011B8E9D(_t236 - 0x18, _t217, _t218, _t152);
						E011B8E9D(_t184, _t217, _t218, CreatePatternBrush( *(_t236 - 0x14)));
						 *(_t236 - 4) = 0;
						 *((intOrPtr*)(_t236 - 0x18)) = 0x1331fa4;
						E011681B0(_t184, _t236 - 0x18, _t218, 0x1331fa4);
					}
				} else {
					 *(_t236 - 0x10) =  *(_t218 + 0x1d) & 0x000000ff;
					 *(_t236 - 0xd) =  *(_t218 + 0x1c);
					asm("cdq");
					asm("cdq");
					asm("cdq");
					E011B8E9D(_t218 + 0xa8, _t217, _t218, CreateSolidBrush((((( *(_t218 + 0x26) & 0x000000ff) - ( *(_t218 + 0x1e) & 0x000000ff) - _t217 >> 0x00000001) +  *(_t218 + 0x1e) & 0x000000ff) << 0x00000008 | (( *(_t218 + 0x25) & 0x000000ff) - ( *(_t236 - 0x10) & 0x000000ff) - _t217 >> 0x00000001) +  *(_t236 - 0x10) & 0x000000ff) << 0x00000008 | (( *(_t218 + 0x24) & 0x000000ff) - ( *(_t236 - 0xd) & 0x000000ff) - _t217 >> 0x00000001) +  *(_t236 - 0xd) & 0x000000ff));
				}
				E0121FEAC();
				 *0x13aae74 = 1;
				_t158 = E011B8705(_t236 - 0x2c, _t217);
				E012EA06C();
				return _t158;
			}

0x011e69ad
0x011e69ad
0x011e69b4
0x011e69b9
0x011e69bd
0x011e69c8
0x011e69cc
0x011e69dd
0x011e69dd
0x011e69ce
0x011e69d0
0x011e69d8
0x00000000
0x011e69da
0x011e69da
0x011e69da
0x011e69d8
0x011e69e1
0x011e69ef
0x011e6a02
0x011e69fd
0x011e69ff
0x011e69ff
0x011e6a04
0x011e6a05
0x011e6a08
0x011e6a0e
0x011e6a18
0x011e6a23
0x011e6a29
0x011e6a31
0x011e6a34
0x011e6a37
0x011e6a3f
0x011e6a42
0x011e6a45
0x011e6a4d
0x011e6a50
0x011e6a53
0x011e6a5b
0x011e6a5e
0x011e6a61
0x011e6a69
0x011e6a6c
0x011e6a6f
0x011e6a77
0x011e6a7a
0x011e6a85
0x011e6a90
0x011e6a9b
0x011e6aa6
0x011e6aa9
0x011e6ab1
0x011e6ab4
0x011e6abf
0x011e6aca
0x011e6ad5
0x011e6ae0
0x011e6aeb
0x011e6af9
0x011e6b07
0x011e6b15
0x011e6b23
0x011e6b35
0x011e6b3b
0x011e6b4a
0x011e6b50
0x011e6b57
0x011e6b3d
0x011e6b3d
0x011e6b40
0x011e6b43
0x011e6b43
0x011e6b60
0x011e6b63
0x011e6b69
0x011e6b6e
0x011e6b70
0x011e6b70
0x011e6b70
0x011e6b77
0x011e6b7d
0x011e6b82
0x00000000
0x00000000
0x011e6b86
0x011e6b8c
0x011e6b91
0x00000000
0x00000000
0x011e6b9b
0x011e6ba3
0x011e6bac
0x011e6bb9
0x011e6bca
0x011e6bd7
0x011e6be8
0x011e6bf5
0x011e6c09
0x011e6c16
0x011e6c27
0x011e6c34
0x011e6c45
0x011e6c52
0x011e6c63
0x011e6c70
0x011e6c7e
0x011e6c87
0x011e6c94
0x011e6cab
0x011e6cb0
0x011e6cb8
0x011e6ccf
0x011e6cd4
0x011e6cdc
0x011e6ce6
0x011e6ce6
0x011e6cf2
0x011e6d65
0x011e6d6e
0x00000000
0x011e6d74
0x011e6d74
0x011e6d7d
0x011e6d84
0x011e6d88
0x011e6d99
0x011e6da1
0x011e6da5
0x011e6da8
0x011e6da8
0x011e6cf4
0x011e6cfc
0x011e6d03
0x011e6d10
0x011e6d2b
0x011e6d40
0x011e6d5b
0x011e6d5b
0x011e6dad
0x011e6db5
0x011e6dbf
0x011e6dc4
0x011e6dc9

APIs

__EH_prolog3.LIBCMT ref: 011E69B4
GetSysColor.USER32(00000016), ref: 011E69BD
GetSysColor.USER32(0000000F), ref: 011E69D0
GetSysColor.USER32(00000015), ref: 011E69E7
GetSysColor.USER32(0000000F), ref: 011E69F3
GetDeviceCaps.GDI32(?,0000000C), ref: 011E6A1B
GetSysColor.USER32(0000000F), ref: 011E6A29
GetSysColor.USER32(00000010), ref: 011E6A37
GetSysColor.USER32(00000015), ref: 011E6A45
GetSysColor.USER32(00000016), ref: 011E6A53
GetSysColor.USER32(00000014), ref: 011E6A61
GetSysColor.USER32(00000012), ref: 011E6A6F
GetSysColor.USER32(00000011), ref: 011E6A7D
GetSysColor.USER32(00000006), ref: 011E6A88
GetSysColor.USER32(0000000D), ref: 011E6A93
GetSysColor.USER32(0000000E), ref: 011E6A9E
GetSysColor.USER32(00000005), ref: 011E6AA9
GetSysColor.USER32(00000008), ref: 011E6AB7
GetSysColor.USER32(00000009), ref: 011E6AC2
GetSysColor.USER32(00000007), ref: 011E6ACD
GetSysColor.USER32(00000002), ref: 011E6AD8
GetSysColor.USER32(00000003), ref: 011E6AE3
GetSysColor.USER32(0000001B), ref: 011E6AF1
GetSysColor.USER32(0000001C), ref: 011E6AFF
GetSysColor.USER32(0000000A), ref: 011E6B0D
GetSysColor.USER32(0000000B), ref: 011E6B1B
GetSysColor.USER32(00000013), ref: 011E6B29
GetSysColor.USER32(0000001A), ref: 011E6B4A
GetSysColorBrush.USER32(00000010), ref: 011E6B63
GetSysColorBrush.USER32(00000014), ref: 011E6B77
GetSysColorBrush.USER32(00000005), ref: 011E6B86
CreateSolidBrush.GDI32(00000180), ref: 011E6BA3
CreateSolidBrush.GDI32(00000010), ref: 011E6BC1
CreateSolidBrush.GDI32(?), ref: 011E6BDF
CreateSolidBrush.GDI32(?), ref: 011E6C00
CreateSolidBrush.GDI32(?), ref: 011E6C1E
CreateSolidBrush.GDI32(?), ref: 011E6C3C
CreateSolidBrush.GDI32(?), ref: 011E6C5A
CreatePen.GDI32(00000000,00000001,00000000), ref: 011E6C7E
CreatePen.GDI32(00000000,00000001,00000000), ref: 011E6CA2
CreatePen.GDI32(00000000,00000001,00000000), ref: 011E6CC6
CreateSolidBrush.GDI32(?), ref: 011E6D4E
CreatePatternBrush.GDI32(00000000), ref: 011E6D90

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: Color$BrushCreate$Solid$CapsDeviceH_prolog3Pattern
String ID:
API String ID: 3832706086-0
Opcode ID: 673bae3193de849cc422542fbac63dd9e62919ad1af47c12b804e8d7baef843f
Instruction ID: 3e4418b744fc1b8e6142336c2c8bc86d798fe3f53263522bdaaacf9b0089a992
Opcode Fuzzy Hash: 673bae3193de849cc422542fbac63dd9e62919ad1af47c12b804e8d7baef843f
Instruction Fuzzy Hash: 85C1A570B00B26AFCB39BFB4C9497ACBBB8BF14705F004129E216E7580DB78A515DB91

Uniqueness

Uniqueness Score: -1.00%

Function 011AA8BC Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 184
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E011AA8BC(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, intOrPtr _a4) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagRECT _v40;
				struct tagRECT _v56;
				struct tagRECT _v76;
				char _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int _t68;
				struct tagMONITORINFO* _t71;
				struct HMONITOR__* _t102;
				struct HMONITOR__* _t107;
				signed int _t112;
				struct tagMONITORINFO* _t117;
				intOrPtr _t119;
				long _t122;
				void* _t131;
				intOrPtr _t133;
				struct tagMONITORINFO* _t134;
				intOrPtr _t137;
				signed int _t141;
				struct HWND__* _t142;
				void* _t144;
				signed int _t145;

				_t131 = __edx;
				_t68 =  *0x139eff4; // 0xdde28b47
				_v8 = _t68 ^ _t145;
				_t119 = __ecx;
				_t133 = _a4;
				_v104 = __ecx;
				_t141 = E011B0661(__ecx);
				if(_t133 == 0) {
					if((_t141 & 0x40000000) == 0) {
						_t71 = GetWindow( *(_t119 + 0x20), 4);
					} else {
						_t71 = GetParent( *(_t119 + 0x20));
					}
					_t134 = _t71;
					if(_t134 != 0) {
						_t117 = SendMessageW(_t134, 0x36b, 0, 0);
						if(_t117 != 0) {
							_t134 = _t117;
						}
					}
				} else {
					_t134 =  *(_t133 + 0x20);
				}
				_v40.left = _v40.left & 0x00000000;
				_v40.top = _v40.top & 0x00000000;
				_v40.right = _v40.right & 0x00000000;
				_v40.bottom = _v40.bottom & 0x00000000;
				GetWindowRect( *(_t119 + 0x20),  &_v40);
				_v24.left = 0;
				_v24.top = 0;
				_v24.right = 0;
				_v24.bottom = 0;
				_v56.left = 0;
				_v56.top = 0;
				_v56.right = 0;
				_v56.bottom = 0;
				if((_t141 & 0x40000000) != 0) {
					_t142 = GetParent( *(_t119 + 0x20));
					GetClientRect(_t142,  &_v24);
					GetClientRect(_t134,  &_v56);
					MapWindowPoints(_t134, _t142,  &_v56, 2);
				} else {
					if(_t134 != 0) {
						_t112 = GetWindowLongW(_t134, 0xfffffff0);
						asm("sbb eax, eax");
						_t134 = _t134 &  !( ~((_t112 & 0x30000000) - 0x10000000));
					}
					_v96 = 0x28;
					if(_t134 != 0) {
						GetWindowRect(_t134,  &_v56);
						_t102 =  &_v96;
						__imp__MonitorFromWindow(2, _t102);
						GetMonitorInfoW(_t102, _t134);
					} else {
						_t107 = E01168AF0();
						if(_t107 != 0) {
							_t107 =  *(_t107 + 0x20);
						}
						__imp__MonitorFromWindow(1,  &_v96);
						GetMonitorInfoW(_t107, _t107);
						CopyRect( &_v56,  &_v76);
					}
					CopyRect( &_v24,  &_v76);
				}
				_t144 = _v40.right - _v40.left;
				asm("cdq");
				asm("cdq");
				_t122 = (_v56.right + _v56.left - _t131 >> 1) - (_t144 - _t131 >> 1);
				_v100 = _v40.bottom - _v40.top;
				asm("cdq");
				asm("cdq");
				_t137 = (_v56.bottom + _v56.top - _t131 >> 1) - (_v100 - _t131 >> 1);
				if(_t144 + _t122 > _v24.right) {
					_t122 = _v40.left - _v40.right + _v24.right;
				}
				if(_t122 < _v24.left) {
					_t122 = _v24.left;
				}
				if(_v100 + _t137 > _v24.bottom) {
					_t137 = _v40.top - _v40.bottom + _v24.bottom;
				}
				if(_t137 < _v24.top) {
					_t137 = _v24.top;
				}
				E011B0C78(_v104, 0, _t122, _t137, 0xffffffff, 0xffffffff, 0x15); // executed
				return E012E980C(_v8 ^ _t145);
			}

0x011aa8bc
0x011aa8c2
0x011aa8c9
0x011aa8ce
0x011aa8d1
0x011aa8d4
0x011aa8dc
0x011aa8e0
0x011aa8ed
0x011aa8ff
0x011aa8ef
0x011aa8f2
0x011aa8f2
0x011aa905
0x011aa909
0x011aa915
0x011aa91d
0x011aa91f
0x011aa91f
0x011aa91d
0x011aa8e2
0x011aa8e2
0x011aa8e2
0x011aa921
0x011aa928
0x011aa92c
0x011aa930
0x011aa938
0x011aa940
0x011aa943
0x011aa946
0x011aa949
0x011aa94c
0x011aa94f
0x011aa952
0x011aa955
0x011aa95e
0x011aa9f6
0x011aa9fd
0x011aaa08
0x011aaa16
0x011aa964
0x011aa966
0x011aa96b
0x011aa97d
0x011aa981
0x011aa981
0x011aa983
0x011aa98c
0x011aa9c3
0x011aa9c9
0x011aa9d0
0x011aa9d7
0x011aa98e
0x011aa98e
0x011aa995
0x011aa997
0x011aa997
0x011aa9a1
0x011aa9a8
0x011aa9b6
0x011aa9b6
0x011aa9e5
0x011aa9e5
0x011aaa25
0x011aaa28
0x011aaa2f
0x011aaa36
0x011aaa3e
0x011aaa4a
0x011aaa52
0x011aaa59
0x011aaa5e
0x011aaa66
0x011aaa66
0x011aaa6c
0x011aaa6e
0x011aaa6e
0x011aaa79
0x011aaa81
0x011aaa81
0x011aaa87
0x011aaa89
0x011aaa89
0x011aaa99
0x011aaaae

APIs

Part of subcall function 011B0661: GetWindowLongW.USER32(?,000000F0), ref: 011B066E

GetParent.USER32(?), ref: 011AA8F2
SendMessageW.USER32(00000000,0000036B,00000000,00000000), ref: 011AA915
GetWindowRect.USER32 ref: 011AA938
GetWindowLongW.USER32(00000000,000000F0), ref: 011AA96B
MonitorFromWindow.USER32(00000000,00000001), ref: 011AA9A1
GetMonitorInfoW.USER32 ref: 011AA9A8
CopyRect.USER32 ref: 011AA9B6
GetWindowRect.USER32 ref: 011AA9C3
MonitorFromWindow.USER32(00000000,00000002), ref: 011AA9D0
GetMonitorInfoW.USER32 ref: 011AA9D7
CopyRect.USER32 ref: 011AA9E5
GetParent.USER32(?), ref: 011AA9F0
GetClientRect.USER32 ref: 011AA9FD
GetClientRect.USER32 ref: 011AAA08
MapWindowPoints.USER32 ref: 011AAA16

Strings

(, xrefs: 011AA983

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: Window$Rect$Monitor$ClientCopyFromInfoLongParent$MessagePointsSend
String ID: (
API String ID: 3610148278-3887548279
Opcode ID: 9c3042c8ce8c1bd43b6186f36d6a6bc67bb1d3dcb351808ffe407961b972ab00
Instruction ID: b1a7406772644e3b98f2e8e2e3e8d44333cc2d67e8571710bcd11f145df2b855
Opcode Fuzzy Hash: 9c3042c8ce8c1bd43b6186f36d6a6bc67bb1d3dcb351808ffe407961b972ab00
Instruction Fuzzy Hash: 7A618C7690020AAFDB25DFA8DD89BEEBBB9FF48310F550128E505F7244E730A905CB60

Uniqueness

Uniqueness Score: -1.00%

Function 011AA714 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 74
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 63%

			E011AA714(void* __edx, void* __edi, void* __esi, WCHAR* _a4) {
				signed int _v8;
				short _v532;
				void* __ebp;
				signed int _t11;
				_Unknown_base(*)()* _t13;
				signed int _t15;
				void* _t23;
				struct HINSTANCE__* _t25;
				_Unknown_base(*)()* _t26;
				WCHAR* _t31;
				_Unknown_base(*)()* _t33;
				signed int _t35;
				void* _t36;

				_t11 =  *0x139eff4; // 0xdde28b47
				_v8 = _t11 ^ _t35;
				_t13 =  *0x13a88d0; // 0x77d8bfcd
				_t31 = _a4;
				if(_t13 != 0) {
					__imp__DecodePointer(_t13); // executed
					_t33 = _t13;
					goto L4;
				} else {
					_t25 = GetModuleHandleW(L"kernel32.dll");
					if(_t25 == 0) {
						L6:
						_t15 = GetSystemDirectoryW( &_v532, 0x105);
						if(_t15 == 0 || _t15 >= 0x105) {
							L12:
						} else {
							if( *((short*)(_t35 + _t15 * 2 - 0x212)) == 0x5c) {
								L10:
								if(E01300513( &_v532, 0x105, _t31) != 0) {
									goto L12;
								} else {
									_push( &_v532);
									E011AFE0C();
								}
							} else {
								_t23 = E01300513( &_v532, 0x105, "\\");
								_t36 = _t36 + 0xc;
								if(_t23 != 0) {
									goto L12;
								} else {
									goto L10;
								}
							}
						}
					} else {
						_t26 = GetProcAddress(_t25, "SetDefaultDllDirectories");
						_t33 = _t26;
						__imp__EncodePointer(_t33); // executed
						 *0x13a88d0 = _t26;
						L4:
						if(_t33 == 0) {
							goto L6;
						} else {
							LoadLibraryExW(_t31, 0, 0x800); // executed
						}
					}
				}
				return E012E980C(_v8 ^ _t35);
			}

0x011aa71d
0x011aa724
0x011aa727
0x011aa72e
0x011aa733
0x011aa761
0x011aa767
0x00000000
0x011aa735
0x011aa73a
0x011aa742
0x011aa77d
0x011aa78a
0x011aa792
0x011aa7df
0x011aa798
0x011aa7a1
0x011aa7bc
0x011aa7cf
0x00000000
0x011aa7d1
0x011aa7d7
0x011aa7d8
0x011aa7d8
0x011aa7a3
0x011aa7b0
0x011aa7b5
0x011aa7ba
0x00000000
0x00000000
0x00000000
0x00000000
0x011aa7ba
0x011aa7a1
0x011aa744
0x011aa74a
0x011aa750
0x011aa753
0x011aa759
0x011aa769
0x011aa76b
0x00000000
0x011aa76d
0x011aa775
0x011aa775
0x011aa76b
0x011aa742
0x011aa7f0

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000), ref: 011AA73A
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 011AA74A
RtlEncodePointer.NTDLL(00000000,?,00000000), ref: 011AA753
RtlDecodePointer.NTDLL(77D8BFCD,?,00000000), ref: 011AA761
LoadLibraryExW.KERNELBASE(?,00000000,00000800,?,00000000), ref: 011AA775
GetSystemDirectoryW.KERNEL32(?,00000105), ref: 011AA78A

Strings

SetDefaultDllDirectories, xrefs: 011AA744
kernel32.dll, xrefs: 011AA735
\, xrefs: 011AA798

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: Pointer$AddressDecodeDirectoryEncodeHandleLibraryLoadModuleProcSystem
String ID: SetDefaultDllDirectories$\$kernel32.dll
API String ID: 4227638471-3881611067
Opcode ID: 470542ba85085a8facf6bb2fbd12f1c760ce0eb06dad2cf73f4baa7d896d5d74
Instruction ID: 284308b7da69df5265ed593e3a3bfc2132d459ca61ea109ae188ac4ea86f1d65
Opcode Fuzzy Hash: 470542ba85085a8facf6bb2fbd12f1c760ce0eb06dad2cf73f4baa7d896d5d74
Instruction Fuzzy Hash: 7121C335A00618ABDB34EFA9AC49FAB7FBCAF14751F440469F906D3144EB319944CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 011BEAF5 Relevance: 15.1, APIs: 10, Instructions: 106
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 78%

			E011BEAF5(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				int _v12;
				long* _v16;
				signed int _v20;
				long* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t72;
				void* _t73;
				int _t90;
				signed int _t92;
				void* _t93;
				long _t101;
				signed char* _t103;
				signed int _t106;
				signed int _t110;
				signed int _t114;
				long* _t116;
				void* _t118;
				intOrPtr _t126;
				void* _t128;
				signed int _t130;
				struct _CRITICAL_SECTION* _t133;
				void* _t134;
				void* _t135;
				struct _CRITICAL_SECTION* _t137;

				_push(__ecx);
				_t128 = __ecx;
				_t1 = _t128 + 0x1c; // 0x1c
				_t133 = _t1;
				EnterCriticalSection(_t133);
				_t114 =  *(_t128 + 4);
				_t106 =  *(_t128 + 8);
				if(_t106 >= _t114 || ( *( *(_t128 + 0x10) + _t106 * 8) & 0x00000001) != 0) {
					_t106 = 1;
					if(_t114 <= 1) {
						L7:
						_t153 =  *(_t128 + 0x10);
						_t69 = _t114 + 0x20;
						_v8 = _t114 + 0x20;
						if( *(_t128 + 0x10) != 0) {
							_t134 = GlobalHandle( *(_t128 + 0x10));
							GlobalUnlock(_t134);
							_t72 = E011B2297(_t106, _t114, _t128, _t134, __eflags, _v8, 8);
							_t116 = 0x2002;
							_t73 = GlobalReAlloc(_t134, _t72, ??);
							_t17 = _t128 + 0x1c; // 0x1c
							_t133 = _t17;
						} else {
							_t101 = E011B2297(_t106, _t114, _t128, _t133, _t153, _t69, 8);
							_pop(_t116);
							_t73 = GlobalAlloc(2, _t101); // executed
						}
						if(_t73 != 0) {
							_t135 = GlobalLock(_t73);
							__eflags = _v8 -  *(_t128 + 4) << 3;
							E012EE6E0(_t128, _t135 +  *(_t128 + 4) * 8, 0, _v8 -  *(_t128 + 4) << 3);
							 *(_t128 + 0x10) = _t135;
							_t25 = _t128 + 0x1c; // 0x1c
							_t133 = _t25;
							 *(_t128 + 4) = _v8;
							goto L14;
						} else {
							if( *(_t128 + 0x10) != _t73) {
								GlobalLock(GlobalHandle( *(_t128 + 0x10)));
							}
							LeaveCriticalSection(_t133);
							E011B1E83(_t116);
							asm("int3");
							_push(_t106);
							_push(_t133);
							_push(_t128);
							_t130 = _v8;
							_v24 = _t116;
							_t110 = 1;
							_v20 = 1;
							if( *((intOrPtr*)(_t130 + 8)) <= 1) {
								L31:
								_t137 =  &(_t116[7]);
								EnterCriticalSection(_t137);
								_t67 =  &(_v16[5]); // 0x14
								E011BEF0B(_t67, _t130);
								LeaveCriticalSection(_t137);
								LocalFree( *(_t130 + 0xc));
								L012EA066();
								 *((intOrPtr*)( *((intOrPtr*)( *_t130))))(1);
								_t90 = TlsSetValue( *_v16, 0);
							} else {
								_t126 = _a4;
								do {
									if(_t126 == 0 ||  *((intOrPtr*)(_t116[4] + 4 + _t110 * 8)) == _t126) {
										_t92 =  *( *(_t130 + 0xc) + _t110 * 4);
										_v20 = _t92;
										__eflags = _t92;
										if(_t92 != 0) {
											L012EA066();
											 *((intOrPtr*)( *((intOrPtr*)( *_t92))))(1); // executed
											_t116 = _v16;
											_t126 = _a4;
										}
										_t93 =  *(_t130 + 0xc);
										_t59 = _t93 + _t110 * 4;
										 *_t59 =  *(_t93 + _t110 * 4) & 0x00000000;
										__eflags =  *_t59;
										goto L28;
									} else {
										if( *( *(_t130 + 0xc) + _t110 * 4) == 0) {
											L28:
										} else {
											_t90 = 0;
											_v12 = 0;
										}
									}
									_t110 = _t110 + 1;
								} while (_t110 <  *((intOrPtr*)(_t130 + 8)));
								if(_t90 != 0) {
									goto L31;
								}
							}
							return _t90;
						}
					} else {
						_t103 =  *(_t128 + 0x10) + 8;
						while(( *_t103 & 0x00000001) != 0) {
							_t106 = _t106 + 1;
							_t103 =  &(_t103[8]);
							if(_t106 < _t114) {
								continue;
							}
							break;
						}
						if(_t106 < _t114) {
							goto L14;
						} else {
							goto L7;
						}
					}
				} else {
					L14:
					__eflags = _t106 -  *((intOrPtr*)(_t128 + 0xc));
					if(_t106 >=  *((intOrPtr*)(_t128 + 0xc))) {
						 *((intOrPtr*)(_t128 + 0xc)) = _t106 + 1;
					}
					_t118 =  *(_t128 + 0x10);
					_t31 = _t118 + _t106 * 8;
					 *_t31 =  *(_t118 + _t106 * 8) | 0x00000001;
					__eflags =  *_t31;
					 *(_t128 + 8) = _t106 + 1;
					LeaveCriticalSection(_t133);
					return _t106;
				}
			}

0x011beaf8
0x011beafc
0x011beafe
0x011beafe
0x011beb02
0x011beb08
0x011beb0b
0x011beb10
0x011beb21
0x011beb24
0x011beb41
0x011beb41
0x011beb45
0x011beb48
0x011beb4b
0x011beb6b
0x011beb6e
0x011beb7e
0x011beb84
0x011beb87
0x011beb8d
0x011beb8d
0x011beb4d
0x011beb50
0x011beb56
0x011beb5a
0x011beb5a
0x011beb92
0x011beba5
0x011bebac
0x011bebb6
0x011bebc1
0x011bebc4
0x011bebc4
0x011bebc7
0x00000000
0x011beb94
0x011beb97
0x011bebfc
0x011bebfc
0x011bec03
0x011bec09
0x011bec0e
0x011bec15
0x011bec16
0x011bec17
0x011bec18
0x011bec1f
0x011bec23
0x011bec24
0x011bec2a
0x011bec85
0x011bec85
0x011bec89
0x011bec93
0x011bec96
0x011bec9c
0x011beca5
0x011becb3
0x011becba
0x011becc0
0x011bec2c
0x011bec2c
0x011bec2f
0x011bec31
0x011bec4f
0x011bec52
0x011bec55
0x011bec57
0x011bec61
0x011bec69
0x011bec6b
0x011bec6e
0x011bec6e
0x011bec71
0x011bec74
0x011bec74
0x011bec74
0x00000000
0x011bec3c
0x011bec43
0x011bec78
0x011bec45
0x011bec45
0x011bec47
0x011bec47
0x011bec43
0x011bec7b
0x011bec7c
0x011bec83
0x00000000
0x00000000
0x011bec83
0x011beccc
0x011beccc
0x011beb26
0x011beb29
0x011beb2c
0x011beb31
0x011beb32
0x011beb37
0x00000000
0x00000000
0x00000000
0x011beb37
0x011beb3b
0x00000000
0x00000000
0x00000000
0x00000000
0x011beb3b
0x011bebca
0x011bebca
0x011bebca
0x011bebcd
0x011bebd2
0x011bebd2
0x011bebd5
0x011bebd9
0x011bebd9
0x011bebd9
0x011bebe0
0x011bebe3
0x011bebf1
0x011bebf1

APIs

EnterCriticalSection.KERNEL32(0000001C,?,?,?,00000000,?,011BEE46,00000004,011B72C5,011AAD96,011B0DA3,?,011B2DC7,00000004,011B3AD3,00000120), ref: 011BEB02
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,00000000,?,011BEE46,00000004,011B72C5,011AAD96,011B0DA3,?,011B2DC7,00000004,011B3AD3,00000120), ref: 011BEB5A
GlobalHandle.KERNEL32(?), ref: 011BEB65
GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,011BEE46,00000004,011B72C5,011AAD96,011B0DA3,?,011B2DC7,00000004,011B3AD3,00000120,0115D911), ref: 011BEB6E
GlobalReAlloc.KERNEL32 ref: 011BEB87
GlobalLock.KERNEL32 ref: 011BEB9C
LeaveCriticalSection.KERNEL32(0000001C), ref: 011BEBE3
GlobalHandle.KERNEL32(?), ref: 011BEBF5
GlobalLock.KERNEL32 ref: 011BEBFC
LeaveCriticalSection.KERNEL32(0000001C,?,?,00000000,?,011BEE46,00000004,011B72C5,011AAD96,011B0DA3,?,011B2DC7,00000004,011B3AD3,00000120,0115D911), ref: 011BEC03

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
String ID:
API String ID: 2667261700-0
Opcode ID: 7ef52c4a6b2fa74ac7a333fa2fb3160fad6d1abef93f6129b6369cc69adb07a2
Instruction ID: 877e1766cf12a0b68611b4d6eb5396624492b857be1667bfd96d31b2bf8752a7
Opcode Fuzzy Hash: 7ef52c4a6b2fa74ac7a333fa2fb3160fad6d1abef93f6129b6369cc69adb07a2
Instruction Fuzzy Hash: 1231C171601706AFD728AF64D8CAAE9BBB8FF04305F00462DE912D3650DB71F960CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 011A7F6B Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 112
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E011A7F6B(void* __ecx) {
				intOrPtr _t25;
				long _t35;
				long _t39;
				intOrPtr* _t43;
				WCHAR* _t44;
				intOrPtr* _t45;
				void* _t47;
				intOrPtr _t48;
				void* _t50;
				void* _t51;

				_push(0x268);
				_push(0x138a590);
				E012EA1E0();
				_t48 = 0;
				 *((intOrPtr*)(_t50 - 0x230)) = 0;
				_t51 =  *0x13a6e84 - _t48; // 0x0
				if(_t51 != 0 ||  *0x139e004 != 0xffffffff) {
					L22:
					_t48 = 1;
				} else {
					if(E011A7F1A(__ecx, 0x80000010, 0x139e004, 0, 1, _t50 - 0x238, 8, 0) == 0) {
						L23:
						E012EA229();
						return _t48;
					}
					_t25 =  *((intOrPtr*)(_t50 - 0x238));
					if(_t25 != 0) {
						L18:
						 *0x139e004 = _t25;
						_t42 = _t50 - 0x230;
						if(E011A7CAF(_t50 - 0x230, _t25, _t50 - 0x230) != 0) {
							 *((intOrPtr*)(_t50 - 4)) = _t48;
							 *((intOrPtr*)(_t50 - 0x278)) = 0x40;
							_t44 = L"Comctl32.dll";
							if(E011A7E0E(_t42, _t48, _t48, 2, _t44, _t50 - 0x278) != 0) {
								LoadLibraryW(_t44);
							}
							 *((intOrPtr*)(_t50 - 4)) = 0xfffffffe;
							E011A811F(_t48);
						}
						goto L22;
					}
					_t45 = E011A7EC9(0x132edec, 0x13a6ea4, "GetModuleHandleExW");
					if(_t45 == 0) {
						goto L23;
					}
					_push(_t50 - 0x22c);
					_push(0x139e004);
					_push(6);
					_t43 = _t45;
					L012EA066();
					if( *_t45() == 0) {
						goto L23;
					}
					_t35 = GetModuleFileNameW( *(_t50 - 0x22c), _t50 - 0x228, 0x105);
					if(_t35 == 0) {
						goto L23;
					}
					if(_t35 < 0x105) {
						 *((intOrPtr*)(_t50 - 0x258)) = 0x20;
						 *((intOrPtr*)(_t50 - 0x254)) = 0x88;
						 *((intOrPtr*)(_t50 - 0x250)) = _t50 - 0x228;
						_t47 = 3;
						 *(_t50 - 0x244) = 0x105;
						 *(_t50 - 0x23c) =  *(_t50 - 0x22c);
						_t25 = E011A7CF1(_t43, _t50 - 0x258); // executed
						 *((intOrPtr*)(_t50 - 0x238)) = _t25;
						if(_t25 != 0xffffffff) {
							L17:
							 *0x13a6e88 = 1;
							goto L18;
						}
						_t39 = GetLastError();
						if(_t39 == 0x714 || _t39 == 0x715 || _t39 == 0x717 || _t39 == 0x716 || _t39 == 2 || _t39 == _t47) {
							_t25 = _t48;
							 *((intOrPtr*)(_t50 - 0x238)) = _t25;
							goto L17;
						} else {
							goto L23;
						}
					}
					SetLastError(0x6f);
				}
			}

0x011a7f6b
0x011a7f70
0x011a7f75
0x011a7f7a
0x011a7f7c
0x011a7f82
0x011a7f88
0x011a8112
0x011a8114
0x011a7f9b
0x011a7fba
0x011a8115
0x011a8117
0x011a811c
0x011a811c
0x011a7fc0
0x011a7fc8
0x011a80c2
0x011a80c2
0x011a80c7
0x011a80d6
0x011a80d8
0x011a80db
0x011a80ec
0x011a80fd
0x011a8100
0x011a8100
0x011a8106
0x011a810d
0x011a810d
0x00000000
0x011a80d6
0x011a7fe2
0x011a7fe6
0x00000000
0x00000000
0x011a7ff2
0x011a7ff3
0x011a7ff4
0x011a7ff6
0x011a7ff8
0x011a8001
0x00000000
0x00000000
0x011a801a
0x011a8022
0x00000000
0x00000000
0x011a802a
0x011a8039
0x011a8043
0x011a8053
0x011a805b
0x011a805c
0x011a8068
0x011a8075
0x011a807a
0x011a8083
0x011a80b8
0x011a80b8
0x00000000
0x011a80b8
0x011a8085
0x011a8090
0x011a80b0
0x011a80b2
0x00000000
0x00000000
0x00000000
0x00000000
0x011a8090
0x011a802e
0x011a802e

APIs

Part of subcall function 011A7F1A: QueryActCtxW.KERNEL32(?,011A9BBC,00000010,0138A7E8,011C19E0,011AFEBD,?,00000000,?,011A7FB8,80000010,0139E004,00000000,00000001,?,00000008), ref: 011A7F64

LoadLibraryW.KERNEL32(Comctl32.dll,00000000,00000000,00000002,Comctl32.dll,00000040), ref: 011A8100

Part of subcall function 011A7EC9: DeactivateActCtx.KERNEL32(0013A2DD,756F7590,00000000,00000000,?,011A7DEE,0132EDEC,013A6EA4,DeactivateActCtx,00000000,?,011AFF1B,00000000,011C19E0,011AFEE1), ref: 011A7EE9
Part of subcall function 011A7EC9: GetProcAddress.KERNEL32(00000000,00000000), ref: 011A7EF6

GetModuleFileNameW.KERNEL32(?,?,00000105,?,011AFEBD,011C19E0,0138A7E8,00000010,011A9BBC,?), ref: 011A801A
SetLastError.KERNEL32(0000006F,?,011AFEBD,011C19E0,0138A7E8,00000010,011A9BBC,?), ref: 011A802E
GetLastError.KERNEL32(00000020), ref: 011A8085

Strings

GetModuleHandleExW, xrefs: 011A7FCE
Comctl32.dll, xrefs: 011A80EC, 011A80F1, 011A80FF
, xrefs: 011A8039
@, xrefs: 011A80DB

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: ErrorLast$AddressDeactivateFileLibraryLoadModuleNameProcQuery
String ID: $@$Comctl32.dll$GetModuleHandleExW
API String ID: 1356011737-4183358198
Opcode ID: 3e49d78a7aed12e8101a4e96e98a67fd8e473bdae09d62782673e65b271ea46c
Instruction ID: 393cca50a8393ab48f2cf68cd7c3c023ae9d7fa009d9cc7827e62f35bec70105
Opcode Fuzzy Hash: 3e49d78a7aed12e8101a4e96e98a67fd8e473bdae09d62782673e65b271ea46c
Instruction Fuzzy Hash: 7F410A749403299EEB349F68CD4DBED7EBC9B04716F9441A9E608E31C0DB749A80CF51

Uniqueness

Uniqueness Score: -1.00%

Function 011ABC1F Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 88%

			E011ABC1F(void* __ecx, void* __edx, void* __fp0, WCHAR* _a4) {
				long _v8;
				void* _v12;
				struct HINSTANCE__* _v16;
				struct HRSRC__* _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HINSTANCE__* _t20;
				struct HRSRC__* _t21;
				void* _t28;
				void* _t29;
				void* _t30;
				void* _t33;
				void* _t34;
				struct HINSTANCE__* _t35;
				void* _t36;
				void* _t48;

				_t48 = __fp0;
				_t33 = __edx;
				_t36 = __ecx;
				if(__ecx == 0 ||  *(__ecx + 0x20) == 0 || IsWindow( *(__ecx + 0x20)) == 0 || _a4 == 0) {
					L13:
					return 0;
				} else {
					_t29 = 0;
					_v8 = 0;
					_v12 = 0;
					_t34 = 0;
					_t20 =  *(E011B72B6(_t36) + 0xc);
					_v16 = _t20;
					_t21 = FindResourceW(_t20, _a4, L"AFX_DIALOG_LAYOUT"); // executed
					_v20 = _t21;
					if(_t21 == 0) {
						L7:
						_push(_v8);
						_push(_t29);
						_push(_t36);
						_t30 = E011C025F(_t33, _t48);
						if(_v12 != 0 && _t34 != 0) {
							FreeResource(_t34);
						}
						if(_t30 != 0) {
							E011AB9BE(_t30, _t36, _t34, _t36);
						}
						return _t30;
					}
					_t35 = _v16;
					_v8 = SizeofResource(_t35, _t21);
					_t34 = LoadResource(_t35, _v20);
					if(_t34 == 0) {
						goto L13;
					}
					_t28 = LockResource(_t34);
					_t29 = _t28;
					_v12 = _t28;
					goto L7;
				}
			}

0x011abc1f
0x011abc1f
0x011abc27
0x011abc2c
0x011abcdd
0x00000000
0x011abc57
0x011abc59
0x011abc5b
0x011abc5e
0x011abc61
0x011abc70
0x011abc74
0x011abc77
0x011abc7d
0x011abc82
0x011abcae
0x011abcae
0x011abcb1
0x011abcb2
0x011abcbb
0x011abcc1
0x011abcc8
0x011abcc8
0x011abcd0
0x011abcd4
0x011abcd4
0x00000000
0x011abcd9
0x011abc84
0x011abc92
0x011abc9c
0x011abca0
0x00000000
0x00000000
0x011abca3
0x011abca9
0x011abcab
0x00000000
0x011abcab

APIs

IsWindow.USER32(00000000), ref: 011ABC3F
FindResourceW.KERNELBASE(?,00000000,AFX_DIALOG_LAYOUT,?,?,?,?,?), ref: 011ABC77
SizeofResource.KERNEL32(?,00000000,?,?,?,?,?), ref: 011ABC89
LoadResource.KERNEL32(?,?,?,?,?,?,?), ref: 011ABC96
LockResource.KERNEL32(00000000,?,?,?,?,?), ref: 011ABCA3
FreeResource.KERNEL32(00000000,?,?,?,?,?), ref: 011ABCC8

Strings

AFX_DIALOG_LAYOUT, xrefs: 011ABC68

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: Resource$FindFreeLoadLockSizeofWindow
String ID: AFX_DIALOG_LAYOUT
API String ID: 4180966417-2436846380
Opcode ID: 39d7aa7ff33f906a389238cd2669230ad6d240aa4318cdd08c20d16de1cc708f
Instruction ID: b78f01e571c45d703c354fa5be413f48e5b3d80308f22adeb6a922d5c3635a8c
Opcode Fuzzy Hash: 39d7aa7ff33f906a389238cd2669230ad6d240aa4318cdd08c20d16de1cc708f
Instruction Fuzzy Hash: 0721C339A00245AFEB25AFB89849F7E7FB8AB48601F44403DE904D2204EB318914CB54

Uniqueness

Uniqueness Score: -1.00%

Function 011B6D9F Relevance: 10.6, APIs: 7, Instructions: 119
windowthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E011B6D9F(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, int _a4, WCHAR* _a8, int _a12, intOrPtr _a16) {
				signed int _v8;
				short _v14;
				short _v532;
				int _v536;
				struct HWND__* _v540;
				long _v544;
				WCHAR* _v548;
				signed int _t30;
				WCHAR* _t42;
				signed int _t51;
				intOrPtr _t54;
				long _t57;
				int _t61;
				intOrPtr _t64;
				struct HWND__* _t69;
				long _t72;
				signed int _t73;

				_t30 =  *0x139eff4; // 0xdde28b47
				_v8 = _t30 ^ _t73;
				_v536 = _a4;
				_v548 = _a8;
				E011B6C86(__ecx, 0);
				_t69 = E011B6D03(0,  &_v540);
				if(_t69 != _v540) {
					EnableWindow(_t69, 1);
				}
				_v544 = 0;
				_t72 = 0;
				GetWindowThreadProcessId(_t69,  &_v544);
				if(_t69 == 0 || _v544 != GetCurrentProcessId()) {
					L6:
					_t64 = _v536;
					if(_t64 != 0) {
						_t72 = _t64 + 0x7c;
					}
					goto L8;
				} else {
					_t57 = SendMessageW(_t69, 0x376, 0, 0);
					if(_t57 == 0) {
						goto L6;
					} else {
						_t64 = _v536;
						_t72 = _t57;
						L8:
						_v536 = 0;
						if(_t72 != 0) {
							_v536 =  *_t72;
							_t54 = _a16;
							if(_t54 != 0) {
								 *_t72 = _t54 + 0x30000;
							}
						}
						_t61 = _a12;
						if((_t61 & 0x000000f0) == 0) {
							_t51 = _t61 & 0x0000000f;
							if(_t51 <= 1) {
								_t61 = _t61 | 0x00000030;
							} else {
								if(_t51 + 0xfffffffd <= 1) {
									_t61 = _t61 | 0x00000020;
								}
							}
						}
						_v532 = 0;
						if(_t64 == 0) {
							if(GetModuleFileNameW(0,  &_v532, 0x104) == 0x104) {
								_v14 = 0;
							}
							_t42 =  &_v532;
						} else {
							_t42 =  *(_t64 + 0x50);
						}
						MessageBoxW(_t69, _v548, _t42, _t61); // executed
						if(_t72 != 0) {
							 *_t72 = _v536;
						}
						if(_v540 != 0) {
							EnableWindow(_v540, 1);
						}
						E011B6C86(_t64, 1);
						return E012E980C(_v8 ^ _t73);
					}
				}
			}

0x011b6da8
0x011b6daf
0x011b6db8
0x011b6dc4
0x011b6dca
0x011b6ddd
0x011b6de5
0x011b6dea
0x011b6dea
0x011b6df6
0x011b6dfe
0x011b6e00
0x011b6e08
0x011b6e34
0x011b6e34
0x011b6e3c
0x011b6e3e
0x011b6e3e
0x00000000
0x011b6e18
0x011b6e20
0x011b6e28
0x00000000
0x011b6e2a
0x011b6e2a
0x011b6e30
0x011b6e41
0x011b6e41
0x011b6e49
0x011b6e4d
0x011b6e53
0x011b6e58
0x011b6e5f
0x011b6e5f
0x011b6e58
0x011b6e61
0x011b6e67
0x011b6e6b
0x011b6e71
0x011b6e80
0x011b6e73
0x011b6e79
0x011b6e7b
0x011b6e7b
0x011b6e79
0x011b6e71
0x011b6e85
0x011b6e8e
0x011b6eae
0x011b6eb2
0x011b6eb2
0x011b6eb6
0x011b6e90
0x011b6e90
0x011b6e90
0x011b6ec5
0x011b6ecf
0x011b6ed7
0x011b6ed7
0x011b6ee0
0x011b6eea
0x011b6eea
0x011b6ef2
0x011b6f0a
0x011b6f0a
0x011b6e28

APIs

Part of subcall function 011B6D03: GetParent.USER32(?), ref: 011B6D51
Part of subcall function 011B6D03: GetLastActivePopup.USER32(?), ref: 011B6D64
Part of subcall function 011B6D03: IsWindowEnabled.USER32(?), ref: 011B6D78
Part of subcall function 011B6D03: EnableWindow.USER32(?,00000000), ref: 011B6D8B

EnableWindow.USER32(?,00000001), ref: 011B6DEA
GetWindowThreadProcessId.USER32(?,?), ref: 011B6E00
GetCurrentProcessId.KERNEL32 ref: 011B6E0A
SendMessageW.USER32(?,00000376,00000000,00000000), ref: 011B6E20
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 011B6EA3
MessageBoxW.USER32(?,?,?,011B2CB8), ref: 011B6EC5
EnableWindow.USER32(00000000,00000001), ref: 011B6EEA

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: Window$Enable$MessageProcess$ActiveCurrentEnabledFileLastModuleNameParentPopupSendThread
String ID:
API String ID: 1924968399-0
Opcode ID: 8564abc80ac271769f6164502a0bce18bfe6d39485ecdcdd97d6fbe12f89d7d4
Instruction ID: 14b2b281d31635be108cba0a6a3e5f355b20eef8e57dd893bdc1bbcec1c33254
Opcode Fuzzy Hash: 8564abc80ac271769f6164502a0bce18bfe6d39485ecdcdd97d6fbe12f89d7d4
Instruction Fuzzy Hash: 6E415071A412299BDB35DF68DCC9BE9B7B8EF24710F1405ADE509E7280DB709D80CB61

Uniqueness

Uniqueness Score: -1.00%

Function 011A9A65 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 78
libraryloaderthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E011A9A65(void* __ebx, void* __edx, intOrPtr __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v0;
				short* _v24;
				short* _v28;
				void* __ebp;
				struct HHOOK__* _t23;
				void* _t36;
				struct HINSTANCE__* _t37;
				_Unknown_base(*)()* _t38;
				void* _t41;
				void* _t45;
				struct HHOOK__* _t49;
				void* _t50;
				void* _t51;
				void* _t57;
				void* _t58;
				void* _t63;

				_t46 = __edi;
				_t45 = __edx;
				_t41 = __ebx;
				_t57 = _t63;
				_push(__esi);
				_push(__edi);
				_push(0x11aad96);
				_t23 = E011BEDFB(0x13a89b4);
				_t49 = _t23;
				if(_t49 == 0) {
					E011B1E69(0x13a89b4);
					goto L7;
				} else {
					_t46 = _a4;
					if( *((intOrPtr*)(_t49 + 0x14)) == _t46) {
						L5:
						return _t23;
					} else {
						if( *(_t49 + 0x28) != 0) {
							L4:
							 *((intOrPtr*)(_t49 + 0x14)) = _t46;
							goto L5;
						} else {
							_t23 = SetWindowsHookExW(5, 0x11ae70e, 0, GetCurrentThreadId()); // executed
							 *(_t49 + 0x28) = _t23;
							if(_t23 == 0) {
								L7:
								E011B1E83(0x13a89b4);
								asm("int3");
								_push(_t57);
								_t58 = _t63;
								_push(_t49);
								E011C1532(_t41, 0x13a89b4, _t45, _t46, _t49, 0xc);
								_push(0x11aad81);
								_t50 = E011BEDA5(0x13a88d4, _t49);
								if(_t50 == 0) {
									E011B1E69(0x13a88d4);
									asm("int3");
									_push(_t50);
									_t51 = E011B72B6(_t50);
									if(_t51 == 0) {
										E011B1E69(0x13a88d4);
										asm("int3");
										_push(_t58);
										return E011C08B3(0x132ffb4, 1, _v28, 0xffffffff, _v24, 0xffffffff) - 2;
									} else {
										if( *((intOrPtr*)(_t51 + 0x7c)) == 0) {
											 *((intOrPtr*)(_t51 + 0x78)) = E011C0EB1();
											 *((intOrPtr*)(_t51 + 0x7c)) = 1;
										}
										return  *((intOrPtr*)(_t51 + 0x78));
									}
								} else {
									if( *(_t50 + 8) != 0) {
										L13:
										E011C15A6(_t41, 0x13a88d4, _t45);
										L012EA066();
										_t36 =  *( *(_t50 + 8))(_v0, _a4, _a8, _a12, 0xc);
									} else {
										_t37 = E011AA714(_t45, _t46, _t50, L"hhctrl.ocx");
										 *(_t50 + 4) = _t37;
										_pop(0x13a88d4);
										if(_t37 != 0) {
											_t38 = GetProcAddress(_t37, "HtmlHelpW");
											 *(_t50 + 8) = _t38;
											if(_t38 != 0) {
												goto L13;
											} else {
												FreeLibrary( *(_t50 + 4));
												 *(_t50 + 4) =  *(_t50 + 4) & 0x00000000;
												goto L10;
											}
										} else {
											L10:
											_t36 = 0;
										}
									}
									return _t36;
								}
							} else {
								goto L4;
							}
						}
					}
				}
			}

0x011a9a65
0x011a9a65
0x011a9a65
0x011a9a66
0x011a9a68
0x011a9a69
0x011a9a6a
0x011a9a74
0x011a9a79
0x011a9a7d
0x011a9ab3
0x00000000
0x011a9a7f
0x011a9a7f
0x011a9a85
0x011a9aad
0x011a9ab0
0x011a9a87
0x011a9a8b
0x011a9aaa
0x011a9aaa
0x00000000
0x011a9a8d
0x011a9a9d
0x011a9aa3
0x011a9aa8
0x011a9ab8
0x011a9ab8
0x011a9abd
0x011a9abe
0x011a9abf
0x011a9ac1
0x011a9ac4
0x011a9ac9
0x011a9ad8
0x011a9adc
0x011a9b40
0x011a9b45
0x011a9b46
0x011a9b4c
0x011a9b50
0x011a9b6c
0x011a9b71
0x011a9b72
0x011a9b92
0x011a9b52
0x011a9b56
0x011a9b5d
0x011a9b60
0x011a9b60
0x011a9b6b
0x011a9b6b
0x011a9ade
0x011a9ae2
0x011a9b1c
0x011a9b1e
0x011a9b34
0x011a9b39
0x011a9ae4
0x011a9ae9
0x011a9aee
0x011a9af1
0x011a9af4
0x011a9b00
0x011a9b06
0x011a9b0b
0x00000000
0x011a9b0d
0x011a9b10
0x011a9b16
0x00000000
0x011a9b16
0x011a9af6
0x011a9af6
0x011a9af6
0x011a9af6
0x011a9af4
0x011a9b3d
0x011a9b3d
0x00000000
0x00000000
0x00000000
0x011a9aa8
0x011a9a8b
0x011a9a85

APIs

Part of subcall function 011BEDFB: __EH_prolog3.LIBCMT ref: 011BEE02

GetCurrentThreadId.KERNEL32 ref: 011A9A8D
SetWindowsHookExW.USER32(00000005,011AE70E,00000000,00000000), ref: 011A9A9D
GetProcAddress.KERNEL32(00000000,HtmlHelpW), ref: 011A9B00
FreeLibrary.KERNEL32(?,?,011AAD96,?,?,?,011A747E), ref: 011A9B10

Strings

hhctrl.ocx, xrefs: 011A9AE4
HtmlHelpW, xrefs: 011A9AFA

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: AddressCurrentFreeH_prolog3HookLibraryProcThreadWindows
String ID: HtmlHelpW$hhctrl.ocx
API String ID: 3379832378-3773518134
Opcode ID: 052f399b4950c1a83832e9ea4c6c5d3c6b03a31ca8e5542ba3599784f8514c05
Instruction ID: 9e27052d185a49c18e1758327ae998d2168fb2f884462ff0862a494e3d8d3db3
Opcode Fuzzy Hash: 052f399b4950c1a83832e9ea4c6c5d3c6b03a31ca8e5542ba3599784f8514c05
Instruction Fuzzy Hash: 29216B3960071AAFDB397FA9D814F5B7F98EF50B29F80442DFA0692544CB70D480C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 011C0EB1 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 29
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E011C0EB1() {
				_Unknown_base(*)()* _t1;
				struct HINSTANCE__* _t4;
				_Unknown_base(*)()* _t5;
				_Unknown_base(*)()* _t7;

				_t1 =  *0x13a8ca8; // 0x9088bf89
				if(_t1 != 0) {
					__imp__DecodePointer(_t1);
					_t7 = _t1;
					goto L4;
				} else {
					_t4 = GetModuleHandleW(L"shell32.dll");
					if(_t4 == 0) {
						L6:
						return 0;
					} else {
						_t5 = GetProcAddress(_t4, "InitNetworkAddressControl");
						_t7 = _t5;
						__imp__EncodePointer(_t7); // executed
						 *0x13a8ca8 = _t5;
						L4:
						if(_t7 == 0) {
							goto L6;
						} else {
							L012EA066();
							return  *_t7();
						}
					}
				}
			}

0x011c0eb1
0x011c0eb9
0x011c0ee7
0x011c0eed
0x00000000
0x011c0ebb
0x011c0ec0
0x011c0ec8
0x011c0efe
0x011c0f01
0x011c0eca
0x011c0ed0
0x011c0ed6
0x011c0ed9
0x011c0edf
0x011c0eef
0x011c0ef1
0x00000000
0x011c0ef3
0x011c0ef5
0x011c0efd
0x011c0efd
0x011c0ef1
0x011c0ec8

APIs

GetModuleHandleW.KERNEL32(shell32.dll,00000000,011A9B5D,?,?,?,011A73AB,000FC000,00000010,00000040,011A75AB,?,?,?,?), ref: 011C0EC0
GetProcAddress.KERNEL32(00000000,InitNetworkAddressControl), ref: 011C0ED0
RtlEncodePointer.NTDLL(00000000,?,?,?,011A73AB,000FC000,00000010,00000040,011A75AB,?,?,?,?,?,011A757D,00000000), ref: 011C0ED9
DecodePointer.KERNEL32(9088BF89,00000000,011A9B5D,?,?,?,011A73AB,000FC000,00000010,00000040,011A75AB,?,?,?,?), ref: 011C0EE7

Strings

shell32.dll, xrefs: 011C0EBB
InitNetworkAddressControl, xrefs: 011C0ECA

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: InitNetworkAddressControl$shell32.dll
API String ID: 2061474489-1950653938
Opcode ID: 3e6ce4b34ba78134abe6c20aba73aa90d26bc4513d3d0a057225154b5a11cf15
Instruction ID: 39850528252b820daf93a1c0d20a28efa115e96a6938cf0f4377d4231c1054b2
Opcode Fuzzy Hash: 3e6ce4b34ba78134abe6c20aba73aa90d26bc4513d3d0a057225154b5a11cf15
Instruction Fuzzy Hash: 86E06D35A41232AFDB346F79B8095AE6B9C9A58A92705006CF902E230CDB349C818FA5

Uniqueness

Uniqueness Score: -1.00%

Function 011A735D Relevance: 7.7, APIs: 5, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 65%

			E011A735D(intOrPtr* __ecx, void* __edx) {
				void* _t63;
				signed int _t68;
				signed int _t69;
				signed int _t75;
				signed int _t77;
				struct HWND__* _t78;
				signed int _t80;
				void* _t102;
				void* _t124;
				intOrPtr* _t125;
				void* _t126;
				signed int _t127;
				struct HWND__* _t128;
				void* _t134;

				_t124 = __edx;
				_t103 = __ecx;
				_push(0x40);
				E012EA10E();
				_t125 = __ecx;
				 *((intOrPtr*)(_t134 - 0x24)) = __ecx;
				if( *((intOrPtr*)(_t134 + 0x10)) == 0) {
					 *((intOrPtr*)(_t134 + 0x10)) =  *((intOrPtr*)(E011B72B6(_t126) + 0xc));
				}
				_t63 = E011B72B6(_t126);
				_t102 = 0;
				 *(_t134 - 0x2c) =  *(_t134 - 0x2c) & 0;
				 *(_t134 - 4) =  *(_t134 - 4) & 0;
				_t127 =  *(_t63 + 0x3c);
				 *(_t134 - 0x18) = _t127;
				 *(_t134 - 0x28) = 0;
				E011A96EF(_t103, 0x10); // executed
				E011A96EF(_t103, 0xfc000);
				E011A9B46(_t127);
				E011BCF08();
				if(_t127 == 0) {
					_t68 =  *(_t134 + 8);
					L7:
					 *(_t134 - 0x14) = _t68;
					__eflags = _t68;
					if(_t68 == 0) {
						L4:
						_t69 = 0;
						L25:
						E012EA06C();
						return _t69;
					}
					E01143CD0(_t134 - 0x20, E011B2411());
					 *(_t134 - 4) = 1;
					 *((short*)(_t134 - 0x1c)) = 0;
					_t75 = E011BD187(__eflags,  *(_t134 - 0x14), _t134 - 0x20, _t134 - 0x1c);
					__eflags = _t75;
					if(_t75 == 0) {
						E011BD138(_t134 - 0x3c, _t127,  *(_t134 - 0x14));
						 *(_t134 - 4) = 2;
						E011BD482(_t102, _t134 - 0x3c, _t125, _t127,  *((intOrPtr*)(_t134 - 0x1c)));
						_t102 = E011BD181(_t134 - 0x3c);
						 *(_t134 - 4) = 1;
						 *(_t134 - 0x28) = _t102;
						E011BD173(_t134 - 0x3c);
						__eflags = _t102;
						if(_t102 != 0) {
							 *(_t134 - 0x14) = GlobalLock(_t102);
						}
					}
					 *(_t125 + 0x68) =  *(_t125 + 0x68) | 0xffffffff;
					 *(_t125 + 0x60) =  *(_t125 + 0x60) | 0x00000010;
					_push(_t125);
					E011A9A65(_t102, _t124, _t125, _t127);
					_t77 =  *(_t134 + 0xc);
					__eflags = _t77;
					if(_t77 != 0) {
						_t77 =  *(_t77 + 0x20);
					}
					_push(0);
					_push(0x11a713f);
					_push(_t77);
					_push( *(_t134 - 0x14));
					_push( *((intOrPtr*)(_t134 + 0x10)));
					_t78 = E011A7D35(); // executed
					 *(_t134 - 0x14) = _t78;
					E01144240( *((intOrPtr*)(_t134 - 0x20)) + 0xfffffff0);
					 *(_t134 - 4) =  *(_t134 - 4) | 0xffffffff;
					__eflags = _t127;
					if(_t127 != 0) {
						L012EA066();
						 *((intOrPtr*)( *((intOrPtr*)( *_t127 + 0x18))))(_t134 - 0x4c);
						__eflags =  *(_t134 - 0x14);
						if( *(_t134 - 0x14) != 0) {
							L012EA066();
							 *((intOrPtr*)( *((intOrPtr*)( *_t125 + 0x15c))))(0);
						}
					}
					_t80 = E011A9DD3(_t124);
					__eflags = _t80;
					if(_t80 == 0) {
						L012EA066();
						 *((intOrPtr*)( *((intOrPtr*)( *_t125 + 0x120))))();
					}
					_t128 =  *(_t134 - 0x14);
					__eflags = _t128;
					if(_t128 != 0) {
						__eflags =  *(_t125 + 0x60) & 0x00000010;
						if(( *(_t125 + 0x60) & 0x00000010) == 0) {
							DestroyWindow(_t128);
							_t128 = 0;
							__eflags = 0;
						}
					}
					__eflags = _t102;
					if(_t102 != 0) {
						GlobalUnlock(_t102);
						GlobalFree(_t102);
					}
					__eflags = _t128;
					_t61 = _t128 != 0;
					__eflags = _t61;
					_t69 = 0 | _t61;
					goto L25;
				}
				_push(_t134 - 0x4c);
				L012EA066();
				if( *((intOrPtr*)( *((intOrPtr*)( *_t125 + 0x15c))))() != 0) {
					L012EA066();
					_t68 =  *((intOrPtr*)( *((intOrPtr*)( *( *(_t134 - 0x18)) + 0x14))))(_t134 - 0x4c,  *(_t134 + 8));
					_t127 =  *(_t134 - 0x18);
					goto L7;
				}
				goto L4;
			}

0x011a735d
0x011a735d
0x011a735d
0x011a7364
0x011a7369
0x011a736b
0x011a7372
0x011a737c
0x011a737c
0x011a737f
0x011a7384
0x011a7386
0x011a7389
0x011a738c
0x011a7391
0x011a7394
0x011a7397
0x011a73a1
0x011a73a6
0x011a73ab
0x011a73b2
0x011a73f6
0x011a73f9
0x011a73f9
0x011a73fc
0x011a73fe
0x011a73cf
0x011a73cf
0x011a7556
0x011a7556
0x011a755b
0x011a755b
0x011a7409
0x011a7410
0x011a7414
0x011a7423
0x011a742b
0x011a742d
0x011a7435
0x011a7440
0x011a7444
0x011a7451
0x011a7453
0x011a745a
0x011a745d
0x011a7462
0x011a7464
0x011a746d
0x011a746d
0x011a7464
0x011a7470
0x011a7474
0x011a7478
0x011a7479
0x011a747e
0x011a7481
0x011a7483
0x011a7485
0x011a7485
0x011a7488
0x011a748a
0x011a748f
0x011a7490
0x011a7493
0x011a7496
0x011a74a1
0x011a74a4
0x011a74d3
0x011a74d7
0x011a74d9
0x011a74e6
0x011a74ee
0x011a74f0
0x011a74f4
0x011a7502
0x011a7509
0x011a7509
0x011a74f4
0x011a750b
0x011a7510
0x011a7512
0x011a751e
0x011a7525
0x011a7525
0x011a7527
0x011a752a
0x011a752c
0x011a752e
0x011a7532
0x011a7535
0x011a753b
0x011a753b
0x011a753b
0x011a7532
0x011a753d
0x011a753f
0x011a7542
0x011a7549
0x011a7549
0x011a7551
0x011a7553
0x011a7553
0x011a7553
0x00000000
0x011a7553
0x011a73b9
0x011a73c2
0x011a73cd
0x011a73e7
0x011a73ef
0x011a73f1
0x00000000
0x011a73f1
0x00000000

APIs

__EH_prolog3_catch.LIBCMT ref: 011A7364
GlobalLock.KERNEL32 ref: 011A7467
DestroyWindow.USER32(?,?,?,?,011A713F,00000000), ref: 011A7535
GlobalUnlock.KERNEL32(00000000,?,?,?,011A713F,00000000), ref: 011A7542
GlobalFree.KERNEL32 ref: 011A7549

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: Global$DestroyFreeH_prolog3_catchLockUnlockWindow
String ID:
API String ID: 571947920-0
Opcode ID: 00300cc7de73d7bf8ba02e936db6c0b5d782ef76ea45ed4932617574c908f7cd
Instruction ID: af7bf59a55e9b5bfac4221a85bef9c3e6ca5a4adcd0c6c5c3b2a688f2738e103
Opcode Fuzzy Hash: 00300cc7de73d7bf8ba02e936db6c0b5d782ef76ea45ed4932617574c908f7cd
Instruction Fuzzy Hash: 1C519175E0021A9BCF0DEFA8C980AFEBFB4AF14718F454059E911A72D1DB359A01CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 011E6020 Relevance: 6.1, APIs: 4, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 57%

			E011E6020(void* __ebx, intOrPtr* __ecx, signed int __edx, void* __edi, void* __esi, signed int __fp0) {
				signed int _v8;
				struct _OSVERSIONINFOEXW _v292;
				void* __ebp;
				signed int _t11;
				longlong _t15;
				signed int _t30;
				intOrPtr* _t36;
				signed int _t37;

				_t30 = __edx;
				_t11 =  *0x139eff4; // 0xdde28b47
				_v8 = _t11 ^ _t37;
				_t36 = __ecx;
				if( *__ecx == 0) {
					_v292.dwOSVersionInfoSize = 0x11c;
					_v292.dwMajorVersion = 6;
					_v292.dwMinorVersion = 1;
					_t15 = E012EE6E0(1,  &(_v292.dwBuildNumber), 0, 0x110);
					__imp__VerSetConditionMask(0, 0, 2, 3, 1, 3, __edi);
					__imp__VerSetConditionMask(_t15, _t30);
					_push(_t30);
					 *((intOrPtr*)(_t36 + 0x17c)) = VerifyVersionInfoW( &_v292, 3, _t15);
					 *((intOrPtr*)(_t36 + 0x180)) = GetSystemMetrics(0x1000);
					E011E69AD(_t36, _t30); // executed
					E011E6474(_t36, _t30, __fp0); // executed
					E011E6107(_t36);
					 *((intOrPtr*)(_t36 + 0x19c)) = 1;
				}
				return E012E980C(_v8 ^ _t37);
			}

0x011e6020
0x011e6029
0x011e6030
0x011e6035
0x011e603b
0x011e6049
0x011e6059
0x011e6066
0x011e606c
0x011e607d
0x011e6085
0x011e608b
0x011e60a1
0x011e60af
0x011e60b5
0x011e60bc
0x011e60c3
0x011e60c8
0x011e60ce
0x011e60de

APIs

VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000000,013A9220), ref: 011E607D
VerSetConditionMask.KERNEL32(00000000), ref: 011E6085
VerifyVersionInfoW.KERNEL32(0000011C,00000003,00000000), ref: 011E6096
GetSystemMetrics.USER32 ref: 011E60A7

Part of subcall function 011E69AD: __EH_prolog3.LIBCMT ref: 011E69B4
Part of subcall function 011E69AD: GetSysColor.USER32(00000016), ref: 011E69BD
Part of subcall function 011E69AD: GetSysColor.USER32(0000000F), ref: 011E69D0
Part of subcall function 011E69AD: GetSysColor.USER32(00000015), ref: 011E69E7
Part of subcall function 011E69AD: GetSysColor.USER32(0000000F), ref: 011E69F3
Part of subcall function 011E69AD: GetDeviceCaps.GDI32(?,0000000C), ref: 011E6A1B
Part of subcall function 011E69AD: GetSysColor.USER32(0000000F), ref: 011E6A29
Part of subcall function 011E69AD: GetSysColor.USER32(00000010), ref: 011E6A37
Part of subcall function 011E69AD: GetSysColor.USER32(00000015), ref: 011E6A45
Part of subcall function 011E69AD: GetSysColor.USER32(00000016), ref: 011E6A53
Part of subcall function 011E69AD: GetSysColor.USER32(00000014), ref: 011E6A61
Part of subcall function 011E69AD: GetSysColor.USER32(00000012), ref: 011E6A6F
Part of subcall function 011E69AD: GetSysColor.USER32(00000011), ref: 011E6A7D
Part of subcall function 011E69AD: GetSysColor.USER32(00000006), ref: 011E6A88
Part of subcall function 011E69AD: GetSysColor.USER32(0000000D), ref: 011E6A93
Part of subcall function 011E69AD: GetSysColor.USER32(0000000E), ref: 011E6A9E
Part of subcall function 011E69AD: GetSysColor.USER32(00000005), ref: 011E6AA9
Part of subcall function 011E69AD: GetSysColor.USER32(00000008), ref: 011E6AB7
Part of subcall function 011E69AD: GetSysColor.USER32(00000009), ref: 011E6AC2
Part of subcall function 011E69AD: GetSysColor.USER32(00000007), ref: 011E6ACD
Part of subcall function 011E69AD: GetSysColor.USER32(00000002), ref: 011E6AD8
Part of subcall function 011E69AD: GetSysColor.USER32(00000003), ref: 011E6AE3
Part of subcall function 011E69AD: GetSysColor.USER32(0000001B), ref: 011E6AF1
Part of subcall function 011E69AD: GetSysColor.USER32(0000001C), ref: 011E6AFF
Part of subcall function 011E69AD: GetSysColor.USER32(0000000A), ref: 011E6B0D

Part of subcall function 011E6474: __EH_prolog3_GS.LIBCMT ref: 011E647E
Part of subcall function 011E6474: GetDeviceCaps.GDI32(?,00000058), ref: 011E649E
Part of subcall function 011E6474: DeleteObject.GDI32(00000000), ref: 011E6508
Part of subcall function 011E6474: DeleteObject.GDI32(00000000), ref: 011E6526
Part of subcall function 011E6474: DeleteObject.GDI32(00000000), ref: 011E6544
Part of subcall function 011E6474: DeleteObject.GDI32(00000000), ref: 011E6562
Part of subcall function 011E6474: DeleteObject.GDI32(00000000), ref: 011E6580
Part of subcall function 011E6474: DeleteObject.GDI32(00000000), ref: 011E659E
Part of subcall function 011E6474: DeleteObject.GDI32(00000000), ref: 011E65BC

Part of subcall function 011E6107: GetSystemMetrics.USER32 ref: 011E6115
Part of subcall function 011E6107: GetSystemMetrics.USER32 ref: 011E6123
Part of subcall function 011E6107: SetRectEmpty.USER32(013A938C), ref: 011E6136
Part of subcall function 011E6107: EnumDisplayMonitors.USER32(00000000,00000000,011E5F9B,013A938C), ref: 011E6146
Part of subcall function 011E6107: SystemParametersInfoW.USER32(00000030,00000000,013A938C,00000000), ref: 011E6155
Part of subcall function 011E6107: SystemParametersInfoW.USER32(00001002,00000000,013A93B0,00000000), ref: 011E6182
Part of subcall function 011E6107: SystemParametersInfoW.USER32(00001012,00000000,013A93B4,00000000), ref: 011E6196
Part of subcall function 011E6107: SystemParametersInfoW.USER32(0000100A,00000000,013A93C4,00000000), ref: 011E61BC

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: Color$DeleteObjectSystem$Info$Parameters$Metrics$CapsConditionDeviceMask$DisplayEmptyEnumH_prolog3H_prolog3_MonitorsRectVerifyVersion
String ID:
API String ID: 551326122-0
Opcode ID: 5c60098ed7ebcd02dba1ab02dfcaa2ab5abddd47564664bc304063844dda3a70
Instruction ID: b299d5bfcae302f69be46955d88f63fcc60aab9a3ead94a76e2843ba6c84bd8d
Opcode Fuzzy Hash: 5c60098ed7ebcd02dba1ab02dfcaa2ab5abddd47564664bc304063844dda3a70
Instruction Fuzzy Hash: 541194B0A00318AFEB35AF759C4AFEA7BFCDB99704F40056DE14696181CB744A44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 011BEC0F Relevance: 5.1, APIs: 4, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 72%

			E011BEC0F(long* __ecx, intOrPtr* _a4, intOrPtr _a8) {
				intOrPtr _v8;
				long* _v12;
				signed int _v16;
				signed int _t40;
				intOrPtr _t42;
				signed int _t48;
				long* _t50;
				intOrPtr _t56;
				intOrPtr* _t57;
				struct _CRITICAL_SECTION* _t58;

				_t50 = __ecx;
				_t57 = _a4;
				_v12 = __ecx;
				_t48 = 1;
				_v8 = 1;
				if( *((intOrPtr*)(_t57 + 8)) <= 1) {
					L12:
					_t58 =  &(_t50[7]);
					EnterCriticalSection(_t58);
					_t30 =  &(_v12[5]); // 0x14
					E011BEF0B(_t30, _t57);
					LeaveCriticalSection(_t58);
					LocalFree( *(_t57 + 0xc));
					L012EA066();
					 *((intOrPtr*)( *((intOrPtr*)( *_t57))))(1);
					return TlsSetValue( *_v12, 0);
				}
				_t56 = _a8;
				do {
					if(_t56 == 0 ||  *((intOrPtr*)(_t50[4] + 4 + _t48 * 8)) == _t56) {
						_t40 =  *( *(_t57 + 0xc) + _t48 * 4);
						_v16 = _t40;
						if(_t40 != 0) {
							L012EA066();
							 *((intOrPtr*)( *((intOrPtr*)( *_t40))))(1); // executed
							_t50 = _v12;
							_t56 = _a8;
						}
						 *( *(_t57 + 0xc) + _t48 * 4) =  *( *(_t57 + 0xc) + _t48 * 4) & 0x00000000;
						goto L9;
					} else {
						if( *( *(_t57 + 0xc) + _t48 * 4) == 0) {
							L9:
							_t42 = _v8;
						} else {
							_t42 = 0;
							_v8 = 0;
						}
					}
					_t48 = _t48 + 1;
				} while (_t48 <  *((intOrPtr*)(_t57 + 8)));
				if(_t42 != 0) {
					goto L12;
				}
				return _t42;
			}

0x011bec0f
0x011bec18
0x011bec1f
0x011bec23
0x011bec24
0x011bec2a
0x011bec85
0x011bec85
0x011bec89
0x011bec93
0x011bec96
0x011bec9c
0x011beca5
0x011becb3
0x011becba
0x00000000
0x011becc0
0x011bec2c
0x011bec2f
0x011bec31
0x011bec4f
0x011bec52
0x011bec57
0x011bec61
0x011bec69
0x011bec6b
0x011bec6e
0x011bec6e
0x011bec74
0x00000000
0x011bec3c
0x011bec43
0x011bec78
0x011bec78
0x011bec45
0x011bec45
0x011bec47
0x011bec47
0x011bec43
0x011bec7b
0x011bec7c
0x011bec83
0x00000000
0x00000000
0x011beccc

APIs

EnterCriticalSection.KERNEL32(?,00000000,0000001C,00000001), ref: 011BEC89
LeaveCriticalSection.KERNEL32(?,00000000), ref: 011BEC9C
LocalFree.KERNEL32(?), ref: 011BECA5
TlsSetValue.KERNEL32(00000000,00000000), ref: 011BECC0

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: CriticalSection$EnterFreeLeaveLocalValue
String ID:
API String ID: 2949335588-0
Opcode ID: fca6c20979389df46170085cbae3899916c75e2b8a380d70afe9ecb577a43838
Instruction ID: 6ca22ac15edd21c7daa180e253650f01bd72729fd5e3301a350f88c000a6f733
Opcode Fuzzy Hash: fca6c20979389df46170085cbae3899916c75e2b8a380d70afe9ecb577a43838
Instruction Fuzzy Hash: 27215E35A01119EFDB28DF58C8C4AE9BBB5FF49311F108169EA159B261DB31E911CF90

Uniqueness

Uniqueness Score: -1.00%

Function 011B266A Relevance: 4.6, APIs: 3, Instructions: 102
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E011B266A(int __ecx) {
				signed short _t35;
				signed short _t36;
				long _t39;
				long _t44;
				int _t48;
				int _t49;
				int _t51;
				signed short _t56;
				signed int _t58;
				signed short* _t59;
				long _t60;
				void* _t61;

				_t52 = __ecx;
				_push(0x1c);
				E012EA0A3();
				_t51 = __ecx;
				_t59 =  *(_t61 + 8);
				_t58 = 1;
				if(_t59 == 0) {
					L8:
					E011ADF1B(_t52, _t56,  *(_t51 + 0x20), 0x364, 0, 0, 0, 0);
					goto L9;
				} else {
					 *(_t61 - 0x1c) = 0x180;
					 *(_t61 - 0x20) = 0x143;
					 *(_t61 - 0x24) = 0x37c;
					while(1) {
						_t35 =  *_t59 & 0x0000ffff;
						if(_t35 == 0) {
							break;
						}
						_t52 = _t59[2];
						_t56 = _t35;
						_t36 = _t59[1] & 0x0000ffff;
						_t60 =  &(_t59[4]);
						 *((intOrPtr*)(_t61 - 0x18)) = 0x401;
						 *(_t61 - 0x14) = _t56;
						 *(_t61 - 0x10) = _t52;
						if(_t36 !=  *((intOrPtr*)(_t61 - 0x18))) {
							 *((intOrPtr*)(_t61 - 0x18)) = 0x403;
							__eflags = _t36 -  *((intOrPtr*)(_t61 - 0x18));
							if(_t36 ==  *((intOrPtr*)(_t61 - 0x18))) {
								_t36 = 0x143;
							}
							__eflags = _t36 -  *(_t61 - 0x1c);
							if(_t36 ==  *(_t61 - 0x1c)) {
								L5:
								_t39 = SendDlgItemMessageA( *(_t51 + 0x20), _t56 & 0x0000ffff, _t36 & 0x0000ffff, 0, _t60); // executed
								asm("sbb eax, eax");
								_t58 = _t58 &  ~(_t39 + 1);
								goto L6;
							} else {
								__eflags = _t36 -  *(_t61 - 0x20);
								if(_t36 ==  *(_t61 - 0x20)) {
									goto L5;
								}
								__eflags = _t36 -  *(_t61 - 0x24);
								if(_t36 ==  *(_t61 - 0x24)) {
									__eflags =  *(_t51 + 0x78);
									if(__eflags == 0) {
										_t48 = E011A6FE4(__eflags, 0x38);
										 *(_t61 - 0x28) = _t48;
										 *(_t61 - 4) =  *(_t61 - 4) & 0x00000000;
										__eflags = _t48;
										if(__eflags == 0) {
											_t49 = 0;
											__eflags = 0;
										} else {
											_push(_t51);
											_t49 = E011C4A87(_t48, __eflags);
										}
										_t23 = _t61 - 4;
										 *_t23 =  *(_t61 - 4) | 0xffffffff;
										__eflags =  *_t23;
										 *(_t51 + 0x78) = _t49;
										E011BCFFE(_t51, _t49, _t56, _t58, _t60);
										_t52 =  *(_t61 - 0x10);
										_t56 =  *(_t61 - 0x14);
									}
									_t44 = SendDlgItemMessageA( *(_t51 + 0x20), _t56 & 0x0000ffff, 0x37c, _t52, _t60);
									_t52 =  *(_t51 + 0x78);
									asm("sbb eax, eax");
									_t58 = _t58 &  ~(_t44 + 1);
									__eflags =  *(_t51 + 0x78);
									if(__eflags != 0) {
										_push(_t60);
										_push( *(_t61 - 0x10));
										_push( *(_t61 - 0x14));
										E011C505A(_t51, _t52, _t56, __eflags);
									}
								}
								L6:
								_t59 = _t60 +  *(_t61 - 0x10);
								if(_t58 != 0) {
									continue;
								}
								break;
							}
						}
						_t36 = 0x180;
						goto L5;
					}
					if(_t58 == 0) {
						L9:
						E012EA06C();
						return _t58;
					}
					goto L8;
				}
			}

0x011b266a
0x011b266a
0x011b2671
0x011b2676
0x011b2678
0x011b267d
0x011b2680
0x011b26e9
0x011b26f9
0x00000000
0x011b2682
0x011b2682
0x011b2689
0x011b2690
0x011b2697
0x011b2697
0x011b269d
0x00000000
0x00000000
0x011b269f
0x011b26a2
0x011b26a4
0x011b26a8
0x011b26ab
0x011b26b2
0x011b26b5
0x011b26bc
0x011b2708
0x011b270f
0x011b2713
0x011b2715
0x011b2715
0x011b271a
0x011b271e
0x011b26c3
0x011b26d1
0x011b26da
0x011b26dc
0x00000000
0x011b2720
0x011b2720
0x011b2724
0x00000000
0x00000000
0x011b2726
0x011b272a
0x011b272c
0x011b2730
0x011b2734
0x011b273a
0x011b273d
0x011b2741
0x011b2743
0x011b274f
0x011b274f
0x011b2745
0x011b2745
0x011b2748
0x011b2748
0x011b2751
0x011b2751
0x011b2751
0x011b2757
0x011b275a
0x011b275f
0x011b2762
0x011b2762
0x011b2774
0x011b277a
0x011b2780
0x011b2782
0x011b2784
0x011b2786
0x011b278c
0x011b278d
0x011b2790
0x011b2793
0x011b2793
0x011b2786
0x011b26de
0x011b26de
0x011b26e3
0x00000000
0x00000000
0x00000000
0x011b26e3
0x011b271e
0x011b26be
0x00000000
0x011b26be
0x011b26e7
0x011b26fe
0x011b2700
0x011b2705
0x011b2705
0x00000000
0x011b26e7

APIs

__EH_prolog3.LIBCMT ref: 011B2671
SendDlgItemMessageA.USER32(00000143,?,?,00000000,?), ref: 011B26D1
SendDlgItemMessageA.USER32(00000143,0000037C,0000037C,00000000,?), ref: 011B2774

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: ItemMessageSend$H_prolog3
String ID:
API String ID: 138487902-0
Opcode ID: a9ee66c91f04c9679f8191fded0b95f53a126efe8957b1d5b7753478290c428f
Instruction ID: 427d98ba6125fbf5c336f5d9e9580be40fbc41c322441748a29fc4e7a1e6fc9b
Opcode Fuzzy Hash: a9ee66c91f04c9679f8191fded0b95f53a126efe8957b1d5b7753478290c428f
Instruction Fuzzy Hash: BC31C3709102169BEF29AFA8CC81BFE7AB5EF44700F504018FD54BB194DB749986C764

Uniqueness

Uniqueness Score: -1.00%

Function 011BECCF Relevance: 3.8, APIs: 3, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E011BECCF(long* __ecx, intOrPtr _a4, intOrPtr _a8) {
				void* _t7;
				struct _CRITICAL_SECTION* _t9;
				long* _t13;
				void* _t15;

				_t13 = __ecx;
				_t1 =  &(_t13[7]); // 0x1c
				_t9 = _t1;
				EnterCriticalSection(_t9);
				if(_a8 != 0) {
					_t7 = _t13[5];
					if(_t7 == 0) {
						L7:
						LeaveCriticalSection(_t9);
						return _t7;
					}
					do {
						_t15 =  *(_t7 + 4);
						E011BEC0F(_t13, _t7, _a4); // executed
						_t7 = _t15;
					} while (_t15 != 0);
					goto L7;
				}
				_t7 = TlsGetValue( *_t13);
				if(_t7 != 0) {
					_t7 = E011BEC0F(_t13, _t7, _a4);
				}
				goto L7;
			}

0x011becd4
0x011becd6
0x011becd6
0x011becda
0x011bece4
0x011becff
0x011bed04
0x011bed1c
0x011bed1d
0x011bed26
0x011bed26
0x011bed07
0x011bed0a
0x011bed10
0x011bed15
0x011bed17
0x00000000
0x011bed1b
0x011bece8
0x011becf0
0x011becf8
0x011becf8
0x00000000

APIs

EnterCriticalSection.KERNEL32(0000001C,00000001,00000001,?,011B3268,00000001,00000000,000000FF,00000014,011B2F61,00000000,?,?,?,0114394F,00000001), ref: 011BECDA
TlsGetValue.KERNEL32(00000000,?,011B3268,00000001,00000000,000000FF,00000014,011B2F61,00000000), ref: 011BECE8

Part of subcall function 011BEC0F: EnterCriticalSection.KERNEL32(?,00000000,0000001C,00000001), ref: 011BEC89
Part of subcall function 011BEC0F: LeaveCriticalSection.KERNEL32(?,00000000), ref: 011BEC9C
Part of subcall function 011BEC0F: LocalFree.KERNEL32(?), ref: 011BECA5
Part of subcall function 011BEC0F: TlsSetValue.KERNEL32(00000000,00000000), ref: 011BECC0

LeaveCriticalSection.KERNEL32(0000001C,?,011B3268,00000001,00000000,000000FF,00000014,011B2F61,00000000), ref: 011BED1D

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: CriticalSection$EnterLeaveValue$FreeLocal
String ID:
API String ID: 2683480450-0
Opcode ID: f107dea5121fd976dde292002bf54ea7b2e9d5a209e70758da1e0963ccd4d7de
Instruction ID: e2d36e3cbf95b1b0afe89d36189f28124435576af2ac6a9fe2bae3595cf39366
Opcode Fuzzy Hash: f107dea5121fd976dde292002bf54ea7b2e9d5a209e70758da1e0963ccd4d7de
Instruction Fuzzy Hash: E4F0B431202245ABDB397E2BDC8CDDB7F6DEF543A0B048025F80597206CB74D854DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 011AFD60 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E011AFD60(void* __ecx) {
				signed int _t12;
				void* _t15;
				signed int _t17;
				intOrPtr* _t18;
				void* _t19;
				void* _t20;

				_t15 = __ecx;
				_push(0x10);
				_push(0x138a848);
				E012EA180();
				_t17 = 0;
				 *(_t19 - 0x1c) = 0;
				_t18 =  *0x13a88cc;
				 *(_t19 - 0x20) =  *(_t19 - 0x20) & 0;
				_t20 =  *0x13a6e84 - _t17; // 0x0
				if(_t20 != 0) {
					L2:
					 *(_t19 - 4) =  *(_t19 - 4) & _t17;
					if(_t18 != 0) {
						L5:
						L012EA066();
						_t17 =  *_t18( *((intOrPtr*)(_t19 + 8)));
						 *(_t19 - 0x1c) = _t17;
					} else {
						_push("InitCommonControlsEx");
						_t18 = E011A8E00(_t15);
						if(_t18 != 0) {
							 *0x13a88cc = _t18;
							goto L5;
						}
					}
					 *(_t19 - 4) = 0xfffffffe;
					E011AFDD6(_t17);
					_t12 = _t17;
				} else {
					_t12 = E011A7E59(_t19 - 0x20); // executed
					if(_t12 != 0) {
						goto L2;
					}
				}
				E012EA1C6();
				return _t12;
			}

0x011afd60
0x011afd60
0x011afd62
0x011afd67
0x011afd6c
0x011afd6e
0x011afd71
0x011afd77
0x011afd7a
0x011afd80
0x011afd8f
0x011afd8f
0x011afd94
0x011afdac
0x011afdb1
0x011afdb8
0x011afdba
0x011afd96
0x011afd96
0x011afda0
0x011afda4
0x011afda6
0x00000000
0x011afda6
0x011afda4
0x011afdbd
0x011afdc4
0x011afdc9
0x011afd82
0x011afd86
0x011afd8d
0x00000000
0x00000000
0x011afd8d
0x011afdcb
0x011afdd0

APIs

InitCommonControlsEx.COMCTL32(00000008,0138A848,00000010,011AEAAD,00000008,00000000,?,011A99AC,00000008,00080000,?,?,00000000), ref: 011AFDB6

Part of subcall function 011A7E59: OutputDebugStringA.KERNEL32(IsolationAware function called after IsolationAwareCleanup,?,?,011AFEBD,011C19E0,0138A7E8,00000010,011A9BBC,?), ref: 011A7E6D

Strings

InitCommonControlsEx, xrefs: 011AFD96

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: CommonControlsDebugInitOutputString
String ID: InitCommonControlsEx
API String ID: 650261710-2357626986
Opcode ID: caa87728b26c9bd1c5a25b58ba065a75af2fe4d322b93a41af1c2114468fc31a
Instruction ID: dc8c7f2edcad637036e99578e0794f313bf8de88ec6758893291c493db6421ef
Opcode Fuzzy Hash: caa87728b26c9bd1c5a25b58ba065a75af2fe4d322b93a41af1c2114468fc31a
Instruction Fuzzy Hash: F2F0F6B6C1132B9BCF27BB6988005BDBEF9AFA47A1F804106C420A7240CB74C9029BD0

Uniqueness

Uniqueness Score: -1.00%

Function 011A7CF1 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 23
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 58%

			E011A7CF1(void* __ecx, intOrPtr _a4) {
				void* _t2;
				signed int _t3;
				signed int _t7;

				_t7 =  *0x13a6e90;
				if(_t7 != 0) {
					L4:
					L012EA066(); // executed
					_t2 =  *_t7(_a4); // executed
					return _t2;
				}
				_t3 = E011A7EC9(0x132edec, 0x13a6ea4, "CreateActCtxW");
				_t7 = _t3;
				if(_t7 != 0) {
					 *0x13a6e90 = _t7;
					goto L4;
				}
				return _t3 | 0xffffffff;
			}

0x011a7cf5
0x011a7cfd
0x011a7d24
0x011a7d29
0x011a7d2e
0x00000000
0x011a7d2e
0x011a7d0e
0x011a7d13
0x011a7d17
0x011a7d1e
0x00000000
0x011a7d1e
0x00000000

APIs

CreateActCtxWWorker.KERNEL32(?,00000000,?,011A807A,00000020), ref: 011A7D2E

Part of subcall function 011A7EC9: DeactivateActCtx.KERNEL32(0013A2DD,756F7590,00000000,00000000,?,011A7DEE,0132EDEC,013A6EA4,DeactivateActCtx,00000000,?,011AFF1B,00000000,011C19E0,011AFEE1), ref: 011A7EE9
Part of subcall function 011A7EC9: GetProcAddress.KERNEL32(00000000,00000000), ref: 011A7EF6

Strings

CreateActCtxW, xrefs: 011A7CFF

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: AddressCreateDeactivateProcWorker
String ID: CreateActCtxW
API String ID: 1192707186-1163823230
Opcode ID: 69be86281d2c7b87d8581c2ce6e98d1cc606cc0b3d624952a094cd7360a23359
Instruction ID: 6d01efc76f523057b6a800fdc43e7ed30c0ba89f3064e3e47da8b717f7996b81
Opcode Fuzzy Hash: 69be86281d2c7b87d8581c2ce6e98d1cc606cc0b3d624952a094cd7360a23359
Instruction Fuzzy Hash: 16E08677A40635568636269AD80396E7D499D10AB97C5061AEA58673C0C7A26D0043D1

Uniqueness

Uniqueness Score: -1.00%

Function 011AEB0B Relevance: 3.1, APIs: 2, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E011AEB0B(void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr* _a8, signed int _a12) {
				signed int _v8;
				struct tagRECT _v24;
				signed int _t21;
				void* _t32;
				intOrPtr* _t41;
				void* _t46;
				intOrPtr* _t48;
				void* _t49;
				void* _t51;
				signed int _t52;

				_t49 = __esi;
				_t46 = __edx;
				_t21 =  *0x139eff4; // 0xdde28b47
				_v8 = _t21 ^ _t52;
				_t48 = _a4;
				if((_a12 & 0x10000000) == 0 && (E011B0661(_t48) & 0x50000000) == 0) {
					_v24.left = 0;
					_v24.top = 0;
					_v24.right = 0;
					_v24.bottom = 0;
					GetWindowRect( *(_t48 + 0x20),  &_v24);
					_t41 = _a8;
					if( *_t41 == _v24.left &&  *((intOrPtr*)(_t41 + 4)) == _v24.top && (E011AB22F(_t41, _t46, GetWindow( *(_t48 + 0x20), 4)) == 0 || E011B082E(_t30) == 0)) {
						L012EA066();
						_t32 =  *((intOrPtr*)( *((intOrPtr*)( *_t48 + 0x14c))))(); // executed
						_t51 = _t49;
						if(_t32 != 0) {
							E011AA8BC(0, _t48, _t46, _t48, _t51, 0); // executed
						}
					}
				}
				return E012E980C(_v8 ^ _t52);
			}

0x011aeb0b
0x011aeb0b
0x011aeb11
0x011aeb18
0x011aeb23
0x011aeb26
0x011aeb40
0x011aeb43
0x011aeb46
0x011aeb49
0x011aeb4c
0x011aeb52
0x011aeb5a
0x011aeb8f
0x011aeb96
0x011aeb98
0x011aeb9b
0x011aeba0
0x011aeba0
0x011aeb9b
0x011aeba5
0x011aebb4

APIs

Part of subcall function 011B0661: GetWindowLongW.USER32(?,000000F0), ref: 011B066E

GetWindowRect.USER32 ref: 011AEB4C
GetWindow.USER32(?,00000004), ref: 011AEB69

Part of subcall function 011B082E: IsWindowEnabled.USER32(?), ref: 011B0839

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: Window$EnabledLongRect
String ID:
API String ID: 3170195891-0
Opcode ID: 677403985316bab9d5901ea2ceb78ce522ee1302e7b0ed9a1bec8748fe13dd86
Instruction ID: f0989573c4c9cb693949c566f7c1ffb95926f50feb02eb062d16d5682dd12aab
Opcode Fuzzy Hash: 677403985316bab9d5901ea2ceb78ce522ee1302e7b0ed9a1bec8748fe13dd86
Instruction Fuzzy Hash: 77118C74B011069BDF15EF69D984A7EBBB9FF58314F900069E806D7240EB30D9018B61

Uniqueness

Uniqueness Score: -1.00%

Function 011A9DD3 Relevance: 3.1, APIs: 2, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E011A9DD3(void* __edx, struct HWND__* _a4, int _a8, int _a12, long _a16) {
				intOrPtr _v0;
				void* __esi;
				void* _t20;
				long _t21;
				void* _t31;
				struct HWND__* _t32;

				_push(0x11aad96);
				_t31 = E011BEDFB(0x13a89b4);
				if(_t31 == 0) {
					E011B1E69(0x13a89b4);
					asm("int3");
					if(_v0 != 0x360) {
						_push(_t31);
						_t32 = _a4;
						_t20 = E011AB259(0x13a89b4, _t32);
						if(_t20 == 0 ||  *((intOrPtr*)(_t20 + 0x20)) != _t32) {
							_t21 = DefWindowProcW(_t32, _a8, _a12, _a16);
						} else {
							_push(_a16);
							_push(_a12);
							_push(_a8);
							_push(_t32);
							_push(_t20); // executed
							_t21 = E011A95D2(__edx); // executed
						}
					} else {
						_t21 = 1;
					}
					return _t21;
				} else {
					if( *((char*)(E011B72B6(_t31) + 0x14)) != 0 &&  *(_t31 + 0x28) != 0) {
						UnhookWindowsHookEx( *(_t31 + 0x28));
						 *(_t31 + 0x28) =  *(_t31 + 0x28) & 0x00000000;
					}
					if( *(_t31 + 0x14) == 0) {
						return 1;
					} else {
						 *(_t31 + 0x14) =  *(_t31 + 0x14) & 0x00000000;
						return 0;
					}
				}
			}

0x011a9dd4
0x011a9de3
0x011a9de7
0x011a9e1a
0x011a9e1f
0x011a9e2a
0x011a9e31
0x011a9e32
0x011a9e36
0x011a9e3d
0x011a9e60
0x011a9e44
0x011a9e44
0x011a9e47
0x011a9e4a
0x011a9e4d
0x011a9e4e
0x011a9e4f
0x011a9e4f
0x011a9e2c
0x011a9e2e
0x011a9e2e
0x011a9e68
0x011a9de9
0x011a9df2
0x011a9dfd
0x011a9e03
0x011a9e03
0x011a9e0b
0x011a9e19
0x011a9e0d
0x011a9e0d
0x011a9e14
0x011a9e14
0x011a9e0b

APIs

Part of subcall function 011BEDFB: __EH_prolog3.LIBCMT ref: 011BEE02

UnhookWindowsHookEx.USER32(?), ref: 011A9DFD
DefWindowProcW.USER32(?,00000360,?,?,?,00000000,?,011AAD96,?,011A7510,?,?,?,011A713F,00000000), ref: 011A9E60

Part of subcall function 011A95D2: __EH_prolog3_catch_GS.LIBCMT ref: 011A95D9

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: H_prolog3H_prolog3_catch_HookProcUnhookWindowWindows
String ID:
API String ID: 2533299859-0
Opcode ID: 7a0c8dcf9752d3b625655938ec1cd7a125dc75a7efca23cd2b9f8b837f430e67
Instruction ID: b68be8fb696813f4c091c799cecc81f675f2eb71c886725d054050690efd1f14
Opcode Fuzzy Hash: 7a0c8dcf9752d3b625655938ec1cd7a125dc75a7efca23cd2b9f8b837f430e67
Instruction Fuzzy Hash: 2911E136400639EFDF3AAE68E808BEB3FA8EF04329F404419F74681051C734C5A0DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 011BE922 Relevance: 3.0, APIs: 2, Instructions: 47
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 65%

			E011BE922(long* __ecx) {
				intOrPtr* _v8;
				long _t14;
				intOrPtr _t15;
				intOrPtr* _t20;
				void* _t23;
				long* _t27;

				_t20 = __ecx;
				_t27 = __ecx;
				 *((intOrPtr*)(__ecx + 0x14)) = 0;
				 *((intOrPtr*)(__ecx + 0x18)) = 4;
				 *((intOrPtr*)(__ecx + 4)) = 0;
				 *((intOrPtr*)(__ecx + 8)) = 1;
				 *((intOrPtr*)(__ecx + 0xc)) = 0;
				 *((intOrPtr*)(__ecx + 0x10)) = 0;
				_t14 = TlsAlloc();
				 *_t27 = _t14;
				if(_t14 == 0xffffffff) {
					_t15 = E011B1E83(_t20);
					asm("int3");
					_push(_t20);
					if( *_t20 != 0) {
						_v8 =  *_t20;
						_t15 = _v8;
						_v8 = _t15;
						if(_v8 != 0) {
							L012EA066();
							_t15 =  *((intOrPtr*)( *((intOrPtr*)( *_v8))))(1, _t23, _t27); // executed
						}
					}
					return _t15;
				} else {
					_t7 =  &(_t27[7]); // 0x13a8c60
					InitializeCriticalSection(_t7);
					return _t27;
				}
			}

0x011be922
0x011be923
0x011be927
0x011be92a
0x011be931
0x011be934
0x011be93b
0x011be93e
0x011be941
0x011be947
0x011be94c
0x011be95c
0x011be961
0x011be965
0x011be969
0x011be96d
0x011be970
0x011be973
0x011be97a
0x011be989
0x011be990
0x011be993
0x011be97a
0x011be997
0x011be94e
0x011be94e
0x011be952
0x011be95b
0x011be95b

APIs

TlsAlloc.KERNEL32(?,011BEE32,00000004,011B72C5,011AAD96,011B0DA3,?,011B2DC7,00000004,011B3AD3,00000120,0115D911,00000000,013FDC00,?,0114106D), ref: 011BE941
InitializeCriticalSection.KERNEL32(013A8C60,?,011BEE32,00000004,011B72C5,011AAD96,011B0DA3,?,011B2DC7,00000004,011B3AD3,00000120,0115D911,00000000,013FDC00), ref: 011BE952

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: AllocCriticalInitializeSection
String ID:
API String ID: 1921445636-0
Opcode ID: 8dc558e03765345501285ab8fe1e64dfa2c55585847c17b6a10b7067b4fab745
Instruction ID: 5c91ee737f1c17c5862cbe10fdac8939e21cbed2baa2024b0bd63ac6ac83f549
Opcode Fuzzy Hash: 8dc558e03765345501285ab8fe1e64dfa2c55585847c17b6a10b7067b4fab745
Instruction Fuzzy Hash: E5018C74A01725DFC724EF68D44879ABBF8EF09314F10496EE656C3750E375AA44CB80

Uniqueness

Uniqueness Score: -1.00%

Function 01308253 Relevance: 1.6, APIs: 1, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 01308329

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1e4176455c80f7cae3e7de8f33152f83e4e2e30d3f599962a2419cfd053e7595
Instruction ID: e087470fc6e78bab100359c9b64b154d50f891050a183c4b52e17da47484deec
Opcode Fuzzy Hash: 1e4176455c80f7cae3e7de8f33152f83e4e2e30d3f599962a2419cfd053e7595
Instruction Fuzzy Hash: B8417E36E006158FDB18CF6DD49096EBBF5EF8D324B1581AAE516EB3A4DB309C40CB81

Uniqueness

Uniqueness Score: -1.00%

Function 011A95D2 Relevance: 1.6, APIs: 1, Instructions: 84
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E011A95D2(void* __edx) {
				void _t48;
				intOrPtr _t49;
				intOrPtr _t51;
				void* _t52;
				intOrPtr _t62;
				signed int _t64;
				signed int _t70;
				intOrPtr* _t72;
				void* _t75;
				intOrPtr _t79;
				intOrPtr* _t84;
				void* _t88;

				_t75 = __edx;
				_push(0x44);
				E012EA145();
				_push(0x11aad96);
				 *((intOrPtr*)(_t88 - 0x2c)) =  *((intOrPtr*)(_t88 + 8));
				_t62 = E011BEDFB(0x13a89b4);
				 *((intOrPtr*)(_t88 - 0x30)) = _t62;
				if(_t62 == 0) {
					E011B1E69(0x13a89b4);
				}
				_t5 = _t62 + 0x58; // 0x58
				_t64 = 7;
				_t48 = memcpy(_t88 - 0x50, _t5, _t64 << 2);
				_t79 = 0;
				_t84 =  *((intOrPtr*)(_t88 - 0x2c));
				 *(_t62 + 0x58) = _t48;
				_t49 =  *((intOrPtr*)(_t88 + 0x10));
				 *((intOrPtr*)(_t62 + 0x60)) =  *((intOrPtr*)(_t88 + 0x14));
				 *((intOrPtr*)(_t62 + 0x5c)) = _t49;
				 *((intOrPtr*)(_t62 + 0x64)) =  *((intOrPtr*)(_t88 + 0x18));
				 *((intOrPtr*)(_t88 - 4)) = 0;
				if(_t49 == 2) {
					_t72 =  *((intOrPtr*)(_t84 + 0x70));
					 *((intOrPtr*)(_t88 - 0x28)) = _t72;
					if(_t72 != 0) {
						L012EA066();
						 *((intOrPtr*)( *((intOrPtr*)( *_t72 + 0x60))))(0);
						_t84 =  *((intOrPtr*)(_t88 - 0x2c));
						_t49 =  *((intOrPtr*)(_t88 + 0x10));
					}
				}
				 *((intOrPtr*)(_t88 - 0x24)) = _t79;
				 *((intOrPtr*)(_t88 - 0x20)) = _t79;
				 *((intOrPtr*)(_t88 - 0x1c)) = _t79;
				 *((intOrPtr*)(_t88 - 0x18)) = _t79;
				 *((intOrPtr*)(_t88 - 0x28)) = _t79;
				if(_t49 == 0x110) {
					E011AEBB7(_t84, _t88 - 0x24, _t88 - 0x28);
					_t79 =  *((intOrPtr*)(_t88 - 0x28));
				}
				_t85 =  *((intOrPtr*)( *_t84 + 0x114));
				L012EA066();
				_t51 =  *((intOrPtr*)( *((intOrPtr*)( *_t84 + 0x114))))( *((intOrPtr*)(_t88 + 0x10)),  *((intOrPtr*)(_t88 + 0x14)),  *((intOrPtr*)(_t88 + 0x18))); // executed
				 *((intOrPtr*)(_t88 - 0x28)) = _t51;
				if( *((intOrPtr*)(_t88 + 0x10)) == 0x110) {
					E011AEB0B(_t62, _t75, _t79, _t85,  *((intOrPtr*)(_t88 - 0x2c)), _t88 - 0x24, _t79); // executed
				}
				_t41 = _t62 + 0x58; // 0x58
				_t70 = 7;
				_t52 = memcpy(_t41, _t88 - 0x50, _t70 << 2);
				E012EA092();
				return _t52;
			}

0x011a95d2
0x011a95d2
0x011a95d9
0x011a95e6
0x011a95eb
0x011a95f3
0x011a95f5
0x011a95fa
0x011a95fc
0x011a95fc
0x011a9604
0x011a9609
0x011a960d
0x011a9612
0x011a9614
0x011a9617
0x011a961a
0x011a961d
0x011a9623
0x011a9626
0x011a9629
0x011a962f
0x011a9631
0x011a9634
0x011a9639
0x011a9643
0x011a964b
0x011a964d
0x011a9650
0x011a9650
0x011a9639
0x011a9653
0x011a9656
0x011a9659
0x011a965c
0x011a965f
0x011a9667
0x011a9672
0x011a9677
0x011a9677
0x011a9685
0x011a968d
0x011a9695
0x011a969e
0x011a96a1
0x011a96ab
0x011a96d9
0x011a96de
0x011a96e1
0x011a96e5
0x011a96e7
0x011a96ec

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 011A95D9

Part of subcall function 011BEDFB: __EH_prolog3.LIBCMT ref: 011BEE02

Part of subcall function 011B1E69: __CxxThrowException@8.LIBVCRUNTIME ref: 011B1E7D

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: Exception@8H_prolog3H_prolog3_catch_Throw
String ID:
API String ID: 2399685165-0
Opcode ID: 98ed87214a53d3902c997b046140279d63b34e9a10e813c7542de462a370985d
Instruction ID: e61b102c734f4cdd08888ef4c936167bb01dc86a6fd9fe9a22f7232f0531589a
Opcode Fuzzy Hash: 98ed87214a53d3902c997b046140279d63b34e9a10e813c7542de462a370985d
Instruction Fuzzy Hash: B131B3B5D0021DDBCF09DFA8C8809EEBBB5BF58314F51445AE915BB251C770A985CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 01144280 Relevance: 1.6, APIs: 1, Instructions: 65
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 72%

			E01144280(intOrPtr __ecx, void* __eflags, intOrPtr _a4) {
				intOrPtr* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _t40;
				void* _t44;

				_v32 = __ecx;
				_v8 = E011447B0(_v32);
				_t5 = _v8 + 4; // 0x5de58b00
				_v16 =  *_t5;
				_t9 =  *((intOrPtr*)( *_v8)) + 0x10; // 0x4d8951ec
				_v20 =  *((intOrPtr*)( *_t9))();
				_t40 =  *((intOrPtr*)( *((intOrPtr*)( *_v20))))(_a4, 2); // executed
				_v12 = _t40;
				if(_v12 == 0) {
					E01144340();
				}
				if(_v16 >= _a4) {
					_v24 = _a4;
				} else {
					_v24 = _v16;
				}
				_v28 = _v24 + 1;
				_t44 = E01144350(_v8);
				E01144740(E01144350(_v12), _v28, _t44, _v28);
				 *((intOrPtr*)(_v12 + 4)) = _v16;
				E01144240(_v8);
				return E01144370(_v32, _v12);
			}

0x01144286
0x01144291
0x01144297
0x0114429a
0x011442a9
0x011442ae
0x011442c1
0x011442c3
0x011442ca
0x011442cc
0x011442cc
0x011442d7
0x011442e4
0x011442d9
0x011442dc
0x011442dc
0x011442ed
0x011442f7
0x0114430a
0x01144318
0x0114431e
0x01144332

APIs

_wmemcpy_s.LIBCPMTD ref: 0114430A

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: _wmemcpy_s
String ID:
API String ID: 67063488-0
Opcode ID: 042889e7a4a12d6017fbb714a120ea617ae2c7003ac289a88bba7b240ca2d3a3
Instruction ID: b4d3da3b26aaa3613cfaf7ae041de05721236f3f1ddf1fb32a54296f4322c1cf
Opcode Fuzzy Hash: 042889e7a4a12d6017fbb714a120ea617ae2c7003ac289a88bba7b240ca2d3a3
Instruction Fuzzy Hash: B521C674E0010AEFCB08EF98D490EAEB7B1FF88704F2081A9D915A7751DB30AE41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 011AAE8B Relevance: 1.6, APIs: 1, Instructions: 61
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 73%

			E011AAE8B(void* __ecx, void* __edx) {
				void* __edi;
				void* __esi;
				intOrPtr _t16;
				void* _t17;
				void* _t20;
				struct HWND__* _t23;
				int _t25;
				void* _t27;
				void* _t32;
				void* _t33;
				signed int _t34;
				intOrPtr* _t35;
				int _t36;
				void* _t37;

				_t32 = __edx;
				_t27 = __ecx;
				_t33 = __ecx;
				_t36 = 0;
				_t16 =  *((intOrPtr*)(__ecx + 0x20));
				if(_t16 != 0) {
					L3:
					_push(_t36);
					_t17 = E011AF00D(_t27, _t33, _t36);
					if(_t17 != 0) {
						_push( *(_t33 + 0x20));
						_t4 = _t17 + 0x1c; // 0x1c
						E011BDC9F(_t4, _t32);
						goto L5;
					}
					E011B1E69(_t27);
					asm("int3");
					_push(_t36);
					_t37 = _t27;
					_push(_t33);
					_t34 =  *(_t37 + 0x20);
					if(_t34 != 0) {
						_push(0);
						_t20 = E011AF00D(_t27, _t34, _t37);
						if(_t20 != 0) {
							_t11 = _t20 + 0x1c; // 0x1c
							E011BDDE4(_t11, _t32,  *(_t37 + 0x20));
						}
						 *(_t37 + 0x20) =  *(_t37 + 0x20) & 0x00000000;
					}
					 *(_t37 + 0x74) =  *(_t37 + 0x74) & 0x00000000;
					return _t34;
				} else {
					if( *((intOrPtr*)(__ecx + 0x74)) == 0) {
						return _t16;
					} else {
						if(_t16 == 0) {
							L5:
							_t23 =  *(_t33 + 0x20);
							if(_t23 != 0 ||  *((intOrPtr*)(_t33 + 0x74)) != _t36) {
								_t35 =  *((intOrPtr*)(_t33 + 0x74));
								if(_t35 != 0) {
									L012EA066();
									_t25 =  *((intOrPtr*)( *((intOrPtr*)( *_t35 + 0x58))))();
								} else {
									_t25 = DestroyWindow(_t23); // executed
								}
								_t36 = _t25;
							}
							return _t36;
						}
						goto L3;
					}
				}
			}

0x011aae8b
0x011aae8b
0x011aae8d
0x011aae8f
0x011aae91
0x011aae96
0x011aaea1
0x011aaea1
0x011aaea2
0x011aaea9
0x011aaeab
0x011aaeae
0x011aaeb1
0x00000000
0x011aaeb1
0x011aaee9
0x011aaeee
0x011aaeef
0x011aaef0
0x011aaef2
0x011aaef3
0x011aaef8
0x011aaefa
0x011aaefc
0x011aaf03
0x011aaf08
0x011aaf0b
0x011aaf0b
0x011aaf10
0x011aaf10
0x011aaf14
0x011aaf1c
0x011aae98
0x011aae9b
0x011aaee8
0x011aae9d
0x011aae9f
0x011aaeb6
0x011aaeb6
0x011aaebb
0x011aaec2
0x011aaec7
0x011aaed9
0x011aaee0
0x011aaec9
0x011aaeca
0x011aaeca
0x011aaee2
0x011aaee2
0x00000000
0x011aaee4
0x00000000
0x011aae9f
0x011aae9b

APIs

KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,?,011A830E,DDE28B47,?,00000000,0131B0B0,000000FF,?,0114371C,?,?,011436AF), ref: 011AAECA

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 9d8ad18ca93eb1f116c53260759120f235520038aa53f9e9455a33eda8c641f8
Instruction ID: 08b7094f08c4a01ba5395b2334d3e788d001937c726e0668a00a1509645f6d00
Opcode Fuzzy Hash: 9d8ad18ca93eb1f116c53260759120f235520038aa53f9e9455a33eda8c641f8
Instruction Fuzzy Hash: 92118679701622ABDB2EAE2CE800B6ABFE9FF94A25F454119E745D3550EB60EC01C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 011BE844 Relevance: 1.6, APIs: 1, Instructions: 56
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 73%

			E011BE844(void* __ecx, void* __edx) {
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr _t28;
				intOrPtr* _t30;
				intOrPtr _t32;
				void* _t33;
				intOrPtr _t40;
				intOrPtr _t42;
				intOrPtr _t44;
				void* _t45;

				_t41 = __edx;
				_push(0x10);
				E012EA10E();
				_t33 = __ecx;
				_t42 =  *((intOrPtr*)(_t45 + 8));
				if(_t42 != 0) {
					_push(_t42);
					_t26 = E011BDC9F(__ecx + 0x1c, __edx);
					__eflags = _t26;
					if(_t26 == 0) {
						_push(_t42);
						_t26 = E011BDC9F(__ecx + 0x38, __edx);
						__eflags = _t26;
						if(_t26 == 0) {
							_t27 = E011A7029(0x11bd675);
							 *(_t45 - 4) =  *(_t45 - 4) & 0x00000000;
							_t37 = _t33 + 4;
							 *((intOrPtr*)(_t45 - 0x14)) = _t27;
							_t28 = E011D41A4(_t33 + 4);
							 *((intOrPtr*)(_t45 - 0x18)) = _t28;
							__eflags = _t28;
							if(__eflags == 0) {
								_t28 = E011B1E83(_t37);
							}
							L012EA066();
							 *((intOrPtr*)( *((intOrPtr*)(_t33 + 0x14))))(_t28);
							_t30 = E011BDAFE(_t33 + 0x38, _t41, __eflags, _t42); // executed
							_t44 =  *((intOrPtr*)(_t45 - 0x18));
							 *(_t45 - 4) =  *(_t45 - 4) | 0xffffffff;
							 *_t30 = _t44;
							E011A7029( *((intOrPtr*)(_t45 - 0x14)));
							_t32 =  *((intOrPtr*)(_t33 + 0x58));
							 *((intOrPtr*)(_t32 + _t44)) = _t42;
							__eflags =  *((intOrPtr*)(_t33 + 0x5c)) - 2;
							if( *((intOrPtr*)(_t33 + 0x5c)) == 2) {
								 *((intOrPtr*)(_t32 + _t44 + 4)) = _t42;
							}
							_t26 = _t44;
						} else {
							_t40 =  *((intOrPtr*)(__ecx + 0x58));
							 *((intOrPtr*)(_t40 + _t26)) = _t42;
							__eflags =  *((intOrPtr*)(__ecx + 0x5c)) - 2;
							if( *((intOrPtr*)(__ecx + 0x5c)) == 2) {
								 *((intOrPtr*)(_t40 + _t26 + 4)) = _t42;
							}
						}
					}
				} else {
					_t26 = 0;
				}
				E012EA06C();
				return _t26;
			}

0x011be844
0x011be844
0x011be84b
0x011be850
0x011be852
0x011be857
0x011be863
0x011be867
0x011be86c
0x011be86e
0x011be873
0x011be874
0x011be879
0x011be87b
0x011be894
0x011be899
0x011be89d
0x011be8a0
0x011be8a3
0x011be8a8
0x011be8ab
0x011be8ad
0x011be8af
0x011be8af
0x011be8ba
0x011be8bf
0x011be8c5
0x011be8cd
0x011be8d0
0x011be8d4
0x011be8d6
0x011be8db
0x011be8de
0x011be8e1
0x011be8e5
0x011be8e7
0x011be8e7
0x011be8eb
0x011be87d
0x011be87d
0x011be880
0x011be883
0x011be887
0x011be889
0x011be889
0x011be887
0x011be87b
0x011be859
0x011be859
0x011be859
0x011be85b
0x011be860

APIs

__EH_prolog3_catch.LIBCMT ref: 011BE84B

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: H_prolog3_catch
String ID:
API String ID: 3886170330-0
Opcode ID: 816061cfcc090276e97b3960bd6e291d694b263c9c73cf7f312db3232c6d081b
Instruction ID: 5aed6201f5b0bb758619358c031c8948996672f92ea65b6068c288b7b1167dd6
Opcode Fuzzy Hash: 816061cfcc090276e97b3960bd6e291d694b263c9c73cf7f312db3232c6d081b
Instruction Fuzzy Hash: 4311B274A01612CBCF2DEFA8C9C46FE3BF1AF60318B50409CD801AB295DB34DA01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 011BEDFB Relevance: 1.5, APIs: 1, Instructions: 42
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 78%

			E011BEDFB(signed int __ecx) {
				void* _t12;
				signed int _t14;
				intOrPtr _t15;
				signed int _t18;
				signed int _t20;
				void* _t21;
				intOrPtr* _t22;
				void* _t23;

				_t17 = __ecx;
				_push(4);
				E012EA0A3();
				_t22 = __ecx;
				if( *((intOrPtr*)(_t23 + 8)) == 0) {
					L1:
					E011B1E69(_t17);
				}
				if( *_t22 == 0) {
					_t14 =  *0x13a8c78; // 0x0
					if(_t14 != 0) {
						L5:
						_t17 = _t14; // executed
						_t15 = E011BEAF5(_t14); // executed
						 *_t22 = _t15;
						if(_t15 == 0) {
							goto L1;
						}
					} else {
						_t17 = 0x13a8c44;
						 *(_t23 - 0x10) = 0x13a8c44;
						 *(_t23 - 4) =  *(_t23 - 4) & _t14;
						_t14 = E011BE922(0x13a8c44);
						 *(_t23 - 4) =  *(_t23 - 4) | 0xffffffff;
						 *0x13a8c78 = _t14;
						if(_t14 == 0) {
							goto L1;
						} else {
							goto L5;
						}
					}
				}
				_t18 =  *0x13a8c78; // 0x0
				_t21 = E011BEEB7(_t18,  *_t22);
				if(_t21 == 0) {
					L012EA066();
					_t12 =  *((intOrPtr*)(_t23 + 8))();
					_t20 =  *0x13a8c78; // 0x0
					_t21 = _t12;
					E011BEF72(_t20,  *_t22, _t21);
				}
				E012EA06C();
				return _t21;
			}

0x011bedfb
0x011bedfb
0x011bee02
0x011bee07
0x011bee0d
0x011bee0f
0x011bee0f
0x011bee0f
0x011bee17
0x011bee19
0x011bee20
0x011bee3f
0x011bee3f
0x011bee41
0x011bee46
0x011bee4a
0x00000000
0x00000000
0x011bee22
0x011bee22
0x011bee27
0x011bee2a
0x011bee2d
0x011bee32
0x011bee36
0x011bee3d
0x00000000
0x00000000
0x00000000
0x00000000
0x011bee3d
0x011bee20
0x011bee4e
0x011bee59
0x011bee5d
0x011bee62
0x011bee67
0x011bee6a
0x011bee70
0x011bee75
0x011bee75
0x011bee7c
0x011bee81

APIs

__EH_prolog3.LIBCMT ref: 011BEE02

Part of subcall function 011B1E69: __CxxThrowException@8.LIBVCRUNTIME ref: 011B1E7D

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: Exception@8H_prolog3Throw
String ID:
API String ID: 3670251406-0
Opcode ID: 5597d1c30a27d6dbfdde179a6af03901144f4290241d8380e3329530ed002111
Instruction ID: 098cf74288486e2c63b89c99e906ad0fb571ee3bbfebcc27d5d40092426aff73
Opcode Fuzzy Hash: 5597d1c30a27d6dbfdde179a6af03901144f4290241d8380e3329530ed002111
Instruction Fuzzy Hash: 11018F70612222CBEF29AF38C4947E87AA5EFA1355F50452CE5418B280EF30CA90CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0130B125 Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 94%

			E0130B125(void* __ecx, long _a4) {
				void* __esi;
				void* _t4;
				void* _t6;
				void* _t7;
				long _t8;

				_t7 = __ecx;
				_t8 = _a4;
				if(_t8 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E012F9217())) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t8 == 0) {
					_t8 = _t8 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0x13ad470, 0, _t8); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E01308126();
					if(__eflags == 0) {
						goto L7;
					}
					_t6 = E0130AFEC(_t7, _t8, __eflags, _t8);
					_pop(_t7);
					__eflags = _t6;
					if(_t6 == 0) {
						goto L7;
					}
				}
				return _t4;
			}

0x0130b125
0x0130b12b
0x0130b131
0x0130b163
0x0130b168
0x0130b16e
0x00000000
0x0130b16e
0x0130b135
0x0130b137
0x0130b137
0x0130b14e
0x0130b157
0x0130b15f
0x00000000
0x00000000
0x0130b13f
0x0130b141
0x00000000
0x00000000
0x0130b144
0x0130b149
0x0130b14a
0x0130b14c
0x00000000
0x00000000
0x0130b14c
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,8007000E,?,?,011A700E,8007000E,00000000,?,?,011B186B,0000000C,00000004,011447AC,8007000E), ref: 0130B157

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d705610a200c0003528362c09595955c2ad2d17a6c87f46f72aac08dbb3c80fb
Instruction ID: 7e7bf82a387fb70173e313d640053b3a3fd37c0b58ee5e88a895bc662699daba
Opcode Fuzzy Hash: d705610a200c0003528362c09595955c2ad2d17a6c87f46f72aac08dbb3c80fb
Instruction Fuzzy Hash: F7E02B3914121557F73B267DAC20F5BFADC9F412BCF040020ED50A34D8DB20D80083E4

Uniqueness

Uniqueness Score: -1.00%

Function 011A7D35 Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E011A7D35() {
				struct HWND__* _t15;
				signed int _t17;
				signed int _t19;
				void* _t20;

				_push(0x10);
				_push(0x138a5b0);
				E012EA180();
				 *(_t20 - 0x1c) =  *(_t20 - 0x1c) & 0x00000000;
				 *(_t20 - 0x20) =  *(_t20 - 0x20) & 0x00000000;
				if( *0x13a6e84 != 0) {
					L2:
					 *(_t20 - 4) =  *(_t20 - 4) & 0x00000000;
					_t15 = CreateDialogIndirectParamW( *(_t20 + 8),  *(_t20 + 0xc),  *(_t20 + 0x10),  *(_t20 + 0x14),  *(_t20 + 0x18)); // executed
					_t19 = _t15;
					 *(_t20 - 0x1c) = _t19;
					 *(_t20 - 4) = 0xfffffffe;
					E011A7D96(_t19);
					_t17 = _t19;
				} else {
					_t17 = E011A7E59(_t20 - 0x20);
					if(_t17 != 0) {
						goto L2;
					}
				}
				E012EA1C6();
				return _t17;
			}

0x011a7d35
0x011a7d37
0x011a7d3c
0x011a7d41
0x011a7d45
0x011a7d50
0x011a7d5f
0x011a7d5f
0x011a7d72
0x011a7d78
0x011a7d7a
0x011a7d7d
0x011a7d84
0x011a7d89
0x011a7d52
0x011a7d56
0x011a7d5d
0x00000000
0x00000000
0x011a7d5d
0x011a7d8b
0x011a7d90

APIs

CreateDialogIndirectParamW.USER32 ref: 011A7D72

Part of subcall function 011A7E59: OutputDebugStringA.KERNEL32(IsolationAware function called after IsolationAwareCleanup,?,?,011AFEBD,011C19E0,0138A7E8,00000010,011A9BBC,?), ref: 011A7E6D

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: CreateDebugDialogIndirectOutputParamString
String ID:
API String ID: 3066322445-0
Opcode ID: c59c7fcf358abc3950c88928125c52bfbf643191e355ede9d167744512fcdb7d
Instruction ID: 2895aa18d0a9cf65eead607960ee4e0ff2e3b2ec46cd475e1072dae36b200734
Opcode Fuzzy Hash: c59c7fcf358abc3950c88928125c52bfbf643191e355ede9d167744512fcdb7d
Instruction Fuzzy Hash: 67F05E7680021EEFDF11AFA4C904BED3BB5BF18366F408408E510661D0D37A8651EF90

Uniqueness

Uniqueness Score: -1.00%

Function 011B020B Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E011B020B(void* __ecx, int _a4) {
				void* _t9;
				void* _t10;
				void* _t13;
				intOrPtr* _t14;
				void* _t15;

				_t10 = __ecx;
				_t14 =  *((intOrPtr*)(__ecx + 0x70));
				if(_t14 != 0) {
					L012EA066();
					return  *((intOrPtr*)( *((intOrPtr*)( *_t14 + 0x74))))(_a4, _t15);
				}
				_t9 = E011AB22F(_t10, _t13, GetDlgItem( *(__ecx + 0x20), _a4)); // executed
				return _t9;
			}

0x011b020b
0x011b020f
0x011b0214
0x011b0235
0x00000000
0x011b023e
0x011b0223
0x00000000

APIs

GetDlgItem.USER32 ref: 011B021C

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: Item
String ID:
API String ID: 3207170592-0
Opcode ID: 550b7180678a4506dd79aba6d49ed47543f1164dde2430759fe9e0a87385c77f
Instruction ID: 94906b80ea46a3f6285ea2ceb95494cd29c2c5e6430c4a5210c53e3f01eba49f
Opcode Fuzzy Hash: 550b7180678a4506dd79aba6d49ed47543f1164dde2430759fe9e0a87385c77f
Instruction Fuzzy Hash: 44E02036200014AB8F057F94D8408AE7FBEFFD8361700006AF5044B220DB31D4128B90

Uniqueness

Uniqueness Score: -1.00%

Function 011A781A Relevance: 1.5, APIs: 1, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E011A781A(intOrPtr* __ecx, int _a4) {
				int _t9;
				intOrPtr* _t15;

				_t15 = __ecx;
				 *((intOrPtr*)(__ecx + 0x9c)) = 1;
				if(( *(__ecx + 0x60) & 0x00000018) != 0) {
					_push(_a4);
					L012EA066();
					 *((intOrPtr*)( *((intOrPtr*)( *__ecx + 0x8c))))(); // executed
				}
				_t9 = EndDialog( *(_t15 + 0x20), _a4); // executed
				return _t9;
			}

0x011a781e
0x011a7824
0x011a782e
0x011a7833
0x011a783e
0x011a7845
0x011a7847
0x011a784e
0x011a7856

APIs

KiUserCallbackDispatcher.NTDLL(?,?), ref: 011A784E

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 2ae8731d710dbdef56b91904935ab79783827fc79c4e3e77d110d81843361368
Instruction ID: e852dcdbf104f154a3d45302acfd47daa3d76c36d92177497ded5cb689363b33
Opcode Fuzzy Hash: 2ae8731d710dbdef56b91904935ab79783827fc79c4e3e77d110d81843361368
Instruction Fuzzy Hash: 03E0D835300119A7C7095B19C408BDDBF65FF85360F04402AE90847650DB725520DBE0

Uniqueness

Uniqueness Score: -1.00%

Function 011B0D25 Relevance: 1.5, APIs: 1, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E011B0D25(void* __ecx, int _a4) {
				int _t8;
				intOrPtr* _t12;
				void* _t13;

				_t12 =  *((intOrPtr*)(__ecx + 0x74));
				if(_t12 != 0) {
					L012EA066();
					return  *((intOrPtr*)( *((intOrPtr*)( *_t12 + 0xa0))))(_a4, _t13);
				}
				_t8 = ShowWindow( *(__ecx + 0x20), _a4); // executed
				return _t8;
			}

0x011b0d29
0x011b0d2e
0x011b0d4c
0x00000000
0x011b0d55
0x011b0d36
0x00000000

APIs

ShowWindow.USER32(?,?,?,?,011A7AAC,00000000,0000E146,00000000,?,?,?,011437C4), ref: 011B0D36

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 183467c23482ef86b050283503dccc07d2d61857781b2fd5836a353fe3d07cef
Instruction ID: 90f6e6ae9fd68356e5c4b49b944034336004a34bf62bb91517fd7ff6c094228c
Opcode Fuzzy Hash: 183467c23482ef86b050283503dccc07d2d61857781b2fd5836a353fe3d07cef
Instruction Fuzzy Hash: E9E02636300118ABCA165F44C8409AE7F7AFFC46A0F000079F9084B260D732A812CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 011BEDA5 Relevance: 1.5, APIs: 1, Instructions: 21
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 29%

			E011BEDA5(intOrPtr* __ecx, void* __esi) {
				void* _t12;
				void* _t14;
				intOrPtr* _t15;
				void* _t17;

				_t13 = __ecx;
				_push(8);
				E012EA10E();
				_t15 = __ecx;
				if( *__ecx == 0) {
					_push(0x10);
					E011C1532(_t12, __ecx, _t14, __ecx, __esi);
					 *(_t17 - 4) =  *(_t17 - 4) & 0x00000000;
					if( *_t15 == 0) {
						_t13 =  *((intOrPtr*)(_t17 + 8));
						L012EA066(); // executed
						 *_t15 =  *((intOrPtr*)(_t17 + 8))();
					}
					 *(_t17 - 4) =  *(_t17 - 4) | 0xffffffff;
					_push(0x10);
					E011C15A6(_t12, _t13, _t14);
				}
				E012EA06C();
				return  *_t15;
			}

0x011beda5
0x011beda5
0x011bedac
0x011bedb1
0x011bedb6
0x011bedb8
0x011bedba
0x011bedbf
0x011bedc6
0x011bedc8
0x011bedcb
0x011bedd3
0x011bedd3
0x011bedd5
0x011bedd9
0x011beddb
0x011beddb
0x011bede2
0x011bede7

APIs

__EH_prolog3_catch.LIBCMT ref: 011BEDAC

Part of subcall function 011C1532: EnterCriticalSection.KERNEL32(013A8ED0,?,?,?,?,011BEDBF,00000010,00000008,011B72E4,011B7322,011AAD96,011B0DA3,?,011B2DC7,00000004,011B3AD3), ref: 011C1563
Part of subcall function 011C1532: InitializeCriticalSection.KERNEL32(00000000,?,?,?,?,011BEDBF,00000010,00000008,011B72E4,011B7322,011AAD96,011B0DA3,?,011B2DC7,00000004,011B3AD3), ref: 011C1579
Part of subcall function 011C1532: LeaveCriticalSection.KERNEL32(013A8ED0,?,?,?,?,011BEDBF,00000010,00000008,011B72E4,011B7322,011AAD96,011B0DA3,?,011B2DC7,00000004,011B3AD3), ref: 011C1587
Part of subcall function 011C1532: EnterCriticalSection.KERNEL32(00000000,?,?,?,011BEDBF,00000010,00000008,011B72E4,011B7322,011AAD96,011B0DA3,?,011B2DC7,00000004,011B3AD3,00000120), ref: 011C1594

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: CriticalSection$Enter$H_prolog3_catchInitializeLeave
String ID:
API String ID: 1641187343-0
Opcode ID: 5af008c7aa44b68f3cf9b0764df50180dd08d249c0b81a278b409d931d2af6f7
Instruction ID: 8b078247b8d210b62d130384bc19f78a9de98cb25f7cf041eb0317208acc99a1
Opcode Fuzzy Hash: 5af008c7aa44b68f3cf9b0764df50180dd08d249c0b81a278b409d931d2af6f7
Instruction Fuzzy Hash: 79E01A315A021BEBEB58BB68C4497AC7BA0BF71725F608125E0526B2C1DFB08990CB11

Uniqueness

Uniqueness Score: -1.00%

Function 011E5F75 Relevance: 1.5, APIs: 1, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E011E5F75(void* __ecx, void* _a4) {
				void* _t3;
				int _t4;

				_t3 = _a4;
				if( *((intOrPtr*)(__ecx + 0x17c)) == 0) {
					 *_t3 = 0x1f4;
				}
				_t4 = SystemParametersInfoW(0x29,  *_t3, _t3, 0); // executed
				return _t4;
			}

0x011e5f7f
0x011e5f82
0x011e5f84
0x011e5f84
0x011e5f91
0x011e5f98

APIs

SystemParametersInfoW.USER32(00000029,?,?,00000000), ref: 011E5F91

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 79ed0f388ad2c1659d268d3f85af8b83e18074f11074fca8afe1fb342457c4e1
Instruction ID: f80039a00ec66c3ffad7373249e7059ef1bf53b58884b6eb8e8f5cc88b2b3559
Opcode Fuzzy Hash: 79ed0f388ad2c1659d268d3f85af8b83e18074f11074fca8afe1fb342457c4e1
Instruction Fuzzy Hash: B3D01270140605EFE7115F84DC09FA27BACEB05714F504074F6084E191D7B26811CFE5

Uniqueness

Uniqueness Score: -1.00%

Function 011B9017 Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E011B9017(void* __ecx) {
				int _t3;
				void* _t6;

				if( *((intOrPtr*)(__ecx + 4)) != 0) {
					_t3 = DeleteObject(E011B9069(__ecx, _t6)); // executed
					return _t3;
				} else {
					return 0;
				}
			}

0x011b901b
0x011b9026
0x011b902c
0x011b901d
0x011b901f
0x011b901f

APIs

DeleteObject.GDI32(00000000), ref: 011B9026

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: DeleteObject
String ID:
API String ID: 1531683806-0
Opcode ID: c31f1980ab24fb373cde11cb53bd80739a55d3c8d0fdc769c77bccf663e0ed98
Instruction ID: 89e4be90d845bb462c8c797475eda7c03e1ea74ce92e486cc4f1b67062e3840b
Opcode Fuzzy Hash: c31f1980ab24fb373cde11cb53bd80739a55d3c8d0fdc769c77bccf663e0ed98
Instruction Fuzzy Hash: 8FB092B0801209AACE256E30C6493A6356C5B4230EF2098ACE10081046DF398003C680

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 011EEF92 Relevance: 35.7, APIs: 19, Strings: 1, Instructions: 667
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E011EEF92(void* __ecx, void* __fp0) {
				signed int _t281;
				void _t282;
				signed int _t286;
				void _t290;
				void _t291;
				void _t294;
				int _t296;
				void _t297;
				int _t299;
				struct HBRUSH__* _t302;
				void _t314;
				void _t317;
				void* _t318;
				void _t321;
				intOrPtr _t322;
				void _t324;
				void* _t325;
				int _t334;
				void* _t337;
				int _t345;
				void* _t348;
				void* _t349;
				void* _t352;
				signed int _t358;
				void* _t360;
				intOrPtr* _t371;
				void* _t375;
				signed int _t379;
				void _t382;
				void _t390;
				void _t392;
				void* _t396;
				void* _t398;
				char _t400;
				char _t401;
				void* _t405;
				void* _t413;
				void* _t415;
				signed char _t424;
				void _t426;
				intOrPtr _t428;
				signed char _t435;
				int _t457;
				signed int _t466;
				signed int _t477;
				intOrPtr _t478;
				int _t483;
				struct HDC__* _t484;
				void _t485;
				int _t486;
				signed int _t487;
				void* _t490;
				void _t491;
				int _t494;
				RECT* _t497;
				signed char _t498;
				void _t499;
				void _t500;
				void _t503;
				int _t504;
				void _t507;
				void _t510;
				short _t515;
				void _t517;
				void* _t520;
				void* _t527;

				_t527 = __fp0;
				_push(0xc4);
				E012EA0D7();
				_t415 = __ecx;
				_t483 =  *(_t520 + 0xc);
				_t494 =  *(_t520 + 0x10);
				 *(_t520 - 0x80) =  *(_t520 + 8);
				_t281 =  *(_t520 + 0x14);
				 *(_t520 - 0x7c) = _t483;
				 *(_t520 - 0x88) = _t494;
				if(_t281 < 0 || _t281 >=  *((intOrPtr*)(__ecx + 4))) {
					L123:
					_t282 = 0;
					__eflags = 0;
					goto L124;
				} else {
					if( *(_t520 + 0x24) == 0 ||  *((intOrPtr*)(E011C5322() + 0x1ac)) <= 8) {
						L6:
						 *(_t520 - 0x1c) = _t494;
						 *(_t520 - 0x18) =  *((intOrPtr*)(_t415 + 0x64)) + _t483;
						 *(_t520 - 0x20) = _t483;
						 *(_t520 - 0x14) = _t494 +  *((intOrPtr*)(_t415 + 0x68));
						_t286 =  *(_t415 + 0x20);
						asm("movsd");
						asm("sbb ecx, ecx");
						asm("movsd");
						asm("sbb eax, eax");
						 *(_t520 - 0x6c) =  !( ~_t286) &  *(_t520 + 0x18);
						asm("movsd");
						 *(_t520 - 0x58) =  !( ~_t286) &  *(_t520 + 0x20);
						asm("movsd");
						 *(_t520 - 0x98) = 0;
						_t490 = 0x20;
						__eflags =  *(_t520 + 0x28);
						if( *(_t520 + 0x28) == 0) {
							L8:
							__eflags =  *(_t415 + 0x2c);
							if( *(_t415 + 0x2c) != 0) {
								__eflags =  *((intOrPtr*)(_t415 + 8)) - _t490;
								if( *((intOrPtr*)(_t415 + 8)) < _t490) {
									_t413 = SelectObject( *0x13a9524,  *(_t415 + 0x8c));
									_t483 =  *(_t520 - 0x7c);
									 *(_t520 - 0x98) = _t413;
								}
							}
							L11:
							_t290 =  *(_t415 + 0x20);
							 *(_t520 - 0xa8) = _t290;
							__eflags =  *((intOrPtr*)(_t415 + 8)) - _t490;
							if( *((intOrPtr*)(_t415 + 8)) != _t490) {
								L14:
								 *(_t520 - 0x5c) = 0;
								L15:
								__eflags =  *((intOrPtr*)(_t415 + 8)) - _t490;
								if( *((intOrPtr*)(_t415 + 8)) == _t490) {
									L18:
									_t424 = 0xffffffffffffffff;
									__eflags = 0xffffffffffffffff;
									L19:
									_t291 =  *(_t415 + 0x20);
									 *(_t520 - 0x68) = _t424;
									 *(_t520 - 0x70) = _t424;
									__eflags = _t291;
									if(_t291 != 0) {
										L21:
										_t491 = _t415 + 0x44;
										L22:
										 *(_t520 - 0x84) = _t491;
										__eflags = _t291;
										if(_t291 != 0) {
											L24:
											 *(_t520 - 0x64) = 0;
											L25:
											__eflags = _t291;
											if(_t291 != 0) {
												L28:
												 *(_t520 - 0x60) = 0;
												L29:
												_t497 = _t415 + 0x7c;
												 *(_t520 - 0x78) = _t497->left;
												 *(_t520 - 0x74) =  *(_t415 + 0x80);
												_t294 = IsRectEmpty(_t497);
												__eflags = _t294;
												if(_t294 == 0) {
													_t296 = _t497->right - _t497->left;
													__eflags = _t296;
												} else {
													_t296 =  *(_t415 + 0x54);
												}
												 *(_t520 - 0x54) = _t296;
												_t297 = IsRectEmpty(_t497);
												__eflags = _t297;
												if(_t297 == 0) {
													_t299 = _t497->bottom - _t497->top;
													__eflags = _t299;
												} else {
													_t299 =  *(_t415 + 0x58);
												}
												_t498 =  *(_t520 - 0x68);
												_t484 = 0;
												 *(_t520 - 0x50) = _t299;
												__eflags =  *(_t415 + 0x20);
												if( *(_t415 + 0x20) != 0) {
													L37:
													 *(_t520 - 0x20) = _t484;
													 *(_t520 - 0x18) =  *(_t415 + 0x54);
													 *(_t520 - 0x1c) = _t484;
													 *(_t520 - 0x14) =  *(_t415 + 0x58);
													__eflags = _t498 - 0xffffffff;
													if(_t498 == 0xffffffff) {
														L40:
														_t302 = E011C5322() + 0x98;
														__eflags = _t302;
														if(_t302 != 0) {
															_t302 =  *(_t302 + 4);
														}
														FillRect( *(_t491 + 4), _t520 - 0x20, _t302);
														L43:
														_t499 =  *(_t520 + 0x1c);
														__eflags = _t499;
														if(_t499 != 0) {
															_t405 = E011C5322();
															__eflags =  *((intOrPtr*)(_t405 + 0x1ac)) - 0x10;
															if( *((intOrPtr*)(_t405 + 0x1ac)) == 0x10) {
																 *(_t520 - 0x70) = GetPixel( *(_t491 + 4),  *(_t520 - 0x20),  *(_t520 - 0x1c));
															}
														}
														_t484 = 0;
														__eflags = 0;
														goto L47;
													}
													__eflags = _t498 -  *(E011C5322() + 0x1c);
													if(__eflags == 0) {
														goto L40;
													}
													_push(_t498);
													E011B8463(_t520 - 0xb0, _t491, __eflags);
													FillRect( *(_t491 + 4), _t520 - 0x20,  *(_t520 - 0xac));
													 *((intOrPtr*)(_t520 - 0xb0)) = 0x13320c4;
													E011681B0(_t415, _t520 - 0xb0, _t491, _t498);
													goto L43;
												} else {
													__eflags = _t498 - 0xffffffff;
													if(_t498 == 0xffffffff) {
														_t499 =  *(_t520 + 0x1c);
														L47:
														_t426 = _t484;
														 *(_t520 - 0x94) = _t426;
														__eflags = _t499;
														if(_t499 != 0) {
															__eflags =  *((intOrPtr*)(_t415 + 8)) - 0x18;
															if( *((intOrPtr*)(_t415 + 8)) >= 0x18) {
																 *(_t520 + 0x1c) = _t484;
																__eflags = 1;
																_t426 = 1;
																 *(_t520 - 0x94) = 1;
															}
														}
														_t500 =  *(_t520 + 0x24);
														__eflags = _t500;
														if(_t500 != 0) {
															asm("sbb eax, eax");
															_t500 = _t500 &  ~( *((intOrPtr*)(_t415 + 8)) - 0x20);
															__eflags = _t500;
														}
														__eflags =  *(_t520 - 0x6c);
														if( *(_t520 - 0x6c) != 0) {
															L92:
															__eflags = _t500;
															if(_t500 == 0) {
																goto L95;
															}
															goto L93;
														} else {
															__eflags =  *(_t520 + 0x1c);
															if( *(_t520 + 0x1c) != 0) {
																goto L92;
															}
															__eflags = _t500;
															if(_t500 != 0) {
																L93:
																_t348 =  *(_t415 + 0x94);
																__eflags = _t348;
																if(_t348 == 0) {
																	L95:
																	__eflags =  *(_t520 + 0x1c);
																	if( *(_t520 + 0x1c) != 0) {
																		L98:
																		E011EED2A(_t415,  *(_t520 + 0x14), 1, _t484);
																		__eflags = _t500;
																		if(_t500 == 0) {
																			_t428 = 0;
																			__eflags = 0;
																		} else {
																			_t428 =  *((intOrPtr*)(_t415 + 0xb0));
																		}
																		L012EA066();
																		 *((intOrPtr*)( *((intOrPtr*)( *_t491 + 0x30))))(_t428);
																		L012EA066();
																		 *((intOrPtr*)( *((intOrPtr*)( *_t491 + 0x2c))))(0xffffff);
																		__eflags =  *(_t520 + 0x1c);
																		if( *(_t520 + 0x1c) != 0) {
																			_t337 = E011C5385();
																			__eflags =  *(_t337 + 0x58);
																			if( *(_t337 + 0x58) != 0) {
																				_t507 = E011D69E1(_t491,  *((intOrPtr*)(E011C5322() + 0x10)));
																				__eflags = _t507;
																				if(_t507 != 0) {
																					_t345 =  *(_t520 - 0x64) + 1;
																					__eflags = _t345;
																					BitBlt( *(_t491 + 4), _t345,  *(_t520 - 0x60) + 1,  *(_t520 - 0x54) + 2,  *(_t520 - 0x50) + 2,  *0x13a9528, 0, 0, 0xb8074a);
																					E011D69E1(_t491, _t507);
																				}
																			}
																		}
																		_t503 = E011D69E1(_t491,  *((intOrPtr*)(E011C5322() + 0x14)));
																		__eflags = _t503;
																		if(_t503 != 0) {
																			_t334 =  *(_t520 - 0x54) + 2;
																			__eflags = _t334;
																			BitBlt( *(_t491 + 4),  *(_t520 - 0x64),  *(_t520 - 0x60), _t334,  *(_t520 - 0x50) + 2,  *0x13a9528, 0, 0, 0xb8074a);
																			E011D69E1(_t491, _t503);
																		}
																		_t314 =  *(_t520 - 0x58);
																		L108:
																		__eflags =  *(_t520 - 0x6c);
																		if( *(_t520 - 0x6c) != 0) {
																			L110:
																			_t317 = E011B96A4(_t491, E011C5322() + 0xa8);
																			 *(_t520 - 0x8c) = _t317;
																			__eflags = _t317;
																			if(_t317 == 0) {
																				L86:
																				_t504 =  *(_t520 - 0x50);
																				L87:
																				_t435 =  *(_t520 - 0x68);
																				_t485 = 0;
																				__eflags =  *(_t415 + 0x20);
																				if( *(_t415 + 0x20) == 0) {
																					__eflags = _t435 - 0xffffffff;
																					if(_t435 == 0xffffffff) {
																						L120:
																						_t318 =  *(_t520 - 0x98);
																						__eflags = _t318;
																						if(_t318 != 0) {
																							SelectObject( *0x13a9524, _t318);
																						}
																						 *(_t415 + 0x20) =  *(_t520 - 0xa8);
																						_t282 = 1;
																						L124:
																						E012EA081();
																						return _t282;
																					}
																					_t321 =  *(_t520 - 0x80);
																					__eflags = _t321;
																					if(_t321 != 0) {
																						_t322 =  *((intOrPtr*)(_t321 + 4));
																					} else {
																						_t322 = 0;
																					}
																					_push(0xffffffff);
																					_push(0xffffffff);
																					L119:
																					_push(_t435);
																					_push(_t485);
																					_push(_t485);
																					_push( *(_t520 - 0x84));
																					_push(_t504);
																					_push( *(_t520 - 0x54));
																					_push( *(_t520 - 0x88));
																					_push( *(_t520 - 0x7c));
																					_push(_t322);
																					E011F215B(_t485);
																					goto L120;
																				}
																				__eflags = _t435 - 0xffffffff;
																				if(_t435 == 0xffffffff) {
																					_t325 = E011C5322();
																					_t485 = 0;
																					__eflags = 0;
																					_t435 =  *(_t325 + 0x1c);
																				}
																				_t324 =  *(_t520 - 0x80);
																				__eflags = _t324;
																				if(_t324 != 0) {
																					_t322 =  *((intOrPtr*)(_t324 + 4));
																				} else {
																					_t322 = _t485;
																				}
																				_push( *((intOrPtr*)(_t415 + 0x68)));
																				_push( *((intOrPtr*)(_t415 + 0x64)));
																				goto L119;
																			}
																			__eflags =  *(_t520 - 0x58);
																			E011EED2A(_t415,  *(_t520 + 0x14), 0 |  *(_t520 - 0x58) == 0x00000000,  *(_t520 + 0x1c));
																			L012EA066();
																			 *((intOrPtr*)( *((intOrPtr*)( *_t491 + 0x30))))(0);
																			L012EA066();
																			 *((intOrPtr*)( *((intOrPtr*)( *_t491 + 0x2c))))(0xffffff);
																			_t504 =  *(_t520 - 0x50);
																			BitBlt( *(_t491 + 4),  *(_t520 - 0x64),  *(_t520 - 0x60),  *(_t520 - 0x54), _t504,  *0x13a9528, 0, 0, 0xe20746);
																			E011B96A4(_t491,  *(_t520 - 0x8c));
																			goto L87;
																		}
																		__eflags = _t314;
																		if(_t314 == 0) {
																			goto L86;
																		}
																		goto L110;
																	}
																	_t314 =  *(_t520 - 0x58);
																	__eflags = _t314;
																	if(_t314 != 0) {
																		goto L98;
																	}
																	__eflags = _t500;
																	if(_t500 == 0) {
																		goto L108;
																	}
																	goto L98;
																}
																_t349 = SelectObject( *0x13a9524, _t348);
																BitBlt( *(_t491 + 4),  *(_t520 - 0x64),  *(_t520 - 0x60),  *(_t520 - 0x54),  *(_t520 - 0x50),  *0x13a9524,  *(_t415 + 0x54) *  *(_t520 + 0x14) +  *(_t520 - 0x78),  *(_t520 - 0x74), 0xcc0020);
																SelectObject( *0x13a9524, _t349);
																goto L86;
															}
															_t352 = 0x20;
															__eflags =  *((intOrPtr*)(_t415 + 8)) - _t352;
															if( *((intOrPtr*)(_t415 + 8)) == _t352) {
																L57:
																 *((char*)(_t520 - 0x56)) =  *((intOrPtr*)(_t520 + 0x2c));
																 *(_t520 - 0x58) = 0;
																 *((char*)(_t520 - 0x55)) = 1;
																__eflags = _t426;
																if(_t426 != 0) {
																	_t401 =  *0x139e514; // 0x7f
																	 *((char*)(_t520 - 0x56)) = _t401;
																}
																__eflags =  *(_t520 + 0x28);
																if( *(_t520 + 0x28) != 0) {
																	__eflags =  *(_t415 + 0x2c) - _t484;
																	if( *(_t415 + 0x2c) != _t484) {
																		_t400 =  *0x139e515; // -106
																		 *((char*)(_t520 - 0x56)) = _t400;
																	}
																}
																asm("sbb eax, eax");
																_t358 =  ~( *(_t520 - 0x5c)) & 0x00000010;
																_t509 =  *((intOrPtr*)(_t415 + 0x54 + _t358));
																 *(_t520 - 0x6c) =  *(_t415 + 0x58 + _t358);
																_t360 = 0x20;
																 *((intOrPtr*)(_t520 - 0xa4)) =  *((intOrPtr*)(_t415 + 0x54 + _t358));
																__eflags =  *((intOrPtr*)(_t415 + 8)) - _t360;
																if( *((intOrPtr*)(_t415 + 8)) == _t360) {
																	__eflags =  *(_t415 + 0x54) *  *(_t520 + 0x14) +  *(_t520 - 0x78);
																	_t510 = E011EDF1C(_t491,  *(_t520 - 0x64),  *(_t520 - 0x60), _t509,  *(_t520 - 0x6c), E011B9173(_t426, _t484, _t491, _t509,  *0x13a9524),  *(_t415 + 0x54) *  *(_t520 + 0x14) +  *(_t520 - 0x78),  *(_t520 - 0x74),  *(_t520 - 0x54),  *(_t520 - 0x50),  *(_t520 - 0x58));
																	goto L81;
																} else {
																	_t379 =  *(_t520 - 0x50);
																	_t466 =  *(_t520 - 0x54);
																	 *((short*)(_t520 - 0x40)) = 1;
																	_t515 = 0x20;
																	 *((short*)(_t520 - 0x3e)) = _t515;
																	 *(_t520 - 0x44) = _t379;
																	_t517 = _t379 * _t466;
																	 *(_t520 - 0x4c) = 0x28;
																	 *(_t520 - 0x48) = _t466;
																	 *(_t520 - 0x3c) = _t484;
																	 *(_t520 - 0x38) = _t517;
																	 *(_t520 - 0x34) = _t484;
																	 *(_t520 - 0x30) = _t484;
																	 *(_t520 - 0x2c) = _t484;
																	 *(_t520 - 0x28) = _t484;
																	 *(_t520 - 0x5c) = _t484;
																	_t382 = CreateDIBSection(_t484, _t520 - 0x4c, _t484, _t520 - 0x5c, _t484, _t484);
																	__eflags = _t382;
																	if(_t382 == 0) {
																		goto L123;
																	}
																	 *(_t520 - 0x9c) =  *(_t520 - 0x9c) & 0x00000000;
																	 *((intOrPtr*)(_t520 - 0xa0)) = 0x1331fa4;
																	 *(_t520 - 4) =  *(_t520 - 4) & 0x00000000;
																	E011B8E9D(_t520 - 0xa0, _t484, _t491, _t382);
																	E011B84FA(_t520 - 0xc0);
																	 *(_t520 - 4) = 1;
																	E011B8E5C(_t520 - 0xc0, CreateCompatibleDC(0));
																	 *(_t520 - 0x8c) = E011B9645( *(_t520 - 0xbc),  *(_t520 - 0x9c));
																	_t390 = BitBlt( *(_t520 - 0xbc), 0, 0,  *(_t520 - 0x54),  *(_t520 - 0x50),  *0x13a9524,  *(_t415 + 0x54) *  *(_t520 + 0x14) +  *(_t520 - 0x78),  *(_t520 - 0x74), 0xcc0020);
																	__eflags =  *(_t415 + 0xa8) - 0xffffffff;
																	if( *(_t415 + 0xa8) != 0xffffffff) {
																		_t390 =  *(_t415 + 0xaa) & 0x000000ff;
																		_t477 = (( *(_t415 + 0xa8) & 0x000000ff) << 0x00000008 |  *(_t415 + 0xa9) & 0x000000ff) << 0x00000008 | _t390;
																		__eflags = _t517;
																		if(_t517 <= 0) {
																			L76:
																			__imp__AlphaBlend( *(_t491 + 4),  *(_t520 - 0x64),  *(_t520 - 0x60),  *((intOrPtr*)(_t520 - 0xa4)),  *(_t520 - 0x6c),  *(_t520 - 0xbc), 0, 0,  *(_t520 - 0x54),  *(_t520 - 0x50),  *(_t520 - 0x58));
																			_t510 = _t390;
																			_t392 =  *(_t520 - 0x8c);
																			__eflags = _t392;
																			if(_t392 != 0) {
																				_t478 =  *((intOrPtr*)(_t392 + 4));
																			} else {
																				_t478 = 0;
																			}
																			E011B9645( *(_t520 - 0xbc), _t478);
																			E011B865B(_t520 - 0xc0);
																			 *(_t520 - 4) =  *(_t520 - 4) | 0xffffffff;
																			 *((intOrPtr*)(_t520 - 0xa0)) = 0x1331fa4;
																			E011681B0(_t415, _t520 - 0xa0, _t491, _t510);
																			L81:
																			__eflags = _t510;
																			if(_t510 != 0) {
																				goto L86;
																			}
																			L82:
																			_t504 =  *(_t520 - 0x50);
																			BitBlt( *(_t491 + 4),  *(_t520 - 0x64),  *(_t520 - 0x60),  *(_t520 - 0x54), _t504,  *0x13a9524,  *(_t415 + 0x54) *  *(_t520 + 0x14) +  *(_t520 - 0x78),  *(_t520 - 0x74), 0xcc0020);
																			__eflags =  *(_t520 - 0x94);
																			if( *(_t520 - 0x94) == 0) {
																				goto L87;
																			}
																			E012203AA(_t520 - 0x90, _t491);
																			__eflags =  *(_t520 - 0x70) - 0xffffffff;
																			 *(_t520 - 4) = 2;
																			if( *(_t520 - 0x70) == 0xffffffff) {
																				 *(_t520 - 0x70) =  *(E011C5322() + 0x1c);
																			}
																			_t371 = E011C5385();
																			_t486 =  *(_t520 - 0x60);
																			_t457 =  *(_t520 - 0x64);
																			 *(_t520 - 0xd0) = _t457;
																			 *((intOrPtr*)(_t520 - 0xc8)) = _t457 +  *(_t520 - 0x54) + 2;
																			 *(_t520 - 0xcc) = _t486;
																			 *((intOrPtr*)(_t520 - 0xc4)) = _t486 + 2 + _t504;
																			L012EA066();
																			_push( *((intOrPtr*)( *((intOrPtr*)( *_t371 + 0xb8))))());
																			_push( *(_t520 - 0x70));
																			_push(0xffffffff);
																			asm("movsd");
																			asm("movsd");
																			asm("movsd");
																			asm("movsd");
																			_t375 = E01222B9F(_t520 - 0x90, _t486, _t527);
																			_t213 = _t520 - 4;
																			 *_t213 =  *(_t520 - 4) | 0xffffffff;
																			__eflags =  *_t213;
																			E012203BF(_t375, _t520 - 0x90);
																			goto L86;
																		}
																		_t396 =  *(_t520 - 0x5c);
																		do {
																			_t487 =  *_t396;
																			__eflags = _t487 - _t477;
																			if(_t487 == _t477) {
																				 *_t396 =  *_t396 & 0x00000000;
																				__eflags =  *_t396;
																			} else {
																				 *_t396 = _t487 | 0xff000000;
																			}
																			_t396 =  *(_t520 - 0x5c) + 4;
																			 *(_t520 - 0x5c) = _t396;
																			_t517 = _t517 - 1;
																			__eflags = _t517;
																		} while (_t517 != 0);
																		goto L76;
																	}
																	__eflags = _t517;
																	if(_t517 <= 0) {
																		goto L76;
																	}
																	_t398 =  *(_t520 - 0x5c);
																	do {
																		 *_t398 =  *_t398 | 0xff000000;
																		_t398 =  *(_t520 - 0x5c) + 4;
																		 *(_t520 - 0x5c) = _t398;
																		_t517 = _t517 - 1;
																		__eflags = _t517;
																	} while (_t517 != 0);
																	goto L76;
																}
															}
															__eflags =  *0x13a94fc - _t500; // 0x0
															if(__eflags == 0) {
																goto L82;
															}
															goto L57;
														}
													}
													goto L37;
												}
											}
											__eflags = _t424 - 0xffffffff;
											if(_t424 != 0xffffffff) {
												goto L28;
											}
											 *(_t520 - 0x60) =  *(_t520 - 0x88);
											goto L29;
										}
										 *(_t520 - 0x64) = _t483;
										__eflags = _t424 - 0xffffffff;
										if(_t424 == 0xffffffff) {
											goto L25;
										}
										goto L24;
									}
									_t491 =  *(_t520 - 0x80);
									__eflags = _t424 - 0xffffffff;
									if(_t424 == 0xffffffff) {
										goto L22;
									}
									goto L21;
								}
								__eflags =  *0x13a94fc; // 0x0
								if(__eflags != 0) {
									goto L18;
								}
								_t424 =  *(_t415 + 0xa8);
								goto L19;
							}
							__eflags = _t290;
							if(_t290 == 0) {
								goto L14;
							} else {
								 *(_t520 - 0x5c) = 1;
								 *(_t415 + 0x20) = 0;
								goto L15;
							}
						}
						__eflags =  *(_t520 + 0x1c);
						if( *(_t520 + 0x1c) == 0) {
							goto L11;
						}
						goto L8;
					} else {
						goto L6;
					}
				}
			}

0x011eef92
0x011eef92
0x011eef9c
0x011eefa1
0x011eefa6
0x011eefa9
0x011eefac
0x011eefaf
0x011eefb2
0x011eefb5
0x011eefbd
0x011ef7fa
0x011ef7fa
0x011ef7fa
0x00000000
0x011eefcc
0x011eefd0
0x011eefeb
0x011eeff6
0x011eeff9
0x011eefff
0x011ef002
0x011ef008
0x011ef00d
0x011ef012
0x011ef01b
0x011ef01c
0x011ef01e
0x011ef026
0x011ef027
0x011ef02a
0x011ef02d
0x011ef033
0x011ef034
0x011ef037
0x011ef03e
0x011ef03e
0x011ef041
0x011ef043
0x011ef046
0x011ef054
0x011ef05a
0x011ef05d
0x011ef05d
0x011ef046
0x011ef063
0x011ef063
0x011ef069
0x011ef06f
0x011ef072
0x011ef080
0x011ef080
0x011ef083
0x011ef083
0x011ef086
0x011ef098
0x011ef098
0x011ef098
0x011ef09b
0x011ef09b
0x011ef09e
0x011ef0a1
0x011ef0a4
0x011ef0a6
0x011ef0b0
0x011ef0b0
0x011ef0b3
0x011ef0b3
0x011ef0b9
0x011ef0bb
0x011ef0c5
0x011ef0c5
0x011ef0c8
0x011ef0c8
0x011ef0ca
0x011ef0dc
0x011ef0dc
0x011ef0df
0x011ef0df
0x011ef0e4
0x011ef0ee
0x011ef0f1
0x011ef0f7
0x011ef0f9
0x011ef103
0x011ef103
0x011ef0fb
0x011ef0fb
0x011ef0fb
0x011ef106
0x011ef109
0x011ef10f
0x011ef111
0x011ef11b
0x011ef11b
0x011ef113
0x011ef113
0x011ef113
0x011ef11e
0x011ef121
0x011ef123
0x011ef126
0x011ef129
0x011ef134
0x011ef13a
0x011ef13d
0x011ef140
0x011ef143
0x011ef146
0x011ef149
0x011ef18b
0x011ef190
0x011ef190
0x011ef195
0x011ef197
0x011ef197
0x011ef1a2
0x011ef1a8
0x011ef1a8
0x011ef1ab
0x011ef1ad
0x011ef1af
0x011ef1b4
0x011ef1bb
0x011ef1cc
0x011ef1cc
0x011ef1bb
0x011ef1cf
0x011ef1cf
0x00000000
0x011ef1cf
0x011ef150
0x011ef153
0x00000000
0x00000000
0x011ef155
0x011ef15c
0x011ef16e
0x011ef17a
0x011ef184
0x00000000
0x011ef12b
0x011ef12b
0x011ef12e
0x011ef393
0x011ef1d1
0x011ef1d1
0x011ef1d3
0x011ef1d9
0x011ef1db
0x011ef1dd
0x011ef1e1
0x011ef1e5
0x011ef1e8
0x011ef1e9
0x011ef1eb
0x011ef1eb
0x011ef1e1
0x011ef1f1
0x011ef1f4
0x011ef1f6
0x011ef200
0x011ef202
0x011ef202
0x011ef202
0x011ef204
0x011ef208
0x011ef596
0x011ef596
0x011ef598
0x00000000
0x00000000
0x00000000
0x011ef20e
0x011ef20e
0x011ef212
0x00000000
0x00000000
0x011ef218
0x011ef21a
0x011ef59a
0x011ef59a
0x011ef5a0
0x011ef5a2
0x011ef5f3
0x011ef5f3
0x011ef5f7
0x011ef608
0x011ef612
0x011ef617
0x011ef619
0x011ef623
0x011ef623
0x011ef61b
0x011ef61b
0x011ef61b
0x011ef62d
0x011ef634
0x011ef642
0x011ef649
0x011ef64b
0x011ef64f
0x011ef651
0x011ef656
0x011ef65a
0x011ef66b
0x011ef66d
0x011ef66f
0x011ef696
0x011ef696
0x011ef69b
0x011ef6a4
0x011ef6a4
0x011ef66f
0x011ef65a
0x011ef6b8
0x011ef6ba
0x011ef6bc
0x011ef6d6
0x011ef6d6
0x011ef6e4
0x011ef6ed
0x011ef6ed
0x011ef6f2
0x011ef6f5
0x011ef6f5
0x011ef6f9
0x011ef703
0x011ef710
0x011ef715
0x011ef71b
0x011ef71d
0x011ef564
0x011ef564
0x011ef567
0x011ef567
0x011ef56a
0x011ef56c
0x011ef56f
0x011ef7a2
0x011ef7a5
0x011ef7d5
0x011ef7d5
0x011ef7db
0x011ef7dd
0x011ef7e6
0x011ef7e6
0x011ef7f2
0x011eefe2
0x011ef7fc
0x011ef7fc
0x011ef801
0x011ef801
0x011ef7a7
0x011ef7aa
0x011ef7ac
0x011ef7b2
0x011ef7ae
0x011ef7ae
0x011ef7ae
0x011ef7b5
0x011ef7b7
0x011ef7b9
0x011ef7b9
0x011ef7ba
0x011ef7bb
0x011ef7bc
0x011ef7c2
0x011ef7c3
0x011ef7c6
0x011ef7cc
0x011ef7cf
0x011ef7d0
0x00000000
0x011ef7d0
0x011ef575
0x011ef578
0x011ef57a
0x011ef57f
0x011ef57f
0x011ef581
0x011ef581
0x011ef584
0x011ef587
0x011ef589
0x011ef797
0x011ef58f
0x011ef58f
0x011ef58f
0x011ef79a
0x011ef79d
0x00000000
0x011ef79d
0x011ef728
0x011ef734
0x011ef742
0x011ef749
0x011ef757
0x011ef75e
0x011ef760
0x011ef77f
0x011ef78d
0x00000000
0x011ef78d
0x011ef6fb
0x011ef6fd
0x00000000
0x00000000
0x00000000
0x011ef6fd
0x011ef5f9
0x011ef5fc
0x011ef5fe
0x00000000
0x00000000
0x011ef600
0x011ef602
0x00000000
0x00000000
0x00000000
0x011ef602
0x011ef5ab
0x011ef5db
0x011ef5e8
0x00000000
0x011ef5e8
0x011ef222
0x011ef223
0x011ef226
0x011ef234
0x011ef237
0x011ef23d
0x011ef243
0x011ef246
0x011ef248
0x011ef24a
0x011ef24f
0x011ef24f
0x011ef252
0x011ef256
0x011ef258
0x011ef25b
0x011ef25d
0x011ef262
0x011ef262
0x011ef25b
0x011ef26c
0x011ef26e
0x011ef271
0x011ef279
0x011ef27c
0x011ef27d
0x011ef283
0x011ef286
0x011ef465
0x011ef486
0x00000000
0x011ef28c
0x011ef28c
0x011ef291
0x011ef297
0x011ef29b
0x011ef29d
0x011ef2a4
0x011ef2ab
0x011ef2b4
0x011ef2bb
0x011ef2be
0x011ef2c1
0x011ef2c4
0x011ef2c7
0x011ef2ca
0x011ef2cd
0x011ef2d0
0x011ef2d3
0x011ef2d9
0x011ef2db
0x00000000
0x00000000
0x011ef2e1
0x011ef2e8
0x011ef2f2
0x011ef2fd
0x011ef308
0x011ef312
0x011ef322
0x011ef347
0x011ef367
0x011ef36d
0x011ef374
0x011ef3ae
0x011ef3b8
0x011ef3ba
0x011ef3bc
0x011ef3e2
0x011ef407
0x011ef40d
0x011ef40f
0x011ef415
0x011ef417
0x011ef41d
0x011ef419
0x011ef419
0x011ef419
0x011ef427
0x011ef432
0x011ef437
0x011ef441
0x011ef44b
0x011ef488
0x011ef488
0x011ef48a
0x00000000
0x00000000
0x011ef490
0x011ef497
0x011ef4b9
0x011ef4bf
0x011ef4c6
0x00000000
0x00000000
0x011ef4d3
0x011ef4d8
0x011ef4dc
0x011ef4e3
0x011ef4ed
0x011ef4ed
0x011ef4f0
0x011ef4f5
0x011ef4fd
0x011ef503
0x011ef50b
0x011ef516
0x011ef51c
0x011ef52c
0x011ef535
0x011ef536
0x011ef53f
0x011ef54c
0x011ef54d
0x011ef54e
0x011ef54f
0x011ef550
0x011ef555
0x011ef555
0x011ef555
0x011ef55f
0x00000000
0x011ef55f
0x011ef3be
0x011ef3c1
0x011ef3c1
0x011ef3c3
0x011ef3c5
0x011ef3d1
0x011ef3d1
0x011ef3c7
0x011ef3cd
0x011ef3cd
0x011ef3d7
0x011ef3da
0x011ef3dd
0x011ef3dd
0x011ef3dd
0x00000000
0x011ef3c1
0x011ef376
0x011ef378
0x00000000
0x00000000
0x011ef37a
0x011ef37d
0x011ef37d
0x011ef386
0x011ef389
0x011ef38c
0x011ef38c
0x011ef38c
0x00000000
0x011ef391
0x011ef286
0x011ef228
0x011ef22e
0x00000000
0x00000000
0x00000000
0x011ef22e
0x011ef208
0x00000000
0x011ef12e
0x011ef129
0x011ef0cc
0x011ef0cf
0x00000000
0x00000000
0x011ef0d7
0x00000000
0x011ef0d7
0x011ef0bd
0x011ef0c0
0x011ef0c3
0x00000000
0x00000000
0x00000000
0x011ef0c3
0x011ef0a8
0x011ef0ab
0x011ef0ae
0x00000000
0x00000000
0x00000000
0x011ef0ae
0x011ef088
0x011ef08e
0x00000000
0x00000000
0x011ef090
0x00000000
0x011ef090
0x011ef074
0x011ef076
0x00000000
0x011ef078
0x011ef078
0x011ef07b
0x00000000
0x011ef07b
0x011ef076
0x011ef039
0x011ef03c
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x011eefd0

APIs

__EH_prolog3_GS.LIBCMT ref: 011EEF9C
SelectObject.GDI32(?,000000C4), ref: 011EF054
IsRectEmpty.USER32(?), ref: 011EF0F1
IsRectEmpty.USER32(?), ref: 011EF109
FillRect.USER32 ref: 011EF16E
GetPixel.GDI32(?,?,00000007), ref: 011EF1C6

Strings

(, xrefs: 011EF2B4

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: Rect$Empty$FillH_prolog3_ObjectPixelSelect
String ID: (
API String ID: 1242395412-3887548279
Opcode ID: ca5e27e6c756abe3a1d037df36d224d80389f69c808aa5b280461986364a4e60
Instruction ID: 5329d498d6f9c2c9511ab10b2dec1d1660444589544be7be982fffac6acafd84
Opcode Fuzzy Hash: ca5e27e6c756abe3a1d037df36d224d80389f69c808aa5b280461986364a4e60
Instruction Fuzzy Hash: 55426971A0061ADFDF29DFA8CC88BADBBB5FF08314F148169E919AB295D7309941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 012231B6 Relevance: 24.9, APIs: 13, Strings: 1, Instructions: 388
windowCOMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E012231B6(intOrPtr __ecx, signed int __edx) {
				void* _t151;
				struct HDC__* _t158;
				struct HBITMAP__* _t162;
				intOrPtr _t164;
				void* _t167;
				struct HDC__* _t171;
				int _t174;
				int* _t183;
				signed int* _t186;
				int _t194;
				int _t200;
				int _t207;
				signed char _t211;
				int _t214;
				signed int _t216;
				void* _t218;
				void* _t222;
				void* _t226;
				void* _t230;
				void* _t236;
				signed int _t238;
				void* _t240;
				signed int _t242;
				signed char _t243;
				void* _t259;
				intOrPtr _t267;
				unsigned int _t268;
				int _t279;
				signed int _t288;
				signed int _t292;
				signed int _t294;
				signed int _t297;
				signed int _t299;
				signed int _t300;
				signed int _t301;
				signed int _t317;
				int _t329;
				int _t330;
				int _t332;
				int _t333;
				void* _t336;
				void* _t338;
				void* _t340;
				void* _t341;
				signed long long* _t342;
				signed long long _t348;

				_t317 = __edx;
				_push(0x4c);
				E012EA0A3();
				_t267 = __ecx;
				 *((intOrPtr*)(_t341 - 0x48)) = __ecx;
				if( *(_t341 + 0x18) == 0x64 ||  *((intOrPtr*)(_t341 + 0x14)) -  *(_t341 + 0xc) <= 0 ||  *((intOrPtr*)(_t341 + 0x10)) -  *(_t341 + 8) <= 0) {
					L32:
					_t151 = 1;
					goto L33;
				} else {
					if( *((intOrPtr*)(E011C5322() + 0x1ac)) > 8) {
						if( *(_t341 + 0x24) == 0xffffffff ||  *(_t341 + 0x18) <= 0x64) {
							_t329 =  *((intOrPtr*)(_t341 + 0x10)) -  *(_t341 + 8);
							_t332 =  *((intOrPtr*)(_t341 + 0x14)) -  *(_t341 + 0xc);
							 *(_t341 - 0x40) = _t329;
							 *(_t341 - 0x44) = _t332;
							E011B84FA(_t341 - 0x3c);
							 *(_t341 - 4) =  *(_t341 - 4) & 0x00000000;
							_t158 =  *(_t267 + 4);
							if(_t158 != 0) {
								_t158 =  *(_t158 + 4);
							}
							if(E011B8E5C(_t341 - 0x3c, CreateCompatibleDC(_t158)) != 0) {
								 *(_t341 - 0x20) =  *(_t341 - 0x20) & 0x00000000;
								 *((intOrPtr*)(_t341 - 0x24)) = 0x1331fa4;
								 *(_t341 - 4) = 1;
								_t162 = CreateCompatibleBitmap( *( *(_t267 + 4) + 4), _t329, _t332);
								_t274 = _t341 - 0x24;
								if(E011B8E9D(_t341 - 0x24, _t317, _t329, _t162) != 0) {
									_t164 = E011B9645( *(_t341 - 0x38),  *(_t341 - 0x20));
									 *((intOrPtr*)(_t341 - 0x4c)) = _t164;
									if(_t164 == 0) {
										E011B1E69(_t274);
									}
									 *(_t341 - 0x58) = _t329;
									 *(_t341 - 0x54) = _t332;
									_t167 = E01220458(_t267, _t329, _t332, _t341 - 0x58, _t341 - 0x18);
									 *(_t341 - 0x50) = _t167;
									if(_t167 == 0 ||  *(_t341 - 0x18) == 0) {
										goto L13;
									} else {
										SelectObject( *(_t341 - 0x38), _t167);
										_t171 =  *(_t267 + 4);
										if(_t171 != 0) {
											_t171 =  *(_t171 + 4);
										}
										BitBlt( *(_t341 - 0x38), 0, 0, _t329, _t332, _t171,  *(_t341 + 8),  *(_t341 + 0xc), 0xcc0020);
										_t268 =  *(_t341 + 0x1c);
										if(_t268 != 0xffffffff) {
											_t268 = _t268 >> 0x00000010 & 0x000000ff | (_t268 >> 0x00000008 & 0x000000ff | (_t268 & 0x000000ff) << 0x00000008) << 0x00000008;
										}
										_t174 = _t332 * _t329;
										 *(_t341 - 0x28) = _t174;
										if(_t174 <= 0) {
											L31:
											BitBlt( *( *((intOrPtr*)( *((intOrPtr*)(_t341 - 0x48)) + 4)) + 4),  *(_t341 + 8),  *(_t341 + 0xc), _t329, _t332,  *(_t341 - 0x38), 0, 0, 0xcc0020);
											E011B9645( *(_t341 - 0x38),  *((intOrPtr*)( *((intOrPtr*)(_t341 - 0x4c)) + 4)));
											DeleteObject( *(_t341 - 0x50));
											 *((intOrPtr*)(_t341 - 0x24)) = 0x1331fa4;
											E011681B0(_t268, _t341 - 0x24, _t329, _t332);
											E011B865B(_t341 - 0x3c);
											goto L32;
										} else {
											_t348 =  *0x13341f0;
											_t183 =  *(_t341 - 0x18);
											_t330 =  *(_t341 - 0x28);
											do {
												_t279 =  *_t183;
												 *(_t341 - 0x10) = _t279;
												if( *((intOrPtr*)(_t341 + 0x20)) <= 0) {
													if((0 | _t279 == _t268) != 0) {
														L28:
														_t186 =  *(_t341 - 0x18);
														goto L29;
													}
													L38:
													_t333 =  *(_t341 + 0x18);
													if(_t333 != 0xffffffff) {
														if( *(_t341 + 0x24) != 0xffffffff) {
															_t317 = _t279 & 0x000000ff;
															st0 = _t348;
															 *(_t341 - 0x10) = _t279 >> 0x00000008 & 0x000000ff;
															 *(_t341 - 0x1c) = _t279 >> 0x00000010 & 0x000000ff;
															_t194 = ( *(_t341 + 0x24) >> 0x00000010 & 0x000000ff) - _t317;
															 *(_t341 - 0x14) = _t317;
															 *(_t341 - 0x28) = _t194;
															if(MulDiv(_t194, _t333, 0x64) +  *(_t341 - 0x14) <= 0xff) {
																 *(_t341 - 0x28) = MulDiv( *(_t341 - 0x28), _t333, 0x64) +  *(_t341 - 0x14);
															} else {
																 *(_t341 - 0x28) = 0xff;
															}
															_t200 = ( *(_t341 + 0x24) >> 0x00000008 & 0x000000ff) -  *(_t341 - 0x10);
															 *(_t341 - 0x14) = _t200;
															if(MulDiv(_t200, _t333, 0x64) +  *(_t341 - 0x10) <= 0xff) {
																 *(_t341 - 0x14) = MulDiv( *(_t341 - 0x14), _t333, 0x64) +  *(_t341 - 0x10);
															} else {
																 *(_t341 - 0x14) = 0xff;
															}
															_t207 = ( *(_t341 + 0x24) & 0x000000ff) -  *(_t341 - 0x1c);
															 *(_t341 - 0x10) = _t207;
															if(MulDiv(_t207, _t333, 0x64) +  *(_t341 - 0x1c) <= 0xff) {
																_t211 = MulDiv( *(_t341 - 0x10), _t333, 0x64) +  *(_t341 - 0x1c);
															} else {
																_t211 = 0xff;
															}
															_t288 = (_t211 & 0x000000ff | 0xffffff00) << 0x00000008 |  *(_t341 - 0x14) & 0x000000ff;
															_t214 =  *(_t341 - 0x28);
															L49:
															_t348 =  *0x13341f0;
															_t186 =  *(_t341 - 0x18);
															 *_t186 = _t288 << 0x00000008 | _t214 & 0x000000ff;
															goto L29;
														}
														asm("fild dword [ebp+0x18]");
														_t342 = _t342 - 0x18;
														 *(_t341 - 0x2c) = _t348;
														asm("fst qword [esp+0x10]");
														asm("fst qword [esp+0x8]");
														 *_t342 = _t348 *  *(_t341 - 0x2c);
														_push(_t279);
														_t216 = E01223BB2(_t279);
														_t348 =  *0x13341f0;
														 *( *(_t341 - 0x18)) = _t216 | 0xff000000;
														goto L28;
													}
													st0 = _t348;
													_t336 = (_t279 & 0x000000ff) + (_t279 & 0x000000ff);
													_t218 = E011C5322();
													_t292 = 3;
													if((( *(_t218 + 0x26) & 0x000000ff) + _t336) / _t292 <= 0xff) {
														_t222 = E011C5322();
														_t294 = 3;
														 *(_t341 - 0x14) = (( *(_t222 + 0x26) & 0x000000ff) + _t336) / _t294;
													} else {
														 *(_t341 - 0x14) = 0xff;
													}
													_t338 = ( *(_t341 - 0x10) >> 0x00000008 & 0x000000ff) + ( *(_t341 - 0x10) >> 0x00000008 & 0x000000ff);
													_t226 = E011C5322();
													_t297 = 3;
													if((( *(_t226 + 0x25) & 0x000000ff) + _t338) / _t297 <= 0xff) {
														_t230 = E011C5322();
														_t299 = 3;
														 *(_t341 - 0x1c) = (( *(_t230 + 0x25) & 0x000000ff) + _t338) / _t299;
													} else {
														 *(_t341 - 0x1c) = 0xff;
													}
													_t340 = ( *(_t341 - 0x10) >> 0x00000010 & 0x000000ff) + ( *(_t341 - 0x10) >> 0x00000010 & 0x000000ff);
													_t236 = E011C5322();
													_t300 = 3;
													_t238 = ( *(_t236 + 0x24) & 0x000000ff) + _t340;
													_t317 = _t238 % _t300;
													if(_t238 / _t300 <= 0xff) {
														_t240 = E011C5322();
														_t301 = 3;
														_t242 = ( *(_t240 + 0x24) & 0x000000ff) + _t340;
														_t243 = _t242 / _t301;
														_t317 = _t242 % _t301;
													} else {
														_t243 = 0xff;
													}
													_t288 = (_t243 & 0x000000ff | 0xffffff00) << 0x00000008 |  *(_t341 - 0x1c) & 0x000000ff;
													_t214 =  *(_t341 - 0x14);
													goto L49;
												}
												st0 = _t348;
												if(E01304A7B(_t317, (_t279 & 0x000000ff) - (_t268 & 0x000000ff)) >=  *((intOrPtr*)(_t341 + 0x20))) {
													L36:
													_t348 =  *0x13341f0;
													L37:
													_t279 =  *(_t341 - 0x10);
													goto L38;
												}
												_t334 =  *(_t341 - 0x10);
												if(E01304A7B(_t317, ( *(_t341 - 0x10) >> 0x00000008 & 0x000000ff) - (_t268 >> 0x00000008 & 0x000000ff)) >=  *((intOrPtr*)(_t341 + 0x20))) {
													goto L36;
												}
												_t259 = E01304A7B(_t317, (_t334 >> 0x00000010 & 0x000000ff) - (_t268 >> 0x00000010 & 0x000000ff));
												_t348 =  *0x13341f0;
												if(_t259 >=  *((intOrPtr*)(_t341 + 0x20))) {
													goto L37;
												}
												goto L28;
												L29:
												_t183 =  &(_t186[1]);
												 *(_t341 - 0x18) = _t183;
												_t330 = _t330 - 1;
											} while (_t330 != 0);
											_t329 =  *(_t341 - 0x40);
											st0 = _t348;
											_t332 =  *(_t341 - 0x44);
											goto L31;
										}
									}
								}
								L13:
								 *((intOrPtr*)(_t341 - 0x24)) = 0x1331fa4;
								E011681B0(_t267, _t341 - 0x24, _t329, _t332);
								goto L11;
							} else {
								L11:
								E011B865B(_t341 - 0x3c);
								goto L7;
							}
						} else {
							L7:
							_t151 = 0;
							L33:
							E012EA06C();
							return _t151;
						}
					}
					E011EFDD7( *(_t267 + 4), _t341 + 8);
					goto L32;
				}
			}

0x012231b6
0x012231b6
0x012231bd
0x012231c2
0x012231c4
0x012231cb
0x01223426
0x01223428
0x00000000
0x012231ed
0x012231f9
0x01223210
0x01223228
0x0122322b
0x0122322e
0x01223231
0x01223234
0x01223239
0x0122323d
0x01223242
0x01223244
0x01223244
0x01223259
0x01223265
0x01223269
0x01223275
0x0122327c
0x01223283
0x0122328d
0x012232a6
0x012232ab
0x012232b0
0x012232b2
0x012232b2
0x012232ba
0x012232c1
0x012232c5
0x012232ca
0x012232cf
0x00000000
0x012232d7
0x012232db
0x012232e1
0x012232e6
0x012232e8
0x012232e8
0x01223300
0x01223306
0x0122330c
0x01223327
0x01223327
0x0122332b
0x0122332e
0x01223333
0x012233d5
0x012233f2
0x01223401
0x01223409
0x01223412
0x01223419
0x01223421
0x00000000
0x01223339
0x01223339
0x0122333f
0x01223342
0x01223345
0x01223349
0x0122334b
0x0122334e
0x0122343a
0x012233bb
0x012233bb
0x00000000
0x012233bb
0x0122344b
0x0122344b
0x01223451
0x01223543
0x01223579
0x0122357f
0x01223584
0x0122358d
0x0122359b
0x0122359d
0x012235a2
0x012235b5
0x012235cb
0x012235b7
0x012235b7
0x012235b7
0x012235d9
0x012235de
0x012235f1
0x01223607
0x012235f3
0x012235f3
0x012235f3
0x01223612
0x01223617
0x01223628
0x0122363d
0x0122362a
0x0122362a
0x0122362a
0x01223652
0x01223654
0x01223527
0x01223527
0x01223535
0x01223538
0x00000000
0x01223538
0x01223545
0x01223548
0x0122354b
0x01223551
0x01223555
0x01223559
0x0122355c
0x0122355d
0x0122356a
0x01223570
0x00000000
0x01223570
0x0122345a
0x0122345c
0x0122345e
0x01223467
0x01223477
0x0122347e
0x01223487
0x01223490
0x01223479
0x01223479
0x01223479
0x0122349c
0x0122349e
0x012234a7
0x012234b7
0x012234be
0x012234c7
0x012234d0
0x012234b9
0x012234b9
0x012234b9
0x012234dc
0x012234de
0x012234e7
0x012234ec
0x012234ee
0x012234f5
0x012234fe
0x01223507
0x0122350c
0x0122350e
0x0122350e
0x012234f7
0x012234f7
0x012234f7
0x01223522
0x01223524
0x00000000
0x01223524
0x01223357
0x01223368
0x01223442
0x01223442
0x01223448
0x01223448
0x00000000
0x01223448
0x0122336e
0x0122338d
0x00000000
0x00000000
0x012233a6
0x012233ab
0x012233b5
0x00000000
0x00000000
0x00000000
0x012233be
0x012233be
0x012233c1
0x012233c4
0x012233c4
0x012233cd
0x012233d0
0x012233d2
0x00000000
0x012233d2
0x01223333
0x012232cf
0x0122328f
0x01223292
0x01223299
0x00000000
0x0122325b
0x0122325b
0x0122325e
0x00000000
0x0122325e
0x01223218
0x01223218
0x01223218
0x01223429
0x01223429
0x0122342e
0x0122342e
0x01223210
0x01223202
0x00000000
0x01223202

APIs

__EH_prolog3.LIBCMT ref: 012231BD
BitBlt.GDI32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,00CC0020), ref: 012233F2
DeleteObject.GDI32(?), ref: 01223409
MulDiv.KERNEL32(?,00000000,00000064), ref: 012235A5
MulDiv.KERNEL32(00000064,00000000,00000064), ref: 012235C2
MulDiv.KERNEL32(00000000,00000000,00000064), ref: 012235E1
MulDiv.KERNEL32(00000028,00000000,00000064), ref: 012235FE
MulDiv.KERNEL32(?,00000000,00000064), ref: 0122361A
MulDiv.KERNEL32(00000000,00000000,00000064), ref: 01223637

Strings

d, xrefs: 01223212

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: DeleteH_prolog3Object
String ID: d
API String ID: 2942389277-2564639436
Opcode ID: 838f3e13e7a369ff71e9f79e829edbe0dfd46941d22ade6ed17581b74fa73e08
Instruction ID: a59f66cc5e1fc5d5a0f8c615bf60a928389e791b404d8d44a0c6e5ad182d64cb
Opcode Fuzzy Hash: 838f3e13e7a369ff71e9f79e829edbe0dfd46941d22ade6ed17581b74fa73e08
Instruction Fuzzy Hash: ECE1CC70A1022AAFDB25DFA9DD45ABE7FB4FF58305F004169F641E6281CB38D911CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 013166CB Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 77%

			E013166CB(void* __ebx, void* __eflags, signed int _a4, signed int _a8, intOrPtr _a12, intOrPtr* _a16, signed int _a20, intOrPtr _a24) {
				signed int _v0;
				signed int _v8;
				char _v460;
				signed int _v464;
				void _v468;
				signed int _v472;
				signed int _v932;
				signed int _v936;
				signed int _v1392;
				signed int _v1396;
				signed int _v1400;
				char _v1860;
				signed int _v1864;
				signed int _v1865;
				signed int _v1872;
				signed int _v1876;
				signed int _v1880;
				signed int _v1884;
				signed int _v1888;
				signed int _v1892;
				signed int _v1896;
				intOrPtr _v1900;
				signed int _v1904;
				signed int _v1908;
				signed int _v1912;
				signed int _v1916;
				signed int _v1920;
				signed int _v1924;
				signed int _v1928;
				char _v1936;
				char _v1944;
				char _v2404;
				signed int _v2408;
				signed int _v2424;
				void* __edi;
				void* __esi;
				signed int _t725;
				signed int _t735;
				signed int _t736;
				signed int _t740;
				intOrPtr _t742;
				intOrPtr* _t743;
				intOrPtr* _t746;
				signed int _t751;
				signed int _t752;
				signed int _t758;
				signed int _t764;
				intOrPtr _t766;
				void* _t767;
				signed int _t768;
				signed int _t769;
				signed int _t770;
				signed int _t778;
				signed int _t779;
				signed int _t782;
				signed int _t783;
				signed int _t784;
				signed int _t787;
				signed int _t788;
				signed int _t789;
				signed int _t791;
				signed int _t792;
				signed int _t793;
				signed int _t794;
				signed int _t799;
				signed int _t800;
				signed int _t805;
				signed int _t806;
				signed int _t809;
				signed int _t813;
				signed int _t820;
				signed int* _t823;
				signed int _t826;
				signed int _t837;
				signed int _t838;
				signed int _t840;
				char* _t841;
				signed int _t843;
				signed int _t847;
				signed int _t848;
				signed int _t852;
				signed int _t854;
				signed int _t859;
				signed int _t867;
				signed int _t870;
				signed int _t872;
				signed int _t875;
				signed int _t876;
				signed int _t877;
				signed int _t880;
				signed int _t893;
				signed int _t894;
				signed int _t896;
				char* _t897;
				signed int _t899;
				signed int _t903;
				signed int _t904;
				signed int* _t906;
				signed int _t908;
				signed int _t910;
				signed int _t915;
				signed int _t922;
				signed int _t925;
				signed int _t929;
				signed int* _t936;
				intOrPtr _t938;
				void* _t939;
				intOrPtr* _t941;
				signed int* _t945;
				unsigned int _t956;
				signed int _t957;
				void* _t960;
				signed int _t961;
				void* _t963;
				signed int _t964;
				signed int _t965;
				signed int _t966;
				signed int _t974;
				signed int _t979;
				signed int _t982;
				unsigned int _t985;
				signed int _t986;
				void* _t989;
				signed int _t990;
				void* _t992;
				signed int _t993;
				signed int _t994;
				signed int _t995;
				signed int _t999;
				signed int* _t1004;
				signed int _t1006;
				signed int _t1016;
				void _t1019;
				signed int _t1022;
				void* _t1025;
				signed int _t1036;
				signed int _t1037;
				signed int _t1040;
				signed int _t1041;
				signed int _t1043;
				signed int _t1044;
				signed int _t1045;
				signed int _t1049;
				signed int _t1053;
				signed int _t1054;
				signed int _t1055;
				signed int _t1057;
				signed int _t1058;
				signed int _t1059;
				signed int _t1060;
				signed int _t1061;
				signed int _t1062;
				signed int _t1064;
				signed int _t1065;
				signed int _t1066;
				signed int _t1067;
				signed int _t1068;
				signed int _t1069;
				unsigned int _t1070;
				void* _t1073;
				intOrPtr _t1075;
				signed int _t1076;
				signed int _t1077;
				signed int _t1078;
				signed int* _t1082;
				void* _t1086;
				void* _t1087;
				signed int _t1088;
				signed int _t1089;
				signed int _t1090;
				signed int _t1093;
				signed int _t1094;
				signed int _t1099;
				signed int _t1101;
				signed int _t1104;
				char _t1109;
				signed int _t1111;
				signed int _t1112;
				signed int _t1113;
				signed int _t1114;
				signed int _t1115;
				signed int _t1116;
				signed int _t1117;
				signed int _t1121;
				signed int _t1122;
				signed int _t1123;
				signed int _t1124;
				signed int _t1125;
				unsigned int _t1128;
				void* _t1132;
				void* _t1133;
				unsigned int _t1134;
				signed int _t1139;
				signed int _t1140;
				signed int _t1142;
				signed int _t1143;
				intOrPtr* _t1145;
				signed int _t1146;
				signed int _t1147;
				signed int _t1150;
				signed int _t1151;
				signed int _t1154;
				signed int _t1156;
				signed int _t1157;
				void* _t1158;
				signed int _t1159;
				signed int _t1160;
				signed int _t1161;
				void* _t1164;
				signed int _t1165;
				signed int _t1166;
				signed int _t1167;
				signed int _t1168;
				signed int _t1169;
				signed int* _t1172;
				signed int _t1173;
				signed int _t1174;
				signed int _t1175;
				signed int _t1176;
				intOrPtr* _t1178;
				intOrPtr* _t1179;
				signed int _t1181;
				signed int _t1183;
				signed int _t1186;
				signed int _t1192;
				signed int _t1196;
				signed int _t1197;
				intOrPtr _t1199;
				intOrPtr _t1200;
				signed int _t1205;
				signed int _t1208;
				signed int _t1209;
				signed int _t1210;
				signed int _t1211;
				signed int _t1212;
				signed int _t1213;
				signed int _t1215;
				signed int _t1216;
				signed int _t1217;
				signed int _t1218;
				signed int _t1220;
				signed int _t1221;
				signed int _t1222;
				signed int _t1223;
				signed int _t1224;
				signed int _t1226;
				signed int _t1227;
				signed int _t1229;
				signed int _t1231;
				signed int _t1233;
				signed int _t1236;
				signed int _t1240;
				signed int* _t1241;
				signed int* _t1246;
				signed int _t1255;

				_t1236 = _t1240;
				_t1241 = _t1240 - 0x964;
				_t725 =  *0x139eff4; // 0xdde28b47
				_v8 = _t725 ^ _t1236;
				_t1016 = _a20;
				_t1145 = _a16;
				_v1924 = _t1145;
				_v1920 = _t1016;
				E013166A1( &_v1944, __eflags);
				_t1196 = _a8;
				_t730 = 0x2d;
				if((_t1196 & 0x80000000) == 0) {
					_t730 = 0x120;
				}
				 *_t1145 = _t730;
				 *((intOrPtr*)(_t1145 + 8)) = _t1016;
				_t1146 = _a4;
				if((_t1196 & 0x7ff00000) != 0) {
					L6:
					_t735 = E0130BCBD( &_a4);
					_pop(_t1031);
					__eflags = _t735;
					if(_t735 != 0) {
						_t1031 = _v1924;
						 *((intOrPtr*)(_v1924 + 4)) = 1;
					}
					_t736 = _t735 - 1;
					__eflags = _t736;
					if(_t736 == 0) {
						_push("1#INF");
						goto L309;
					} else {
						_t751 = _t736 - 1;
						__eflags = _t751;
						if(_t751 == 0) {
							_push("1#QNAN");
							goto L309;
						} else {
							_t752 = _t751 - 1;
							__eflags = _t752;
							if(_t752 == 0) {
								_push("1#SNAN");
								goto L309;
							} else {
								__eflags = _t752 == 1;
								if(_t752 == 1) {
									_push("1#IND");
									goto L309;
								} else {
									_v1928 = _v1928 & 0x00000000;
									_a4 = _t1146;
									_a8 = _t1196 & 0x7fffffff;
									_t1255 = _a4;
									asm("fst qword [ebp-0x768]");
									_t1150 = _v1896;
									_v1916 = _a12 + 1;
									_t1036 = _t1150 >> 0x14;
									_t758 = _t1036 & 0x000007ff;
									__eflags = _t758;
									if(_t758 != 0) {
										_t1101 = 0;
										_t758 = 0;
										__eflags = 0;
									} else {
										_t1101 = 1;
									}
									_t1151 = _t1150 & 0x000fffff;
									_t1019 = _v1900 + _t758;
									asm("adc edi, esi");
									__eflags = _t1101;
									_t1037 = _t1036 & 0x000007ff;
									_t1205 = _t1037 - 0x434 + (0 | _t1101 != 0x00000000) + 1;
									_v1872 = _t1205;
									E01318D00(_t1037, _t1255);
									_push(_t1037);
									_push(_t1037);
									 *_t1241 = _t1255;
									_t764 = E012EA290(E01304EB0(_t1151, _t1205), _t1255);
									_v1904 = _t764;
									__eflags = _t764 - 0x7fffffff;
									if(_t764 == 0x7fffffff) {
										L17:
										__eflags = 0;
										_v1904 = 0;
									} else {
										__eflags = _t764 - 0x80000000;
										if(_t764 == 0x80000000) {
											goto L17;
										}
									}
									_v468 = _t1019;
									__eflags = _t1151;
									_v464 = _t1151;
									_t1022 = (0 | _t1151 != 0x00000000) + 1;
									_v472 = _t1022;
									__eflags = _t1205;
									if(_t1205 < 0) {
										__eflags = _t1205 - 0xfffffc02;
										if(_t1205 == 0xfffffc02) {
											L102:
											_t766 =  *((intOrPtr*)(_t1236 + _t1022 * 4 - 0x1d4));
											_t195 =  &_v1896;
											 *_t195 = _v1896 & 0x00000000;
											__eflags =  *_t195;
											asm("bsr eax, eax");
											if( *_t195 == 0) {
												_t1040 = 0;
												__eflags = 0;
											} else {
												_t1040 = _t766 + 1;
											}
											_t767 = 0x20;
											_t768 = _t767 - _t1040;
											__eflags = _t768 - 1;
											_t769 = _t768 & 0xffffff00 | _t768 - 0x00000001 > 0x00000000;
											__eflags = _t1022 - 0x73;
											_v1865 = _t769;
											_t1041 = _t1040 & 0xffffff00 | _t1022 - 0x00000073 > 0x00000000;
											__eflags = _t1022 - 0x73;
											if(_t1022 != 0x73) {
												L108:
												_t770 = 0;
												__eflags = 0;
											} else {
												__eflags = _t769;
												if(_t769 == 0) {
													goto L108;
												} else {
													_t770 = 1;
												}
											}
											__eflags = _t1041;
											if(_t1041 != 0) {
												L127:
												_v1400 = _v1400 & 0x00000000;
												_t224 =  &_v472;
												 *_t224 = _v472 & 0x00000000;
												__eflags =  *_t224;
												_push(0);
												_push( &_v1396);
												_push(0x1cc);
												_push( &_v468);
												L314();
												_t1241 =  &(_t1241[4]);
											} else {
												__eflags = _t770;
												if(_t770 != 0) {
													goto L127;
												} else {
													_t1068 = 0x72;
													__eflags = _t1022 - _t1068;
													if(_t1022 < _t1068) {
														_t1068 = _t1022;
													}
													__eflags = _t1068 - 0xffffffff;
													if(_t1068 != 0xffffffff) {
														_t1223 = _t1068;
														_t1178 =  &_v468 + _t1068 * 4;
														_v1880 = _t1178;
														while(1) {
															__eflags = _t1223 - _t1022;
															if(_t1223 >= _t1022) {
																_t208 =  &_v1876;
																 *_t208 = _v1876 & 0x00000000;
																__eflags =  *_t208;
															} else {
																_v1876 =  *_t1178;
															}
															_t210 = _t1223 - 1; // 0x70
															__eflags = _t210 - _t1022;
															if(_t210 >= _t1022) {
																_t1128 = 0;
																__eflags = 0;
															} else {
																_t1128 =  *(_t1178 - 4);
															}
															_t1178 = _t1178 - 4;
															_t936 = _v1880;
															_t1223 = _t1223 - 1;
															 *_t936 = _t1128 >> 0x0000001f ^ _v1876 + _v1876;
															_v1880 = _t936 - 4;
															__eflags = _t1223 - 0xffffffff;
															if(_t1223 == 0xffffffff) {
																break;
															}
															_t1022 = _v472;
														}
														_t1205 = _v1872;
													}
													__eflags = _v1865;
													if(_v1865 == 0) {
														_v472 = _t1068;
													} else {
														_t218 = _t1068 + 1; // 0x73
														_v472 = _t218;
													}
												}
											}
											_t1154 = 1 - _t1205;
											E012EE6E0(_t1154,  &_v1396, 0, 1);
											__eflags = 1;
											 *(_t1236 + 0xbad63d) = 1 << (_t1154 & 0x0000001f);
											_t778 = 0xbadbae;
										} else {
											_v1396 = _v1396 & 0x00000000;
											_t1069 = 2;
											_v1392 = 0x100000;
											_v1400 = _t1069;
											__eflags = _t1022 - _t1069;
											if(_t1022 == _t1069) {
												_t1132 = 0;
												__eflags = 0;
												while(1) {
													_t938 =  *((intOrPtr*)(_t1236 + _t1132 - 0x570));
													__eflags = _t938 -  *((intOrPtr*)(_t1236 + _t1132 - 0x1d0));
													if(_t938 !=  *((intOrPtr*)(_t1236 + _t1132 - 0x1d0))) {
														goto L102;
													}
													_t1132 = _t1132 + 4;
													__eflags = _t1132 - 8;
													if(_t1132 != 8) {
														continue;
													} else {
														_t166 =  &_v1896;
														 *_t166 = _v1896 & 0x00000000;
														__eflags =  *_t166;
														asm("bsr eax, edi");
														if( *_t166 == 0) {
															_t1133 = 0;
															__eflags = 0;
														} else {
															_t1133 = _t938 + 1;
														}
														_t939 = 0x20;
														_t1224 = _t1069;
														__eflags = _t939 - _t1133 - _t1069;
														_t941 =  &_v460;
														_v1880 = _t941;
														_t1179 = _t941;
														_t171 =  &_v1865;
														 *_t171 = _t939 - _t1133 - _t1069 > 0;
														__eflags =  *_t171;
														while(1) {
															__eflags = _t1224 - _t1022;
															if(_t1224 >= _t1022) {
																_t173 =  &_v1876;
																 *_t173 = _v1876 & 0x00000000;
																__eflags =  *_t173;
															} else {
																_v1876 =  *_t1179;
															}
															_t175 = _t1224 - 1; // 0x0
															__eflags = _t175 - _t1022;
															if(_t175 >= _t1022) {
																_t1134 = 0;
																__eflags = 0;
															} else {
																_t1134 =  *(_t1179 - 4);
															}
															_t1179 = _t1179 - 4;
															_t945 = _v1880;
															_t1224 = _t1224 - 1;
															 *_t945 = _t1134 >> 0x0000001e ^ _v1876 << 0x00000002;
															_v1880 = _t945 - 4;
															__eflags = _t1224 - 0xffffffff;
															if(_t1224 == 0xffffffff) {
																break;
															}
															_t1022 = _v472;
														}
														__eflags = _v1865;
														_t1070 = _t1069 - _v1872;
														_v472 = (0 | _v1865 != 0x00000000) + _t1069;
														_t1181 = _t1070 >> 5;
														_v1884 = _t1070;
														_t1226 = _t1181 << 2;
														E012EE6E0(_t1181,  &_v1396, 0, _t1226);
														 *(_t1236 + _t1226 - 0x570) = 1 << (_v1884 & 0x0000001f);
														_t778 = _t1181 + 1;
													}
													goto L129;
												}
											}
											goto L102;
										}
										L129:
										_v1400 = _t778;
										_t1025 = 0x1cc;
										_v936 = _t778;
										_t779 = _t778 << 2;
										__eflags = _t779;
										_push(_t779);
										_push( &_v1396);
										_push(0x1cc);
										_push( &_v932);
										L314();
										_t1246 =  &(_t1241[7]);
									} else {
										_v1396 = _v1396 & 0x00000000;
										_t1227 = 2;
										_v1392 = 0x100000;
										_v1400 = _t1227;
										__eflags = _t1022 - _t1227;
										if(_t1022 != _t1227) {
											L54:
											_t956 = _v1872 + 1;
											_t957 = _t956 & 0x0000001f;
											_t1073 = 0x20;
											_v1876 = _t957;
											_t1183 = _t956 >> 5;
											_v1872 = _t1183;
											_v1908 = _t1073 - _t957;
											_t960 = E012EA270(1, _t1073 - _t957, 0);
											_t1075 =  *((intOrPtr*)(_t1236 + _t1022 * 4 - 0x1d4));
											_t961 = _t960 - 1;
											_t108 =  &_v1896;
											 *_t108 = _v1896 & 0x00000000;
											__eflags =  *_t108;
											asm("bsr ecx, ecx");
											_v1884 = _t961;
											_v1912 =  !_t961;
											if( *_t108 == 0) {
												_t1076 = 0;
												__eflags = 0;
											} else {
												_t1076 = _t1075 + 1;
											}
											_t963 = 0x20;
											_t964 = _t963 - _t1076;
											_t1139 = _t1022 + _t1183;
											__eflags = _v1876 - _t964;
											_v1892 = _t1139;
											_t965 = _t964 & 0xffffff00 | _v1876 - _t964 > 0x00000000;
											__eflags = _t1139 - 0x73;
											_v1865 = _t965;
											_t1077 = _t1076 & 0xffffff00 | _t1139 - 0x00000073 > 0x00000000;
											__eflags = _t1139 - 0x73;
											if(_t1139 != 0x73) {
												L60:
												_t966 = 0;
												__eflags = 0;
											} else {
												__eflags = _t965;
												if(_t965 == 0) {
													goto L60;
												} else {
													_t966 = 1;
												}
											}
											__eflags = _t1077;
											if(_t1077 != 0) {
												L82:
												__eflags = 0;
												_t1025 = 0x1cc;
												_push(0);
												_v1400 = 0;
												_v472 = 0;
												_push( &_v1396);
												_push(0x1cc);
												_push( &_v468);
												L314();
												_t1241 =  &(_t1241[4]);
											} else {
												__eflags = _t966;
												if(_t966 != 0) {
													goto L82;
												} else {
													_t1078 = 0x72;
													__eflags = _t1139 - _t1078;
													if(_t1139 >= _t1078) {
														_t1139 = _t1078;
														_v1892 = _t1078;
													}
													_t974 = _t1139;
													_v1880 = _t974;
													__eflags = _t1139 - 0xffffffff;
													if(_t1139 != 0xffffffff) {
														_t1140 = _v1872;
														_t1229 = _t1139 - _t1140;
														__eflags = _t1229;
														_t1082 =  &_v468 + _t1229 * 4;
														_v1888 = _t1082;
														while(1) {
															__eflags = _t974 - _t1140;
															if(_t974 < _t1140) {
																break;
															}
															__eflags = _t1229 - _t1022;
															if(_t1229 >= _t1022) {
																_t1186 = 0;
																__eflags = 0;
															} else {
																_t1186 =  *_t1082;
															}
															__eflags = _t1229 - 1 - _t1022;
															if(_t1229 - 1 >= _t1022) {
																_t979 = 0;
																__eflags = 0;
															} else {
																_t979 =  *(_t1082 - 4);
															}
															_t982 = _v1880;
															_t1082 = _v1888 - 4;
															_v1888 = _t1082;
															 *(_t1236 + _t982 * 4 - 0x1d0) = (_t1186 & _v1884) << _v1876 | (_t979 & _v1912) >> _v1908;
															_t974 = _t982 - 1;
															_t1229 = _t1229 - 1;
															_v1880 = _t974;
															__eflags = _t974 - 0xffffffff;
															if(_t974 != 0xffffffff) {
																_t1022 = _v472;
																continue;
															}
															break;
														}
														_t1139 = _v1892;
														_t1183 = _v1872;
														_t1227 = 2;
													}
													__eflags = _t1183;
													if(_t1183 != 0) {
														__eflags = 0;
														memset( &_v468, 0, _t1183 << 2);
														_t1241 =  &(_t1241[3]);
													}
													__eflags = _v1865;
													_t1025 = 0x1cc;
													if(_v1865 == 0) {
														_v472 = _t1139;
													} else {
														_v472 = _t1139 + 1;
													}
												}
											}
											_v1392 = _v1392 & 0x00000000;
											_v1396 = _t1227;
											_v1400 = 1;
											_v936 = 1;
											_push(4);
										} else {
											_t1086 = 0;
											__eflags = 0;
											while(1) {
												__eflags =  *((intOrPtr*)(_t1236 + _t1086 - 0x570)) -  *((intOrPtr*)(_t1236 + _t1086 - 0x1d0));
												if( *((intOrPtr*)(_t1236 + _t1086 - 0x570)) !=  *((intOrPtr*)(_t1236 + _t1086 - 0x1d0))) {
													goto L54;
												}
												_t1086 = _t1086 + 4;
												__eflags = _t1086 - 8;
												if(_t1086 != 8) {
													continue;
												} else {
													_t985 = _v1872 + 2;
													_t986 = _t985 & 0x0000001f;
													_t1087 = 0x20;
													_t1088 = _t1087 - _t986;
													_v1888 = _t986;
													_t1231 = _t985 >> 5;
													_v1876 = _t1231;
													_v1908 = _t1088;
													_t989 = E012EA270(1, _t1088, 0);
													_v1896 = _v1896 & 0x00000000;
													_t990 = _t989 - 1;
													__eflags = _t990;
													asm("bsr ecx, edi");
													_v1884 = _t990;
													_v1912 =  !_t990;
													if(_t990 == 0) {
														_t1089 = 0;
														__eflags = 0;
													} else {
														_t1089 = _t1088 + 1;
													}
													_t992 = 0x20;
													_t993 = _t992 - _t1089;
													_t1142 = _t1231 + 2;
													__eflags = _v1888 - _t993;
													_v1880 = _t1142;
													_t994 = _t993 & 0xffffff00 | _v1888 - _t993 > 0x00000000;
													__eflags = _t1142 - 0x73;
													_v1865 = _t994;
													_t1090 = _t1089 & 0xffffff00 | _t1142 - 0x00000073 > 0x00000000;
													__eflags = _t1142 - 0x73;
													if(_t1142 != 0x73) {
														L29:
														_t995 = 0;
														__eflags = 0;
													} else {
														__eflags = _t994;
														if(_t994 == 0) {
															goto L29;
														} else {
															_t995 = 1;
														}
													}
													__eflags = _t1090;
													if(_t1090 != 0) {
														L51:
														__eflags = 0;
														_t1025 = 0x1cc;
														_push(0);
														_v1400 = 0;
														_v472 = 0;
														_push( &_v1396);
														_push(0x1cc);
														_push( &_v468);
														L314();
														_t1241 =  &(_t1241[4]);
													} else {
														__eflags = _t995;
														if(_t995 != 0) {
															goto L51;
														} else {
															_t1093 = 0x72;
															__eflags = _t1142 - _t1093;
															if(_t1142 >= _t1093) {
																_t1142 = _t1093;
																_v1880 = _t1093;
															}
															_t1094 = _t1142;
															_v1892 = _t1094;
															__eflags = _t1142 - 0xffffffff;
															if(_t1142 != 0xffffffff) {
																_t1143 = _v1876;
																_t1233 = _t1142 - _t1143;
																__eflags = _t1233;
																_t1004 =  &_v468 + _t1233 * 4;
																_v1872 = _t1004;
																while(1) {
																	__eflags = _t1094 - _t1143;
																	if(_t1094 < _t1143) {
																		break;
																	}
																	__eflags = _t1233 - _t1022;
																	if(_t1233 >= _t1022) {
																		_t1192 = 0;
																		__eflags = 0;
																	} else {
																		_t1192 =  *_t1004;
																	}
																	__eflags = _t1233 - 1 - _t1022;
																	if(_t1233 - 1 >= _t1022) {
																		_t1006 = 0;
																		__eflags = 0;
																	} else {
																		_t1006 =  *(_v1872 - 4);
																	}
																	_t1099 = _v1892;
																	 *(_t1236 + _t1099 * 4 - 0x1d0) = (_t1006 & _v1912) >> _v1908 | (_t1192 & _v1884) << _v1888;
																	_t1094 = _t1099 - 1;
																	_t1233 = _t1233 - 1;
																	_t1004 = _v1872 - 4;
																	_v1892 = _t1094;
																	_v1872 = _t1004;
																	__eflags = _t1094 - 0xffffffff;
																	if(_t1094 != 0xffffffff) {
																		_t1022 = _v472;
																		continue;
																	}
																	break;
																}
																_t1142 = _v1880;
																_t1231 = _v1876;
															}
															__eflags = _t1231;
															if(_t1231 != 0) {
																__eflags = 0;
																memset( &_v468, 0, _t1231 << 2);
																_t1241 =  &(_t1241[3]);
															}
															__eflags = _v1865;
															_t1025 = 0x1cc;
															if(_v1865 == 0) {
																_v472 = _t1142;
															} else {
																_v472 = _t1142 + 1;
															}
														}
													}
													_v1392 = _v1392 & 0x00000000;
													_t999 = 4;
													__eflags = 1;
													_v1396 = _t999;
													_v1400 = 1;
													_v936 = 1;
													_push(_t999);
												}
												goto L53;
											}
											goto L54;
										}
										L53:
										_push( &_v1396);
										_push(_t1025);
										_push( &_v932);
										L314();
										_t1246 =  &(_t1241[4]);
									}
									_t782 = _v1904;
									_t1043 = 0xa;
									_v1912 = _t1043;
									__eflags = _t782;
									if(_t782 < 0) {
										_t783 =  ~_t782;
										_t784 = _t783 / _t1043;
										_v1880 = _t784;
										_t1044 = _t783 % _t1043;
										_v1884 = _t1044;
										__eflags = _t784;
										if(_t784 == 0) {
											L250:
											__eflags = _t1044;
											if(_t1044 != 0) {
												_t820 =  *(0x135fc24 + _t1044 * 4);
												_v1896 = _t820;
												__eflags = _t820;
												if(_t820 == 0) {
													L261:
													__eflags = 0;
													_push(0);
													_v472 = 0;
													_v2408 = 0;
													goto L262;
												} else {
													__eflags = _t820 - 1;
													if(_t820 != 1) {
														_t1055 = _v472;
														__eflags = _t1055;
														if(_t1055 != 0) {
															_t1161 = 0;
															_t1213 = 0;
															__eflags = 0;
															do {
																_t1113 = _t820 *  *(_t1236 + _t1213 * 4 - 0x1d0) >> 0x20;
																 *(_t1236 + _t1213 * 4 - 0x1d0) = _t820 *  *(_t1236 + _t1213 * 4 - 0x1d0) + _t1161;
																_t820 = _v1896;
																asm("adc edx, 0x0");
																_t1213 = _t1213 + 1;
																_t1161 = _t1113;
																__eflags = _t1213 - _t1055;
															} while (_t1213 != _t1055);
															__eflags = _t1161;
															if(_t1161 != 0) {
																_t826 = _v472;
																__eflags = _t826 - 0x73;
																if(_t826 >= 0x73) {
																	goto L261;
																} else {
																	 *(_t1236 + _t826 * 4 - 0x1d0) = _t1161;
																	_v472 = _v472 + 1;
																}
															}
														}
													}
												}
											}
										} else {
											do {
												__eflags = _t784 - 0x26;
												if(_t784 > 0x26) {
													_t784 = 0x26;
												}
												_t1056 =  *(0x135fb8e + _t784 * 4) & 0x000000ff;
												_v1872 = _t784;
												_v1400 = ( *(0x135fb8e + _t784 * 4) & 0x000000ff) + ( *(0x135fb8f + _t784 * 4) & 0x000000ff);
												E012EE6E0(_t1056 << 2,  &_v1396, 0, _t1056 << 2);
												_t837 = E012EE160( &(( &_v1396)[_t1056]), 0x135f288 + ( *(0x135fb8c + _v1872 * 4) & 0x0000ffff) * 4, ( *(0x135fb8f + _t784 * 4) & 0x000000ff) << 2);
												_t1057 = _v1400;
												_t1246 =  &(_t1246[6]);
												_v1892 = _t1057;
												__eflags = _t1057 - 1;
												if(_t1057 > 1) {
													__eflags = _v472 - 1;
													if(_v472 > 1) {
														__eflags = _t1057 - _v472;
														_t1164 =  &_v1396;
														_t838 = _t837 & 0xffffff00 | _t1057 - _v472 > 0x00000000;
														__eflags = _t838;
														if(_t838 != 0) {
															_t1114 =  &_v468;
														} else {
															_t1164 =  &_v468;
															_t1114 =  &_v1396;
														}
														_v1908 = _t1114;
														__eflags = _t838;
														if(_t838 == 0) {
															_t1057 = _v472;
														}
														_v1876 = _t1057;
														__eflags = _t838;
														if(_t838 != 0) {
															_v1892 = _v472;
														}
														_t1115 = 0;
														_t1215 = 0;
														_v1864 = 0;
														__eflags = _t1057;
														if(_t1057 == 0) {
															L244:
															_v472 = _t1115;
															_t840 = _t1115 << 2;
															__eflags = _t840;
															_push(_t840);
															_t841 =  &_v1860;
															goto L245;
														} else {
															_t1165 = _t1164 -  &_v1860;
															__eflags = _t1165;
															_v1928 = _t1165;
															do {
																_t847 =  *(_t1236 + _t1165 + _t1215 * 4 - 0x740);
																_v1896 = _t847;
																__eflags = _t847;
																if(_t847 != 0) {
																	_t848 = 0;
																	_t1166 = 0;
																	_t1058 = _t1215;
																	_v1888 = 0;
																	__eflags = _v1892;
																	if(_v1892 == 0) {
																		L241:
																		__eflags = _t1058 - 0x73;
																		if(_t1058 == 0x73) {
																			goto L259;
																		} else {
																			_t1165 = _v1928;
																			_t1057 = _v1876;
																			goto L243;
																		}
																	} else {
																		while(1) {
																			__eflags = _t1058 - 0x73;
																			if(_t1058 == 0x73) {
																				goto L236;
																			}
																			__eflags = _t1058 - _t1115;
																			if(_t1058 == _t1115) {
																				 *(_t1236 + _t1058 * 4 - 0x740) =  *(_t1236 + _t1058 * 4 - 0x740) & 0x00000000;
																				_t859 = _t848 + 1 + _t1215;
																				__eflags = _t859;
																				_v1864 = _t859;
																				_t848 = _v1888;
																			}
																			_t854 =  *(_v1908 + _t848 * 4);
																			asm("adc edx, 0x0");
																			 *(_t1236 + _t1058 * 4 - 0x740) =  *(_t1236 + _t1058 * 4 - 0x740) + _t854 * _v1896 + _t1166;
																			asm("adc edx, 0x0");
																			_t848 = _v1888 + 1;
																			_t1058 = _t1058 + 1;
																			_v1888 = _t848;
																			_t1166 = _t854 * _v1896 >> 0x20;
																			_t1115 = _v1864;
																			__eflags = _t848 - _v1892;
																			if(_t848 != _v1892) {
																				continue;
																			} else {
																				goto L236;
																			}
																			while(1) {
																				L236:
																				__eflags = _t1166;
																				if(_t1166 == 0) {
																					goto L241;
																				}
																				__eflags = _t1058 - 0x73;
																				if(_t1058 == 0x73) {
																					goto L259;
																				} else {
																					__eflags = _t1058 - _t1115;
																					if(_t1058 == _t1115) {
																						_t558 = _t1236 + _t1058 * 4 - 0x740;
																						 *_t558 =  *(_t1236 + _t1058 * 4 - 0x740) & 0x00000000;
																						__eflags =  *_t558;
																						_t564 = _t1058 + 1; // 0x1
																						_v1864 = _t564;
																					}
																					_t852 = _t1166;
																					_t1166 = 0;
																					 *(_t1236 + _t1058 * 4 - 0x740) =  *(_t1236 + _t1058 * 4 - 0x740) + _t852;
																					_t1115 = _v1864;
																					asm("adc edi, edi");
																					_t1058 = _t1058 + 1;
																					continue;
																				}
																				goto L247;
																			}
																			goto L241;
																		}
																		goto L236;
																	}
																} else {
																	__eflags = _t1215 - _t1115;
																	if(_t1215 == _t1115) {
																		 *(_t1236 + _t1215 * 4 - 0x740) =  *(_t1236 + _t1215 * 4 - 0x740) & _t847;
																		_t526 = _t1215 + 1; // 0x1
																		_t1115 = _t526;
																		_v1864 = _t1115;
																	}
																	goto L243;
																}
																goto L247;
																L243:
																_t1215 = _t1215 + 1;
																__eflags = _t1215 - _t1057;
															} while (_t1215 != _t1057);
															goto L244;
														}
													} else {
														_t1167 = _v468;
														_push(_t1057 << 2);
														_v472 = _t1057;
														_push( &_v1396);
														_push(_t1025);
														_push( &_v468);
														L314();
														_t1246 =  &(_t1246[4]);
														__eflags = _t1167;
														if(_t1167 == 0) {
															goto L204;
														} else {
															__eflags = _t1167 - 1;
															if(_t1167 == 1) {
																goto L246;
															} else {
																__eflags = _v472;
																if(_v472 == 0) {
																	goto L246;
																} else {
																	_t1059 = 0;
																	_v1896 = _v472;
																	_t1216 = 0;
																	__eflags = 0;
																	do {
																		_t867 = _t1167;
																		_t1116 = _t867 *  *(_t1236 + _t1216 * 4 - 0x1d0) >> 0x20;
																		 *(_t1236 + _t1216 * 4 - 0x1d0) = _t867 *  *(_t1236 + _t1216 * 4 - 0x1d0) + _t1059;
																		asm("adc edx, 0x0");
																		_t1216 = _t1216 + 1;
																		_t1059 = _t1116;
																		__eflags = _t1216 - _v1896;
																	} while (_t1216 != _v1896);
																	goto L209;
																}
															}
														}
													}
												} else {
													_t1168 = _v1396;
													__eflags = _t1168;
													if(_t1168 != 0) {
														__eflags = _t1168 - 1;
														if(_t1168 == 1) {
															goto L246;
														} else {
															__eflags = _v472;
															if(_v472 == 0) {
																goto L246;
															} else {
																_t1060 = 0;
																_v1896 = _v472;
																_t1217 = 0;
																__eflags = 0;
																do {
																	_t872 = _t1168;
																	_t1117 = _t872 *  *(_t1236 + _t1217 * 4 - 0x1d0) >> 0x20;
																	 *(_t1236 + _t1217 * 4 - 0x1d0) = _t872 *  *(_t1236 + _t1217 * 4 - 0x1d0) + _t1060;
																	asm("adc edx, 0x0");
																	_t1217 = _t1217 + 1;
																	_t1060 = _t1117;
																	__eflags = _t1217 - _v1896;
																} while (_t1217 != _v1896);
																L209:
																__eflags = _t1059;
																if(_t1059 == 0) {
																	goto L246;
																} else {
																	_t870 = _v472;
																	__eflags = _t870 - 0x73;
																	if(_t870 >= 0x73) {
																		L259:
																		_push(0);
																		_v2408 = 0;
																		_v472 = 0;
																		_push( &_v2404);
																		_push(_t1025);
																		_push( &_v468);
																		L314();
																		_t1246 =  &(_t1246[4]);
																		_t843 = 0;
																	} else {
																		 *(_t1236 + _t870 * 4 - 0x1d0) = _t1059;
																		_v472 = _v472 + 1;
																		goto L246;
																	}
																}
															}
														}
													} else {
														L204:
														_v2408 = 0;
														_v472 = 0;
														_push(0);
														_t841 =  &_v2404;
														L245:
														_push(_t841);
														_push(_t1025);
														_push( &_v468);
														L314();
														_t1246 =  &(_t1246[4]);
														L246:
														_t843 = 1;
													}
												}
												L247:
												__eflags = _t843;
												if(_t843 == 0) {
													_v2408 = _v2408 & 0x00000000;
													_v472 = _v472 & 0x00000000;
													_push(0);
													L262:
													_push( &_v2404);
													_t823 =  &_v468;
													goto L263;
												} else {
													goto L248;
												}
												goto L264;
												L248:
												_t784 = _v1880 - _v1872;
												__eflags = _t784;
												_v1880 = _t784;
											} while (_t784 != 0);
											_t1044 = _v1884;
											goto L250;
										}
									} else {
										_t875 = _t782 / _t1043;
										_v1908 = _t875;
										_t1061 = _t782 % _t1043;
										_v1896 = _t1061;
										__eflags = _t875;
										if(_t875 == 0) {
											L185:
											__eflags = _t1061;
											if(_t1061 != 0) {
												_t1169 =  *(0x135fc24 + _t1061 * 4);
												__eflags = _t1169;
												if(_t1169 != 0) {
													__eflags = _t1169 - 1;
													if(_t1169 != 1) {
														_t876 = _v936;
														_v1896 = _t876;
														__eflags = _t876;
														if(_t876 != 0) {
															_t1218 = 0;
															_t1062 = 0;
															__eflags = 0;
															do {
																_t877 = _t1169;
																_t1121 = _t877 *  *(_t1236 + _t1062 * 4 - 0x3a0) >> 0x20;
																 *(_t1236 + _t1062 * 4 - 0x3a0) = _t877 *  *(_t1236 + _t1062 * 4 - 0x3a0) + _t1218;
																asm("adc edx, 0x0");
																_t1062 = _t1062 + 1;
																_t1218 = _t1121;
																__eflags = _t1062 - _v1896;
															} while (_t1062 != _v1896);
															__eflags = _t1218;
															if(_t1218 != 0) {
																_t880 = _v936;
																__eflags = _t880 - 0x73;
																if(_t880 >= 0x73) {
																	goto L187;
																} else {
																	 *(_t1236 + _t880 * 4 - 0x3a0) = _t1218;
																	_v936 = _v936 + 1;
																}
															}
														}
													}
												} else {
													L187:
													_v2408 = 0;
													_v936 = 0;
													_push(0);
													goto L191;
												}
											}
										} else {
											do {
												__eflags = _t875 - 0x26;
												if(_t875 > 0x26) {
													_t875 = 0x26;
												}
												_t1063 =  *(0x135fb8e + _t875 * 4) & 0x000000ff;
												_v1888 = _t875;
												_v1400 = ( *(0x135fb8e + _t875 * 4) & 0x000000ff) + ( *(0x135fb8f + _t875 * 4) & 0x000000ff);
												E012EE6E0(_t1063 << 2,  &_v1396, 0, _t1063 << 2);
												_t893 = E012EE160( &(( &_v1396)[_t1063]), 0x135f288 + ( *(0x135fb8c + _v1888 * 4) & 0x0000ffff) * 4, ( *(0x135fb8f + _t875 * 4) & 0x000000ff) << 2);
												_t1064 = _v1400;
												_t1246 =  &(_t1246[6]);
												_v1892 = _t1064;
												__eflags = _t1064 - 1;
												if(_t1064 > 1) {
													__eflags = _v936 - 1;
													if(_v936 > 1) {
														__eflags = _t1064 - _v936;
														_t1172 =  &_v1396;
														_t894 = _t893 & 0xffffff00 | _t1064 - _v936 > 0x00000000;
														__eflags = _t894;
														if(_t894 != 0) {
															_t1122 =  &_v932;
														} else {
															_t1172 =  &_v932;
															_t1122 =  &_v1396;
														}
														_v1876 = _t1122;
														__eflags = _t894;
														if(_t894 == 0) {
															_t1064 = _v936;
														}
														_v1880 = _t1064;
														__eflags = _t894;
														if(_t894 != 0) {
															_v1892 = _v936;
														}
														_t1123 = 0;
														_t1220 = 0;
														_v1864 = 0;
														__eflags = _t1064;
														if(_t1064 == 0) {
															L178:
															_v936 = _t1123;
															_t896 = _t1123 << 2;
															__eflags = _t896;
															goto L179;
														} else {
															_t1173 = _t1172 -  &_v1860;
															__eflags = _t1173;
															_v1928 = _t1173;
															do {
																_t903 =  *(_t1236 + _t1173 + _t1220 * 4 - 0x740);
																_v1884 = _t903;
																__eflags = _t903;
																if(_t903 != 0) {
																	_t904 = 0;
																	_t1174 = 0;
																	_t1065 = _t1220;
																	_v1872 = 0;
																	__eflags = _v1892;
																	if(_v1892 == 0) {
																		L175:
																		__eflags = _t1065 - 0x73;
																		if(_t1065 == 0x73) {
																			goto L188;
																		} else {
																			_t1173 = _v1928;
																			_t1064 = _v1880;
																			goto L177;
																		}
																	} else {
																		while(1) {
																			__eflags = _t1065 - 0x73;
																			if(_t1065 == 0x73) {
																				goto L170;
																			}
																			__eflags = _t1065 - _t1123;
																			if(_t1065 == _t1123) {
																				 *(_t1236 + _t1065 * 4 - 0x740) =  *(_t1236 + _t1065 * 4 - 0x740) & 0x00000000;
																				_t915 = _t904 + 1 + _t1220;
																				__eflags = _t915;
																				_v1864 = _t915;
																				_t904 = _v1872;
																			}
																			_t910 =  *(_v1876 + _t904 * 4);
																			asm("adc edx, 0x0");
																			 *(_t1236 + _t1065 * 4 - 0x740) =  *(_t1236 + _t1065 * 4 - 0x740) + _t910 * _v1884 + _t1174;
																			asm("adc edx, 0x0");
																			_t904 = _v1872 + 1;
																			_t1065 = _t1065 + 1;
																			_v1872 = _t904;
																			_t1174 = _t910 * _v1884 >> 0x20;
																			_t1123 = _v1864;
																			__eflags = _t904 - _v1892;
																			if(_t904 != _v1892) {
																				continue;
																			} else {
																				goto L170;
																			}
																			while(1) {
																				L170:
																				__eflags = _t1174;
																				if(_t1174 == 0) {
																					goto L175;
																				}
																				__eflags = _t1065 - 0x73;
																				if(_t1065 == 0x73) {
																					L188:
																					__eflags = 0;
																					_v2408 = 0;
																					_v936 = 0;
																					_push(0);
																					_t906 =  &_v2404;
																					goto L189;
																				} else {
																					__eflags = _t1065 - _t1123;
																					if(_t1065 == _t1123) {
																						_t370 = _t1236 + _t1065 * 4 - 0x740;
																						 *_t370 =  *(_t1236 + _t1065 * 4 - 0x740) & 0x00000000;
																						__eflags =  *_t370;
																						_t376 = _t1065 + 1; // 0x1
																						_v1864 = _t376;
																					}
																					_t908 = _t1174;
																					_t1174 = 0;
																					 *(_t1236 + _t1065 * 4 - 0x740) =  *(_t1236 + _t1065 * 4 - 0x740) + _t908;
																					_t1123 = _v1864;
																					asm("adc edi, edi");
																					_t1065 = _t1065 + 1;
																					continue;
																				}
																				goto L182;
																			}
																			goto L175;
																		}
																		goto L170;
																	}
																} else {
																	__eflags = _t1220 - _t1123;
																	if(_t1220 == _t1123) {
																		 *(_t1236 + _t1220 * 4 - 0x740) =  *(_t1236 + _t1220 * 4 - 0x740) & _t903;
																		_t338 = _t1220 + 1; // 0x1
																		_t1123 = _t338;
																		_v1864 = _t1123;
																	}
																	goto L177;
																}
																goto L182;
																L177:
																_t1220 = _t1220 + 1;
																__eflags = _t1220 - _t1064;
															} while (_t1220 != _t1064);
															goto L178;
														}
													} else {
														_t1175 = _v932;
														_push(_t1064 << 2);
														_v936 = _t1064;
														_push( &_v1396);
														_push(_t1025);
														_push( &_v932);
														L314();
														_t1246 =  &(_t1246[4]);
														__eflags = _t1175;
														if(_t1175 != 0) {
															__eflags = _t1175 - 1;
															if(_t1175 == 1) {
																goto L181;
															} else {
																__eflags = _v936;
																if(_v936 == 0) {
																	goto L181;
																} else {
																	_t1066 = 0;
																	_v1884 = _v936;
																	_t1221 = 0;
																	__eflags = 0;
																	do {
																		_t922 = _t1175;
																		_t1124 = _t922 *  *(_t1236 + _t1221 * 4 - 0x3a0) >> 0x20;
																		 *(_t1236 + _t1221 * 4 - 0x3a0) = _t922 *  *(_t1236 + _t1221 * 4 - 0x3a0) + _t1066;
																		asm("adc edx, 0x0");
																		_t1221 = _t1221 + 1;
																		_t1066 = _t1124;
																		__eflags = _t1221 - _v1884;
																	} while (_t1221 != _v1884);
																	goto L150;
																}
															}
														} else {
															_v1400 = 0;
															_v936 = 0;
															_push(0);
															_t897 =  &_v1396;
															goto L180;
														}
													}
												} else {
													_t1176 = _v1396;
													__eflags = _t1176;
													if(_t1176 != 0) {
														__eflags = _t1176 - 1;
														if(_t1176 == 1) {
															goto L181;
														} else {
															__eflags = _v936;
															if(_v936 == 0) {
																goto L181;
															} else {
																_t1067 = 0;
																_v1884 = _v936;
																_t1222 = 0;
																__eflags = 0;
																do {
																	_t929 = _t1176;
																	_t1125 = _t929 *  *(_t1236 + _t1222 * 4 - 0x3a0) >> 0x20;
																	 *(_t1236 + _t1222 * 4 - 0x3a0) = _t929 *  *(_t1236 + _t1222 * 4 - 0x3a0) + _t1067;
																	asm("adc edx, 0x0");
																	_t1222 = _t1222 + 1;
																	_t1067 = _t1125;
																	__eflags = _t1222 - _v1884;
																} while (_t1222 != _v1884);
																L150:
																__eflags = _t1066;
																if(_t1066 == 0) {
																	goto L181;
																} else {
																	_t925 = _v936;
																	__eflags = _t925 - 0x73;
																	if(_t925 < 0x73) {
																		 *(_t1236 + _t925 * 4 - 0x3a0) = _t1066;
																		_v936 = _v936 + 1;
																		goto L181;
																	} else {
																		_v1400 = 0;
																		_v936 = 0;
																		_push(0);
																		_t906 =  &_v1396;
																		L189:
																		_push(_t906);
																		_push(_t1025);
																		_push( &_v932);
																		L314();
																		_t1246 =  &(_t1246[4]);
																		_t899 = 0;
																	}
																}
															}
														}
													} else {
														_t896 = 0;
														_v1864 = 0;
														_v936 = 0;
														L179:
														_push(_t896);
														_t897 =  &_v1860;
														L180:
														_push(_t897);
														_push(_t1025);
														_push( &_v932);
														L314();
														_t1246 =  &(_t1246[4]);
														L181:
														_t899 = 1;
													}
												}
												L182:
												__eflags = _t899;
												if(_t899 == 0) {
													_v2408 = _v2408 & 0x00000000;
													_t404 =  &_v936;
													 *_t404 = _v936 & 0x00000000;
													__eflags =  *_t404;
													_push(0);
													L191:
													_push( &_v2404);
													_t823 =  &_v932;
													L263:
													_push(_t1025);
													_push(_t823);
													L314();
													_t1246 =  &(_t1246[4]);
												} else {
													goto L183;
												}
												goto L264;
												L183:
												_t875 = _v1908 - _v1888;
												__eflags = _t875;
												_v1908 = _t875;
											} while (_t875 != 0);
											_t1061 = _v1896;
											goto L185;
										}
									}
									L264:
									_t1156 = _v1920;
									_t1208 = _t1156;
									_t1045 = _v472;
									_v1872 = _t1208;
									__eflags = _t1045;
									if(_t1045 != 0) {
										_t1212 = 0;
										_t1160 = 0;
										__eflags = 0;
										do {
											_t813 =  *(_t1236 + _t1160 * 4 - 0x1d0);
											_t1111 = 0xa;
											_t1112 = _t813 * _t1111 >> 0x20;
											 *(_t1236 + _t1160 * 4 - 0x1d0) = _t813 * _t1111 + _t1212;
											asm("adc edx, 0x0");
											_t1160 = _t1160 + 1;
											_t1212 = _t1112;
											__eflags = _t1160 - _t1045;
										} while (_t1160 != _t1045);
										_v1896 = _t1212;
										__eflags = _t1212;
										_t1208 = _v1872;
										if(_t1212 != 0) {
											_t1054 = _v472;
											__eflags = _t1054 - 0x73;
											if(_t1054 >= 0x73) {
												__eflags = 0;
												_push(0);
												_v2408 = 0;
												_v472 = 0;
												_push( &_v2404);
												_push(_t1025);
												_push( &_v468);
												L314();
												_t1246 =  &(_t1246[4]);
											} else {
												 *(_t1236 + _t1054 * 4 - 0x1d0) = _t1112;
												_v472 = _v472 + 1;
											}
										}
										_t1156 = _t1208;
									}
									_t787 = E012FD0F0( &_v472,  &_v936);
									_t1104 = 0xa;
									__eflags = _t787 - _t1104;
									if(_t787 != _t1104) {
										__eflags = _t787;
										if(_t787 != 0) {
											_t788 = _t787 + 0x30;
											__eflags = _t788;
											_t1208 = _t1156 + 1;
											 *_t1156 = _t788;
											_v1872 = _t1208;
											goto L283;
										} else {
											_t789 = _v1904 - 1;
										}
									} else {
										_v1904 = _v1904 + 1;
										_t1208 = _t1156 + 1;
										_t805 = _v936;
										 *_t1156 = 0x31;
										_v1872 = _t1208;
										__eflags = _t805;
										if(_t805 != 0) {
											_t1159 = 0;
											_t1211 = _t805;
											_t1053 = 0;
											__eflags = 0;
											do {
												_t806 =  *(_t1236 + _t1053 * 4 - 0x3a0);
												 *(_t1236 + _t1053 * 4 - 0x3a0) = _t806 * _t1104 + _t1159;
												asm("adc edx, 0x0");
												_t1053 = _t1053 + 1;
												_t1159 = _t806 * _t1104 >> 0x20;
												_t1104 = 0xa;
												__eflags = _t1053 - _t1211;
											} while (_t1053 != _t1211);
											_t1208 = _v1872;
											__eflags = _t1159;
											if(_t1159 != 0) {
												_t809 = _v936;
												__eflags = _t809 - 0x73;
												if(_t809 >= 0x73) {
													_push(0);
													_v2408 = 0;
													_v936 = 0;
													_push( &_v2404);
													_push(_t1025);
													_push( &_v932);
													L314();
													_t1246 =  &(_t1246[4]);
												} else {
													 *(_t1236 + _t809 * 4 - 0x3a0) = _t1159;
													_v936 = _v936 + 1;
												}
											}
										}
										L283:
										_t789 = _v1904;
									}
									 *((intOrPtr*)(_v1924 + 4)) = _t789;
									_t1031 = _v1916;
									__eflags = _t789;
									if(_t789 >= 0) {
										__eflags = _t1031 - 0x7fffffff;
										if(_t1031 <= 0x7fffffff) {
											_t1031 = _t1031 + _t789;
											__eflags = _t1031;
										}
									}
									_t791 = _a24 - 1;
									__eflags = _t791 - _t1031;
									if(_t791 >= _t1031) {
										_t791 = _t1031;
									}
									_t792 = _t791 + _v1920;
									_v1916 = _t792;
									__eflags = _t1208 - _t792;
									if(__eflags != 0) {
										while(1) {
											_t793 = _v472;
											__eflags = _t793;
											if(__eflags == 0) {
												goto L304;
											}
											_t1157 = 0;
											_t1209 = _t793;
											_t1049 = 0;
											__eflags = 0;
											do {
												_t794 =  *(_t1236 + _t1049 * 4 - 0x1d0);
												 *(_t1236 + _t1049 * 4 - 0x1d0) = _t794 * 0x3b9aca00 + _t1157;
												asm("adc edx, 0x0");
												_t1049 = _t1049 + 1;
												_t1157 = _t794 * 0x3b9aca00 >> 0x20;
												__eflags = _t1049 - _t1209;
											} while (_t1049 != _t1209);
											_t1210 = _v1872;
											__eflags = _t1157;
											if(_t1157 != 0) {
												_t800 = _v472;
												__eflags = _t800 - 0x73;
												if(_t800 >= 0x73) {
													__eflags = 0;
													_push(0);
													_v2408 = 0;
													_v472 = 0;
													_push( &_v2404);
													_push(_t1025);
													_push( &_v468);
													L314();
													_t1246 =  &(_t1246[4]);
												} else {
													 *(_t1236 + _t800 * 4 - 0x1d0) = _t1157;
													_v472 = _v472 + 1;
												}
											}
											_t799 = E012FD0F0( &_v472,  &_v936);
											_t1158 = 8;
											_t1031 = _v1916 - _t1210;
											__eflags = _t1031;
											do {
												_t708 = _t799 % _v1912;
												_t799 = _t799 / _v1912;
												_t1109 = _t708 + 0x30;
												__eflags = _t1031 - _t1158;
												if(_t1031 >= _t1158) {
													 *((char*)(_t1158 + _t1210)) = _t1109;
												}
												_t1158 = _t1158 - 1;
												__eflags = _t1158 - 0xffffffff;
											} while (_t1158 != 0xffffffff);
											__eflags = _t1031 - 9;
											if(_t1031 > 9) {
												_t1031 = 9;
											}
											_t1208 = _t1210 + _t1031;
											_v1872 = _t1208;
											__eflags = _t1208 - _v1916;
											if(__eflags != 0) {
												continue;
											}
											goto L304;
										}
									}
									L304:
									 *_t1208 = 0;
									goto L310;
								}
							}
						}
					}
				} else {
					_t1031 = _t1196 & 0x000fffff;
					if((_t1146 | _t1196 & 0x000fffff) != 0) {
						goto L6;
					} else {
						_push("0");
						 *((intOrPtr*)(_v1924 + 4)) =  *(_v1924 + 4) & 0x00000000;
						L309:
						_push(_a24);
						_push(_t1016);
						if(E012FF87C() != 0) {
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E012F9D17();
							asm("int3");
							_push(_t1236);
							_push(_t1196);
							_t1197 = _v2424;
							__eflags = _t1197;
							if(_t1197 != 0) {
								_t740 = _v0;
								__eflags = _t740;
								if(_t740 != 0) {
									_push(_t1146);
									_t1147 = _a8;
									__eflags = _t1147;
									if(_t1147 == 0) {
										L321:
										E012EE6E0(_t1147, _t740, 0, _a4);
										__eflags = _t1147;
										if(_t1147 != 0) {
											__eflags = _a4 - _t1197;
											if(_a4 >= _t1197) {
												_t742 = 0x16;
											} else {
												_t743 = E012F9217();
												_push(0x22);
												goto L325;
											}
										} else {
											_t743 = E012F9217();
											_push(0x16);
											L325:
											_pop(_t1199);
											 *_t743 = _t1199;
											E012F9CEA();
											_t742 = _t1199;
										}
									} else {
										__eflags = _a4 - _t1197;
										if(_a4 < _t1197) {
											goto L321;
										} else {
											E012EE160(_t740, _t1147, _t1197);
											_t742 = 0;
										}
									}
								} else {
									_t746 = E012F9217();
									_t1200 = 0x16;
									 *_t746 = _t1200;
									E012F9CEA();
									_t742 = _t1200;
								}
							} else {
								_t742 = 0;
							}
							return _t742;
						} else {
							L310:
							_t1253 = _v1936;
							if(_v1936 != 0) {
								E01318C25(_t1031, _t1253,  &_v1944);
							}
							return E012E980C(_v8 ^ _t1236);
						}
					}
				}
			}

0x013166ce
0x013166d0
0x013166d6
0x013166dd
0x013166e1
0x013166ec
0x013166ef
0x013166f5
0x013166fb
0x01316700
0x0131670f
0x01316711
0x01316713
0x01316713
0x0131671a
0x01316724
0x01316729
0x0131672c
0x01316750
0x01316754
0x01316759
0x0131675a
0x0131675c
0x0131675e
0x01316764
0x01316764
0x0131676b
0x0131676b
0x0131676e
0x01317a1e
0x00000000
0x01316774
0x01316774
0x01316774
0x01316777
0x01317a17
0x00000000
0x0131677d
0x0131677d
0x0131677d
0x01316780
0x01317a10
0x00000000
0x01316786
0x01316786
0x01316789
0x01317a09
0x00000000
0x0131678f
0x01316798
0x013167a0
0x013167a3
0x013167a6
0x013167a9
0x013167af
0x013167b7
0x013167bd
0x013167c7
0x013167c7
0x013167ca
0x013167d2
0x013167d9
0x013167d9
0x013167cc
0x013167cc
0x013167ce
0x013167e1
0x013167e7
0x013167e9
0x013167ed
0x013167f2
0x013167ff
0x01316801
0x01316807
0x0131680c
0x0131680d
0x0131680e
0x01316818
0x0131681d
0x01316823
0x01316828
0x01316831
0x01316831
0x01316833
0x0131682a
0x0131682a
0x0131682f
0x00000000
0x00000000
0x0131682f
0x01316839
0x01316841
0x01316843
0x0131684c
0x0131684d
0x01316853
0x01316855
0x01316c48
0x01316c4e
0x01316d6d
0x01316d6d
0x01316d74
0x01316d74
0x01316d74
0x01316d7b
0x01316d7e
0x01316d85
0x01316d85
0x01316d80
0x01316d80
0x01316d80
0x01316d89
0x01316d8a
0x01316d8c
0x01316d8f
0x01316d92
0x01316d95
0x01316d9b
0x01316d9e
0x01316da1
0x01316dab
0x01316dab
0x01316dab
0x01316da3
0x01316da3
0x01316da5
0x00000000
0x01316da7
0x01316da7
0x01316da7
0x01316da5
0x01316dad
0x01316daf
0x01316e50
0x01316e50
0x01316e5d
0x01316e5d
0x01316e5d
0x01316e64
0x01316e66
0x01316e6d
0x01316e72
0x01316e73
0x01316e78
0x01316db5
0x01316db5
0x01316db7
0x00000000
0x01316dbd
0x01316dbf
0x01316dc0
0x01316dc2
0x01316dc4
0x01316dc4
0x01316dc6
0x01316dc9
0x01316dd1
0x01316dd3
0x01316dd6
0x01316ddc
0x01316ddc
0x01316dde
0x01316dea
0x01316dea
0x01316dea
0x01316de0
0x01316de2
0x01316de2
0x01316df1
0x01316df4
0x01316df6
0x01316dfd
0x01316dfd
0x01316df8
0x01316df8
0x01316df8
0x01316e05
0x01316e0f
0x01316e15
0x01316e16
0x01316e1b
0x01316e21
0x01316e24
0x00000000
0x00000000
0x01316e26
0x01316e26
0x01316e2e
0x01316e2e
0x01316e34
0x01316e3b
0x01316e48
0x01316e3d
0x01316e3d
0x01316e40
0x01316e40
0x01316e3b
0x01316db7
0x01316e84
0x01316e94
0x01316ea1
0x01316ea3
0x01316eaa
0x01316c54
0x01316c54
0x01316c5d
0x01316c5e
0x01316c68
0x01316c6e
0x01316c70
0x01316c76
0x01316c76
0x01316c78
0x01316c78
0x01316c7f
0x01316c86
0x00000000
0x00000000
0x01316c8c
0x01316c8f
0x01316c92
0x00000000
0x01316c94
0x01316c94
0x01316c94
0x01316c94
0x01316c9b
0x01316c9e
0x01316ca5
0x01316ca5
0x01316ca0
0x01316ca0
0x01316ca0
0x01316ca9
0x01316cac
0x01316cae
0x01316cb0
0x01316cb6
0x01316cbc
0x01316cbe
0x01316cbe
0x01316cbe
0x01316cc5
0x01316cc5
0x01316cc7
0x01316cd3
0x01316cd3
0x01316cd3
0x01316cc9
0x01316ccb
0x01316ccb
0x01316cda
0x01316cdd
0x01316cdf
0x01316ce6
0x01316ce6
0x01316ce1
0x01316ce1
0x01316ce1
0x01316cee
0x01316cf9
0x01316cff
0x01316d00
0x01316d05
0x01316d0b
0x01316d0e
0x00000000
0x00000000
0x01316d10
0x01316d10
0x01316d1a
0x01316d25
0x01316d2d
0x01316d33
0x01316d3e
0x01316d44
0x01316d4b
0x01316d5e
0x01316d65
0x01316d65
0x00000000
0x01316c92
0x01316c78
0x00000000
0x01316c70
0x01316ead
0x01316ead
0x01316eb3
0x01316eb8
0x01316ebe
0x01316ebe
0x01316ec1
0x01316ec8
0x01316ecf
0x01316ed0
0x01316ed1
0x01316ed6
0x0131685b
0x0131685b
0x01316864
0x01316865
0x0131686f
0x01316875
0x01316877
0x01316a7d
0x01316a85
0x01316a88
0x01316a8d
0x01316a90
0x01316a98
0x01316a9c
0x01316aa2
0x01316aa8
0x01316aad
0x01316ab4
0x01316ab5
0x01316ab5
0x01316ab5
0x01316abc
0x01316abf
0x01316ac7
0x01316acd
0x01316ad2
0x01316ad2
0x01316acf
0x01316acf
0x01316acf
0x01316ad6
0x01316ad7
0x01316ad9
0x01316adc
0x01316ae2
0x01316ae8
0x01316aeb
0x01316aee
0x01316af4
0x01316af7
0x01316afa
0x01316b04
0x01316b04
0x01316b04
0x01316afc
0x01316afc
0x01316afe
0x00000000
0x01316b00
0x01316b00
0x01316b00
0x01316afe
0x01316b06
0x01316b08
0x01316bfa
0x01316bfa
0x01316bfc
0x01316c01
0x01316c02
0x01316c08
0x01316c14
0x01316c1b
0x01316c1c
0x01316c1d
0x01316c22
0x01316b0e
0x01316b0e
0x01316b10
0x00000000
0x01316b16
0x01316b18
0x01316b19
0x01316b1b
0x01316b1d
0x01316b1f
0x01316b1f
0x01316b25
0x01316b27
0x01316b2d
0x01316b30
0x01316b3e
0x01316b44
0x01316b44
0x01316b46
0x01316b49
0x01316b4f
0x01316b4f
0x01316b51
0x00000000
0x00000000
0x01316b53
0x01316b55
0x01316b5b
0x01316b5b
0x01316b57
0x01316b57
0x01316b57
0x01316b60
0x01316b62
0x01316b69
0x01316b69
0x01316b64
0x01316b64
0x01316b64
0x01316b8f
0x01316b95
0x01316b98
0x01316b9e
0x01316ba5
0x01316ba6
0x01316ba7
0x01316bad
0x01316bb0
0x01316bb2
0x00000000
0x01316bb2
0x00000000
0x01316bb0
0x01316bba
0x01316bc0
0x01316bc8
0x01316bc8
0x01316bc9
0x01316bcb
0x01316bcf
0x01316bd7
0x01316bd7
0x01316bd7
0x01316bd9
0x01316be0
0x01316be5
0x01316bf2
0x01316be7
0x01316bea
0x01316bea
0x01316be5
0x01316b10
0x01316c25
0x01316c2f
0x01316c35
0x01316c3b
0x01316c41
0x0131687d
0x0131687d
0x0131687d
0x0131687f
0x01316886
0x0131688d
0x00000000
0x00000000
0x01316893
0x01316896
0x01316899
0x00000000
0x0131689b
0x013168a3
0x013168a8
0x013168ad
0x013168ae
0x013168b0
0x013168b8
0x013168bc
0x013168c2
0x013168c8
0x013168cd
0x013168d4
0x013168d4
0x013168d5
0x013168d8
0x013168e0
0x013168e6
0x013168eb
0x013168eb
0x013168e8
0x013168e8
0x013168e8
0x013168ef
0x013168f0
0x013168f2
0x013168f5
0x013168fb
0x01316901
0x01316904
0x01316907
0x0131690d
0x01316910
0x01316913
0x0131691d
0x0131691d
0x0131691d
0x01316915
0x01316915
0x01316917
0x00000000
0x01316919
0x01316919
0x01316919
0x01316917
0x0131691f
0x01316921
0x01316a16
0x01316a16
0x01316a18
0x01316a1d
0x01316a1e
0x01316a24
0x01316a30
0x01316a37
0x01316a38
0x01316a39
0x01316a3e
0x01316927
0x01316927
0x01316929
0x00000000
0x0131692f
0x01316931
0x01316932
0x01316934
0x01316936
0x01316938
0x01316938
0x0131693e
0x01316940
0x01316946
0x01316949
0x01316957
0x0131695d
0x0131695d
0x0131695f
0x01316962
0x01316968
0x01316968
0x0131696a
0x00000000
0x00000000
0x0131696c
0x0131696e
0x01316974
0x01316974
0x01316970
0x01316970
0x01316970
0x01316979
0x0131697b
0x01316988
0x01316988
0x0131697d
0x01316983
0x01316983
0x013169a6
0x013169ae
0x013169b5
0x013169bc
0x013169bd
0x013169c0
0x013169c6
0x013169cc
0x013169cf
0x013169d1
0x00000000
0x013169d1
0x00000000
0x013169cf
0x013169d9
0x013169df
0x013169df
0x013169e5
0x013169e7
0x013169f1
0x013169f3
0x013169f3
0x013169f3
0x013169f5
0x013169fc
0x01316a01
0x01316a0e
0x01316a03
0x01316a06
0x01316a06
0x01316a01
0x01316929
0x01316a41
0x01316a4c
0x01316a4d
0x01316a4e
0x01316a54
0x01316a5a
0x01316a60
0x01316a60
0x00000000
0x01316899
0x00000000
0x0131687f
0x01316a61
0x01316a67
0x01316a6e
0x01316a6f
0x01316a70
0x01316a75
0x01316a75
0x01316ed9
0x01316ee3
0x01316ee4
0x01316eea
0x01316eec
0x01317355
0x01317357
0x01317359
0x0131735f
0x01317361
0x01317367
0x01317369
0x013176bb
0x013176bb
0x013176bd
0x013176c3
0x013176ca
0x013176d0
0x013176d2
0x01317770
0x01317770
0x01317772
0x01317773
0x01317779
0x00000000
0x013176d8
0x013176d8
0x013176db
0x013176e1
0x013176e7
0x013176e9
0x013176ef
0x013176f1
0x013176f1
0x013176f3
0x013176f3
0x013176fc
0x01317703
0x01317709
0x0131770c
0x0131770d
0x0131770f
0x0131770f
0x01317713
0x01317715
0x01317717
0x0131771d
0x01317720
0x00000000
0x01317722
0x01317722
0x01317729
0x01317729
0x01317720
0x01317715
0x013176e9
0x013176db
0x013176d2
0x0131736f
0x0131736f
0x0131736f
0x01317372
0x01317376
0x01317376
0x01317377
0x01317389
0x01317396
0x013173a5
0x013173cf
0x013173d4
0x013173da
0x013173dd
0x013173e3
0x013173e6
0x0131747f
0x01317486
0x01317504
0x0131750a
0x01317510
0x01317513
0x01317515
0x0131759e
0x0131751b
0x0131751b
0x01317521
0x01317521
0x01317527
0x0131752d
0x0131752f
0x01317531
0x01317531
0x01317537
0x0131753d
0x0131753f
0x01317547
0x01317547
0x0131754d
0x0131754f
0x01317551
0x01317557
0x01317559
0x01317670
0x01317672
0x01317678
0x01317678
0x0131767b
0x0131767c
0x00000000
0x0131755f
0x01317565
0x01317565
0x01317567
0x0131756d
0x01317570
0x01317577
0x0131757d
0x0131757f
0x013175a6
0x013175a8
0x013175aa
0x013175ac
0x013175b2
0x013175b8
0x01317652
0x01317652
0x01317655
0x00000000
0x0131765b
0x0131765b
0x01317661
0x00000000
0x01317661
0x013175be
0x013175be
0x013175be
0x013175c1
0x00000000
0x00000000
0x013175c3
0x013175c5
0x013175c7
0x013175d0
0x013175d0
0x013175d2
0x013175d8
0x013175d8
0x013175e4
0x013175ef
0x013175f2
0x013175ff
0x01317602
0x01317603
0x01317604
0x0131760a
0x0131760c
0x01317612
0x01317618
0x00000000
0x00000000
0x00000000
0x00000000
0x0131761a
0x0131761a
0x0131761a
0x0131761c
0x00000000
0x00000000
0x0131761e
0x01317621
0x00000000
0x01317627
0x01317627
0x01317629
0x0131762b
0x0131762b
0x0131762b
0x01317633
0x01317636
0x01317636
0x0131763c
0x0131763e
0x01317640
0x01317647
0x0131764d
0x0131764f
0x00000000
0x0131764f
0x00000000
0x01317621
0x00000000
0x0131761a
0x00000000
0x013175be
0x01317581
0x01317581
0x01317583
0x01317589
0x01317590
0x01317590
0x01317593
0x01317593
0x00000000
0x01317583
0x00000000
0x01317667
0x01317667
0x01317668
0x01317668
0x00000000
0x0131756d
0x01317488
0x01317488
0x01317493
0x0131749a
0x013174a0
0x013174a7
0x013174a8
0x013174a9
0x013174ae
0x013174b1
0x013174b3
0x00000000
0x013174b9
0x013174b9
0x013174bc
0x00000000
0x013174c2
0x013174c2
0x013174c9
0x00000000
0x013174cf
0x013174d5
0x013174d7
0x013174dd
0x013174dd
0x013174df
0x013174df
0x013174e1
0x013174ea
0x013174f1
0x013174f4
0x013174f5
0x013174f7
0x013174f7
0x00000000
0x013174ff
0x013174c9
0x013174bc
0x013174b3
0x013173ec
0x013173ec
0x013173f2
0x013173f4
0x01317410
0x01317413
0x00000000
0x01317419
0x01317419
0x01317420
0x00000000
0x01317426
0x0131742c
0x0131742e
0x01317434
0x01317434
0x01317436
0x01317436
0x01317438
0x01317441
0x01317448
0x0131744b
0x0131744c
0x0131744e
0x0131744e
0x01317456
0x01317456
0x01317458
0x00000000
0x0131745e
0x0131745e
0x01317464
0x01317467
0x01317731
0x01317733
0x01317734
0x0131773a
0x01317746
0x0131774d
0x0131774e
0x0131774f
0x01317754
0x01317757
0x0131746d
0x0131746d
0x01317474
0x00000000
0x01317474
0x01317467
0x01317458
0x01317420
0x013173f6
0x013173f6
0x013173f8
0x013173fe
0x01317404
0x01317405
0x01317682
0x01317682
0x01317689
0x0131768a
0x0131768b
0x01317690
0x01317693
0x01317693
0x01317693
0x013173f4
0x01317695
0x01317695
0x01317697
0x0131775e
0x01317765
0x0131776c
0x0131777f
0x01317785
0x01317786
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0131769d
0x013176a3
0x013176a3
0x013176a9
0x013176a9
0x013176b5
0x00000000
0x013176b5
0x01316ef2
0x01316ef2
0x01316ef4
0x01316efa
0x01316efc
0x01316f02
0x01316f04
0x0131727b
0x0131727b
0x0131727d
0x01317283
0x0131728a
0x0131728c
0x013172eb
0x013172ee
0x013172f4
0x013172fa
0x01317300
0x01317302
0x01317308
0x0131730a
0x0131730a
0x0131730c
0x0131730c
0x0131730e
0x01317317
0x0131731e
0x01317321
0x01317322
0x01317324
0x01317324
0x0131732c
0x0131732e
0x01317334
0x0131733a
0x0131733d
0x00000000
0x01317343
0x01317343
0x0131734a
0x0131734a
0x0131733d
0x0131732e
0x01317302
0x0131728e
0x0131728e
0x01317290
0x01317296
0x0131729c
0x00000000
0x0131729c
0x0131728c
0x01316f0a
0x01316f0a
0x01316f0a
0x01316f0d
0x01316f11
0x01316f11
0x01316f12
0x01316f24
0x01316f31
0x01316f40
0x01316f6a
0x01316f6f
0x01316f75
0x01316f78
0x01316f7e
0x01316f81
0x01316ffd
0x01317004
0x013170c8
0x013170ce
0x013170d4
0x013170d7
0x013170d9
0x01317162
0x013170df
0x013170df
0x013170e5
0x013170e5
0x013170eb
0x013170f1
0x013170f3
0x013170f5
0x013170f5
0x013170fb
0x01317101
0x01317103
0x0131710b
0x0131710b
0x01317111
0x01317113
0x01317115
0x0131711b
0x0131711d
0x01317234
0x01317236
0x0131723c
0x0131723c
0x00000000
0x01317123
0x01317129
0x01317129
0x0131712b
0x01317131
0x01317134
0x0131713b
0x01317141
0x01317143
0x0131716a
0x0131716c
0x0131716e
0x01317170
0x01317176
0x0131717c
0x01317216
0x01317216
0x01317219
0x00000000
0x0131721f
0x0131721f
0x01317225
0x00000000
0x01317225
0x01317182
0x01317182
0x01317182
0x01317185
0x00000000
0x00000000
0x01317187
0x01317189
0x0131718b
0x01317194
0x01317194
0x01317196
0x0131719c
0x0131719c
0x013171a8
0x013171b3
0x013171b6
0x013171c3
0x013171c6
0x013171c7
0x013171c8
0x013171ce
0x013171d0
0x013171d6
0x013171dc
0x00000000
0x00000000
0x00000000
0x00000000
0x013171de
0x013171de
0x013171de
0x013171e0
0x00000000
0x00000000
0x013171e2
0x013171e5
0x0131729f
0x0131729f
0x013172a1
0x013172a7
0x013172ad
0x013172ae
0x00000000
0x013171eb
0x013171eb
0x013171ed
0x013171ef
0x013171ef
0x013171ef
0x013171f7
0x013171fa
0x013171fa
0x01317200
0x01317202
0x01317204
0x0131720b
0x01317211
0x01317213
0x00000000
0x01317213
0x00000000
0x013171e5
0x00000000
0x013171de
0x00000000
0x01317182
0x01317145
0x01317145
0x01317147
0x0131714d
0x01317154
0x01317154
0x01317157
0x01317157
0x00000000
0x01317147
0x00000000
0x0131722b
0x0131722b
0x0131722c
0x0131722c
0x00000000
0x01317131
0x0131700a
0x0131700a
0x01317015
0x0131701c
0x01317022
0x01317029
0x0131702a
0x0131702b
0x01317030
0x01317033
0x01317035
0x01317051
0x01317054
0x00000000
0x0131705a
0x0131705a
0x01317061
0x00000000
0x01317067
0x0131706d
0x0131706f
0x01317075
0x01317075
0x01317077
0x01317077
0x01317079
0x01317082
0x01317089
0x0131708c
0x0131708d
0x0131708f
0x0131708f
0x00000000
0x01317077
0x01317061
0x01317037
0x01317039
0x0131703f
0x01317045
0x01317046
0x00000000
0x01317046
0x01317035
0x01316f83
0x01316f83
0x01316f89
0x01316f8b
0x01316fa0
0x01316fa3
0x00000000
0x01316fa9
0x01316fa9
0x01316fb0
0x00000000
0x01316fb6
0x01316fbc
0x01316fbe
0x01316fc4
0x01316fc4
0x01316fc6
0x01316fc6
0x01316fc8
0x01316fd1
0x01316fd8
0x01316fdb
0x01316fdc
0x01316fde
0x01316fde
0x01317097
0x01317097
0x01317099
0x00000000
0x0131709f
0x0131709f
0x013170a5
0x013170a8
0x01316feb
0x01316ff2
0x00000000
0x013170ae
0x013170b0
0x013170b6
0x013170bc
0x013170bd
0x013172b4
0x013172b4
0x013172bb
0x013172bc
0x013172bd
0x013172c2
0x013172c5
0x013172c5
0x013170a8
0x01317099
0x01316fb0
0x01316f8d
0x01316f8d
0x01316f8f
0x01316f95
0x0131723f
0x0131723f
0x01317240
0x01317246
0x01317246
0x0131724d
0x0131724e
0x0131724f
0x01317254
0x01317257
0x01317257
0x01317257
0x01316f8b
0x01317259
0x01317259
0x0131725b
0x013172c9
0x013172d0
0x013172d0
0x013172d0
0x013172d7
0x013172d9
0x013172df
0x013172e0
0x0131778c
0x0131778c
0x0131778d
0x0131778e
0x01317793
0x00000000
0x00000000
0x00000000
0x00000000
0x0131725d
0x01317263
0x01317263
0x01317269
0x01317269
0x01317275
0x00000000
0x01317275
0x01316f04
0x01317796
0x01317796
0x0131779c
0x0131779e
0x013177a4
0x013177aa
0x013177ac
0x013177ae
0x013177b0
0x013177b0
0x013177b2
0x013177b2
0x013177bb
0x013177bc
0x013177c0
0x013177c7
0x013177ca
0x013177cb
0x013177cd
0x013177cd
0x013177d1
0x013177d7
0x013177d9
0x013177df
0x013177e1
0x013177e7
0x013177ea
0x013177fd
0x013177ff
0x01317800
0x01317806
0x01317812
0x01317819
0x0131781a
0x0131781b
0x01317820
0x013177ec
0x013177ee
0x013177f5
0x013177f5
0x013177ea
0x01317823
0x01317823
0x01317833
0x0131783c
0x0131783d
0x0131783f
0x013178d6
0x013178d8
0x013178e3
0x013178e3
0x013178e5
0x013178e8
0x013178ea
0x00000000
0x013178da
0x013178e0
0x013178e0
0x01317845
0x01317845
0x0131784b
0x0131784e
0x01317854
0x01317857
0x0131785d
0x0131785f
0x01317865
0x01317867
0x01317869
0x01317869
0x0131786b
0x0131786b
0x01317878
0x0131787f
0x01317882
0x01317883
0x01317885
0x01317886
0x01317886
0x0131788a
0x01317890
0x01317892
0x01317894
0x0131789a
0x0131789d
0x013178b0
0x013178b1
0x013178b7
0x013178c3
0x013178ca
0x013178cb
0x013178cc
0x013178d1
0x0131789f
0x0131789f
0x013178a6
0x013178a6
0x0131789d
0x01317892
0x013178f0
0x013178f0
0x013178f0
0x013178fc
0x013178ff
0x01317905
0x01317907
0x01317909
0x0131790f
0x01317911
0x01317911
0x01317911
0x0131790f
0x01317916
0x01317917
0x01317919
0x0131791b
0x0131791b
0x0131791d
0x01317923
0x01317929
0x0131792b
0x01317931
0x01317931
0x01317937
0x01317939
0x00000000
0x00000000
0x0131793f
0x01317941
0x01317943
0x01317943
0x01317945
0x01317945
0x01317955
0x0131795c
0x0131795f
0x01317960
0x01317962
0x01317962
0x01317966
0x0131796c
0x0131796e
0x01317970
0x01317976
0x01317979
0x0131798a
0x0131798c
0x0131798d
0x01317993
0x0131799f
0x013179a6
0x013179a7
0x013179a8
0x013179ad
0x0131797b
0x0131797b
0x01317982
0x01317982
0x01317979
0x013179be
0x013179cd
0x013179ce
0x013179ce
0x013179d0
0x013179d2
0x013179d2
0x013179d8
0x013179db
0x013179dd
0x013179df
0x013179df
0x013179e2
0x013179e3
0x013179e3
0x013179e8
0x013179eb
0x013179ef
0x013179ef
0x013179f0
0x013179f2
0x013179f8
0x013179fe
0x00000000
0x00000000
0x00000000
0x013179fe
0x01317931
0x01317a04
0x01317a04
0x00000000
0x01317a04
0x01316789
0x01316780
0x01316777
0x0131672e
0x01316732
0x0131673a
0x00000000
0x0131673c
0x01316742
0x01316747
0x01317a23
0x01317a23
0x01317a26
0x01317a31
0x01317a5c
0x01317a5d
0x01317a5e
0x01317a5f
0x01317a60
0x01317a61
0x01317a66
0x01317a69
0x01317a6c
0x01317a6d
0x01317a70
0x01317a72
0x01317a78
0x01317a7b
0x01317a7d
0x01317a92
0x01317a93
0x01317a96
0x01317a98
0x01317aae
0x01317ab4
0x01317abc
0x01317abe
0x01317ac9
0x01317acc
0x01317ae3
0x01317ace
0x01317ace
0x01317ad3
0x00000000
0x01317ad3
0x01317ac0
0x01317ac0
0x01317ac5
0x01317ad5
0x01317ad5
0x01317ad6
0x01317ad8
0x01317add
0x01317add
0x01317a9a
0x01317a9a
0x01317a9d
0x00000000
0x01317a9f
0x01317aa2
0x01317aaa
0x01317aaa
0x01317a9d
0x01317a7f
0x01317a7f
0x01317a86
0x01317a87
0x01317a89
0x01317a8e
0x01317a8e
0x01317a74
0x01317a74
0x01317a74
0x01317ae7
0x01317a33
0x01317a33
0x01317a33
0x01317a3d
0x01317a46
0x01317a4b
0x01317a59
0x01317a59
0x01317a31
0x0131673a

APIs

__floor_pentium4.LIBCMT ref: 01316811

Strings

1#INF, xrefs: 01317A1E
1#SNAN, xrefs: 01317A10
1#IND, xrefs: 01317A09
1#QNAN, xrefs: 01317A17

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: df1239d4eb627d8747ebbd448ba86dd1cd79dabf5e60a90f270ef1f4ced70f13
Instruction ID: ab37972fd74608222433f165e91c6dc470d21eac051314b69c18a9d05e2fca8b
Opcode Fuzzy Hash: df1239d4eb627d8747ebbd448ba86dd1cd79dabf5e60a90f270ef1f4ced70f13
Instruction Fuzzy Hash: 45C27FB2E046288FDF29CE68DD417E9B7B9EB44318F1845EAD44DE7244E774AE818F40

Uniqueness

Uniqueness Score: -1.00%

Function 011F1B03 Relevance: 6.5, APIs: 4, Instructions: 504
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E011F1B03(intOrPtr __ecx, signed int __edx) {
				signed int _t295;
				signed int _t296;
				signed int _t297;
				signed int _t299;
				signed int _t301;
				signed int _t303;
				signed int _t304;
				signed int _t305;
				signed int _t306;
				signed char _t309;
				long long* _t321;
				signed int _t325;
				signed int _t329;
				signed int _t342;
				signed int _t343;
				signed int _t347;
				void* _t348;
				intOrPtr _t349;
				signed int* _t351;
				signed int _t353;
				long long* _t354;
				signed int _t355;
				signed int _t356;
				intOrPtr _t357;
				signed int _t363;
				signed int _t365;
				signed int _t366;
				signed int _t368;
				signed int _t369;
				signed int _t372;
				void* _t376;
				signed int _t378;
				signed int _t382;
				signed int _t407;
				intOrPtr _t409;
				signed int* _t410;
				signed int _t412;
				signed int _t414;
				signed char* _t418;
				signed int _t420;
				signed int _t421;
				signed int _t422;
				signed int _t424;
				signed int _t430;
				signed int _t433;
				signed int _t439;
				intOrPtr _t440;
				signed int _t441;
				void* _t443;
				signed int _t444;
				void* _t445;
				signed int* _t447;
				signed int _t449;
				intOrPtr _t450;
				signed int _t452;
				intOrPtr _t453;
				signed int _t454;
				void* _t455;
				void* _t456;
				signed long long _t458;
				signed long long _t462;
				signed long long _t466;
				long long _t469;
				long long _t471;
				long long _t473;
				signed long long _t474;
				signed long long _t478;
				signed long long _t479;

				_t420 = __edx;
				_push(0x11c);
				E012EA0A3();
				_t450 = __ecx;
				 *((intOrPtr*)(_t455 - 0x98)) = __ecx;
				_t443 =  *(__ecx + 0x8c);
				if(_t443 != 0) {
					__eflags =  *((intOrPtr*)(__ecx + 8)) - 0x18;
					if( *((intOrPtr*)(__ecx + 8)) < 0x18) {
						goto L1;
					}
					_t458 =  *(_t455 + 8);
					asm("fldz");
					asm("fucomp st1");
					asm("fnstsw ax");
					__eflags = 0;
					if(0 != 0) {
						asm("fld1");
						asm("fucomp st1");
						asm("fnstsw ax");
						__eflags = 0;
						if(0 != 0) {
							_t296 =  *(__ecx + 0x58);
							 *(_t455 - 0x20) = _t296;
							asm("fild dword [ebp-0x20]");
							 *(_t455 - 0x3c) = _t296;
							 *(_t455 - 0x74) = _t458;
							_t462 =  *0x1334160 + st0;
							asm("fxch st0, st1");
							_t297 = E012EA290(_t296, _t462);
							_t363 =  *(_t450 + 0x54);
							 *(_t455 - 0x20) = _t363;
							asm("fild dword [ebp-0x20]");
							 *(_t455 - 0x14) = _t297;
							 *(_t455 - 0x74) = _t462;
							asm("fmulp st2, st0");
							asm("faddp st1, st0");
							_t378 = E012EA290(_t297,  *(_t455 - 0x74));
							_t299 =  *(_t455 - 0x14);
							 *(_t455 - 0x2c) = _t378;
							__eflags = _t378 -  *(_t450 + 0x54);
							if(_t378 !=  *(_t450 + 0x54)) {
								L11:
								__eflags = _t363;
								if(_t363 <= 0) {
									L7:
									_t295 = 1;
									__eflags = 1;
									L8:
									E012EA06C();
									return _t295;
								}
								__eflags =  *(_t455 - 0x3c);
								if( *(_t455 - 0x3c) <= 0) {
									goto L7;
								}
								__eflags = _t378;
								if(_t378 <= 0) {
									goto L7;
								}
								__eflags = _t299;
								if(_t299 <= 0) {
									goto L7;
								}
								_t301 =  *(_t450 + 4);
								 *(_t455 - 0x28) = _t301;
								__eflags = _t301;
								if(_t301 == 0) {
									goto L7;
								}
								_t303 = GetObjectW(_t443, 0x18, _t455 - 0x128);
								__eflags = _t303;
								if(_t303 == 0) {
									goto L1;
								}
								_t304 = E01304A7B(_t420,  *(_t455 - 0x120));
								__eflags =  *(_t455 - 0x120);
								_t444 =  *(_t455 - 0x28);
								_t365 = 0 |  *(_t455 - 0x120) < 0x00000000;
								 *(_t455 - 0x40) =  *(_t450 + 0x54);
								 *(_t455 - 0x20) = 0;
								 *(_t455 - 0x18) = 0;
								 *(_t455 - 0x1c) = 0;
								 *(_t450 + 0xb8) =  *(_t450 + 0xb8) *  *(_t455 + 8);
								__eflags = _t444 - 1;
								if(_t444 == 1) {
									__eflags = _t304 -  *(_t450 + 0x58);
									if(_t304 >  *(_t450 + 0x58)) {
										asm("cdq");
										_t43 = _t304 %  *(_t450 + 0x58);
										__eflags = _t43;
										_t420 = _t43;
										 *(_t455 - 0x40) = 0;
										_t444 = _t304 /  *(_t450 + 0x58);
										 *(_t455 - 0x28) = _t444;
										 *(_t455 - 0x20) =  *(_t450 + 0x58);
									}
								}
								_t305 = E012204FD(_t365, _t420,  *(_t450 + 0x8c),  *(_t450 + 0xa8));
								 *(_t455 - 0x50) = _t305;
								__eflags = _t305;
								if(_t305 == 0) {
									goto L1;
								} else {
									__eflags =  *(_t455 - 0x40);
									_t306 =  *(_t455 - 0x14);
									_t382 = _t306;
									_t421 =  *(_t455 - 0x2c);
									 *(_t455 - 0x58) = _t421;
									 *(_t455 - 0x54) = _t382;
									if( *(_t455 - 0x40) <= 0) {
										_t382 = _t382 * _t444;
										__eflags = _t382;
										 *(_t455 - 0x1c) = _t306;
										 *(_t455 - 0x54) = _t382;
									} else {
										 *(_t455 - 0x18) = _t421;
										 *(_t455 - 0x58) = _t444 * _t421;
									}
									__eflags = _t365;
									if(_t365 != 0) {
										 *(_t455 - 0x54) =  ~_t382;
									}
									_t366 = E01220458(_t365, _t444, _t450, _t455 - 0x58, 0);
									 *(_t455 - 0x70) = _t366;
									_t309 = E01304A7B(_t421,  *(_t455 - 0x54));
									 *(_t455 - 0x54) = _t309;
									__eflags = _t366;
									if(_t366 != 0) {
										_t466 =  *(_t455 + 8);
										asm("fld1");
										asm("fcompp");
										asm("fnstsw ax");
										__eflags = _t309 & 0x00000041;
										if((_t309 & 0x00000041) != 0) {
											_push(6);
										} else {
											_push(5);
										}
										_pop(_t445);
										 *((intOrPtr*)(_t455 - 0xdc)) = 0;
										 *((intOrPtr*)(_t455 - 0xd0)) = 0;
										 *((intOrPtr*)(_t455 - 0xcc)) = 0;
										 *((intOrPtr*)(_t455 - 0xc8)) = 0;
										 *((intOrPtr*)(_t455 - 0xc4)) = 0;
										 *((intOrPtr*)(_t455 - 0xc0)) = 0;
										 *(_t455 - 0xbc) = 0;
										 *((intOrPtr*)(_t455 - 0xb4)) = 0;
										 *((intOrPtr*)(_t455 - 0xd8)) = 0;
										 *((intOrPtr*)(_t455 - 0xd4)) = 0;
										 *((intOrPtr*)(_t455 - 4)) = 0;
										 *((intOrPtr*)(_t455 - 0xa8)) = 0;
										 *((intOrPtr*)(_t455 - 0xa4)) = 0;
										E011F2ACC(_t366, _t455 - 0xdc, _t421, _t445, _t450,  *(_t455 - 0x50), _t455 - 0xa8);
										 *((intOrPtr*)(_t455 - 0x108)) = 0;
										 *((intOrPtr*)(_t455 - 0xfc)) = 0;
										 *((intOrPtr*)(_t455 - 0xf8)) = 0;
										 *((intOrPtr*)(_t455 - 0xf4)) = 0;
										 *((intOrPtr*)(_t455 - 0xf0)) = 0;
										 *((intOrPtr*)(_t455 - 0xec)) = 0;
										 *(_t455 - 0xe8) = 0;
										 *((intOrPtr*)(_t455 - 0xe0)) = 0;
										 *(_t455 - 0x104) = 0;
										 *((intOrPtr*)(_t455 - 0x100)) = 0;
										 *((intOrPtr*)(_t455 - 0xb0)) = 0;
										 *((intOrPtr*)(_t455 - 0xac)) = 0;
										E011F2ACC(_t366, _t455 - 0x108, _t421, _t445, _t450, _t366, _t455 - 0xb0);
										 *(_t455 - 0x10) =  *(_t455 - 0xb8) & 0x000000ff;
										 *((intOrPtr*)(_t455 - 0x90)) = 0x1339c4c;
										 *((intOrPtr*)(_t455 - 0x8c)) = 0;
										 *(_t455 - 0x88) = 0;
										 *((char*)(_t455 - 4)) = 2;
										E011EE649(0, _t455 - 0x90, _t466,  *(_t450 + 0x54),  *(_t455 - 0x2c), 0,  *(_t450 + 0x54), _t445);
										 *((intOrPtr*)(_t455 - 0x84)) = 0x1339c4c;
										 *((intOrPtr*)(_t455 - 0x80)) = 0;
										 *((intOrPtr*)(_t455 - 0x7c)) = 0;
										 *((char*)(_t455 - 4)) = 3;
										_t368 =  *(_t455 - 0x14);
										E011EE649(_t368, _t455 - 0x84, _t466,  *(_t450 + 0x58), _t368, 0,  *(_t450 + 0x58), _t445);
										_t422 = 8;
										_push( ~(__eflags > 0) |  *(_t455 - 0x10) * _t422);
										_t321 = E011A701B( ~(__eflags > 0) |  *(_t455 - 0x10) * _t422, __eflags);
										_t446 = _t321;
										 *((intOrPtr*)(_t455 - 0x60)) = _t321;
										_t424 = 8;
										_push( ~(__eflags > 0) |  *(_t455 - 0x10) * _t424);
										 *((intOrPtr*)(_t455 - 0x38)) = E011A701B( ~(__eflags > 0) |  *(_t455 - 0x10) * _t424, __eflags);
										_t325 =  *(_t455 - 0x28);
										 *((intOrPtr*)(_t455 - 0x44)) = 0;
										 *((intOrPtr*)(_t455 - 0x48)) = 0;
										__eflags = _t325;
										if(_t325 <= 0) {
											L74:
											L011A7024(_t446);
											L011A7024( *((intOrPtr*)(_t455 - 0x38)));
											DeleteObject( *(_t455 - 0x50));
											_t369 =  *(_t450 + 4);
											_t329 = E011B2E46(_t450 + 0x5c, 0, 0);
											__eflags = _t329;
											if(_t329 != 0) {
												 *(_t450 + 0x5c) =  *(_t450 + 0x54);
												 *(_t450 + 0x60) =  *(_t450 + 0x58);
											}
											_t447 = _t450 + 0x8c;
											 *(_t450 + 0x54) =  *(_t455 - 0x2c);
											 *(_t450 + 0x58) =  *(_t455 - 0x14);
											 *(_t450 + 0xa8) =  *(_t450 + 0xa8) | 0xffffffff;
											 *(_t450 + 0xac) =  *(_t450 + 0xa8);
											E011BD6C7(_t447);
											 *_t447 =  *(_t455 - 0x70);
											 *(_t450 + 4) = _t369;
											 *((intOrPtr*)(_t450 + 8)) = 0x20;
											E011F2623(_t450, 0);
											E011F2623(_t450, 1);
											__eflags =  *_t447;
											 *((intOrPtr*)(_t455 - 0x84)) = 0x1339c4c;
											E011EFBCB(_t455 - 0x84);
											 *((intOrPtr*)(_t455 - 0x90)) = 0x1339c4c;
											E011EFBCB(_t455 - 0x90);
											_t295 = 0 |  *_t447 != 0x00000000;
											goto L8;
										} else {
											_t452 =  *(_t455 - 0x10);
											 *((intOrPtr*)(_t455 - 0x4c)) = 0;
											 *(_t455 - 0x9c) = _t452 << 3;
											_t407 =  *(_t455 - 0xe8);
											 *(_t455 - 0x94) = _t407 *  *(_t455 - 0x1c);
											_t430 = _t452 *  *(_t455 - 0x18);
											__eflags = _t430;
											 *(_t455 - 0xa0) = _t430;
											 *(_t455 - 0x1c) =  *(_t455 - 0x104);
											 *((intOrPtr*)(_t455 - 0x30)) =  *((intOrPtr*)(_t455 - 0x7c));
											do {
												_t433 = 0;
												 *(_t455 - 0x24) = 0;
												__eflags = _t368;
												if(_t368 == 0) {
													goto L72;
												}
												_t342 =  *((intOrPtr*)(_t455 - 0x4c)) +  *(_t455 - 0x1c);
												__eflags = _t342;
												 *(_t455 - 0x18) = _t342;
												_t343 =  *(_t455 - 0x2c);
												do {
													 *(_t455 - 0x5c) =  *(_t455 - 0x18);
													_t446 =  *((intOrPtr*)(_t455 - 0x60));
													__eflags = _t343;
													if(_t343 == 0) {
														goto L70;
													}
													 *(_t455 - 0x34) =  *(_t455 - 0x88);
													 *(_t455 - 0x3c) = _t343;
													do {
														E012EE6E0(_t446, _t446, 0, _t452 << 3);
														_t347 =  *(_t455 - 0x24);
														_t456 = _t456 + 0xc;
														_t409 =  *((intOrPtr*)(_t455 - 0x30));
														 *(_t455 - 0x64) =  *(_t455 - 0x64) & 0x00000000;
														__eflags =  *(_t409 + _t347 * 8);
														if( *(_t409 + _t347 * 8) <= 0) {
															L51:
															__eflags = _t452 - 4;
															if(_t452 == 4) {
																asm("fcomp qword [edi]");
																asm("fnstsw ax");
																__eflags = _t347 & 0x00000041;
																if((_t347 & 0x00000041) != 0) {
																	_t469 =  *((long long*)(_t446 + 0x18));
																} else {
																	_t469 =  *_t446;
																}
																 *_t446 = _t469;
																asm("fcomp qword [edi+0x8]");
																asm("fnstsw ax");
																__eflags = _t347 & 0x00000041;
																if((_t347 & 0x00000041) != 0) {
																	_t471 =  *((long long*)(_t446 + 0x18));
																} else {
																	_t471 =  *((long long*)(_t446 + 8));
																}
																 *((long long*)(_t446 + 8)) = _t471;
																asm("fcomp qword [edi+0x10]");
																asm("fnstsw ax");
																__eflags = _t347 & 0x00000041;
																if((_t347 & 0x00000041) != 0) {
																	_t473 =  *((long long*)(_t446 + 0x18));
																} else {
																	_t473 =  *((long long*)(_t446 + 0x10));
																}
																 *((long long*)(_t446 + 0x10)) = _t473;
															}
															_t372 = 0;
															__eflags = _t452;
															if(_t452 != 0) {
																do {
																	_t474 =  *((long long*)(_t446 + _t372 * 8));
																	asm("fldz");
																	asm("fcom st0, st1");
																	asm("fnstsw ax");
																	__eflags = _t347 & 0x00000041;
																	if((_t347 & 0x00000041) == 0) {
																		L65:
																		st1 = _t474;
																		goto L67;
																	}
																	st0 = _t474;
																	_t474 =  *0x1334168;
																	asm("fcom st0, st1");
																	asm("fnstsw ax");
																	__eflags = _t347 & 0x00000005;
																	if((_t347 & 0x00000005) != 0) {
																		st0 = _t474;
																		goto L67;
																	}
																	goto L65;
																	L67:
																	_t347 = E012EA2D0();
																	_t410 =  *(_t455 - 0x5c);
																	 *_t410 = _t347;
																	_t372 = _t372 + 1;
																	 *(_t455 - 0x5c) =  &(_t410[0]);
																	__eflags = _t372 - _t452;
																} while (_t372 < _t452);
															}
															goto L68;
														}
														_t453 = 0;
														__eflags = 0;
														 *((intOrPtr*)(_t455 - 0x78)) = 0;
														do {
															_t349 =  *((intOrPtr*)(_t409 + 4 + _t347 * 8));
															 *((long long*)(_t455 - 0x110)) =  *((long long*)(_t349 + _t453 + 8));
															_t376 = ( *((intOrPtr*)(_t349 + _t453)) +  *((intOrPtr*)(_t455 - 0x48))) *  *(_t455 - 0xbc) +  *((intOrPtr*)(_t455 - 0xd8));
															E012EE6E0(_t446,  *((intOrPtr*)(_t455 - 0x38)), 0,  *(_t455 - 0x9c));
															_t351 =  *(_t455 - 0x34);
															_t456 = _t456 + 0xc;
															 *(_t455 - 0x68) =  *(_t455 - 0x68) & 0x00000000;
															__eflags =  *_t351;
															if( *_t351 <= 0) {
																L45:
																_t439 =  *(_t455 - 0x10);
																__eflags = _t439;
																if(_t439 == 0) {
																	goto L49;
																}
																_t354 = _t446;
																_t414 =  *((intOrPtr*)(_t455 - 0x38)) - _t446;
																__eflags = _t414;
																do {
																	_t478 =  *(_t414 + _t354) * st1 +  *_t354;
																	 *_t354 = _t478;
																	_t354 = _t354 + 8;
																	_t439 = _t439 - 1;
																	__eflags = _t439;
																} while (_t439 != 0);
																st0 = _t478;
																goto L49;
															}
															_t449 =  *(_t455 - 0x68);
															_t441 = 0;
															__eflags = 0;
															do {
																_t355 = _t351[1];
																_t454 = 0;
																_t479 =  *(_t355 + _t441 + 8);
																_t418 = ( *((intOrPtr*)(_t355 + _t441)) +  *((intOrPtr*)(_t455 - 0x44))) *  *(_t455 - 0x10) + _t376;
																__eflags =  *(_t455 - 0x10);
																if( *(_t455 - 0x10) <= 0) {
																	goto L43;
																} else {
																	goto L42;
																}
																do {
																	L42:
																	_t356 =  *_t418 & 0x000000ff;
																	_t418 =  &(_t418[1]);
																	 *(_t455 - 0x68) = _t356;
																	asm("fild dword [ebp-0x68]");
																	_t357 =  *((intOrPtr*)(_t455 - 0x38));
																	 *(_t455 - 0x6c) = _t479;
																	_t479 =  *(_t455 - 0x6c) * st1 +  *(_t357 + _t454 * 8);
																	 *(_t357 + _t454 * 8) = _t479;
																	_t454 = _t454 + 1;
																	__eflags = _t454 -  *(_t455 - 0x10);
																} while (_t454 <  *(_t455 - 0x10));
																L43:
																_t351 =  *(_t455 - 0x34);
																_t449 = _t449 + 1;
																_t441 = _t441 + 0x10;
																st0 = _t479;
																__eflags = _t449 -  *_t351;
															} while (_t449 <  *_t351);
															_t446 =  *((intOrPtr*)(_t455 - 0x60));
															_t453 =  *((intOrPtr*)(_t455 - 0x78));
															goto L45;
															L49:
															_t412 =  *(_t455 - 0x24);
															_t453 = _t453 + 0x10;
															_t440 =  *((intOrPtr*)(_t455 - 0x30));
															_t353 =  *(_t455 - 0x64) + 1;
															 *((intOrPtr*)(_t455 - 0x78)) = _t453;
															 *(_t455 - 0x64) = _t353;
															__eflags = _t353 -  *((intOrPtr*)(_t440 + _t412 * 8));
															_t347 = _t412;
															_t409 = _t440;
														} while (_t353 <  *((intOrPtr*)(_t440 + _t412 * 8)));
														_t452 =  *(_t455 - 0x10);
														 *((intOrPtr*)(_t455 - 0x30)) =  *((intOrPtr*)(_t455 - 0x7c));
														goto L51;
														L68:
														_t348 = 8;
														 *(_t455 - 0x34) =  *(_t455 - 0x34) + _t348;
														_t244 = _t455 - 0x3c;
														 *_t244 =  *(_t455 - 0x3c) - 1;
														__eflags =  *_t244;
													} while ( *_t244 != 0);
													_t407 =  *(_t455 - 0xe8);
													_t368 =  *(_t455 - 0x14);
													_t343 =  *(_t455 - 0x2c);
													_t433 =  *(_t455 - 0x24);
													L70:
													 *(_t455 - 0x18) =  *(_t455 - 0x18) + _t407;
													_t433 = _t433 + 1;
													 *(_t455 - 0x24) = _t433;
													__eflags = _t433 - _t368;
												} while (_t433 < _t368);
												_t325 =  *(_t455 - 0x28);
												L72:
												 *((intOrPtr*)(_t455 - 0x44)) =  *((intOrPtr*)(_t455 - 0x44)) +  *(_t455 - 0x40);
												 *((intOrPtr*)(_t455 - 0x48)) =  *((intOrPtr*)(_t455 - 0x48)) +  *(_t455 - 0x20);
												 *((intOrPtr*)(_t455 - 0x4c)) =  *((intOrPtr*)(_t455 - 0x4c)) +  *(_t455 - 0xa0);
												 *(_t455 - 0x1c) =  *(_t455 - 0x1c) +  *(_t455 - 0x94);
												_t325 = _t325 - 1;
												__eflags = _t325;
												 *(_t455 - 0x28) = _t325;
											} while (_t325 != 0);
											_t450 =  *((intOrPtr*)(_t455 - 0x98));
											goto L74;
										}
									} else {
										DeleteObject( *(_t455 - 0x50));
										goto L1;
									}
								}
							}
							__eflags = _t299 -  *(_t450 + 0x58);
							if(_t299 ==  *(_t450 + 0x58)) {
								goto L7;
							}
							goto L11;
						}
						st0 = _t458;
						goto L7;
					}
					st0 = _t458;
				}
				L1:
				_t295 = 0;
				goto L8;
			}

0x011f1b03
0x011f1b03
0x011f1b0d
0x011f1b12
0x011f1b14
0x011f1b1a
0x011f1b22
0x011f1b28
0x011f1b2c
0x00000000
0x00000000
0x011f1b2e
0x011f1b31
0x011f1b33
0x011f1b35
0x011f1b37
0x011f1b3a
0x011f1b40
0x011f1b42
0x011f1b44
0x011f1b46
0x011f1b49
0x011f1b58
0x011f1b5b
0x011f1b5e
0x011f1b61
0x011f1b64
0x011f1b72
0x011f1b74
0x011f1b76
0x011f1b7b
0x011f1b7e
0x011f1b81
0x011f1b84
0x011f1b87
0x011f1b8d
0x011f1b8f
0x011f1b96
0x011f1b98
0x011f1b9b
0x011f1b9e
0x011f1ba1
0x011f1ba8
0x011f1ba8
0x011f1baa
0x011f1b4d
0x011f1b4f
0x011f1b4f
0x011f1b50
0x011f1b50
0x011f1b55
0x011f1b55
0x011f1bac
0x011f1bb0
0x00000000
0x00000000
0x011f1bb2
0x011f1bb4
0x00000000
0x00000000
0x011f1bb6
0x011f1bb8
0x00000000
0x00000000
0x011f1bba
0x011f1bbd
0x011f1bc0
0x011f1bc2
0x00000000
0x00000000
0x011f1bce
0x011f1bd4
0x011f1bd6
0x00000000
0x00000000
0x011f1be2
0x011f1bef
0x011f1bf8
0x011f1bfb
0x011f1c02
0x011f1c07
0x011f1c0a
0x011f1c0d
0x011f1c10
0x011f1c16
0x011f1c19
0x011f1c1b
0x011f1c1e
0x011f1c20
0x011f1c21
0x011f1c21
0x011f1c21
0x011f1c24
0x011f1c27
0x011f1c2c
0x011f1c2f
0x011f1c2f
0x011f1c1e
0x011f1c3e
0x011f1c43
0x011f1c46
0x011f1c48
0x00000000
0x011f1c4e
0x011f1c4e
0x011f1c52
0x011f1c55
0x011f1c57
0x011f1c5a
0x011f1c5d
0x011f1c60
0x011f1c6f
0x011f1c6f
0x011f1c72
0x011f1c75
0x011f1c62
0x011f1c64
0x011f1c6a
0x011f1c6a
0x011f1c78
0x011f1c7a
0x011f1c7e
0x011f1c7e
0x011f1c8f
0x011f1c91
0x011f1c94
0x011f1c99
0x011f1c9d
0x011f1c9f
0x011f1caf
0x011f1cb2
0x011f1cb4
0x011f1cb6
0x011f1cb8
0x011f1cbb
0x011f1cc1
0x011f1cbd
0x011f1cbd
0x011f1cbd
0x011f1cc5
0x011f1cc6
0x011f1ccc
0x011f1cd2
0x011f1cd8
0x011f1cde
0x011f1ce4
0x011f1cea
0x011f1cf0
0x011f1cf6
0x011f1cfc
0x011f1d02
0x011f1d0b
0x011f1d11
0x011f1d21
0x011f1d28
0x011f1d2e
0x011f1d34
0x011f1d3a
0x011f1d40
0x011f1d46
0x011f1d4c
0x011f1d52
0x011f1d58
0x011f1d5e
0x011f1d64
0x011f1d70
0x011f1d7e
0x011f1d8c
0x011f1d8f
0x011f1d99
0x011f1d9f
0x011f1daf
0x011f1dba
0x011f1dbf
0x011f1dc9
0x011f1dcc
0x011f1dd9
0x011f1dde
0x011f1de5
0x011f1df1
0x011f1dfb
0x011f1dfc
0x011f1e01
0x011f1e05
0x011f1e0d
0x011f1e17
0x011f1e1f
0x011f1e22
0x011f1e25
0x011f1e28
0x011f1e2d
0x011f1e2f
0x011f20a2
0x011f20a3
0x011f20ab
0x011f20b5
0x011f20bb
0x011f20c5
0x011f20ca
0x011f20cc
0x011f20d1
0x011f20d7
0x011f20d7
0x011f20dd
0x011f20e3
0x011f20e9
0x011f20f2
0x011f20fa
0x011f2100
0x011f210c
0x011f210e
0x011f2111
0x011f2118
0x011f2121
0x011f212e
0x011f2135
0x011f213e
0x011f2149
0x011f214f
0x011f2154
0x00000000
0x011f1e35
0x011f1e35
0x011f1e3d
0x011f1e40
0x011f1e46
0x011f1e52
0x011f1e5a
0x011f1e5a
0x011f1e5e
0x011f1e6a
0x011f1e70
0x011f1e73
0x011f1e73
0x011f1e75
0x011f1e78
0x011f1e7a
0x00000000
0x00000000
0x011f1e83
0x011f1e83
0x011f1e86
0x011f1e89
0x011f1e8c
0x011f1e8f
0x011f1e92
0x011f1e95
0x011f1e97
0x00000000
0x00000000
0x011f1ea3
0x011f1ea6
0x011f1ea9
0x011f1eb2
0x011f1eb7
0x011f1eba
0x011f1ebd
0x011f1ec0
0x011f1ec4
0x011f1ec8
0x011f1fb6
0x011f1fb6
0x011f1fb9
0x011f1fbe
0x011f1fc0
0x011f1fc2
0x011f1fc5
0x011f1fcb
0x011f1fc7
0x011f1fc7
0x011f1fc7
0x011f1fce
0x011f1fd3
0x011f1fd6
0x011f1fd8
0x011f1fdb
0x011f1fe2
0x011f1fdd
0x011f1fdd
0x011f1fdd
0x011f1fe5
0x011f1feb
0x011f1fee
0x011f1ff0
0x011f1ff3
0x011f1ffa
0x011f1ff5
0x011f1ff5
0x011f1ff5
0x011f1ffd
0x011f1ffd
0x011f2000
0x011f2002
0x011f2004
0x011f2006
0x011f2006
0x011f2009
0x011f200b
0x011f200d
0x011f200f
0x011f2012
0x011f2025
0x011f2025
0x00000000
0x011f2025
0x011f2014
0x011f2016
0x011f201c
0x011f201e
0x011f2020
0x011f2023
0x011f2029
0x00000000
0x011f2029
0x00000000
0x011f202b
0x011f202b
0x011f2030
0x011f2033
0x011f2036
0x011f2037
0x011f203a
0x011f203a
0x011f2006
0x00000000
0x011f2004
0x011f1ece
0x011f1ece
0x011f1ed0
0x011f1ed3
0x011f1ed3
0x011f1ef3
0x011f1ef9
0x011f1eff
0x011f1f04
0x011f1f07
0x011f1f0a
0x011f1f0e
0x011f1f11
0x011f1f66
0x011f1f66
0x011f1f69
0x011f1f6b
0x00000000
0x00000000
0x011f1f70
0x011f1f78
0x011f1f78
0x011f1f7a
0x011f1f7f
0x011f1f81
0x011f1f83
0x011f1f86
0x011f1f86
0x011f1f86
0x011f1f8b
0x00000000
0x011f1f8b
0x011f1f13
0x011f1f16
0x011f1f16
0x011f1f18
0x011f1f18
0x011f1f1b
0x011f1f27
0x011f1f2b
0x011f1f2d
0x011f1f30
0x00000000
0x00000000
0x00000000
0x00000000
0x011f1f32
0x011f1f32
0x011f1f32
0x011f1f35
0x011f1f36
0x011f1f39
0x011f1f3c
0x011f1f3f
0x011f1f47
0x011f1f4a
0x011f1f4d
0x011f1f4e
0x011f1f4e
0x011f1f53
0x011f1f53
0x011f1f56
0x011f1f57
0x011f1f5a
0x011f1f5c
0x011f1f5c
0x011f1f60
0x011f1f63
0x00000000
0x011f1f8d
0x011f1f8d
0x011f1f90
0x011f1f93
0x011f1f99
0x011f1f9a
0x011f1f9d
0x011f1fa0
0x011f1fa3
0x011f1fa5
0x011f1fa5
0x011f1fb0
0x011f1fb3
0x00000000
0x011f203e
0x011f2040
0x011f2041
0x011f2044
0x011f2044
0x011f2044
0x011f2044
0x011f204e
0x011f2054
0x011f2057
0x011f205a
0x011f205d
0x011f205d
0x011f2060
0x011f2061
0x011f2064
0x011f2064
0x011f206c
0x011f206f
0x011f2075
0x011f207b
0x011f2084
0x011f208d
0x011f2090
0x011f2090
0x011f2093
0x011f2093
0x011f209c
0x00000000
0x011f209c
0x011f1ca1
0x011f1ca4
0x00000000
0x011f1ca4
0x011f1c9f
0x011f1c48
0x011f1ba3
0x011f1ba6
0x00000000
0x00000000
0x00000000
0x011f1ba6
0x011f1b4b
0x00000000
0x011f1b4b
0x011f1b3c
0x011f1b3c
0x011f1b24
0x011f1b24
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 011F1B0D
GetObjectW.GDI32(?,00000018,?), ref: 011F1BCE
DeleteObject.GDI32(?), ref: 011F1CA4
DeleteObject.GDI32(?), ref: 011F20B5

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: Object$Delete$H_prolog3
String ID:
API String ID: 487261545-0
Opcode ID: a2d05499df6106c1fecc3db7150367ec4df3f599353abb7fd0984627997ed954
Instruction ID: 4a9e1f8bb13a6b3705bd5e977582ae5a2f937686b547a60a028336b2e7edf821
Opcode Fuzzy Hash: a2d05499df6106c1fecc3db7150367ec4df3f599353abb7fd0984627997ed954
Instruction Fuzzy Hash: E3223670E0061ADFDB29CFA9C980BADBBF1BF58300F1085AED649A7250DB709995CF50

Uniqueness

Uniqueness Score: -1.00%

Function 011B3AAE Relevance: 6.1, APIs: 4, Instructions: 83
threadCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 82%

			E011B3AAE(intOrPtr* __ecx, void* __eflags) {
				void* _t50;
				intOrPtr _t57;
				intOrPtr _t59;
				intOrPtr _t62;
				void* _t63;
				intOrPtr* _t66;
				void* _t67;
				void* _t74;

				_t61 = __ecx;
				_push(0x120);
				E012EA0D7();
				_t66 = __ecx;
				 *((intOrPtr*)(_t67 - 0x128)) = __ecx;
				_t62 =  *((intOrPtr*)(_t67 + 8));
				 *((intOrPtr*)(_t67 - 0x12c)) = __ecx;
				E011B2DB1(__ecx, __eflags);
				 *_t66 = 0x1330ea4;
				 *((intOrPtr*)(_t67 - 4)) = 0;
				if(_t62 == 0) {
					 *((intOrPtr*)(_t66 + 0x50)) = 0;
				} else {
					_t59 = E012FE7EB(0, _t62);
					_t61 = _t62;
					 *((intOrPtr*)(_t66 + 0x50)) = _t59;
				}
				_t63 = E011B72B6(_t66);
				if(_t63 == 0) {
					L4:
					E011B1E69(_t61);
				}
				_push(0x11b32b5);
				_t7 = _t63 + 0x74; // 0x74
				_t61 = _t7;
				_t50 = E011BEDFB(_t7);
				if(_t50 == 0) {
					goto L4;
				}
				 *((intOrPtr*)(_t50 + 4)) = _t66;
				 *((intOrPtr*)(_t66 + 0x2c)) = GetCurrentThread();
				 *((intOrPtr*)(_t66 + 0x30)) = GetCurrentThreadId();
				 *((intOrPtr*)(_t63 + 4)) = _t66;
				 *((intOrPtr*)(_t66 + 0x98)) = 0;
				 *((intOrPtr*)(_t66 + 0x44)) = 0;
				 *((intOrPtr*)(_t66 + 0x80)) = 0;
				 *((intOrPtr*)(_t66 + 0x68)) = 0;
				 *((intOrPtr*)(_t66 + 0x6c)) = 0;
				 *((intOrPtr*)(_t66 + 0x58)) = 0;
				 *((intOrPtr*)(_t66 + 0x64)) = 0;
				 *((intOrPtr*)(_t66 + 0x54)) = 0;
				 *((intOrPtr*)(_t66 + 0x8c)) = 0;
				 *((intOrPtr*)(_t66 + 0x5c)) = 0;
				 *((intOrPtr*)(_t66 + 0x48)) = 0;
				 *((intOrPtr*)(_t66 + 0x94)) = 0;
				 *((intOrPtr*)(_t66 + 0x90)) = 0;
				 *((intOrPtr*)(_t66 + 0x84)) = 0;
				 *((intOrPtr*)(_t66 + 0x88)) = 0;
				 *((intOrPtr*)(_t66 + 0x74)) = 0;
				 *((intOrPtr*)(_t66 + 0x78)) = 0;
				 *((intOrPtr*)(_t66 + 0x9c)) = 0;
				 *((intOrPtr*)(_t66 + 0xa4)) = 0;
				 *((intOrPtr*)(_t66 + 0x60)) = 0;
				 *((intOrPtr*)(_t66 + 0x70)) = 0;
				 *((intOrPtr*)(_t66 + 0xa0)) = 0x200;
				 *((intOrPtr*)(_t66 + 0xac)) = 0;
				 *((intOrPtr*)(_t66 + 0xb0)) = 0x493e0;
				 *((intOrPtr*)(_t66 + 0xb4)) = 1;
				 *(_t67 - 0x124) = 0x114;
				GetVersionExW(_t67 - 0x124);
				if( *((intOrPtr*)(_t67 - 0x120)) != 6) {
					L9:
					_t57 = 0;
					if(_t74 > 0) {
						goto L10;
					}
				} else {
					if( *((intOrPtr*)(_t67 - 0x11c)) >= 1) {
						L10:
						_t57 = 1;
					} else {
						_t74 =  *((intOrPtr*)(_t67 - 0x120)) - 6;
						goto L9;
					}
				}
				 *((intOrPtr*)(_t66 + 0xb8)) = _t57;
				 *((intOrPtr*)(_t66 + 0xbc)) = 0;
				 *((intOrPtr*)(_t66 + 0xc4)) = 0;
				 *((intOrPtr*)(_t66 + 0xc8)) = 0;
				 *((intOrPtr*)(_t66 + 0xc0)) = 1;
				E012EA081();
				return _t66;
			}

0x011b3aae
0x011b3aae
0x011b3ab8
0x011b3abd
0x011b3abf
0x011b3ac5
0x011b3ac8
0x011b3ace
0x011b3ad5
0x011b3adb
0x011b3ae0
0x011b3aee
0x011b3ae2
0x011b3ae3
0x011b3ae8
0x011b3ae9
0x011b3ae9
0x011b3af6
0x011b3afa
0x011b3afc
0x011b3afc
0x011b3afc
0x011b3b01
0x011b3b06
0x011b3b06
0x011b3b09
0x011b3b10
0x00000000
0x00000000
0x011b3b12
0x011b3b1b
0x011b3b24
0x011b3b29
0x011b3b2e
0x011b3b3b
0x011b3b3f
0x011b3b45
0x011b3b48
0x011b3b4b
0x011b3b4e
0x011b3b51
0x011b3b54
0x011b3b5a
0x011b3b5d
0x011b3b60
0x011b3b66
0x011b3b6c
0x011b3b72
0x011b3b78
0x011b3b7b
0x011b3b7e
0x011b3b84
0x011b3b8a
0x011b3b8d
0x011b3b90
0x011b3b9a
0x011b3ba0
0x011b3baa
0x011b3bb0
0x011b3bba
0x011b3bc7
0x011b3bd8
0x011b3bd8
0x011b3bda
0x00000000
0x00000000
0x011b3bc9
0x011b3bcf
0x011b3bdc
0x011b3bdc
0x011b3bd1
0x011b3bd1
0x00000000
0x011b3bd1
0x011b3bcf
0x011b3bde
0x011b3be6
0x011b3bec
0x011b3bf2
0x011b3bf8
0x011b3bfe
0x011b3c03

APIs

__EH_prolog3_GS.LIBCMT ref: 011B3AB8

Part of subcall function 011B2DB1: __EH_prolog3.LIBCMT ref: 011B2DB8

GetCurrentThread.KERNEL32 ref: 011B3B15
GetCurrentThreadId.KERNEL32 ref: 011B3B1E
GetVersionExW.KERNEL32 ref: 011B3BBA

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: CurrentThread$H_prolog3H_prolog3_Version
String ID:
API String ID: 786120064-0
Opcode ID: 9b8d6f58ea858ee6f926be5243b632e99f86f0dd4e1a4698ed53387b06e8ff8a
Instruction ID: d429dd601f7afaecd6ede53342f23d1f18bd98d2a8062cc9159a5e0f9feb6f5f
Opcode Fuzzy Hash: 9b8d6f58ea858ee6f926be5243b632e99f86f0dd4e1a4698ed53387b06e8ff8a
Instruction Fuzzy Hash: 5141A9B0911B15CFD7259F2A898479AFAF0BF48704F908A6ED2AEC7B10DB70A454CF41

Uniqueness

Uniqueness Score: -1.00%

Function 012F9B20 Relevance: 4.6, APIs: 3, Instructions: 78
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 74%

			E012F9B20(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v0;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				intOrPtr _v792;
				intOrPtr _v800;
				char _v804;
				struct _EXCEPTION_POINTERS _v812;
				signed int _t40;
				char* _t47;
				char* _t49;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t66;
				intOrPtr _t67;
				int _t68;
				intOrPtr _t70;
				signed int _t72;
				signed int _t74;

				_t70 = __esi;
				_t67 = __edi;
				_t66 = __edx;
				_t61 = __ebx;
				_t72 = _t74;
				_t40 =  *0x139eff4; // 0xdde28b47
				_t41 = _t40 ^ _t72;
				_v8 = _t40 ^ _t72;
				_push(__edi);
				if(_a4 != 0xffffffff) {
					_push(_a4);
					E012EA73B(_t41);
					_pop(_t62);
				}
				E012EE6E0(_t67,  &_v804, 0, 0x50);
				E012EE6E0(_t67,  &_v724, 0, 0x2cc);
				_v812.ExceptionRecord =  &_v804;
				_t47 =  &_v724;
				_v812.ContextRecord = _t47;
				_v548 = _t47;
				_v552 = _t62;
				_v556 = _t66;
				_v560 = _t61;
				_v564 = _t70;
				_v568 = _t67;
				_v524 = ss;
				_v536 = cs;
				_v572 = ds;
				_v576 = es;
				_v580 = fs;
				_v584 = gs;
				asm("pushfd");
				_pop( *_t22);
				_v540 = _v0;
				_t49 =  &_v0;
				_v528 = _t49;
				_v724 = 0x10001;
				_v544 =  *((intOrPtr*)(_t49 - 4));
				_v804 = _a8;
				_v800 = _a12;
				_v792 = _v0;
				_t68 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(0);
				if(UnhandledExceptionFilter( &_v812) == 0 && _t68 == 0 && _a4 != 0xffffffff) {
					_push(_a4);
					E012EA73B(_t57);
				}
				return E012E980C(_v8 ^ _t72);
			}

0x012f9b20
0x012f9b20
0x012f9b20
0x012f9b20
0x012f9b23
0x012f9b2b
0x012f9b30
0x012f9b32
0x012f9b39
0x012f9b3a
0x012f9b3c
0x012f9b3f
0x012f9b44
0x012f9b44
0x012f9b50
0x012f9b63
0x012f9b71
0x012f9b77
0x012f9b7d
0x012f9b83
0x012f9b89
0x012f9b8f
0x012f9b95
0x012f9b9b
0x012f9ba1
0x012f9ba7
0x012f9bae
0x012f9bb5
0x012f9bbc
0x012f9bc3
0x012f9bca
0x012f9bd1
0x012f9bd2
0x012f9bdb
0x012f9be1
0x012f9be4
0x012f9bea
0x012f9bf7
0x012f9c00
0x012f9c09
0x012f9c12
0x012f9c20
0x012f9c22
0x012f9c37
0x012f9c43
0x012f9c46
0x012f9c4b
0x012f9c5a

APIs

IsDebuggerPresent.KERNEL32 ref: 012F9C18
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 012F9C22
UnhandledExceptionFilter.KERNEL32(?), ref: 012F9C2F

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 8a76e0f153fbbb3adda8bb22fb113c12456fa8cbb3d0bf3ed1b4d10820e3dc9a
Instruction ID: 48332e303003dbc6fb8e7b675a3190434e293dae891f5984cefc3aed084b0065
Opcode Fuzzy Hash: 8a76e0f153fbbb3adda8bb22fb113c12456fa8cbb3d0bf3ed1b4d10820e3dc9a
Instruction Fuzzy Hash: A731D3749512299BCF21EF28D988BDDBBF8BF18310F5042EAE51CA7250E7309B858F44

Uniqueness

Uniqueness Score: -1.00%

Function 012FD0F0 Relevance: 3.5, APIs: 2, Instructions: 464
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 90%

			E012FD0F0(signed int* _a4, signed int* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int* _v80;
				char _v540;
				signed int _v544;
				signed int _t197;
				signed int _t198;
				signed int* _t200;
				signed int _t201;
				signed int _t204;
				signed int _t206;
				signed int _t208;
				signed int _t209;
				signed int _t213;
				signed int _t219;
				intOrPtr _t225;
				void* _t228;
				signed int _t230;
				signed int _t247;
				signed int _t250;
				void* _t253;
				signed int _t256;
				signed int* _t263;
				signed int _t266;
				signed int _t267;
				void* _t268;
				intOrPtr* _t269;
				signed int _t275;
				signed int _t277;
				signed int _t278;
				signed int _t279;
				signed int _t280;
				signed int* _t282;
				signed int* _t286;
				signed int _t287;
				signed int _t288;
				intOrPtr _t290;
				void* _t294;
				signed char _t300;
				signed int _t303;
				signed int _t311;
				signed int _t314;
				signed int _t315;
				signed int _t317;
				signed int _t319;
				signed int _t321;
				intOrPtr* _t322;
				signed int _t326;
				signed int _t330;
				signed int* _t336;
				signed int _t338;
				signed int _t339;
				signed int _t341;
				void* _t342;
				signed int _t344;
				signed int _t346;
				signed int _t349;
				signed int _t350;
				signed int* _t352;
				signed int _t357;
				signed int _t359;
				void* _t363;
				signed int _t367;
				signed int _t368;
				signed int _t370;
				signed int* _t376;
				signed int* _t377;
				signed int* _t378;
				signed int* _t381;

				_t263 = _a4;
				_t197 =  *_t263;
				if(_t197 != 0) {
					_t336 = _a8;
					_t275 =  *_t336;
					__eflags = _t275;
					if(_t275 != 0) {
						_t3 = _t197 - 1; // -1
						_t357 = _t3;
						_t4 = _t275 - 1; // -1
						_t198 = _t4;
						_v16 = _t357;
						__eflags = _t198;
						if(_t198 != 0) {
							__eflags = _t198 - _t357;
							if(_t198 > _t357) {
								L24:
								__eflags = 0;
								return 0;
							} else {
								_t46 = _t198 + 1; // 0x0
								_t314 = _t357 - _t198;
								_v60 = _t46;
								_t277 = _t357;
								__eflags = _t357 - _t314;
								if(_t357 < _t314) {
									L22:
									_t314 = _t314 + 1;
									__eflags = _t314;
								} else {
									_t376 =  &(_t263[_t357 + 1]);
									_t349 =  &(( &(_t336[_t277 - _t314]))[1]);
									__eflags = _t349;
									while(1) {
										__eflags =  *_t349 -  *_t376;
										if( *_t349 !=  *_t376) {
											break;
										}
										_t277 = _t277 - 1;
										_t349 = _t349 - 4;
										_t376 = _t376 - 4;
										__eflags = _t277 - _t314;
										if(_t277 >= _t314) {
											continue;
										} else {
											goto L22;
										}
										goto L23;
									}
									_t377 = _a8;
									_t54 = (_t277 - _t314) * 4; // 0xfc23b5a
									__eflags =  *((intOrPtr*)(_t377 + _t54 + 4)) -  *((intOrPtr*)(_t263 + 4 + _t277 * 4));
									if( *((intOrPtr*)(_t377 + _t54 + 4)) <  *((intOrPtr*)(_t263 + 4 + _t277 * 4))) {
										goto L22;
									}
								}
								L23:
								__eflags = _t314;
								if(__eflags != 0) {
									_t338 = _v60;
									_t200 = _a8;
									_t359 =  *(_t200 + _t338 * 4);
									_t64 = _t338 * 4; // 0xfffe58b8
									_t201 =  *((intOrPtr*)(_t200 + _t64 - 4));
									_v36 = _t201;
									asm("bsr eax, esi");
									_v56 = _t359;
									if(__eflags == 0) {
										_t278 = 0x20;
									} else {
										_t278 = 0x1f - _t201;
									}
									_v40 = _t278;
									_v64 = 0x20 - _t278;
									__eflags = _t278;
									if(_t278 != 0) {
										_t300 = _v40;
										_v36 = _v36 << _t300;
										_v56 = _t359 << _t300 | _v36 >> _v64;
										__eflags = _t338 - 2;
										if(_t338 > 2) {
											_t79 = _t338 * 4; // 0xe850ffff
											_t81 =  &_v36;
											 *_t81 = _v36 |  *(_a8 + _t79 - 8) >> _v64;
											__eflags =  *_t81;
										}
									}
									_v76 = 0;
									_t315 = _t314 + 0xffffffff;
									__eflags = _t315;
									_v32 = _t315;
									if(_t315 < 0) {
										_t339 = 0;
										__eflags = 0;
									} else {
										_t85 =  &(_t263[1]); // 0x4
										_v20 =  &(_t85[_t315]);
										_t206 = _t315 + _t338;
										_t90 = _t263 - 4; // -4
										_v12 = _t206;
										_t286 = _t90 + _t206 * 4;
										_v80 = _t286;
										do {
											__eflags = _t206 - _v16;
											if(_t206 > _v16) {
												_t207 = 0;
												__eflags = 0;
											} else {
												_t207 = _t286[2];
											}
											__eflags = _v40;
											_t319 = _t286[1];
											_t287 =  *_t286;
											_v52 = _t207;
											_v44 = 0;
											_v8 = _t207;
											_v24 = _t287;
											if(_v40 > 0) {
												_t326 = _v8;
												_t344 = _t287 >> _v64;
												_t230 = E012EA270(_t319, _v40, _t326);
												_t287 = _v40;
												_t207 = _t326;
												_t319 = _t344 | _t230;
												_t367 = _v24 << _t287;
												__eflags = _v12 - 3;
												_v8 = _t326;
												_v24 = _t367;
												if(_v12 >= 3) {
													_t287 = _v64;
													_t368 = _t367 |  *(_t263 + (_v60 + _v32) * 4 - 8) >> _t287;
													__eflags = _t368;
													_t207 = _v8;
													_v24 = _t368;
												}
											}
											_t208 = E01319610(_t319, _t207, _v56, 0);
											_v44 = _t263;
											_t266 = _t208;
											_v44 = 0;
											_t209 = _t319;
											_v8 = _t266;
											_v28 = _t209;
											_t341 = _t287;
											_v72 = _t266;
											_v68 = _t209;
											__eflags = _t209;
											if(_t209 != 0) {
												L41:
												_t267 = _t266 + 1;
												asm("adc eax, 0xffffffff");
												_t341 = _t341 + E012EA430(_t267, _t209, _v56, 0);
												asm("adc esi, edx");
												_t266 = _t267 | 0xffffffff;
												_t209 = 0;
												__eflags = 0;
												_v44 = 0;
												_v8 = _t266;
												_v72 = _t266;
												_v28 = 0;
												_v68 = 0;
											} else {
												__eflags = _t266 - 0xffffffff;
												if(_t266 > 0xffffffff) {
													goto L41;
												}
											}
											__eflags = 0;
											if(0 <= 0) {
												if(0 < 0) {
													goto L45;
												} else {
													__eflags = _t341 - 0xffffffff;
													if(_t341 <= 0xffffffff) {
														while(1) {
															L45:
															_v8 = _v24;
															_t228 = E012EA430(_v36, 0, _t266, _t209);
															__eflags = _t319 - _t341;
															if(__eflags < 0) {
																break;
															}
															if(__eflags > 0) {
																L48:
																_t209 = _v28;
																_t266 = _t266 + 0xffffffff;
																_v72 = _t266;
																asm("adc eax, 0xffffffff");
																_t341 = _t341 + _v56;
																__eflags = _t341;
																_v28 = _t209;
																asm("adc dword [ebp-0x28], 0x0");
																_v68 = _t209;
																if(_t341 == 0) {
																	__eflags = _t341 - 0xffffffff;
																	if(_t341 <= 0xffffffff) {
																		continue;
																	} else {
																	}
																}
															} else {
																__eflags = _t228 - _v8;
																if(_t228 <= _v8) {
																	break;
																} else {
																	goto L48;
																}
															}
															L52:
															_v8 = _t266;
															goto L53;
														}
														_t209 = _v28;
														goto L52;
													}
												}
											}
											L53:
											__eflags = _t209;
											if(_t209 != 0) {
												L55:
												_t288 = _v60;
												_t342 = 0;
												_t363 = 0;
												__eflags = _t288;
												if(_t288 != 0) {
													_t269 = _v20;
													_t219 =  &(_a8[1]);
													__eflags = _t219;
													_v24 = _t219;
													_v16 = _t288;
													do {
														_v44 =  *_t219;
														_t225 =  *_t269;
														_t294 = _t342 + _v72 * _v44;
														asm("adc esi, edx");
														_t342 = _t363;
														_t363 = 0;
														__eflags = _t225 - _t294;
														if(_t225 < _t294) {
															_t342 = _t342 + 1;
															asm("adc esi, esi");
														}
														 *_t269 = _t225 - _t294;
														_t269 = _t269 + 4;
														_t219 = _v24 + 4;
														_t164 =  &_v16;
														 *_t164 = _v16 - 1;
														__eflags =  *_t164;
														_v24 = _t219;
													} while ( *_t164 != 0);
													_t266 = _v8;
													_t288 = _v60;
												}
												__eflags = 0 - _t363;
												if(__eflags <= 0) {
													if(__eflags < 0) {
														L64:
														__eflags = _t288;
														if(_t288 != 0) {
															_t346 = _t288;
															_t322 = _v20;
															_t370 =  &(_a8[1]);
															__eflags = _t370;
															_t268 = 0;
															do {
																_t290 =  *_t322;
																_t172 = _t370 + 4; // 0xa6a5959
																_t370 = _t172;
																_t322 = _t322 + 4;
																asm("adc eax, eax");
																 *((intOrPtr*)(_t322 - 4)) = _t290 +  *((intOrPtr*)(_t370 - 4)) + _t268;
																asm("adc eax, 0x0");
																_t268 = 0;
																_t346 = _t346 - 1;
																__eflags = _t346;
															} while (_t346 != 0);
															_t266 = _v8;
														}
														_t266 = _t266 + 0xffffffff;
														asm("adc dword [ebp-0x18], 0xffffffff");
													} else {
														__eflags = _v52 - _t342;
														if(_v52 < _t342) {
															goto L64;
														}
													}
												}
												_t213 = _v12 - 1;
												__eflags = _t213;
												_v16 = _t213;
											} else {
												__eflags = _t266;
												if(_t266 != 0) {
													goto L55;
												}
											}
											_t339 = 0 + _t266;
											asm("adc esi, 0x0");
											_v20 = _v20 - 4;
											_t321 = _v32 - 1;
											_t263 = _a4;
											_t286 = _v80 - 4;
											_t206 = _v12 - 1;
											_v76 = _t339;
											_v32 = _t321;
											_v80 = _t286;
											_v12 = _t206;
											__eflags = _t321;
										} while (_t321 >= 0);
									}
									_t317 = _v16 + 1;
									_t204 = _t317;
									__eflags = _t204 -  *_t263;
									if(_t204 <  *_t263) {
										_t191 = _t204 + 1; // 0x131783a
										_t282 =  &(_t263[_t191]);
										do {
											 *_t282 = 0;
											_t194 =  &(_t282[1]); // 0x91850fc2
											_t282 = _t194;
											_t204 = _t204 + 1;
											__eflags = _t204 -  *_t263;
										} while (_t204 <  *_t263);
									}
									 *_t263 = _t317;
									__eflags = _t317;
									if(_t317 != 0) {
										while(1) {
											_t279 =  *_t263;
											__eflags = _t263[_t279];
											if(_t263[_t279] != 0) {
												goto L79;
											}
											_t280 = _t279 + 0xffffffff;
											__eflags = _t280;
											 *_t263 = _t280;
											if(_t280 != 0) {
												continue;
											}
											goto L79;
										}
									}
									L79:
									return _t339;
								} else {
									goto L24;
								}
							}
						} else {
							_t6 =  &(_t336[1]); // 0xfc23b5a
							_t303 =  *_t6;
							_v44 = _t303;
							__eflags = _t303 - 1;
							if(_t303 != 1) {
								__eflags = _t357;
								if(_t357 != 0) {
									_t350 = 0;
									_v12 = 0;
									_v8 = 0;
									_v20 = 0;
									__eflags = _t357 - 0xffffffff;
									if(_t357 != 0xffffffff) {
										_t250 = _v16 + 1;
										__eflags = _t250;
										_v32 = _t250;
										_t381 =  &(_t263[_t357 + 1]);
										do {
											_t253 = E01319610( *_t381, _t350, _t303, 0);
											_v68 = _t311;
											_t381 = _t381 - 4;
											_v20 = _t263;
											_t350 = _t303;
											_t311 = 0 + _t253;
											asm("adc ecx, 0x0");
											_v12 = _t311;
											_t34 =  &_v32;
											 *_t34 = _v32 - 1;
											__eflags =  *_t34;
											_v8 = _v12;
											_t303 = _v44;
										} while ( *_t34 != 0);
										_t263 = _a4;
									}
									_v544 = 0;
									_t41 =  &(_t263[1]); // 0x4
									_t378 = _t41;
									 *_t263 = 0;
									E01317A67(_t378, 0x1cc,  &_v540, 0);
									_t247 = _v20;
									__eflags = 0 - _t247;
									 *_t378 = _t350;
									_t263[2] = _t247;
									asm("sbb ecx, ecx");
									__eflags =  ~0x00000000;
									 *_t263 = 0xbadbae;
									return _v12;
								} else {
									_t14 =  &(_t263[1]); // 0x4
									_t352 = _t14;
									_v544 = 0;
									 *_t263 = 0;
									E01317A67(_t352, 0x1cc,  &_v540, 0);
									_t256 = _t263[1];
									_t330 = _t256 % _v44;
									__eflags = 0 - _t330;
									 *_t352 = _t330;
									asm("sbb ecx, ecx");
									__eflags = 0;
									 *_t263 =  ~0x00000000;
									return _t256 / _v44;
								}
							} else {
								_t9 =  &(_t263[1]); // 0x4
								_v544 = _t198;
								 *_t263 = _t198;
								E01317A67(_t9, 0x1cc,  &_v540, _t198);
								__eflags = 0;
								return _t263[1];
							}
						}
					} else {
						__eflags = 0;
						return 0;
					}
				} else {
					return _t197;
				}
			}

0x012fd0fc
0x012fd0ff
0x012fd103
0x012fd10d
0x012fd110
0x012fd112
0x012fd114
0x012fd121
0x012fd121
0x012fd124
0x012fd124
0x012fd127
0x012fd12a
0x012fd12c
0x012fd25f
0x012fd261
0x012fd2aa
0x012fd2ae
0x012fd2b4
0x012fd263
0x012fd265
0x012fd268
0x012fd26a
0x012fd26d
0x012fd26f
0x012fd271
0x012fd2a5
0x012fd2a5
0x012fd2a5
0x012fd273
0x012fd278
0x012fd27e
0x012fd27e
0x012fd281
0x012fd283
0x012fd285
0x00000000
0x00000000
0x012fd287
0x012fd288
0x012fd28b
0x012fd28e
0x012fd290
0x00000000
0x012fd292
0x00000000
0x012fd292
0x00000000
0x012fd290
0x012fd294
0x012fd29b
0x012fd29f
0x012fd2a3
0x00000000
0x00000000
0x012fd2a3
0x012fd2a6
0x012fd2a6
0x012fd2a8
0x012fd2b5
0x012fd2b8
0x012fd2bb
0x012fd2be
0x012fd2be
0x012fd2c2
0x012fd2c5
0x012fd2c8
0x012fd2cb
0x012fd2d6
0x012fd2cd
0x012fd2d2
0x012fd2d2
0x012fd2e0
0x012fd2e5
0x012fd2e8
0x012fd2ea
0x012fd2f4
0x012fd2f7
0x012fd2fe
0x012fd301
0x012fd304
0x012fd30c
0x012fd312
0x012fd312
0x012fd312
0x012fd312
0x012fd304
0x012fd317
0x012fd31e
0x012fd31e
0x012fd321
0x012fd324
0x012fd556
0x012fd556
0x012fd32a
0x012fd32a
0x012fd330
0x012fd333
0x012fd336
0x012fd339
0x012fd33c
0x012fd33f
0x012fd342
0x012fd342
0x012fd345
0x012fd34c
0x012fd34c
0x012fd347
0x012fd347
0x012fd347
0x012fd34e
0x012fd352
0x012fd355
0x012fd357
0x012fd35a
0x012fd361
0x012fd364
0x012fd367
0x012fd372
0x012fd375
0x012fd37a
0x012fd37f
0x012fd386
0x012fd38b
0x012fd38d
0x012fd38f
0x012fd393
0x012fd396
0x012fd399
0x012fd3a1
0x012fd3aa
0x012fd3aa
0x012fd3ac
0x012fd3af
0x012fd3af
0x012fd399
0x012fd3b9
0x012fd3be
0x012fd3c3
0x012fd3c5
0x012fd3c8
0x012fd3ca
0x012fd3cd
0x012fd3d0
0x012fd3d2
0x012fd3d5
0x012fd3d8
0x012fd3da
0x012fd3e1
0x012fd3e6
0x012fd3e9
0x012fd3f3
0x012fd3f5
0x012fd3f7
0x012fd3fa
0x012fd3fa
0x012fd3fc
0x012fd3ff
0x012fd402
0x012fd405
0x012fd408
0x012fd3dc
0x012fd3dc
0x012fd3df
0x00000000
0x00000000
0x012fd3df
0x012fd40b
0x012fd40d
0x012fd40f
0x00000000
0x012fd411
0x012fd411
0x012fd414
0x012fd416
0x012fd416
0x012fd424
0x012fd427
0x012fd42c
0x012fd42e
0x00000000
0x00000000
0x012fd430
0x012fd437
0x012fd437
0x012fd43a
0x012fd43d
0x012fd440
0x012fd443
0x012fd443
0x012fd446
0x012fd449
0x012fd44d
0x012fd450
0x012fd452
0x012fd455
0x00000000
0x00000000
0x012fd457
0x012fd455
0x012fd432
0x012fd432
0x012fd435
0x00000000
0x00000000
0x00000000
0x00000000
0x012fd435
0x012fd45c
0x012fd45c
0x00000000
0x012fd45c
0x012fd459
0x00000000
0x012fd459
0x012fd414
0x012fd40f
0x012fd45f
0x012fd45f
0x012fd461
0x012fd46b
0x012fd46b
0x012fd46e
0x012fd470
0x012fd472
0x012fd474
0x012fd479
0x012fd47c
0x012fd47c
0x012fd47f
0x012fd482
0x012fd485
0x012fd487
0x012fd49c
0x012fd49e
0x012fd4a0
0x012fd4a2
0x012fd4a4
0x012fd4a6
0x012fd4a8
0x012fd4aa
0x012fd4ad
0x012fd4ad
0x012fd4b1
0x012fd4b3
0x012fd4b9
0x012fd4bc
0x012fd4bc
0x012fd4bc
0x012fd4c0
0x012fd4c0
0x012fd4c5
0x012fd4c8
0x012fd4c8
0x012fd4cd
0x012fd4cf
0x012fd4d1
0x012fd4d8
0x012fd4d8
0x012fd4da
0x012fd4df
0x012fd4e1
0x012fd4e4
0x012fd4e4
0x012fd4e7
0x012fd4f0
0x012fd4f0
0x012fd4f2
0x012fd4f2
0x012fd4f7
0x012fd4fd
0x012fd501
0x012fd504
0x012fd507
0x012fd509
0x012fd509
0x012fd509
0x012fd50e
0x012fd50e
0x012fd511
0x012fd514
0x012fd4d3
0x012fd4d3
0x012fd4d6
0x00000000
0x00000000
0x012fd4d6
0x012fd4d1
0x012fd51b
0x012fd51b
0x012fd51c
0x012fd463
0x012fd463
0x012fd465
0x00000000
0x00000000
0x012fd465
0x012fd52c
0x012fd531
0x012fd534
0x012fd538
0x012fd539
0x012fd53c
0x012fd53f
0x012fd540
0x012fd543
0x012fd546
0x012fd549
0x012fd54c
0x012fd54c
0x012fd554
0x012fd55b
0x012fd55c
0x012fd55e
0x012fd560
0x012fd562
0x012fd565
0x012fd570
0x012fd570
0x012fd576
0x012fd576
0x012fd579
0x012fd57a
0x012fd57a
0x012fd570
0x012fd57e
0x012fd580
0x012fd582
0x012fd584
0x012fd584
0x012fd586
0x012fd58a
0x00000000
0x00000000
0x012fd58c
0x012fd58c
0x012fd58f
0x012fd591
0x00000000
0x00000000
0x00000000
0x012fd591
0x012fd584
0x012fd593
0x012fd59d
0x00000000
0x00000000
0x00000000
0x012fd2a8
0x012fd132
0x012fd132
0x012fd132
0x012fd135
0x012fd138
0x012fd13b
0x012fd16c
0x012fd16e
0x012fd1b9
0x012fd1bb
0x012fd1c2
0x012fd1c9
0x012fd1cc
0x012fd1cf
0x012fd1d5
0x012fd1d5
0x012fd1d6
0x012fd1d9
0x012fd1e0
0x012fd1e9
0x012fd1ee
0x012fd1f1
0x012fd1f6
0x012fd1f9
0x012fd1fb
0x012fd200
0x012fd203
0x012fd206
0x012fd206
0x012fd206
0x012fd20a
0x012fd20d
0x012fd20d
0x012fd212
0x012fd212
0x012fd21d
0x012fd228
0x012fd228
0x012fd22b
0x012fd237
0x012fd23c
0x012fd247
0x012fd249
0x012fd24b
0x012fd251
0x012fd256
0x012fd258
0x012fd25e
0x012fd170
0x012fd17c
0x012fd17c
0x012fd17f
0x012fd18f
0x012fd195
0x012fd19c
0x012fd19e
0x012fd1a6
0x012fd1a8
0x012fd1aa
0x012fd1af
0x012fd1b2
0x012fd1b8
0x012fd1b8
0x012fd13d
0x012fd140
0x012fd144
0x012fd14a
0x012fd159
0x012fd163
0x012fd16b
0x012fd16b
0x012fd13b
0x012fd116
0x012fd119
0x012fd11f
0x012fd11f
0x012fd105
0x012fd10b
0x012fd10b

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58f848c032c1a96baeb696b4900009e6e033a3a218cf58148eb7d67143230428
Instruction ID: b87dfa932d1730aad78d17b644c4e68efd75af7a224c3011ba9310c4bbe4127f
Opcode Fuzzy Hash: 58f848c032c1a96baeb696b4900009e6e033a3a218cf58148eb7d67143230428
Instruction Fuzzy Hash: FF022C71E1011A9BDF15CFA9D8806AEFBF1EF88324F15426DDA19E7341D731AA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0117B1A0 Relevance: 2.9, Strings: 1, Instructions: 1603COMMON

Download Yara Rule

Strings

, xrefs: 0117B3D2

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 58368e97d5def484adb7ea1aaf64d134fbace547cb10a2e18d81dfab60e04242
Instruction ID: 6ea048ba134077da595b7fd4b8f53d52b826323a7719eecc37ae54669c12ea12
Opcode Fuzzy Hash: 58368e97d5def484adb7ea1aaf64d134fbace547cb10a2e18d81dfab60e04242
Instruction Fuzzy Hash: 36F2D574E0420ADFCF18CF98C590AAEBBB2FF89304F248199D815AB345D735AA41DF95

Uniqueness

Uniqueness Score: -1.00%

Function 0130E36A Relevance: 1.8, APIs: 1, Instructions: 269
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 100%

			E0130E36A(long _a4, signed int* _a8, signed char _a12, signed int _a16, intOrPtr* _a20, unsigned int* _a24, intOrPtr _a28) {
				signed int _t172;
				signed int _t175;
				signed int _t178;
				signed int* _t179;
				signed int _t195;
				signed int _t199;
				signed int _t202;
				void* _t203;
				void* _t206;
				signed int _t209;
				void* _t210;
				signed int _t225;
				unsigned int* _t240;
				signed char _t242;
				signed int* _t250;
				unsigned int* _t256;
				signed int* _t257;
				signed char _t259;
				long _t262;
				signed int* _t265;

				 *(_a4 + 4) = 0;
				_t262 = 0xc000000d;
				 *(_a4 + 8) = 0;
				 *(_a4 + 0xc) = 0;
				_t242 = _a12;
				if((_t242 & 0x00000010) != 0) {
					_t262 = 0xc000008f;
					 *(_a4 + 4) =  *(_a4 + 4) | 1;
				}
				if((_t242 & 0x00000002) != 0) {
					_t262 = 0xc0000093;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000002;
				}
				if((_t242 & 0x00000001) != 0) {
					_t262 = 0xc0000091;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000004;
				}
				if((_t242 & 0x00000004) != 0) {
					_t262 = 0xc000008e;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
				}
				if((_t242 & 0x00000008) != 0) {
					_t262 = 0xc0000090;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000010;
				}
				_t265 = _a8;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 << 4) ^  *(_a4 + 8)) & 0x00000010;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 +  *_t265) ^  *(_a4 + 8)) & 0x00000008;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 1) ^  *(_a4 + 8)) & 0x00000004;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 3) ^  *(_a4 + 8)) & 0x00000002;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 5) ^  *(_a4 + 8)) & 1;
				_t259 = E0130E83C(_a4);
				if((_t259 & 0x00000001) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000010;
				}
				if((_t259 & 0x00000004) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000008;
				}
				if((_t259 & 0x00000008) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000004;
				}
				if((_t259 & 0x00000010) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000002;
				}
				if((_t259 & 0x00000020) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 1;
				}
				_t172 =  *_t265 & 0x00000c00;
				if(_t172 == 0) {
					 *_a4 =  *_a4 & 0xfffffffc;
				} else {
					if(_t172 == 0x400) {
						_t257 = _a4;
						_t225 =  *_t257 & 0xfffffffd | 1;
						L26:
						 *_t257 = _t225;
						L29:
						_t175 =  *_t265 & 0x00000300;
						if(_t175 == 0) {
							_t250 = _a4;
							_t178 =  *_t250 & 0xffffffeb | 0x00000008;
							L35:
							 *_t250 = _t178;
							L36:
							_t179 = _a4;
							_t254 = (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *_t179 =  *_t179 ^ (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *(_a4 + 0x20) =  *(_a4 + 0x20) | 1;
							if(_a28 == 0) {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe3 | 0x00000002;
								 *((long long*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t254 = _a4;
								_t240 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe3 | 0x00000002;
								 *(_a4 + 0x50) =  *_t240;
							} else {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe1;
								 *((intOrPtr*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t240 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe1;
								 *(_a4 + 0x50) =  *_t240;
							}
							E0130E7A2(_t254);
							RaiseException(_t262, 0, 1,  &_a4);
							_t256 = _a4;
							if((_t256[2] & 0x00000010) != 0) {
								 *_t265 =  *_t265 & 0xfffffffe;
							}
							if((_t256[2] & 0x00000008) != 0) {
								 *_t265 =  *_t265 & 0xfffffffb;
							}
							if((_t256[2] & 0x00000004) != 0) {
								 *_t265 =  *_t265 & 0xfffffff7;
							}
							if((_t256[2] & 0x00000002) != 0) {
								 *_t265 =  *_t265 & 0xffffffef;
							}
							if((_t256[2] & 0x00000001) != 0) {
								 *_t265 =  *_t265 & 0xffffffdf;
							}
							_t195 =  *_t256 & 0x00000003;
							if(_t195 == 0) {
								 *_t265 =  *_t265 & 0xfffff3ff;
							} else {
								_t206 = _t195 - 1;
								if(_t206 == 0) {
									_t209 =  *_t265 & 0xfffff7ff | 0x00000400;
									L55:
									 *_t265 = _t209;
									L58:
									_t199 =  *_t256 >> 0x00000002 & 0x00000007;
									if(_t199 == 0) {
										_t202 =  *_t265 & 0xfffff3ff | 0x00000300;
										L64:
										 *_t265 = _t202;
										L65:
										if(_a28 == 0) {
											 *_t240 = _t256[0x14];
										} else {
											 *_t240 = _t256[0x14];
										}
										return _t202;
									}
									_t203 = _t199 - 1;
									if(_t203 == 0) {
										_t202 =  *_t265 & 0xfffff3ff | 0x00000200;
										goto L64;
									}
									_t202 = _t203 - 1;
									if(_t202 == 0) {
										 *_t265 =  *_t265 & 0xfffff3ff;
									}
									goto L65;
								}
								_t210 = _t206 - 1;
								if(_t210 == 0) {
									_t209 =  *_t265 & 0xfffffbff | 0x00000800;
									goto L55;
								}
								if(_t210 == 1) {
									 *_t265 =  *_t265 | 0x00000c00;
								}
							}
							goto L58;
						}
						if(_t175 == 0x200) {
							_t250 = _a4;
							_t178 =  *_t250 & 0xffffffe7 | 0x00000004;
							goto L35;
						}
						if(_t175 == 0x300) {
							 *_a4 =  *_a4 & 0xffffffe3;
						}
						goto L36;
					}
					if(_t172 == 0x800) {
						_t257 = _a4;
						_t225 =  *_t257 & 0xfffffffe | 0x00000002;
						goto L26;
					}
					if(_t172 == 0xc00) {
						 *_a4 =  *_a4 | 0x00000003;
					}
				}
			}

0x0130e378
0x0130e37f
0x0130e384
0x0130e38a
0x0130e38d
0x0130e393
0x0130e398
0x0130e39d
0x0130e39d
0x0130e3a3
0x0130e3a8
0x0130e3ad
0x0130e3ad
0x0130e3b4
0x0130e3b9
0x0130e3be
0x0130e3be
0x0130e3c5
0x0130e3ca
0x0130e3cf
0x0130e3cf
0x0130e3d6
0x0130e3db
0x0130e3e0
0x0130e3e0
0x0130e3e8
0x0130e3f8
0x0130e40a
0x0130e41c
0x0130e42f
0x0130e441
0x0130e449
0x0130e44e
0x0130e453
0x0130e453
0x0130e45a
0x0130e45f
0x0130e45f
0x0130e466
0x0130e46b
0x0130e46b
0x0130e472
0x0130e477
0x0130e477
0x0130e47e
0x0130e483
0x0130e483
0x0130e48d
0x0130e48f
0x0130e4c9
0x0130e491
0x0130e496
0x0130e4ba
0x0130e4c2
0x0130e4b6
0x0130e4b6
0x0130e4cc
0x0130e4d3
0x0130e4d5
0x0130e4f7
0x0130e4ff
0x0130e502
0x0130e502
0x0130e504
0x0130e504
0x0130e50f
0x0130e515
0x0130e51a
0x0130e521
0x0130e55b
0x0130e566
0x0130e56c
0x0130e56f
0x0130e572
0x0130e57e
0x0130e586
0x0130e523
0x0130e526
0x0130e532
0x0130e538
0x0130e53e
0x0130e541
0x0130e54a
0x0130e54a
0x0130e589
0x0130e597
0x0130e59d
0x0130e5a4
0x0130e5a6
0x0130e5a6
0x0130e5ad
0x0130e5af
0x0130e5af
0x0130e5b6
0x0130e5b8
0x0130e5b8
0x0130e5bf
0x0130e5c1
0x0130e5c1
0x0130e5c8
0x0130e5ca
0x0130e5ca
0x0130e5d7
0x0130e5da
0x0130e611
0x0130e5dc
0x0130e5dc
0x0130e5df
0x0130e60a
0x0130e5ff
0x0130e5ff
0x0130e613
0x0130e61b
0x0130e61e
0x0130e63d
0x0130e642
0x0130e642
0x0130e644
0x0130e649
0x0130e655
0x0130e64b
0x0130e64e
0x0130e64e
0x0130e65a
0x0130e65a
0x0130e620
0x0130e623
0x0130e632
0x00000000
0x0130e632
0x0130e625
0x0130e628
0x0130e62a
0x0130e62a
0x00000000
0x0130e628
0x0130e5e1
0x0130e5e4
0x0130e5fa
0x00000000
0x0130e5fa
0x0130e5e9
0x0130e5eb
0x0130e5eb
0x0130e5e9
0x00000000
0x0130e5da
0x0130e4dc
0x0130e4ea
0x0130e4f2
0x00000000
0x0130e4f2
0x0130e4e0
0x0130e4e5
0x0130e4e5
0x00000000
0x0130e4e0
0x0130e49d
0x0130e4ab
0x0130e4b3
0x00000000
0x0130e4b3
0x0130e4a1
0x0130e4a6
0x0130e4a6
0x0130e4a1

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0130E365,?,?,00000008,?,?,013185A3,00000000), ref: 0130E597

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 8fbee617682f00b85c53bafd0128a2476f92783c56d44d1dc3e2a2f7bd346d28
Instruction ID: 2b1ffedfa0fde4bdd8fd083b1d000482af386db443b5215f66d1ccb9075b9cdf
Opcode Fuzzy Hash: 8fbee617682f00b85c53bafd0128a2476f92783c56d44d1dc3e2a2f7bd346d28
Instruction Fuzzy Hash: 60B11A316106099FE716CF2CC49AB557BE0FB45368F298AA8E999CF2E1D335D981CB40

Uniqueness

Uniqueness Score: -1.00%

Function 011A2690 Relevance: 1.7, Strings: 1, Instructions: 480
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E011A2690(intOrPtr __ecx, signed int* __edx, void* _a4, signed int** _a8, unsigned int _a12, void* _a16) {
				signed int* _v8;
				signed char _v12;
				signed int* _v16;
				void* _v20;
				intOrPtr _v24;
				unsigned int _v28;
				intOrPtr _v32;
				signed int _v36;
				unsigned int _v40;
				signed char _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void* _v56;
				signed char _t199;
				void _t206;
				void* _t211;
				unsigned int _t221;
				signed int _t222;
				signed char _t224;
				signed int* _t225;
				void* _t228;
				void* _t230;
				signed char _t234;
				signed char _t237;
				void* _t238;
				void* _t250;
				void** _t251;
				void* _t256;
				unsigned int _t257;
				signed int _t258;
				void* _t259;
				void* _t260;
				void* _t264;
				void* _t265;
				unsigned int _t281;
				void* _t289;
				void* _t291;
				signed char _t297;
				void* _t298;
				intOrPtr _t299;
				void* _t301;
				signed int* _t302;
				void _t303;
				unsigned int _t304;
				void* _t309;
				signed int _t310;
				void* _t311;
				void* _t312;
				void* _t314;
				void* _t315;
				signed int _t316;
				void _t317;
				signed int* _t324;
				signed int _t325;
				signed char _t326;
				signed int _t327;
				signed int _t328;
				void* _t336;
				signed int _t337;
				unsigned int _t338;
				unsigned int _t339;
				signed int* _t340;
				signed int _t341;
				void** _t342;
				short* _t344;
				void* _t345;
				signed int _t346;
				unsigned int _t348;
				signed int _t349;
				signed int _t350;
				unsigned int _t351;
				signed int _t352;
				signed int _t353;
				signed int _t354;
				signed int _t359;
				signed int _t360;
				void* _t365;
				void* _t366;
				intOrPtr _t368;
				intOrPtr _t371;
				signed int _t373;
				signed char _t375;
				intOrPtr _t378;
				void* _t384;
				void* _t385;
				void* _t390;
				intOrPtr _t391;
				void* _t392;
				void* _t395;
				void _t396;
				void* _t398;
				void _t399;
				void* _t401;
				void* _t403;
				void* _t408;
				short* _t409;
				intOrPtr _t416;
				signed int* _t417;
				unsigned int _t418;
				signed int* _t421;
				signed int* _t422;
				unsigned int _t423;
				void* _t429;

				_t417 = __edx;
				_t368 = __ecx;
				_v8 = __edx;
				_v24 = __ecx;
				_t324 =  *_a8;
				_v16 = __edx;
				_t297 = _t324 + __edx;
				_v12 = _t297;
				_t298 = _a4;
				_t401 = _t298;
				_t299 = _t298 + _a12;
				_v52 = _t299;
				_v32 = _t297 - 5;
				_v20 = _t401;
				_v48 = _t299 + 0xfffffff5;
				if(_a12 >= 1) {
					__eflags = _t324 - 0x7e000000;
					if(_t324 > 0x7e000000) {
						goto L1;
					} else {
						_t301 = _a16;
						__eflags = _t301 - 2;
						if(_t301 != 2) {
							L5:
							__eflags = _t324 - 0xd;
							if(_t324 < 0xd) {
								_t302 = _t417;
							} else {
								 *_a8 = 0;
								_t221 =  *_t417 * 0x9e3779b1;
								__eflags = _t301 - 2;
								if(_t301 != 2) {
									_t222 = _t221 >> 0x14;
									__eflags = _t222;
								} else {
									_t222 = _t221 >> 0x13;
								}
								_t336 = _t301;
								__eflags = _t336;
								if(_t336 == 0) {
									 *(_t368 + _t222 * 4) = _t417;
								} else {
									_t365 = _t336 - 1;
									__eflags = _t365;
									if(_t365 == 0) {
										 *(_t368 + _t222 * 4) = 0;
									} else {
										_t366 = _t365 - 1;
										__eflags = _t366;
										if(_t366 == 0) {
											 *(_t368 + _t222 * 2) = _t366;
										}
									}
								}
								_t421 =  &(_t417[0]);
								_t337 = _t417[0] * 0x9e3779b1;
								__eflags = _t301 - 2;
								L16:
								while(1) {
									L16:
									if(__eflags != 0) {
										_t338 = _t337 >> 0x14;
										__eflags = _t338;
									} else {
										_t338 = _t337 >> 0x13;
									}
									_v56 = _t401;
									_t224 = _t421;
									_t304 = 1;
									_v28 = 0x40;
									while(1) {
										_t378 = _v24;
										_t422 = _t224;
										_t225 = _t224 + _t304;
										_v36 = _t338;
										_v28 = _v28 + 1;
										_v40 = _v28 >> 6;
										_a12 = _t422;
										_v44 = _t225;
										__eflags = _t225 - _v12 + 0xfffffff4;
										if(_t225 > _v12 + 0xfffffff4) {
											break;
										}
										_t309 = _a16;
										__eflags = _t309;
										if(_t309 != 0) {
											__eflags = _t309 - 1;
											if(_t309 != 1) {
												_t310 =  *(_t378 + _t338 * 2) & 0x0000ffff;
											} else {
												_t310 =  *(_t378 + _t338 * 4);
											}
											_t311 = _t310 + _v8;
											__eflags = _t311;
										} else {
											_t311 =  *(_t378 + _t338 * 4);
										}
										_t339 =  *_t225 * 0x9e3779b1;
										__eflags = _a16 - 2;
										if(_a16 != 2) {
											_t338 = _t339 >> 0x14;
											__eflags = _t338;
										} else {
											_t338 = _t339 >> 0x13;
										}
										_t228 = _a16;
										__eflags = _t228;
										if(_t228 == 0) {
											 *(_t378 + _v36 * 4) = _t422;
											goto L39;
										} else {
											_t291 = _t228 - 1;
											__eflags = _t291;
											if(_t291 == 0) {
												 *(_t378 + _v36 * 4) = _t422 - _v8;
												_t422 = _a12;
												goto L39;
											} else {
												__eflags = _t291 == 1;
												if(_t291 == 1) {
													 *((short*)(_t378 + _v36 * 2)) = _t422 - _v8;
													_t422 = _a12;
													goto L40;
												} else {
													__eflags = _a16 - 2;
													if(_a16 == 2) {
														L40:
														__eflags =  *_t311 -  *_t422;
														_t224 = _v44;
														if( *_t311 !=  *_t422) {
															goto L20;
														} else {
															_t340 = _v16;
															__eflags = _t422 - _t340;
															if(_t422 > _t340) {
																_t416 = _v8;
																while(1) {
																	__eflags = _t311 - _t416;
																	if(_t311 <= _t416) {
																		break;
																	}
																	_t340 = _v16;
																	__eflags =  *(_t422 - 1) -  *(_t311 - 1);
																	if( *(_t422 - 1) ==  *(_t311 - 1)) {
																		_t422 = _t422 - 1;
																		_t311 = _t311 - 1;
																		__eflags = _t422 - _t340;
																		if(_t422 > _t340) {
																			continue;
																		}
																	}
																	break;
																}
																_t401 = _v20;
																_a12 = _t422;
															}
															_v28 = _t401;
															_t234 = _t422 - _t340;
															_t408 = _t401 + 1;
															_v44 = _t234;
															_v20 = _t408;
															_t73 = _t234 + 0xf0; // 0xf1
															_t341 = _t73;
															_t237 = _v44;
															__eflags = (0x80808081 * _t341 >> 0x20 >> 7) + _t237 + _t408 - _v48;
															if((0x80808081 * _t341 >> 0x20 >> 7) + _t237 + _t408 > _v48) {
																_t401 = _v56;
																break;
															} else {
																_t342 = _v28;
																__eflags = _t237 - 0xf;
																if(_t237 < 0xf) {
																	_t238 = _t237 << 4;
																	__eflags = _t238;
																	 *_t342 = _t238;
																} else {
																	_t396 = _t237 - 0xf;
																	 *_t342 = 0xf0;
																	_v36 = _t396;
																	__eflags = _t396 - 0xff;
																	if(_t396 >= 0xff) {
																		_t398 = 0x80808081 * _t396 >> 0x20 >> 7;
																		_t359 = _t398;
																		_t360 = _t359 >> 2;
																		memset(_t408 + _t360, memset(_t408, 0x80808081 * _t396 | 0xffffffff, _t360 << 2), (_t359 & 0x00000003) << 0);
																		_t429 = _t429 + 0x18;
																		_t289 = _t398;
																		_t399 = _v36;
																		_t408 = _v20 + _t289;
																		__eflags = _t408;
																		do {
																			_t399 = _t399 - 0xff;
																			_t289 = _t289 - 1;
																			__eflags = _t289;
																		} while (_t289 != 0);
																		_t422 = _a12;
																	}
																	 *_t408 = _t396;
																	_t408 = _t408 + 1;
																}
																_t344 = _t408 + _v44;
																_t384 = _v16 - _t408;
																__eflags = _t384;
																do {
																	 *_t408 =  *(_t384 + _t408);
																	 *((intOrPtr*)(_t408 + 4)) =  *((intOrPtr*)(_t384 + _t408 + 4));
																	_t408 = _t408 + 8;
																	__eflags = _t408 - _t344;
																} while (_t408 < _t344);
																_t409 = _t344;
																while(1) {
																	_t98 =  &(_t422[1]); // 0x1
																	_t345 = _t98;
																	_t423 = _a12;
																	 *_t409 = _t422 - _t311;
																	_t312 = _t311 + 4;
																	_t401 = _t409 + 2;
																	_v20 = _t401;
																	_t385 = _t345;
																	__eflags = _t345 - _v32 + 0xfffffffd;
																	if(_t345 >= _v32 + 0xfffffffd) {
																		goto L62;
																	}
																	L59:
																	while(1) {
																		_t281 =  *_t345 ^  *_t312;
																		__eflags = _t281;
																		if(_t281 != 0) {
																			break;
																		}
																		_t345 = _t345 + 4;
																		_t423 = _a12;
																		_t312 = _t312 + 4;
																		__eflags = _t345 - _v32 + 0xfffffffd;
																		if(_t345 < _v32 + 0xfffffffd) {
																			continue;
																		} else {
																			goto L62;
																		}
																		L69:
																		_t346 = _t314 + 0xf0;
																		_t250 = _v52 + 0xfffffffa;
																		__eflags = _t401 + (0x80808081 * _t346 >> 0x20 >> 7) - _t250;
																		if(_t401 + (0x80808081 * _t346 >> 0x20 >> 7) > _t250) {
																			_t314 = 0xe + (_t250 - _t401) * 0xff;
																			__eflags = _t314;
																		}
																		_t251 = _v28;
																		_t422 = _t423 + 4 + _t314;
																		_a12 = _t422;
																		__eflags = _t314 - 0xf;
																		if(_t314 < 0xf) {
																			 *_t251 =  *_t251 + _t314;
																			__eflags =  *_t251;
																		} else {
																			 *_t251 =  *_t251 + 0xf;
																			_t317 = _t314 - 0xf;
																			__eflags = _t317 - 0xff;
																			if(_t317 >= 0xff) {
																				_t395 = 0x80808081 * _t317 >> 0x20 >> 7;
																				_t353 = _t395;
																				_t354 = _t353 >> 2;
																				memset(_t401 + _t354, memset(_t401, 0x80808081 * _t317 | 0xffffffff, _t354 << 2), (_t353 & 0x00000003) << 0);
																				_t429 = _t429 + 0x18;
																				_t401 = _v20 + _t395;
																				asm("o16 nop [eax+eax]");
																				do {
																					_t317 = _t317 - 0xff;
																					_t395 = _t395 - 1;
																					__eflags = _t395;
																				} while (_t395 != 0);
																				_t422 = _a12;
																			}
																			 *_t401 = _t317;
																			_t401 = _t401 + 1;
																			_v20 = _t401;
																		}
																		_t302 = _t422;
																		_v16 = _t302;
																		__eflags = _t422 - _v12 + 0xfffffff4;
																		if(_t422 <= _v12 + 0xfffffff4) {
																			__eflags = _t401 - _v48 - 1;
																			if(_t401 <= _v48 - 1) {
																				_t128 = _t422 - 2; // -5
																				_t256 = _t128;
																				_t315 = _a16;
																				_t348 =  *(_t422 - 2) * 0x9e3779b1;
																				__eflags = _t315 - 2;
																				if(_t315 != 2) {
																					_t349 = _t348 >> 0x14;
																					__eflags = _t349;
																				} else {
																					_t349 = _t348 >> 0x13;
																				}
																				_t390 = _t315;
																				__eflags = _t390;
																				if(_t390 == 0) {
																					L89:
																					_t391 = _v24;
																					 *(_t391 + _t349 * 4) = _t256;
																				} else {
																					_t392 = _t390 - 1;
																					__eflags = _t392;
																					if(_t392 == 0) {
																						_t256 = _t256 - _v8;
																						__eflags = _t256;
																						goto L89;
																					} else {
																						__eflags = _t392 == 1;
																						_t391 = _v24;
																						if(_t392 == 1) {
																							 *((short*)(_t391 + _t349 * 2)) = _t256 - _v8;
																						}
																					}
																				}
																				_t350 =  *_t422;
																				_t257 = _t350 * 0x9e3779b1;
																				__eflags = _t315 - 2;
																				if(_t315 != 2) {
																					_t258 = _t257 >> 0x14;
																					__eflags = _t315;
																					if(_t315 != 0) {
																						__eflags = _t315 - 1;
																						if(_t315 != 1) {
																							goto L92;
																						} else {
																							_t316 =  *(_t391 + _t258 * 4);
																							goto L93;
																						}
																						goto L114;
																					} else {
																						_t311 =  *(_t391 + _t258 * 4);
																						goto L94;
																					}
																					L123:
																					_t403 = _t401 + 1;
																					E012EE160(_t403, _t302, _t326);
																					 *_a8 = _t418 - _v8;
																					_t211 = _v12 - _a4 + _t403;
																					__eflags = _t211;
																					return _t211;
																					goto L124;
																				} else {
																					_t258 = _t257 >> 0x13;
																					__eflags = _t258;
																					L92:
																					_t316 =  *(_t391 + _t258 * 2) & 0x0000ffff;
																					L93:
																					_t311 = _t316 + _v8;
																					__eflags = _t311;
																				}
																				L94:
																				_t259 = _a16;
																				_t351 = _t350 * 0x9e3779b1;
																				__eflags = _t259 - 2;
																				if(_t259 != 2) {
																					_t352 = _t351 >> 0x14;
																					__eflags = _t352;
																				} else {
																					_t352 = _t351 >> 0x13;
																				}
																				_t260 = _t259;
																				__eflags = _t260;
																				if(_t260 == 0) {
																					 *(_t391 + _t352 * 4) = _t422;
																				} else {
																					_t265 = _t260 - 1;
																					__eflags = _t265;
																					if(_t265 == 0) {
																						 *(_t391 + _t352 * 4) = _t422 - _v8;
																					} else {
																						__eflags = _t265 == 1;
																						if(_t265 == 1) {
																							 *((short*)(_t391 + _t352 * 2)) = _t422 - _v8;
																						}
																					}
																				}
																				_t154 = _t311 + 0xffff; // 0xffff
																				__eflags = _t154 - _t422;
																				if(_t154 < _t422) {
																					L110:
																					_t421 =  &(_t422[0]);
																					_t337 = _t422[0] * 0x9e3779b1;
																					__eflags = _a16 - 2;
																					goto L16;
																				} else {
																					__eflags =  *_t311 -  *_t422;
																					if( *_t311 !=  *_t422) {
																						goto L110;
																					} else {
																						_t264 = _t401;
																						_t409 = _t401 + 1;
																						_v28 = _t264;
																						 *_t264 = 0;
																						_t98 =  &(_t422[1]); // 0x1
																						_t345 = _t98;
																						_t423 = _a12;
																						 *_t409 = _t422 - _t311;
																						_t312 = _t311 + 4;
																						_t401 = _t409 + 2;
																						_v20 = _t401;
																						_t385 = _t345;
																						__eflags = _t345 - _v32 + 0xfffffffd;
																						if(_t345 >= _v32 + 0xfffffffd) {
																							goto L62;
																						}
																						goto L69;
																					}
																				}
																			}
																		}
																		goto L114;
																	}
																	asm("bsf eax, eax");
																	_a12 = _t281;
																	_t314 = (_t281 >> 3) - _t385 + _t345;
																	goto L69;
																	L62:
																	__eflags = _t345 - _v32 - 1;
																	if(_t345 < _v32 - 1) {
																		__eflags =  *_t312 -  *_t345;
																		if( *_t312 ==  *_t345) {
																			_t345 = _t345 + 2;
																			_t312 = _t312 + 2;
																			__eflags = _t312;
																		}
																	}
																	__eflags = _t345 - _v32;
																	if(_t345 < _v32) {
																		__eflags =  *_t312 -  *_t345;
																		if( *_t312 ==  *_t345) {
																			_t345 = _t345 + 1;
																			__eflags = _t345;
																		}
																	}
																	_t314 = _t345 - _t385;
																	__eflags = _t314;
																	goto L69;
																}
															}
														}
													} else {
														L39:
														_t60 = _t311 + 0xffff; // 0x10001
														_t230 = _t60;
														__eflags = _t230 - _t422;
														asm("sbb eax, eax");
														_t224 = _v44;
														if(_t230 != _t422) {
															L20:
															_t304 = _v40;
															continue;
														} else {
															goto L40;
														}
													}
												}
											}
										}
										goto L114;
									}
									_t302 = _v16;
									goto L114;
								}
							}
							L114:
							_t199 = _v12 - _t302;
							_v12 = _t199;
							_t325 = _t199 + 0xf0;
							_t326 = _v12;
							_t371 = _v52;
							__eflags = _t326 + 1 + (0x80808081 * _t325 >> 0x20 >> 7) + _t401 - _t371;
							if(_t326 + 1 + (0x80808081 * _t325 >> 0x20 >> 7) + _t401 > _t371) {
								_t375 = _t371 - _t401 - 1;
								_v12 = _t375;
								_t326 = _v12 - (0x80808081 * (_t375 + 0xf0) >> 0x20 >> 7);
								__eflags = _t326;
								_v12 = _t326;
							}
							_t418 = _t302 + _t326;
							_a12 = _t418;
							__eflags = _t326 - 0xf;
							if(_t326 < 0xf) {
								_t206 = _t326 << 4;
								__eflags = _t206;
								 *_t401 = _t206;
							} else {
								_t303 = _t326 - 0xf;
								 *_t401 = 0xf0;
								_t401 = _t401 + 1;
								_v20 = _t401;
								__eflags = _t303 - 0xff;
								if(_t303 >= 0xff) {
									_t373 = 0x80808081 * _t303 >> 0x20 >> 7;
									_t327 = _t373;
									_t328 = _t327 >> 2;
									memset(_t401 + _t328, memset(_t401, 0x80808081 * _t303 | 0xffffffff, _t328 << 2), (_t327 & 0x00000003) << 0);
									_t429 = _t429 + 0x18;
									_t401 = _v20 + _t373;
									__eflags = _t401;
									do {
										_t303 = _t303 - 0xff;
										_t373 = _t373 - 1;
										__eflags = _t373;
									} while (_t373 != 0);
									_t418 = _a12;
									_t326 = _v12;
								}
								 *_t401 = _t303;
								_t302 = _v16;
							}
							goto L123;
						} else {
							__eflags = _t324 - 0x1000b;
							if(_t324 >= 0x1000b) {
								goto L1;
							} else {
								goto L5;
							}
						}
					}
				} else {
					L1:
					return 0;
				}
				L124:
			}

0x011a2698
0x011a269a
0x011a26a0
0x011a26a3
0x011a26a6
0x011a26a8
0x011a26ab
0x011a26b1
0x011a26b4
0x011a26b7
0x011a26b9
0x011a26bc
0x011a26c6
0x011a26c9
0x011a26cc
0x011a26cf
0x011a26da
0x011a26e0
0x00000000
0x011a26e2
0x011a26e2
0x011a26e5
0x011a26e8
0x011a26f2
0x011a26f2
0x011a26f5
0x011a2b00
0x011a26fb
0x011a26fe
0x011a2706
0x011a270c
0x011a270f
0x011a2716
0x011a2716
0x011a2711
0x011a2711
0x011a2711
0x011a271b
0x011a271b
0x011a271e
0x011a2739
0x011a2720
0x011a2720
0x011a2720
0x011a2723
0x011a2730
0x011a2725
0x011a2725
0x011a2725
0x011a2728
0x011a272a
0x011a272a
0x011a2728
0x011a2723
0x011a273f
0x011a2740
0x011a2746
0x00000000
0x011a2749
0x011a2749
0x011a2749
0x011a2750
0x011a2750
0x011a274b
0x011a274b
0x011a274b
0x011a2753
0x011a2756
0x011a2758
0x011a275d
0x011a2769
0x011a2769
0x011a276c
0x011a276e
0x011a2770
0x011a2776
0x011a277c
0x011a2785
0x011a2788
0x011a278b
0x011a278d
0x00000000
0x00000000
0x011a2793
0x011a2796
0x011a2798
0x011a279f
0x011a27a2
0x011a27a9
0x011a27a4
0x011a27a4
0x011a27a4
0x011a27ad
0x011a27ad
0x011a279a
0x011a279a
0x011a279a
0x011a27b2
0x011a27b8
0x011a27bc
0x011a27c3
0x011a27c3
0x011a27be
0x011a27be
0x011a27be
0x011a27c9
0x011a27c9
0x011a27cc
0x011a2804
0x00000000
0x011a27ce
0x011a27ce
0x011a27ce
0x011a27d1
0x011a27f9
0x011a27fc
0x00000000
0x011a27d3
0x011a27d3
0x011a27d6
0x011a27e8
0x011a27ec
0x00000000
0x011a27d8
0x011a27d8
0x011a27dc
0x011a281c
0x011a281e
0x011a2820
0x011a2823
0x00000000
0x011a2829
0x011a2829
0x011a282c
0x011a282e
0x011a2830
0x011a2833
0x011a2833
0x011a2835
0x00000000
0x00000000
0x011a283a
0x011a283d
0x011a2840
0x011a2842
0x011a2843
0x011a2844
0x011a2846
0x00000000
0x00000000
0x011a2846
0x00000000
0x011a2840
0x011a2848
0x011a284b
0x011a284b
0x011a2850
0x011a2853
0x011a2855
0x011a2856
0x011a2859
0x011a285c
0x011a285c
0x011a2869
0x011a2873
0x011a2876
0x011a2af8
0x00000000
0x011a287c
0x011a287c
0x011a287f
0x011a2882
0x011a28d3
0x011a28d3
0x011a28d6
0x011a2884
0x011a2884
0x011a2887
0x011a288a
0x011a288d
0x011a2893
0x011a289f
0x011a28a2
0x011a28a6
0x011a28b0
0x011a28b0
0x011a28b5
0x011a28b7
0x011a28ba
0x011a28ba
0x011a28c0
0x011a28c0
0x011a28c6
0x011a28c6
0x011a28c6
0x011a28cb
0x011a28cb
0x011a28ce
0x011a28d0
0x011a28d0
0x011a28de
0x011a28e0
0x011a28e0
0x011a28e2
0x011a28e5
0x011a28eb
0x011a28ee
0x011a28f1
0x011a28f1
0x011a28f5
0x011a28f7
0x011a28f9
0x011a28f9
0x011a28fc
0x011a2901
0x011a2904
0x011a290a
0x011a2910
0x011a2913
0x011a2915
0x011a2917
0x00000000
0x00000000
0x00000000
0x011a2920
0x011a2922
0x011a2922
0x011a2924
0x00000000
0x00000000
0x011a292d
0x011a2930
0x011a2936
0x011a2939
0x011a293b
0x00000000
0x00000000
0x00000000
0x00000000
0x011a2963
0x011a2963
0x011a2976
0x011a297b
0x011a297d
0x011a2987
0x011a2987
0x011a2987
0x011a298a
0x011a2990
0x011a2992
0x011a2995
0x011a2998
0x011a29fa
0x011a29fa
0x011a299a
0x011a299a
0x011a299d
0x011a29a0
0x011a29a6
0x011a29b2
0x011a29b5
0x011a29b9
0x011a29c3
0x011a29c3
0x011a29c8
0x011a29ca
0x011a29d0
0x011a29d0
0x011a29d6
0x011a29d6
0x011a29d6
0x011a29db
0x011a29db
0x011a29de
0x011a29e0
0x011a29e1
0x011a29e1
0x011a29ff
0x011a2a04
0x011a2a07
0x011a2a09
0x011a2a13
0x011a2a15
0x011a2a1e
0x011a2a1e
0x011a2a21
0x011a2a24
0x011a2a2a
0x011a2a2d
0x011a2a34
0x011a2a34
0x011a2a2f
0x011a2a2f
0x011a2a2f
0x011a2a39
0x011a2a39
0x011a2a3c
0x011a2a57
0x011a2a57
0x011a2a5a
0x011a2a3e
0x011a2a3e
0x011a2a3e
0x011a2a41
0x011a2a54
0x011a2a54
0x00000000
0x011a2a43
0x011a2a43
0x011a2a46
0x011a2a49
0x011a2a4e
0x011a2a4e
0x011a2a49
0x011a2a41
0x011a2a5d
0x011a2a5f
0x011a2a65
0x011a2a68
0x011a2a87
0x011a2a8a
0x011a2a8c
0x011a2a93
0x011a2a96
0x00000000
0x011a2a98
0x011a2a98
0x00000000
0x011a2a98
0x00000000
0x011a2a8e
0x011a2a8e
0x00000000
0x011a2a8e
0x011a2baf
0x011a2bb0
0x011a2bb3
0x011a2bc1
0x011a2bc9
0x011a2bc9
0x011a2bd1
0x00000000
0x011a2a6a
0x011a2a6a
0x011a2a6a
0x011a2a6d
0x011a2a6d
0x011a2a71
0x011a2a71
0x011a2a71
0x011a2a71
0x011a2a74
0x011a2a74
0x011a2a77
0x011a2a7d
0x011a2a80
0x011a2a9d
0x011a2a9d
0x011a2a82
0x011a2a82
0x011a2a82
0x011a2aa0
0x011a2aa0
0x011a2aa3
0x011a2ac4
0x011a2aa5
0x011a2aa5
0x011a2aa5
0x011a2aa8
0x011a2abf
0x011a2aaa
0x011a2aaa
0x011a2aad
0x011a2ab4
0x011a2ab4
0x011a2aad
0x011a2aa8
0x011a2ac7
0x011a2acd
0x011a2acf
0x011a2ae5
0x011a2ae8
0x011a2ae9
0x011a2aef
0x00000000
0x011a2ad1
0x011a2ad3
0x011a2ad5
0x00000000
0x011a2ad7
0x011a2ad7
0x011a2ad9
0x011a2ada
0x011a2add
0x011a28f9
0x011a28f9
0x011a28fc
0x011a2901
0x011a2904
0x011a290a
0x011a2910
0x011a2913
0x011a2915
0x011a2917
0x00000000
0x00000000
0x00000000
0x011a2917
0x011a2ad5
0x011a2acf
0x011a2a15
0x00000000
0x011a2a09
0x011a29e6
0x011a29eb
0x011a29f3
0x00000000
0x011a293d
0x011a2941
0x011a2943
0x011a2948
0x011a294b
0x011a294d
0x011a2950
0x011a2950
0x011a2950
0x011a294b
0x011a2953
0x011a2956
0x011a295a
0x011a295c
0x011a295e
0x011a295e
0x011a295e
0x011a295c
0x011a2961
0x011a2961
0x00000000
0x011a2961
0x011a28f7
0x011a2876
0x011a27de
0x011a2807
0x011a2807
0x011a2807
0x011a280d
0x011a280f
0x011a2813
0x011a2816
0x011a2766
0x011a2766
0x00000000
0x00000000
0x00000000
0x00000000
0x011a2816
0x011a27dc
0x011a27d6
0x011a27d1
0x00000000
0x011a27cc
0x011a2afb
0x00000000
0x011a2afb
0x011a2749
0x011a2b02
0x011a2b05
0x011a2b07
0x011a2b0a
0x011a2b17
0x011a2b22
0x011a2b27
0x011a2b29
0x011a2b32
0x011a2b33
0x011a2b44
0x011a2b44
0x011a2b46
0x011a2b46
0x011a2b49
0x011a2b4c
0x011a2b4f
0x011a2b52
0x011a2baa
0x011a2baa
0x011a2bad
0x011a2b54
0x011a2b54
0x011a2b57
0x011a2b5a
0x011a2b5b
0x011a2b5e
0x011a2b64
0x011a2b70
0x011a2b73
0x011a2b77
0x011a2b81
0x011a2b81
0x011a2b86
0x011a2b86
0x011a2b90
0x011a2b90
0x011a2b96
0x011a2b96
0x011a2b96
0x011a2b9b
0x011a2b9e
0x011a2b9e
0x011a2ba1
0x011a2ba3
0x011a2ba3
0x00000000
0x011a26ea
0x011a26ea
0x011a26f0
0x00000000
0x00000000
0x00000000
0x00000000
0x011a26f0
0x011a26e8
0x011a26d1
0x011a26d1
0x011a26d9
0x011a26d9
0x00000000

Strings

@, xrefs: 011A275D

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 485a8fb891c64948d6ef92aa6b7f3867a8147a4e9a51a8c560eac2088c7f37b6
Instruction ID: 466a52add4588bc0a96a313d70f768994473bc7f770abbfd6a29e337f91bdffd
Opcode Fuzzy Hash: 485a8fb891c64948d6ef92aa6b7f3867a8147a4e9a51a8c560eac2088c7f37b6
Instruction Fuzzy Hash: 6702CF79A0021A8BCB2CCFACC9906BDBFF1FF45310F954269E852AB752D3319941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01179380 Relevance: 1.6, Strings: 1, Instructions: 380
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E01179380(signed int _a4, signed char* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int* _v12;
				signed int _t280;
				signed int _t288;
				signed int _t296;
				signed int _t304;
				signed int _t312;
				signed int _t320;
				signed int _t328;
				signed int _t336;
				intOrPtr _t369;
				signed int _t372;
				signed int _t543;
				signed int _t546;
				signed int _t549;
				signed int _t552;
				signed int _t555;
				signed int _t558;
				signed int _t561;
				signed int _t564;
				signed int _t567;

				_v8 = (_a4 >> 0x00000018 & 0x000000ff) + (_a4 >> 0x00000008 & 0x0000ff00) + ((_a4 & 0x0000ff00) << 8) + ((_a4 & 0x000000ff) << 0x18);
				_v8 =  !_v8;
				while(_a12 != 0 && (_a8 & 0x00000003) != 0) {
					_t14 = (_v8 >> 0x00000018 ^  *_a8 & 0x000000ff) * 4; // 0x0
					_v8 = _v8 << 0x00000008 ^  *((0x400 << 2) + _t14 + 0x136ed48);
					_a8 =  &(_a8[1]);
					_a12 = _a12 - 1;
				}
				_v12 = _a8;
				_v12 = _v12 - 4;
				while(_a12 >= 0x20) {
					_v12 =  &(_v12[1]);
					_v8 = _v8 ^  *_v12;
					_t280 = _v8 & 0x000000ff;
					_t546 = _v8 >> 0x00000008 & 0x000000ff;
					_t34 = _t280 * 4; // 0x0
					_t37 = _t546 * 4; // 0x0
					_t41 = (_v8 >> 0x00000010 & 0x000000ff) * 4; // 0x0
					_t45 = (_v8 >> 0x18) * 4; // 0x96000000
					_v8 =  *((0x400 << 2) + _t34 + 0x136ed48) ^  *(0x1400 + _t37 + 0x136ed48) ^  *(0x1800 + _t41 + 0x136ed48) ^  *(0x1c00 + _t45 + 0x136ed48);
					_v12 =  &(_v12[1]);
					_v8 = _v8 ^  *_v12;
					_t288 = _v8 & 0x000000ff;
					_t549 = _v8 >> 0x00000008 & 0x000000ff;
					_t56 = _t288 * 4; // 0x0
					_t59 = _t549 * 4; // 0x0
					_t63 = (_v8 >> 0x00000010 & 0x000000ff) * 4; // 0x0
					_t67 = (_v8 >> 0x18) * 4; // 0x96000000
					_v8 =  *((0x400 << 2) + _t56 + 0x136ed48) ^  *(0x1400 + _t59 + 0x136ed48) ^  *(0x1800 + _t63 + 0x136ed48) ^  *(0x1c00 + _t67 + 0x136ed48);
					_v12 =  &(_v12[1]);
					_v8 = _v8 ^  *_v12;
					_t296 = _v8 & 0x000000ff;
					_t552 = _v8 >> 0x00000008 & 0x000000ff;
					_t78 = _t296 * 4; // 0x0
					_t81 = _t552 * 4; // 0x0
					_t85 = (_v8 >> 0x00000010 & 0x000000ff) * 4; // 0x0
					_t89 = (_v8 >> 0x18) * 4; // 0x96000000
					_v8 =  *((0x400 << 2) + _t78 + 0x136ed48) ^  *(0x1400 + _t81 + 0x136ed48) ^  *(0x1800 + _t85 + 0x136ed48) ^  *(0x1c00 + _t89 + 0x136ed48);
					_v12 =  &(_v12[1]);
					_v8 = _v8 ^  *_v12;
					_t304 = _v8 & 0x000000ff;
					_t555 = _v8 >> 0x00000008 & 0x000000ff;
					_t100 = _t304 * 4; // 0x0
					_t103 = _t555 * 4; // 0x0
					_t107 = (_v8 >> 0x00000010 & 0x000000ff) * 4; // 0x0
					_t111 = (_v8 >> 0x18) * 4; // 0x96000000
					_v8 =  *((0x400 << 2) + _t100 + 0x136ed48) ^  *(0x1400 + _t103 + 0x136ed48) ^  *(0x1800 + _t107 + 0x136ed48) ^  *(0x1c00 + _t111 + 0x136ed48);
					_v12 =  &(_v12[1]);
					_v8 = _v8 ^  *_v12;
					_t312 = _v8 & 0x000000ff;
					_t558 = _v8 >> 0x00000008 & 0x000000ff;
					_t122 = _t312 * 4; // 0x0
					_t125 = _t558 * 4; // 0x0
					_t129 = (_v8 >> 0x00000010 & 0x000000ff) * 4; // 0x0
					_t133 = (_v8 >> 0x18) * 4; // 0x96000000
					_v8 =  *((0x400 << 2) + _t122 + 0x136ed48) ^  *(0x1400 + _t125 + 0x136ed48) ^  *(0x1800 + _t129 + 0x136ed48) ^  *(0x1c00 + _t133 + 0x136ed48);
					_v12 =  &(_v12[1]);
					_v8 = _v8 ^  *_v12;
					_t320 = _v8 & 0x000000ff;
					_t561 = _v8 >> 0x00000008 & 0x000000ff;
					_t144 = _t320 * 4; // 0x0
					_t147 = _t561 * 4; // 0x0
					_t151 = (_v8 >> 0x00000010 & 0x000000ff) * 4; // 0x0
					_t155 = (_v8 >> 0x18) * 4; // 0x96000000
					_v8 =  *((0x400 << 2) + _t144 + 0x136ed48) ^  *(0x1400 + _t147 + 0x136ed48) ^  *(0x1800 + _t151 + 0x136ed48) ^  *(0x1c00 + _t155 + 0x136ed48);
					_v12 =  &(_v12[1]);
					_v8 = _v8 ^  *_v12;
					_t328 = _v8 & 0x000000ff;
					_t564 = _v8 >> 0x00000008 & 0x000000ff;
					_t166 = _t328 * 4; // 0x0
					_t169 = _t564 * 4; // 0x0
					_t173 = (_v8 >> 0x00000010 & 0x000000ff) * 4; // 0x0
					_t177 = (_v8 >> 0x18) * 4; // 0x96000000
					_v8 =  *((0x400 << 2) + _t166 + 0x136ed48) ^  *(0x1400 + _t169 + 0x136ed48) ^  *(0x1800 + _t173 + 0x136ed48) ^  *(0x1c00 + _t177 + 0x136ed48);
					_v12 =  &(_v12[1]);
					_v8 = _v8 ^  *_v12;
					_t336 = _v8 & 0x000000ff;
					_t567 = _v8 >> 0x00000008 & 0x000000ff;
					_t188 = _t336 * 4; // 0x0
					_t191 = _t567 * 4; // 0x0
					_t195 = (_v8 >> 0x00000010 & 0x000000ff) * 4; // 0x0
					_t199 = (_v8 >> 0x18) * 4; // 0x96000000
					_v8 =  *((0x400 << 2) + _t188 + 0x136ed48) ^  *(0x1400 + _t191 + 0x136ed48) ^  *(0x1800 + _t195 + 0x136ed48) ^  *(0x1c00 + _t199 + 0x136ed48);
					_a12 = _a12 - 0x20;
				}
				while(_a12 >= 4) {
					_v12 =  &(_v12[1]);
					_v8 = _v8 ^  *_v12;
					_t372 = _v8 & 0x000000ff;
					_t543 = _v8 >> 0x00000008 & 0x000000ff;
					_t213 = _t372 * 4; // 0x0
					_t216 = _t543 * 4; // 0x0
					_t220 = (_v8 >> 0x00000010 & 0x000000ff) * 4; // 0x0
					_t224 = (_v8 >> 0x18) * 4; // 0x96000000
					_v8 =  *((0x400 << 2) + _t213 + 0x136ed48) ^  *(0x1400 + _t216 + 0x136ed48) ^  *(0x1800 + _t220 + 0x136ed48) ^  *(0x1c00 + _t224 + 0x136ed48);
					_a12 = _a12 - 4;
				}
				_v12 =  &(_v12[1]);
				_a8 = _v12;
				if(_a12 != 0) {
					do {
						_t238 = (_v8 >> 0x00000018 ^  *_a8 & 0x000000ff) * 4; // 0x0
						_v8 = _v8 << 0x00000008 ^  *((0x400 << 2) + _t238 + 0x136ed48);
						_a8 = _a8 + 1;
						_t369 = _a12 - 1;
						_a12 = _t369;
					} while (_t369 != 0);
				}
				_v8 =  !_v8;
				return (_v8 >> 0x00000018 & 0x000000ff) + (_v8 >> 0x00000008 & 0x0000ff00) + ((_v8 & 0x0000ff00) << 8) + ((_v8 & 0x000000ff) << 0x18);
			}

0x011793bc
0x011793c4
0x011793c7
0x011793f1
0x011793f8
0x01179401
0x0117940a
0x0117940a
0x01179412
0x0117941b
0x0117941e
0x0117942e
0x01179439
0x01179447
0x0117945a
0x01179460
0x01179467
0x01179481
0x01179496
0x0117949d
0x011794a6
0x011794b1
0x011794bf
0x011794d2
0x011794d8
0x011794df
0x011794f9
0x0117950e
0x01179515
0x0117951e
0x01179529
0x01179537
0x0117954a
0x01179550
0x01179557
0x01179571
0x01179586
0x0117958d
0x01179596
0x011795a1
0x011795af
0x011795c2
0x011795c8
0x011795cf
0x011795e9
0x011795fe
0x01179605
0x0117960e
0x01179619
0x01179627
0x0117963a
0x01179640
0x01179647
0x01179661
0x01179676
0x0117967d
0x01179686
0x01179691
0x0117969f
0x011796b2
0x011796b8
0x011796bf
0x011796d9
0x011796ee
0x011796f5
0x011796fe
0x01179709
0x01179717
0x0117972a
0x01179730
0x01179737
0x01179751
0x01179766
0x0117976d
0x01179776
0x01179781
0x0117978f
0x011797a2
0x011797a8
0x011797af
0x011797c9
0x011797de
0x011797e5
0x011797ee
0x011797ee
0x011797f6
0x01179806
0x01179811
0x0117981f
0x01179833
0x01179839
0x01179840
0x0117985b
0x01179870
0x01179877
0x01179880
0x01179880
0x0117988e
0x01179894
0x0117989b
0x0117989d
0x011798b9
0x011798c0
0x011798c9
0x011798cf
0x011798d2
0x011798d2
0x0117989d
0x011798dc
0x01179918

Strings

, xrefs: 0117941E

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: e1d28145c5ba23c90402bdfc6eb211ca1fd5994b539bff4405ded5159d3c9373
Instruction ID: a0e3e326b82336f488e121afcb9c49f6a00b97772b0aa355f13794243354539e
Opcode Fuzzy Hash: e1d28145c5ba23c90402bdfc6eb211ca1fd5994b539bff4405ded5159d3c9373
Instruction Fuzzy Hash: 920251B6A00109DFEB18CF5CC551A6DB7B2EF94344F1981BCD602AFB85C635AB52DB80

Uniqueness

Uniqueness Score: -1.00%

Function 01178E50 Relevance: 1.6, Strings: 1, Instructions: 344
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E01178E50(signed int _a4, signed char* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int* _v12;
				signed int _t252;
				intOrPtr _t334;
				signed int _t422;
				signed int _t431;
				signed int _t440;
				signed int _t449;
				signed int _t458;
				signed int _t467;
				signed int _t476;
				signed int _t485;
				signed int _t499;
				signed int _t502;
				signed int _t505;
				signed int _t508;
				signed int _t511;
				signed int _t514;
				signed int _t517;
				signed int _t520;
				signed int _t523;

				_v8 = _a4;
				_v8 =  !_v8;
				while(_a12 != 0 && (_a8 & 0x00000003) != 0) {
					_t11 = (( *_a8 & 0x000000ff ^ _v8) & 0x000000ff) * 4; // 0x0
					_v8 = _v8 >> 0x00000008 ^  *(0 + _t11 + 0x136ed48);
					_a8 =  &(_a8[1]);
					_a12 = _a12 - 1;
				}
				_v12 = _a8;
				while(_a12 >= 0x20) {
					_v8 = _v8 ^  *_v12;
					_v12 =  &(_v12[1]);
					_t422 = _v8 & 0x000000ff;
					_t502 = _v8 >> 0x00000008 & 0x000000ff;
					_t29 = _t422 * 4; // 0x96000000
					_t32 = _t502 * 4; // 0x0
					_t36 = (_v8 >> 0x00000010 & 0x000000ff) * 4; // 0x0
					_t40 = (_v8 >> 0x18) * 4; // 0x96000000
					_v8 =  *(0xc00 + _t29 + 0x136ed48) ^  *((0x400 << 1) + _t32 + 0x136ed48) ^  *((0x400 << 0) + _t36 + 0x136ed48) ^  *(0 + _t40 + 0x136ed48);
					_v8 = _v8 ^  *_v12;
					_v12 =  &(_v12[1]);
					_t431 = _v8 & 0x000000ff;
					_t505 = _v8 >> 0x00000008 & 0x000000ff;
					_t51 = _t431 * 4; // 0x96000000
					_t54 = _t505 * 4; // 0x0
					_t58 = (_v8 >> 0x00000010 & 0x000000ff) * 4; // 0x0
					_t62 = (_v8 >> 0x18) * 4; // 0x96000000
					_v8 =  *(0xc00 + _t51 + 0x136ed48) ^  *((0x400 << 1) + _t54 + 0x136ed48) ^  *((0x400 << 0) + _t58 + 0x136ed48) ^  *(0 + _t62 + 0x136ed48);
					_v8 = _v8 ^  *_v12;
					_v12 =  &(_v12[1]);
					_t440 = _v8 & 0x000000ff;
					_t508 = _v8 >> 0x00000008 & 0x000000ff;
					_t73 = _t440 * 4; // 0x96000000
					_t76 = _t508 * 4; // 0x0
					_t80 = (_v8 >> 0x00000010 & 0x000000ff) * 4; // 0x0
					_t84 = (_v8 >> 0x18) * 4; // 0x96000000
					_v8 =  *(0xc00 + _t73 + 0x136ed48) ^  *((0x400 << 1) + _t76 + 0x136ed48) ^  *((0x400 << 0) + _t80 + 0x136ed48) ^  *(0 + _t84 + 0x136ed48);
					_v8 = _v8 ^  *_v12;
					_v12 =  &(_v12[1]);
					_t449 = _v8 & 0x000000ff;
					_t511 = _v8 >> 0x00000008 & 0x000000ff;
					_t95 = _t449 * 4; // 0x96000000
					_t98 = _t511 * 4; // 0x0
					_t102 = (_v8 >> 0x00000010 & 0x000000ff) * 4; // 0x0
					_t106 = (_v8 >> 0x18) * 4; // 0x96000000
					_v8 =  *(0xc00 + _t95 + 0x136ed48) ^  *((0x400 << 1) + _t98 + 0x136ed48) ^  *((0x400 << 0) + _t102 + 0x136ed48) ^  *(0 + _t106 + 0x136ed48);
					_v8 = _v8 ^  *_v12;
					_v12 =  &(_v12[1]);
					_t458 = _v8 & 0x000000ff;
					_t514 = _v8 >> 0x00000008 & 0x000000ff;
					_t117 = _t458 * 4; // 0x96000000
					_t120 = _t514 * 4; // 0x0
					_t124 = (_v8 >> 0x00000010 & 0x000000ff) * 4; // 0x0
					_t128 = (_v8 >> 0x18) * 4; // 0x96000000
					_v8 =  *(0xc00 + _t117 + 0x136ed48) ^  *((0x400 << 1) + _t120 + 0x136ed48) ^  *((0x400 << 0) + _t124 + 0x136ed48) ^  *(0 + _t128 + 0x136ed48);
					_v8 = _v8 ^  *_v12;
					_v12 =  &(_v12[1]);
					_t467 = _v8 & 0x000000ff;
					_t517 = _v8 >> 0x00000008 & 0x000000ff;
					_t139 = _t467 * 4; // 0x96000000
					_t142 = _t517 * 4; // 0x0
					_t146 = (_v8 >> 0x00000010 & 0x000000ff) * 4; // 0x0
					_t150 = (_v8 >> 0x18) * 4; // 0x96000000
					_v8 =  *(0xc00 + _t139 + 0x136ed48) ^  *((0x400 << 1) + _t142 + 0x136ed48) ^  *((0x400 << 0) + _t146 + 0x136ed48) ^  *(0 + _t150 + 0x136ed48);
					_v8 = _v8 ^  *_v12;
					_v12 =  &(_v12[1]);
					_t476 = _v8 & 0x000000ff;
					_t520 = _v8 >> 0x00000008 & 0x000000ff;
					_t161 = _t476 * 4; // 0x96000000
					_t164 = _t520 * 4; // 0x0
					_t168 = (_v8 >> 0x00000010 & 0x000000ff) * 4; // 0x0
					_t172 = (_v8 >> 0x18) * 4; // 0x96000000
					_v8 =  *(0xc00 + _t161 + 0x136ed48) ^  *((0x400 << 1) + _t164 + 0x136ed48) ^  *((0x400 << 0) + _t168 + 0x136ed48) ^  *(0 + _t172 + 0x136ed48);
					_v8 = _v8 ^  *_v12;
					_v12 =  &(_v12[1]);
					_t485 = _v8 & 0x000000ff;
					_t523 = _v8 >> 0x00000008 & 0x000000ff;
					_t183 = _t485 * 4; // 0x96000000
					_t186 = _t523 * 4; // 0x0
					_t190 = (_v8 >> 0x00000010 & 0x000000ff) * 4; // 0x0
					_t194 = (_v8 >> 0x18) * 4; // 0x96000000
					_v8 =  *(0xc00 + _t183 + 0x136ed48) ^  *((0x400 << 1) + _t186 + 0x136ed48) ^  *((0x400 << 0) + _t190 + 0x136ed48) ^  *(0 + _t194 + 0x136ed48);
					_a12 = _a12 - 0x20;
				}
				while(_a12 >= 4) {
					_v8 = _v8 ^  *_v12;
					_v12 =  &(_v12[1]);
					_t252 = _v8 & 0x000000ff;
					_t499 = _v8 >> 0x00000008 & 0x000000ff;
					_t208 = _t252 * 4; // 0x96000000
					_t211 = _t499 * 4; // 0x0
					_t215 = (_v8 >> 0x00000010 & 0x000000ff) * 4; // 0x0
					_t219 = (_v8 >> 0x18) * 4; // 0x96000000
					_v8 =  *(0xc00 + _t208 + 0x136ed48) ^  *((0x400 << 1) + _t211 + 0x136ed48) ^  *((0x400 << 0) + _t215 + 0x136ed48) ^  *(0 + _t219 + 0x136ed48);
					_a12 = _a12 - 4;
				}
				_a8 = _v12;
				if(_a12 != 0) {
					do {
						_t231 = (( *_a8 & 0x000000ff ^ _v8) & 0x000000ff) * 4; // 0x96000000
						_v8 = _v8 >> 0x00000008 ^  *(0 + _t231 + 0x136ed48);
						_a8 = _a8 + 1;
						_t334 = _a12 - 1;
						_a12 = _t334;
					} while (_t334 != 0);
				}
				_v8 =  !_v8;
				return _v8;
			}

0x01178e5a
0x01178e62
0x01178e65
0x01178e8f
0x01178e96
0x01178e9f
0x01178ea8
0x01178ea8
0x01178eb0
0x01178eb3
0x01178ec5
0x01178ece
0x01178edc
0x01178eef
0x01178ef5
0x01178efc
0x01178f16
0x01178f2b
0x01178f32
0x01178f3d
0x01178f46
0x01178f54
0x01178f67
0x01178f6d
0x01178f74
0x01178f8e
0x01178fa3
0x01178faa
0x01178fb5
0x01178fbe
0x01178fcc
0x01178fdf
0x01178fe5
0x01178fec
0x01179006
0x0117901b
0x01179022
0x0117902d
0x01179036
0x01179044
0x01179057
0x0117905d
0x01179064
0x0117907e
0x01179093
0x0117909a
0x011790a5
0x011790ae
0x011790bc
0x011790cf
0x011790d5
0x011790dc
0x011790f6
0x0117910b
0x01179112
0x0117911d
0x01179126
0x01179134
0x01179147
0x0117914d
0x01179154
0x0117916e
0x01179183
0x0117918a
0x01179195
0x0117919e
0x011791ac
0x011791bf
0x011791c5
0x011791cc
0x011791e6
0x011791fb
0x01179202
0x0117920d
0x01179216
0x01179224
0x01179237
0x0117923d
0x01179244
0x0117925e
0x01179273
0x0117927a
0x01179283
0x01179283
0x0117928b
0x0117929d
0x011792a6
0x011792b4
0x011792c6
0x011792cc
0x011792d3
0x011792ee
0x01179303
0x0117930a
0x01179313
0x01179313
0x0117931e
0x01179325
0x01179327
0x01179343
0x0117934a
0x01179353
0x01179359
0x0117935c
0x0117935c
0x01179327
0x01179366
0x01179370

Strings

, xrefs: 01178EB3

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 4419a4eee57c1631f0380e93faeee5497f7c79306b888f121d7aba68b590abf5
Instruction ID: 209d24ddfbf18dbd6977130e77a1684585209aa9dd844854d6c818344f1e8232
Opcode Fuzzy Hash: 4419a4eee57c1631f0380e93faeee5497f7c79306b888f121d7aba68b590abf5
Instruction Fuzzy Hash: D7F17D79900119DFEB08CF5CC550BADB7B2EF94344F2881B9D601AFB85C635AB52DB84

Uniqueness

Uniqueness Score: -1.00%

Function 012F7A8A Relevance: 1.5, Strings: 1, Instructions: 214
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 88%

			E012F7A8A(void* __ecx) {
				char _v6;
				char _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				char _t49;
				signed int _t50;
				void* _t51;
				signed char _t54;
				signed char _t56;
				signed int _t57;
				signed int _t58;
				signed char _t67;
				signed char _t69;
				signed char _t71;
				signed char _t80;
				signed char _t82;
				signed int _t84;
				signed int _t86;
				signed int _t87;
				signed char _t92;
				void* _t95;
				intOrPtr _t100;
				unsigned int _t102;
				signed char _t104;
				void* _t112;
				unsigned int _t113;
				void* _t114;
				signed int _t115;
				signed int* _t116;
				void* _t119;
				void* _t121;
				void* _t122;
				void* _t124;
				void* _t125;

				_push(__ecx);
				_t119 = __ecx;
				_t92 = 1;
				_t49 =  *((char*)(__ecx + 0x31));
				_t124 = _t49 - 0x64;
				if(_t124 > 0) {
					__eflags = _t49 - 0x70;
					if(__eflags > 0) {
						_t50 = _t49 - 0x73;
						__eflags = _t50;
						if(_t50 == 0) {
							L9:
							_t51 = E012F88A7(_t119);
							L10:
							if(_t51 != 0) {
								__eflags =  *((char*)(_t119 + 0x30));
								if( *((char*)(_t119 + 0x30)) == 0) {
									_t113 =  *(_t119 + 0x20);
									_push(_t114);
									_v8 = 0;
									_t115 = 0;
									_v6 = 0;
									_t54 = _t113 >> 4;
									__eflags = _t92 & _t54;
									if((_t92 & _t54) == 0) {
										L46:
										_t100 =  *((intOrPtr*)(_t119 + 0x31));
										__eflags = _t100 - 0x78;
										if(_t100 == 0x78) {
											L48:
											_t56 = _t113 >> 5;
											__eflags = _t92 & _t56;
											if((_t92 & _t56) != 0) {
												L50:
												__eflags = _t100 - 0x61;
												if(_t100 == 0x61) {
													L53:
													_t57 = 1;
													L54:
													__eflags = _t92;
													if(_t92 != 0) {
														L56:
														 *((char*)(_t121 + _t115 - 4)) = 0x30;
														__eflags = _t100 - 0x58;
														if(_t100 == 0x58) {
															L59:
															_t58 = 1;
															L60:
															__eflags = _t58;
															 *((char*)(_t121 + _t115 - 3)) = ((_t58 & 0xffffff00 | _t58 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x78;
															_t115 = _t115 + 2;
															__eflags = _t115;
															L61:
															_t95 =  *((intOrPtr*)(_t119 + 0x24)) -  *((intOrPtr*)(_t119 + 0x38)) - _t115;
															__eflags = _t113 & 0x0000000c;
															if((_t113 & 0x0000000c) == 0) {
																E012F69B8(_t119 + 0x448, 0x20, _t95, _t119 + 0x18);
																_t122 = _t122 + 0x10;
															}
															E012F8D4B(_t119 + 0x448,  &_v8, _t115, _t119 + 0x18,  *((intOrPtr*)(_t119 + 0xc)));
															_t102 =  *(_t119 + 0x20);
															_t116 = _t119 + 0x18;
															_t67 = _t102 >> 3;
															__eflags = _t67 & 0x00000001;
															if((_t67 & 0x00000001) != 0) {
																_t104 = _t102 >> 2;
																__eflags = _t104 & 0x00000001;
																if((_t104 & 0x00000001) == 0) {
																	E012F69B8(_t119 + 0x448, 0x30, _t95, _t116);
																	_t122 = _t122 + 0x10;
																}
															}
															E012F8B72(_t95, _t119, _t116, _t119, 0);
															__eflags =  *_t116;
															if( *_t116 >= 0) {
																_t71 =  *(_t119 + 0x20) >> 2;
																__eflags = _t71 & 0x00000001;
																if((_t71 & 0x00000001) != 0) {
																	E012F69B8(_t119 + 0x448, 0x20, _t95, _t116);
																}
															}
															_t69 = 1;
															L70:
															return _t69;
														}
														__eflags = _t100 - 0x41;
														if(_t100 == 0x41) {
															goto L59;
														}
														_t58 = 0;
														goto L60;
													}
													__eflags = _t57;
													if(_t57 == 0) {
														goto L61;
													}
													goto L56;
												}
												__eflags = _t100 - 0x41;
												if(_t100 == 0x41) {
													goto L53;
												}
												_t57 = 0;
												goto L54;
											}
											L49:
											_t92 = 0;
											__eflags = 0;
											goto L50;
										}
										__eflags = _t100 - 0x58;
										if(_t100 != 0x58) {
											goto L49;
										}
										goto L48;
									}
									_t80 = _t113 >> 6;
									__eflags = _t92 & _t80;
									if((_t92 & _t80) == 0) {
										__eflags = _t92 & _t113;
										if((_t92 & _t113) == 0) {
											_t82 = _t113 >> 1;
											__eflags = _t92 & _t82;
											if((_t92 & _t82) == 0) {
												goto L46;
											}
											_v8 = 0x20;
											L45:
											_t115 = _t92;
											goto L46;
										}
										_v8 = 0x2b;
										goto L45;
									}
									_v8 = 0x2d;
									goto L45;
								}
								_t69 = _t92;
								goto L70;
							}
							L11:
							_t69 = 0;
							goto L70;
						}
						_t84 = _t50;
						__eflags = _t84;
						if(__eflags == 0) {
							L28:
							_push(0);
							_push(0xa);
							L29:
							_t51 = E012F86B2(_t119, _t114, __eflags);
							goto L10;
						}
						__eflags = _t84 - 3;
						if(__eflags != 0) {
							goto L11;
						}
						_push(0);
						L13:
						_push(0x10);
						goto L29;
					}
					if(__eflags == 0) {
						_t51 = E012F888F(__ecx);
						goto L10;
					}
					__eflags = _t49 - 0x67;
					if(_t49 <= 0x67) {
						L30:
						_t51 = E012F82BE(_t92, _t119, _t112);
						goto L10;
					}
					__eflags = _t49 - 0x69;
					if(_t49 == 0x69) {
						L27:
						_t2 = _t119 + 0x20;
						 *_t2 =  *(_t119 + 0x20) | 0x00000010;
						__eflags =  *_t2;
						goto L28;
					}
					__eflags = _t49 - 0x6e;
					if(_t49 == 0x6e) {
						_t51 = E012F87FC(__ecx, _t112);
						goto L10;
					}
					__eflags = _t49 - 0x6f;
					if(_t49 != 0x6f) {
						goto L11;
					}
					_t51 = E012F8870(__ecx);
					goto L10;
				}
				if(_t124 == 0) {
					goto L27;
				}
				_t125 = _t49 - 0x58;
				if(_t125 > 0) {
					_t86 = _t49 - 0x5a;
					__eflags = _t86;
					if(_t86 == 0) {
						_t51 = E012F81F8(__ecx);
						goto L10;
					}
					_t87 = _t86 - 7;
					__eflags = _t87;
					if(_t87 == 0) {
						goto L30;
					}
					__eflags = _t87;
					if(__eflags != 0) {
						goto L11;
					}
					L17:
					_t51 = E012F858A(_t92, _t119, __eflags, 0);
					goto L10;
				}
				if(_t125 == 0) {
					_push(1);
					goto L13;
				}
				if(_t49 == 0x41) {
					goto L30;
				}
				if(_t49 == 0x43) {
					goto L17;
				}
				if(_t49 <= 0x44) {
					goto L11;
				}
				if(_t49 <= 0x47) {
					goto L30;
				}
				if(_t49 != 0x53) {
					goto L11;
				}
				goto L9;
			}

0x012f7a8f
0x012f7a92
0x012f7a96
0x012f7a99
0x012f7a9d
0x012f7aa0
0x012f7b0e
0x012f7b11
0x012f7b60
0x012f7b60
0x012f7b63
0x012f7ad0
0x012f7ad2
0x012f7ad7
0x012f7ad9
0x012f7b7e
0x012f7b82
0x012f7b8b
0x012f7b90
0x012f7b91
0x012f7b95
0x012f7b97
0x012f7b9c
0x012f7b9f
0x012f7ba1
0x012f7bca
0x012f7bca
0x012f7bcd
0x012f7bd0
0x012f7bd7
0x012f7bd9
0x012f7bdc
0x012f7bde
0x012f7be2
0x012f7be2
0x012f7be5
0x012f7bf0
0x012f7bf0
0x012f7bf2
0x012f7bf2
0x012f7bf4
0x012f7bfa
0x012f7bfa
0x012f7bff
0x012f7c02
0x012f7c0d
0x012f7c0d
0x012f7c0f
0x012f7c0f
0x012f7c1a
0x012f7c1e
0x012f7c1e
0x012f7c21
0x012f7c27
0x012f7c29
0x012f7c2c
0x012f7c3c
0x012f7c41
0x012f7c41
0x012f7c56
0x012f7c5b
0x012f7c5e
0x012f7c63
0x012f7c66
0x012f7c68
0x012f7c6a
0x012f7c6d
0x012f7c70
0x012f7c7d
0x012f7c82
0x012f7c82
0x012f7c70
0x012f7c89
0x012f7c8e
0x012f7c91
0x012f7c96
0x012f7c99
0x012f7c9b
0x012f7ca8
0x012f7cad
0x012f7c9b
0x012f7cb0
0x012f7cb3
0x012f7cb8
0x012f7cb8
0x012f7c04
0x012f7c07
0x00000000
0x00000000
0x012f7c09
0x00000000
0x012f7c09
0x012f7bf6
0x012f7bf8
0x00000000
0x00000000
0x00000000
0x012f7bf8
0x012f7be7
0x012f7bea
0x00000000
0x00000000
0x012f7bec
0x00000000
0x012f7bec
0x012f7be0
0x012f7be0
0x012f7be0
0x00000000
0x012f7be0
0x012f7bd2
0x012f7bd5
0x00000000
0x00000000
0x00000000
0x012f7bd5
0x012f7ba5
0x012f7ba8
0x012f7baa
0x012f7bb2
0x012f7bb4
0x012f7bbe
0x012f7bc0
0x012f7bc2
0x00000000
0x00000000
0x012f7bc4
0x012f7bc8
0x012f7bc8
0x00000000
0x012f7bc8
0x012f7bb6
0x00000000
0x012f7bb6
0x012f7bac
0x00000000
0x012f7bac
0x012f7b84
0x00000000
0x012f7b84
0x012f7adf
0x012f7adf
0x00000000
0x012f7adf
0x012f7b6a
0x012f7b6a
0x012f7b6d
0x012f7b3f
0x012f7b3f
0x012f7b40
0x012f7b42
0x012f7b44
0x00000000
0x012f7b44
0x012f7b6f
0x012f7b72
0x00000000
0x00000000
0x012f7b78
0x012f7ae7
0x012f7ae7
0x00000000
0x012f7ae7
0x012f7b13
0x012f7b56
0x00000000
0x012f7b56
0x012f7b15
0x012f7b18
0x012f7b4b
0x012f7b4d
0x00000000
0x012f7b4d
0x012f7b1a
0x012f7b1d
0x012f7b3b
0x012f7b3b
0x012f7b3b
0x012f7b3b
0x00000000
0x012f7b3b
0x012f7b1f
0x012f7b22
0x012f7b34
0x00000000
0x012f7b34
0x012f7b24
0x012f7b27
0x00000000
0x00000000
0x012f7b2b
0x00000000
0x012f7b2b
0x012f7aa2
0x00000000
0x00000000
0x012f7aa8
0x012f7aab
0x012f7aeb
0x012f7aeb
0x012f7aee
0x012f7b07
0x00000000
0x012f7b07
0x012f7af0
0x012f7af0
0x012f7af3
0x00000000
0x00000000
0x012f7af6
0x012f7af9
0x00000000
0x00000000
0x012f7afb
0x012f7afe
0x00000000
0x012f7afe
0x012f7aad
0x012f7ae6
0x00000000
0x012f7ae6
0x012f7ab2
0x00000000
0x00000000
0x012f7abb
0x00000000
0x00000000
0x012f7ac0
0x00000000
0x00000000
0x012f7ac5
0x00000000
0x00000000
0x012f7ace
0x00000000
0x00000000
0x00000000

Strings

0, xrefs: 012F7BFA

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 4a5a689a3d5ae6b7ac2341519e6e1239a0176fb841357277ba68be06fc1cbf0d
Instruction ID: 15b55ace262520edaa205cb8cd0f55e61d69c0ec7f272ab1fe060ff449bb2249
Opcode Fuzzy Hash: 4a5a689a3d5ae6b7ac2341519e6e1239a0176fb841357277ba68be06fc1cbf0d
Instruction Fuzzy Hash: D051236023064F56EB398ABCC595BFFFB95DB17300F08093DDB82C7282E655DA498392

Uniqueness

Uniqueness Score: -1.00%

Function 011A57A0 Relevance: 1.0, Instructions: 982
COMMONCrypto

Download Yara Rule

C-Code - Quality: 65%

			E011A57A0(void* __ebx, void* __edi, void* __esi, signed char* _a4, signed int _a8, signed int _a12, signed char* _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v76;
				signed int _v80;
				signed char* _v84;
				signed char* _v88;
				signed int _v92;
				signed int _v96;
				unsigned int _v100;
				signed int _v104;
				signed char* _v108;
				signed int _v112;
				intOrPtr _v116;
				signed int _t380;
				intOrPtr _t382;
				signed int _t383;
				signed int _t404;
				signed char _t415;
				signed char* _t417;
				unsigned int _t421;
				signed char _t422;
				intOrPtr _t442;
				signed int _t446;
				signed char* _t453;
				signed int _t465;
				intOrPtr _t476;
				signed char* _t478;
				unsigned int _t482;
				signed char _t483;
				signed int _t495;
				signed char* _t502;
				signed int _t508;
				intOrPtr _t519;
				signed char* _t521;
				signed int _t525;
				signed char _t526;
				signed int _t538;
				signed char* _t540;
				signed int _t546;
				intOrPtr _t557;
				signed char* _t559;
				signed int _t563;
				signed char _t564;
				signed int _t576;
				signed int _t579;
				unsigned int _t583;
				signed int _t586;
				void* _t587;
				signed char* _t590;
				signed char* _t591;
				void* _t592;
				void* _t594;
				void* _t595;
				void* _t596;
				unsigned int _t597;
				unsigned int _t603;
				unsigned int _t604;
				signed int* _t612;
				signed int _t613;
				void* _t615;
				intOrPtr* _t616;
				unsigned int _t617;
				void* _t620;
				unsigned int _t625;
				signed char* _t626;
				signed int* _t627;
				signed int _t628;
				void* _t630;
				intOrPtr* _t631;
				signed int _t632;
				signed int _t633;
				void* _t635;
				unsigned int _t636;
				signed int* _t637;
				signed int _t638;
				void* _t640;
				intOrPtr* _t641;
				signed int _t642;
				signed int _t643;
				void* _t645;
				signed int _t646;
				unsigned int _t649;
				signed char* _t655;
				signed char* _t656;
				signed int _t657;
				signed char* _t658;
				void* _t659;
				signed int* _t667;
				signed char* _t672;
				signed int _t673;
				signed int _t679;
				signed char* _t680;
				signed int _t681;
				signed char* _t683;
				signed int _t684;
				signed int _t686;
				signed int _t687;
				signed char* _t688;
				signed char* _t689;
				signed int _t690;
				signed char* _t691;
				unsigned int _t694;
				signed int _t695;
				signed char* _t697;
				signed short* _t698;
				signed char* _t700;
				signed char* _t701;
				signed int _t702;
				signed char* _t703;
				signed short* _t705;
				signed char* _t707;
				signed char* _t708;
				signed int _t709;
				signed char* _t710;
				signed short* _t712;
				signed char* _t714;
				signed char* _t715;
				signed int _t716;
				signed char* _t717;
				signed char* _t719;
				void* _t723;
				signed short* _t724;
				signed int _t727;
				signed int _t731;
				signed int _t732;
				signed int _t733;
				intOrPtr* _t736;
				signed int _t737;
				void* _t738;
				signed int _t739;
				signed int _t745;
				signed int _t746;
				signed int _t747;
				intOrPtr* _t749;
				signed int _t750;
				void* _t751;
				signed int _t752;
				signed int _t754;
				signed int _t755;
				signed int _t756;
				intOrPtr* _t758;
				signed int _t759;
				void* _t760;
				signed int _t761;
				signed int _t763;
				signed int* _t766;
				signed char* _t769;
				unsigned int _t770;
				signed char* _t771;
				signed int _t772;
				signed char* _t775;
				signed char* _t776;
				void* _t779;
				signed short* _t780;
				void* _t783;
				signed short* _t784;
				void* _t785;
				signed short* _t786;
				signed int _t787;
				void* _t788;
				void* _t793;

				_t380 =  *0x139eff4; // 0xdde28b47
				_v8 = _t380 ^ _t787;
				asm("movaps xmm0, [0x13775b0]");
				_t646 = _a24;
				_t382 = _a20;
				_v40 = 0;
				_v36 = 1;
				_v32 = 2;
				_v28 = 1;
				_v24 = 4;
				_v20 = 4;
				_v16 = 4;
				_v12 = 4;
				_t579 = _a8;
				_v104 = _t579;
				asm("movups [ebp-0x44], xmm0");
				asm("movaps xmm0, [0x1377590]");
				_t719 = _a4;
				_v108 = _t719;
				asm("movups [ebp-0x34], xmm0");
				if(_t646 != 0) {
					_t383 = _t382 + _t646;
					_v92 = _t383;
					if(_t383 != _t579) {
						_t686 = _a12;
						_t763 = _t579;
						_v96 =  &(_t719[_t686]);
						_t386 = _a16;
						_v88 =  &(_t386[_t579]);
						_v84 = _t763;
						_v116 = _t763 - _t646;
						asm("sbb ecx, ecx");
						_v112 =  ~_t646;
						if(_t386 != 0) {
							while(1) {
								_t583 =  *_t719 & 0x000000ff;
								_t720 =  &(_t719[1]);
								_v100 = _t583;
								_t649 = _t583 >> 4;
								_v76 = _t649;
								if(_t649 != 0xf) {
									goto L131;
								}
								L127:
								_t597 = _t649;
								do {
									_t690 =  *_t720 & 0x000000ff;
									_t720 =  &(_t720[1]);
									_t597 = _t597 + _t690;
									asm("sbb ecx, ecx");
									_t649 =  ~_t649;
								} while (((0 | _t690 == 0x000000ff) & _t649) != 0);
								_t763 = _v84;
								_v76 = _t597;
								_t649 = _v76;
								_t583 = _v100;
								if(_t649 + _t763 < _t763 ||  &(_t720[_t649]) < _t720) {
									L172:
									return E012E980C(_v8 ^ _t787);
								} else {
									goto L131;
								}
								goto L173;
								L131:
								_t687 = _t649 + _t763;
								_v80 = _t687;
								if(_t687 >  &(_v88[0xfffffffffffffff4])) {
									L169:
									if( &(_t720[_t649]) != _v96 || _t687 > _v88) {
										goto L172;
									} else {
										E012EE160(_t763, _t720, _t649);
										return E012E980C(_v8 ^ _t787);
									}
								} else {
									_v84 =  &(_t720[_t649]);
									if(_v84 > _v96 + 0xfffffff8) {
										goto L169;
									} else {
										_t723 = _t720 - _t763;
										do {
											 *_t763 =  *((intOrPtr*)(_t763 + _t723));
											 *((intOrPtr*)(_t763 + 4)) =  *((intOrPtr*)(_t763 + _t723 + 4));
											_t763 = _t763 + 8;
										} while (_t763 < _t687);
										_t724 = _v84;
										_t766 = _v80;
										_t688 = _t766;
										_t404 =  *_t724 & 0x0000ffff;
										_t719 =  &(_t724[1]);
										_t655 = _t766 - _t404;
										_v76 = _t404;
										if(_v112 == 0 || _t655 >= _v116) {
											_t586 = _t583 & 0x0000000f;
											 *_t766 = _t404;
											if(_t586 != 0xf) {
												L143:
												_t587 = _t586 + 4;
												_t763 = _t766 + _t587;
												if(_t655 >= _v104) {
													_v80 = _t763;
													if(_t404 >= 8) {
														 *_t688 =  *_t655;
														_t656 =  &(_t655[8]);
														_t688[4] = _t655[4];
													} else {
														 *_t688 =  *_t655 & 0x000000ff;
														_t688[1] = _t655[1] & 0x000000ff;
														_t688[2] = _t655[2] & 0x000000ff;
														_t688[3] = _t655[3] & 0x000000ff;
														_t658 =  &(_t655[ *((intOrPtr*)(_t787 + _v76 * 4 - 0x24))]);
														_t688[4] =  *_t658;
														_t656 = _t658 -  *((intOrPtr*)(_t787 + _v76 * 4 - 0x44));
													}
													_t689 =  &(_t688[8]);
													_v76 = _t689;
													if(_t763 <=  &(_v88[0xfffffffffffffff4])) {
														 *_t689 =  *_t656;
														_t689[4] = _t656[4];
														if(_t587 <= 0x10) {
															goto L125;
														} else {
															_t769 =  &(_t689[8]);
															_t590 = _t769 - _t689 + _t656;
															_t657 = _v80;
															do {
																_t415 =  *_t590;
																_t590 =  &(_t590[8]);
																 *_t769 = _t415;
																_t769[4] =  *(_t590 - 4);
																_t769 =  &(_t769[8]);
															} while (_t769 < _t657);
															goto L124;
														}
													} else {
														_t417 = _v88;
														_t591 = _t417 - 7;
														_v84 = _t591;
														if(_t763 > _t417 + 0xfffffffb) {
															goto L172;
														} else {
															if(_t689 < _t591) {
																_t771 = _t689;
																_t594 = _t656 - _t689;
																_t691 = _v84;
																do {
																	 *_t771 = _t771[_t594];
																	_t771[4] = _t771[_t594 + 4];
																	_t771 =  &(_t771[8]);
																} while (_t771 < _t691);
																_t763 = _v80;
																_t656 =  &(_t656[_t691 - _v76]);
																_t689 = _v84;
															}
															_t592 = 0;
															_t421 =  >  ? 0 : _t763 - _t689;
															_v100 = _t421;
															if(_t421 != 0) {
																_t770 = _t421;
																do {
																	_t422 =  *_t656;
																	_t656 =  &(_t656[1]);
																	_t592 = _t592 + 1;
																	 *_t689 = _t422;
																	_t689 =  &(_t689[1]);
																} while (_t592 < _t770);
																L124:
																_t763 = _v80;
															}
															goto L125;
														}
													}
												} else {
													_v84 = _t763;
													if(_t763 >  &(_v88[0xfffffffffffffffb])) {
														goto L172;
													} else {
														_t434 = _v104;
														_t694 = _v104 - _t655;
														_v100 = _t694;
														if(_t587 > _t694) {
															_t595 = _t587 - _t694;
															_t772 = _v80;
															E012EE160(_t772, _v92 - _t694, _t694);
															_t763 = _t772 + _v100;
															_t788 = _t788 + 0xc;
															_t695 = _v104;
															if(_t595 <= _t763 - _t695) {
																E012EE160(_t763, _t695, _t595);
																_t788 = _t788 + 0xc;
																_t763 = _t763 + _t595;
																goto L125;
															} else {
																goto L148;
															}
														} else {
															E012EC2A0(_v80, _t655 - _t434 + _v92, _t587);
															_t788 = _t788 + 0xc;
															continue;
															do {
																while(1) {
																	_t583 =  *_t719 & 0x000000ff;
																	_t720 =  &(_t719[1]);
																	_v100 = _t583;
																	_t649 = _t583 >> 4;
																	_v76 = _t649;
																	if(_t649 != 0xf) {
																		goto L131;
																	}
																	goto L127;
																}
																L148:
																_t659 = 0;
																_v84 = _t763;
																_t596 =  >  ? 0 : _t595;
															} while (_t596 == 0);
															do {
																_t442 =  *((intOrPtr*)(_t659 + _t695));
																_t659 = _t659 + 1;
																 *_t763 = _t442;
																_t763 = _t763 + 1;
															} while (_t659 < _t596);
															L125:
															_v84 = _t763;
														}
														continue;
													}
												}
											} else {
												_v100 = _v96 + 0xfffffffb;
												asm("o16 nop [eax+eax]");
												while(1) {
													_t446 =  *_t719 & 0x000000ff;
													_t720 =  &(_t719[1]);
													if( &(_t719[1]) > _v100) {
														goto L172;
													}
													_t586 = _t586 + _t446;
													if(_t446 == 0xff) {
														continue;
													} else {
														if(_t766 + _t586 < _t766) {
															goto L172;
														} else {
															_t404 = _v76;
															goto L143;
														}
													}
													goto L173;
												}
												goto L172;
											}
										} else {
											goto L172;
										}
									}
								}
								goto L173;
							}
						} else {
							if(_t686 != 1) {
								L123:
								return E012E980C(_v8 ^ _t787);
							} else {
								_t386 = _t719;
								if( *_t719 != 0) {
									goto L123;
								} else {
									return E012E980C(_v8 ^ _t787);
								}
							}
						}
					} else {
						_t775 = _t719;
						if(_t646 < 0xffff) {
							_t727 = _t579;
							_v84 =  &(_t719[_a12]);
							_t453 = _a16;
							_v88 = _t579 + _t453;
							_v76 = _t727;
							_v92 = _t727 - _t646;
							if(_t453 != 0) {
								while(1) {
									_t603 =  *_t775 & 0x000000ff;
									_t776 =  &(_t775[1]);
									_v96 = _t603;
									_t604 = _t603 >> 4;
									if(_t604 != 0xf) {
										goto L90;
									}
									L86:
									do {
										_t702 =  *_t776 & 0x000000ff;
										_t776 =  &(_t776[1]);
										_t604 = _t604 + _t702;
										asm("sbb ecx, ecx");
										_t646 =  ~_t646;
									} while (((0 | _t702 == 0x000000ff) & _t646) != 0);
									_t727 = _v76;
									if(_t604 + _t727 < _t727 ||  &(_t776[_t604]) < _t776) {
										goto L45;
									} else {
										goto L90;
									}
									goto L173;
									L90:
									_t697 = _v88;
									_t667 = _t604 + _t727;
									_v80 = _t667;
									if(_t667 > _t697 - 0xc) {
										goto L42;
									} else {
										_t698 =  &(_t776[_t604]);
										if(_t698 >  &(_v84[0xfffffffffffffff8])) {
											goto L41;
										} else {
											_t779 = _t776 - _t727;
											_t612 = _t667;
											do {
												 *_t727 =  *((intOrPtr*)(_t779 + _t727));
												 *((intOrPtr*)(_t727 + 4)) =  *((intOrPtr*)(_t779 + _t727 + 4));
												_t727 = _t727 + 8;
											} while (_t727 < _t612);
											_t780 = _t698;
											_t672 = _t612;
											_t465 =  *_t780 & 0x0000ffff;
											_t776 =  &(_t780[1]);
											_t700 = _t612 - _t465;
											_v76 = _t465;
											if(_t700 < _v92) {
												goto L45;
											} else {
												_t731 = _v96 & 0x0000000f;
												 *_t612 = _t465;
												if(_t731 != 0xf) {
													L101:
													_t732 = _t731 + 4;
													_t613 = _t612 + _t732;
													_v96 = _t732;
													_v80 = _t613;
													if(_t465 >= 8) {
														 *_t672 =  *_t700;
														_t701 =  &(_t700[8]);
														_t672[4] = _t700[4];
													} else {
														 *_t672 =  *_t700 & 0x000000ff;
														_t672[1] = _t700[1] & 0x000000ff;
														_t672[2] = _t700[2] & 0x000000ff;
														_t672[3] = _t700[3] & 0x000000ff;
														_t703 =  &(_t700[ *((intOrPtr*)(_t787 + _v76 * 4 - 0x24))]);
														_t672[4] =  *_t703;
														_t701 = _t703 -  *((intOrPtr*)(_t787 + _v76 * 4 - 0x44));
													}
													_t646 =  &(_t672[8]);
													_t733 = _v96;
													_v100 = _t646;
													if(_t613 <=  &(_v88[0xfffffffffffffff4])) {
														 *_t646 =  *_t701;
														 *(_t646 + 4) = _t701[4];
														if(_t733 > 0x10) {
															_t736 = _t646 + 8;
															_t615 = _t736 - _t646;
															_t646 = _v80;
															_t616 = _t615 + _t701;
															do {
																_t476 =  *_t616;
																_t616 = _t616 + 8;
																 *_t736 = _t476;
																 *((intOrPtr*)(_t736 + 4)) =  *((intOrPtr*)(_t616 - 4));
																_t736 = _t736 + 8;
															} while (_t736 < _t646);
															_t613 = _v80;
														}
														goto L118;
													} else {
														_t478 = _v88;
														_t737 = _t478 - 7;
														_v76 = _t737;
														if(_t613 > _t478 + 0xfffffffb) {
															goto L45;
														} else {
															if(_t646 < _t737) {
																_t739 = _t646;
																_t620 = _t701 - _t646;
																_t673 = _v76;
																do {
																	 *_t739 =  *((intOrPtr*)(_t620 + _t739));
																	 *((intOrPtr*)(_t739 + 4)) =  *((intOrPtr*)(_t620 + _t739 + 4));
																	_t739 = _t739 + 8;
																} while (_t739 < _t673);
																_t613 = _v80;
																_t701 =  &(_t701[_t673 - _v100]);
																_t646 = _v76;
															}
															_t738 = 0;
															_t482 =  >  ? 0 : _t613 - _t646;
															_v100 = _t482;
															if(_t482 == 0) {
																L118:
																_t727 = _t613;
																_v76 = _t727;
															} else {
																_t617 = _t482;
																do {
																	_t483 =  *_t701;
																	_t701 =  &(_t701[1]);
																	_t738 = _t738 + 1;
																	 *_t646 = _t483;
																	_t646 = _t646 + 1;
																} while (_t738 < _t617);
																_t727 = _v80;
																_v76 = _t727;
																while(1) {
																	_t603 =  *_t775 & 0x000000ff;
																	_t776 =  &(_t775[1]);
																	_v96 = _t603;
																	_t604 = _t603 >> 4;
																	if(_t604 != 0xf) {
																		goto L90;
																	}
																	goto L86;
																}
															}
															continue;
														}
													}
												} else {
													_v96 =  &(_v84[0xfffffffffffffffb]);
													while(1) {
														_t495 =  *_t776 & 0x000000ff;
														_t776 =  &(_t776[1]);
														if(_t776 > _v96) {
															goto L45;
														}
														_t731 = _t731 + _t495;
														if(_t495 == 0xff) {
															continue;
														} else {
															if(_t612 + _t731 < _t612) {
																goto L45;
															} else {
																_t465 = _v76;
																goto L101;
															}
														}
														goto L173;
													}
													goto L45;
												}
											}
										}
									}
									goto L173;
								}
							} else {
								goto L3;
							}
						} else {
							_t679 = _a12;
							_t502 = _a16;
							_t727 = _t579;
							_v84 =  &(_t719[_t679]);
							_v76 = _t727;
							_v88 = _t579 + _t502;
							if(_t502 == 0) {
								goto L2;
							} else {
								while(1) {
									_t625 =  *_t775 & 0x000000ff;
									_t776 =  &(_t775[1]);
									_v96 = _t625;
									_t604 = _t625 >> 4;
									if(_t604 != 0xf) {
										goto L54;
									}
									L50:
									asm("o16 nop [eax+eax]");
									do {
										_t709 =  *_t776 & 0x000000ff;
										_t776 =  &(_t776[1]);
										_t604 = _t604 + _t709;
										asm("sbb ecx, ecx");
										_t679 =  ~_t679;
									} while (((0 | _t709 == 0x000000ff) & _t679) != 0);
									_t727 = _v76;
									if(_t604 + _t727 < _t727 ||  &(_t776[_t604]) < _t776) {
										goto L45;
									} else {
										goto L54;
									}
									goto L173;
									L54:
									_t697 = _v88;
									_t667 = _t604 + _t727;
									_v80 = _t667;
									if(_t667 > _t697 - 0xc) {
										goto L42;
									} else {
										_t705 =  &(_t776[_t604]);
										if(_t705 >  &(_v84[0xfffffffffffffff8])) {
											goto L41;
										} else {
											_t783 = _t776 - _t727;
											_t626 = _t667;
											do {
												 *_t727 =  *((intOrPtr*)(_t783 + _t727));
												 *((intOrPtr*)(_t727 + 4)) =  *((intOrPtr*)(_t783 + _t727 + 4));
												_t727 = _t727 + 8;
											} while (_t727 < _t626);
											_t784 = _t705;
											_t680 = _t626;
											_t627 = _v80;
											_t508 =  *_t784 & 0x0000ffff;
											_t776 =  &(_t784[1]);
											_t707 = _t626 - _t508;
											_v76 = _t508;
											if(_t707 < _v104 + 0xffff0000) {
												goto L45;
											} else {
												_t745 = _v96 & 0x0000000f;
												 *_t627 = _t508;
												if(_t745 != 0xf) {
													L65:
													_t746 = _t745 + 4;
													_t628 = _t627 + _t746;
													_v96 = _t746;
													_v80 = _t628;
													if(_t508 >= 8) {
														 *_t680 =  *_t707;
														_t708 =  &(_t707[8]);
														_t680[4] = _t707[4];
													} else {
														 *_t680 =  *_t707 & 0x000000ff;
														_t680[1] = _t707[1] & 0x000000ff;
														_t680[2] = _t707[2] & 0x000000ff;
														_t680[3] = _t707[3] & 0x000000ff;
														_t710 =  &(_t707[ *((intOrPtr*)(_t787 + _v76 * 4 - 0x24))]);
														_t680[4] =  *_t710;
														_t708 = _t710 -  *((intOrPtr*)(_t787 + _v76 * 4 - 0x44));
													}
													_t679 =  &(_t680[8]);
													_t747 = _v96;
													_v92 = _t679;
													if(_t628 <=  &(_v88[0xfffffffffffffff4])) {
														 *_t679 =  *_t708;
														 *(_t679 + 4) = _t708[4];
														if(_t747 > 0x10) {
															_t183 = _t679 + 8; // 0x4
															_t749 = _t183;
															_t630 = _t749 - _t679;
															_t679 = _v80;
															_t631 = _t630 + _t708;
															do {
																_t519 =  *_t631;
																_t631 = _t631 + 8;
																 *_t749 = _t519;
																 *((intOrPtr*)(_t749 + 4)) =  *((intOrPtr*)(_t631 - 4));
																_t749 = _t749 + 8;
															} while (_t749 < _t679);
															_t628 = _v80;
														}
														goto L82;
													} else {
														_t521 = _v88;
														_t750 = _t521 - 7;
														_v76 = _t750;
														if(_t628 > _t521 + 0xfffffffb) {
															goto L45;
														} else {
															if(_t679 < _t750) {
																_t752 = _t679;
																_t635 = _t708 - _t679;
																_t681 = _v76;
																do {
																	 *_t752 =  *((intOrPtr*)(_t635 + _t752));
																	 *((intOrPtr*)(_t752 + 4)) =  *((intOrPtr*)(_t635 + _t752 + 4));
																	_t752 = _t752 + 8;
																} while (_t752 < _t681);
																_t628 = _v80;
																_t708 =  &(_t708[_t681 - _v92]);
																_t679 = _v76;
															}
															_t751 = 0;
															_t525 =  >  ? 0 : _t628 - _t679;
															_v92 = _t525;
															if(_t525 == 0) {
																L82:
																_t727 = _t628;
																_v76 = _t628;
															} else {
																_t632 = _t525;
																do {
																	_t526 =  *_t708;
																	_t708 =  &(_t708[1]);
																	_t751 = _t751 + 1;
																	 *_t679 = _t526;
																	_t679 = _t679 + 1;
																} while (_t751 < _t632);
																_t633 = _v80;
																_t727 = _t633;
																_v76 = _t633;
																while(1) {
																	_t625 =  *_t775 & 0x000000ff;
																	_t776 =  &(_t775[1]);
																	_v96 = _t625;
																	_t604 = _t625 >> 4;
																	if(_t604 != 0xf) {
																		goto L54;
																	}
																	goto L50;
																}
															}
															continue;
														}
													}
												} else {
													_v92 =  &(_v84[0xfffffffffffffffb]);
													while(1) {
														_t538 =  *_t776 & 0x000000ff;
														_t776 =  &(_t776[1]);
														if(_t776 > _v92) {
															goto L45;
														}
														_t745 = _t745 + _t538;
														if(_t538 == 0xff) {
															continue;
														} else {
															if(_t627 + _t745 < _t627) {
																goto L45;
															} else {
																_t508 = _v76;
																goto L65;
															}
														}
														goto L173;
													}
													goto L45;
												}
											}
										}
									}
									goto L173;
								}
							}
						}
					}
				} else {
					_t679 = _a12;
					_t775 = _t719;
					_t540 = _a16;
					_t727 = _t579;
					_v84 =  &(_t719[_t679]);
					_v76 = _t727;
					_v88 =  &(_t540[_t579]);
					if(_t540 != 0) {
						while(1) {
							_t636 =  *_t775 & 0x000000ff;
							_t776 =  &(_t775[1]);
							_v96 = _t636;
							_t604 = _t636 >> 4;
							if(_t604 != 0xf) {
								goto L12;
							} else {
							}
							do {
								L9:
								_t716 =  *_t776 & 0x000000ff;
								_t776 =  &(_t776[1]);
								_t604 = _t604 + _t716;
								asm("sbb ecx, ecx");
								_t679 =  ~_t679;
							} while (((0 | _t716 == 0x000000ff) & _t679) != 0);
							_t727 = _v76;
							if(_t604 + _t727 < _t727 ||  &(_t776[_t604]) < _t776) {
								L45:
								return E012E980C(_v8 ^ _t787);
							} else {
								goto L12;
							}
							goto L173;
							L12:
							_t697 = _v88;
							_t667 = _t604 + _t727;
							_v80 = _t667;
							if(_t667 > _t697 - 0xc) {
								L42:
								if( &(_t776[_t604]) != _v84 || _t667 > _t697) {
									goto L45;
								} else {
									E012EE160(_t727, _t776, _t604);
									return E012E980C(_v8 ^ _t787);
								}
							} else {
								_t712 =  &(_t776[_t604]);
								if(_t712 >  &(_v84[0xfffffffffffffff8])) {
									L41:
									_t697 = _v88;
									goto L42;
								} else {
									_t785 = _t776 - _t727;
									_t637 = _t667;
									do {
										 *_t727 =  *((intOrPtr*)(_t785 + _t727));
										 *((intOrPtr*)(_t727 + 4)) =  *((intOrPtr*)(_t785 + _t727 + 4));
										_t727 = _t727 + 8;
									} while (_t727 < _t637);
									_t786 = _t712;
									_t683 = _t637;
									_t546 =  *_t786 & 0x0000ffff;
									_t776 =  &(_t786[1]);
									_t714 = _t637 - _t546;
									_v76 = _t546;
									if(_t714 < _v104) {
										goto L45;
									} else {
										_t754 = _v96 & 0x0000000f;
										 *_t637 = _t546;
										if(_t754 != 0xf) {
											L23:
											_t755 = _t754 + 4;
											_t638 = _t637 + _t755;
											_v96 = _t755;
											_v80 = _t638;
											if(_t546 >= 8) {
												 *_t683 =  *_t714;
												_t715 =  &(_t714[8]);
												_t683[4] = _t714[4];
											} else {
												 *_t683 =  *_t714 & 0x000000ff;
												_t683[1] = _t714[1] & 0x000000ff;
												_t683[2] = _t714[2] & 0x000000ff;
												_t683[3] = _t714[3] & 0x000000ff;
												_t717 =  &(_t714[ *((intOrPtr*)(_t787 + _v76 * 4 - 0x24))]);
												_t683[4] =  *_t717;
												_t715 = _t717 -  *((intOrPtr*)(_t787 + _v76 * 4 - 0x44));
											}
											_t679 =  &(_t683[8]);
											_t756 = _v96;
											_v92 = _t679;
											if(_t638 <=  &(_v88[0xfffffffffffffff4])) {
												 *_t679 =  *_t715;
												 *(_t679 + 4) = _t715[4];
												if(_t756 > 0x10) {
													_t92 = _t679 + 8; // 0x4
													_t758 = _t92;
													_t640 = _t758 - _t679;
													_t679 = _v80;
													_t641 = _t640 + _t715;
													asm("o16 nop [eax+eax]");
													do {
														_t557 =  *_t641;
														_t641 = _t641 + 8;
														 *_t758 = _t557;
														 *((intOrPtr*)(_t758 + 4)) =  *((intOrPtr*)(_t641 - 4));
														_t758 = _t758 + 8;
													} while (_t758 < _t679);
													_t638 = _v80;
												}
												goto L40;
											} else {
												_t559 = _v88;
												_t759 = _t559 - 7;
												_v76 = _t759;
												if(_t638 >  &(_t559[0xfffffffffffffffb])) {
													goto L45;
												} else {
													if(_t679 < _t759) {
														_t761 = _t679;
														_t645 = _t715 - _t679;
														_t684 = _v76;
														do {
															 *_t761 =  *((intOrPtr*)(_t645 + _t761));
															 *((intOrPtr*)(_t761 + 4)) =  *((intOrPtr*)(_t645 + _t761 + 4));
															_t761 = _t761 + 8;
														} while (_t761 < _t684);
														_t638 = _v80;
														_t715 =  &(_t715[_t684 - _v92]);
														_t679 = _v76;
													}
													_t760 = 0;
													_t563 =  >  ? 0 : _t638 - _t679;
													_v92 = _t563;
													if(_t563 == 0) {
														L40:
														_t727 = _t638;
														_v76 = _t638;
													} else {
														_t642 = _t563;
														do {
															_t564 =  *_t715;
															_t715 =  &(_t715[1]);
															_t760 = _t760 + 1;
															 *_t679 = _t564;
															_t679 = _t679 + 1;
														} while (_t760 < _t642);
														_t643 = _v80;
														_t727 = _t643;
														_v76 = _t643;
														while(1) {
															_t636 =  *_t775 & 0x000000ff;
															_t776 =  &(_t775[1]);
															_v96 = _t636;
															_t604 = _t636 >> 4;
															if(_t604 != 0xf) {
																goto L12;
															} else {
															}
															goto L9;
														}
													}
													continue;
												}
											}
										} else {
											_v92 =  &(_v84[0xfffffffffffffffb]);
											while(1) {
												_t576 =  *_t776 & 0x000000ff;
												_t776 =  &(_t776[1]);
												if(_t776 > _v92) {
													goto L45;
												}
												_t754 = _t754 + _t576;
												if(_t576 == 0xff) {
													continue;
												} else {
													if(_t637 + _t754 < _t637) {
														goto L45;
													} else {
														_t546 = _v76;
														goto L23;
													}
												}
												goto L173;
											}
											goto L45;
										}
									}
								}
							}
							goto L173;
						}
					} else {
						L2:
						_t793 = _t679 - 1;
						L3:
						if(_t793 != 0 ||  *_t775 != 0) {
							return E012E980C(_v8 ^ _t787);
						} else {
							return E012E980C(_v8 ^ _t787);
						}
					}
				}
				L173:
			}

0x011a57a6
0x011a57ad
0x011a57b0
0x011a57b7
0x011a57ba
0x011a57bd
0x011a57c4
0x011a57cb
0x011a57d2
0x011a57d9
0x011a57e0
0x011a57e7
0x011a57ee
0x011a57f6
0x011a57f9
0x011a57fd
0x011a5802
0x011a5809
0x011a580c
0x011a580f
0x011a5815
0x011a5aaf
0x011a5ab1
0x011a5ab6
0x011a5f01
0x011a5f08
0x011a5f0a
0x011a5f0d
0x011a5f12
0x011a5f19
0x011a5f22
0x011a5f25
0x011a5f29
0x011a5f2e
0x011a5f70
0x011a5f70
0x011a5f73
0x011a5f76
0x011a5f79
0x011a5f7c
0x011a5f82
0x00000000
0x00000000
0x011a5f84
0x011a5f87
0x011a5f90
0x011a5f90
0x011a5f93
0x011a5f94
0x011a5f98
0x011a5f9c
0x011a5fa7
0x011a5fab
0x011a5fae
0x011a5fb1
0x011a5fb4
0x011a5fbc
0x011a624a
0x011a6260
0x00000000
0x00000000
0x00000000
0x00000000
0x011a5fcd
0x011a5fd0
0x011a5fd6
0x011a5fdb
0x011a6219
0x011a621f
0x00000000
0x011a6226
0x011a6229
0x011a6249
0x011a6249
0x011a5fe1
0x011a5fe4
0x011a5ff0
0x00000000
0x011a5ff6
0x011a5ff6
0x011a6000
0x011a6003
0x011a6009
0x011a600c
0x011a600f
0x011a6013
0x011a6016
0x011a6019
0x011a601d
0x011a6020
0x011a6023
0x011a6025
0x011a602c
0x011a6037
0x011a603a
0x011a603f
0x011a6074
0x011a6074
0x011a6077
0x011a607c
0x011a6113
0x011a6119
0x011a614c
0x011a6151
0x011a6154
0x011a611b
0x011a611e
0x011a6124
0x011a612b
0x011a6132
0x011a6138
0x011a613e
0x011a6144
0x011a6144
0x011a615a
0x011a6160
0x011a6165
0x011a61dc
0x011a61e1
0x011a61e7
0x00000000
0x011a61ed
0x011a61ed
0x011a61f4
0x011a61f6
0x011a6200
0x011a6200
0x011a6202
0x011a6205
0x011a620a
0x011a620d
0x011a6210
0x00000000
0x011a6214
0x011a6167
0x011a6167
0x011a616a
0x011a6170
0x011a6175
0x00000000
0x011a617b
0x011a617d
0x011a6181
0x011a6183
0x011a6185
0x011a6190
0x011a6193
0x011a6199
0x011a619c
0x011a619f
0x011a61a6
0x011a61a9
0x011a61ab
0x011a61ab
0x011a61ae
0x011a61b6
0x011a61b9
0x011a61be
0x011a61c4
0x011a61c6
0x011a61c6
0x011a61c8
0x011a61cb
0x011a61cc
0x011a61ce
0x011a61d1
0x011a5f63
0x011a5f63
0x011a5f63
0x00000000
0x011a61be
0x011a6175
0x011a6082
0x011a6088
0x011a608d
0x00000000
0x011a6093
0x011a6093
0x011a6098
0x011a609a
0x011a609f
0x011a60bc
0x011a60be
0x011a60c6
0x011a60cb
0x011a60ce
0x011a60d1
0x011a60da
0x011a6104
0x011a6109
0x011a610c
0x00000000
0x00000000
0x00000000
0x00000000
0x011a60a1
0x011a60ac
0x011a60b1
0x011a60b4
0x011a5f70
0x011a5f70
0x011a5f70
0x011a5f73
0x011a5f76
0x011a5f79
0x011a5f7c
0x011a5f82
0x00000000
0x00000000
0x00000000
0x011a5f82
0x011a60dc
0x011a60dc
0x011a60de
0x011a60e6
0x011a60e9
0x011a60f1
0x011a60f1
0x011a60f4
0x011a60f5
0x011a60f7
0x011a60f8
0x011a5f66
0x011a5f66
0x011a5f66
0x00000000
0x011a609f
0x011a608d
0x011a6041
0x011a6047
0x011a604a
0x011a6050
0x011a6050
0x011a6053
0x011a6057
0x00000000
0x00000000
0x011a605d
0x011a6064
0x00000000
0x011a6066
0x011a606b
0x00000000
0x011a6071
0x011a6071
0x00000000
0x011a6071
0x011a606b
0x00000000
0x011a6064
0x00000000
0x011a6050
0x00000000
0x00000000
0x00000000
0x011a602c
0x011a5ff0
0x00000000
0x011a5fdb
0x011a5f30
0x011a5f33
0x011a5f4f
0x011a5f62
0x011a5f35
0x011a5f35
0x011a5f3a
0x00000000
0x011a5f3c
0x011a5f4e
0x011a5f4e
0x011a5f3a
0x011a5f33
0x011a5abc
0x011a5abc
0x011a5ac4
0x011a5cea
0x011a5cec
0x011a5cef
0x011a5cf4
0x011a5cfb
0x011a5cfe
0x011a5d03
0x011a5d10
0x011a5d10
0x011a5d13
0x011a5d14
0x011a5d17
0x011a5d1d
0x00000000
0x00000000
0x011a5d1f
0x011a5d25
0x011a5d25
0x011a5d28
0x011a5d29
0x011a5d2d
0x011a5d31
0x011a5d3c
0x011a5d40
0x011a5d48
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x011a5d59
0x011a5d59
0x011a5d5c
0x011a5d5f
0x011a5d67
0x00000000
0x011a5d6d
0x011a5d70
0x011a5d78
0x00000000
0x011a5d7e
0x011a5d7e
0x011a5d80
0x011a5d82
0x011a5d85
0x011a5d8b
0x011a5d8e
0x011a5d91
0x011a5d95
0x011a5d97
0x011a5d9b
0x011a5d9e
0x011a5da1
0x011a5da3
0x011a5da9
0x00000000
0x011a5daf
0x011a5db2
0x011a5db5
0x011a5dba
0x011a5de9
0x011a5de9
0x011a5dec
0x011a5dee
0x011a5df1
0x011a5df7
0x011a5e2a
0x011a5e2f
0x011a5e32
0x011a5df9
0x011a5dfc
0x011a5e02
0x011a5e09
0x011a5e10
0x011a5e16
0x011a5e1c
0x011a5e22
0x011a5e22
0x011a5e38
0x011a5e3b
0x011a5e41
0x011a5e46
0x011a5ec0
0x011a5ec5
0x011a5ecb
0x011a5ecd
0x011a5ed2
0x011a5ed4
0x011a5ed7
0x011a5ee0
0x011a5ee0
0x011a5ee2
0x011a5ee5
0x011a5eea
0x011a5eed
0x011a5ef0
0x011a5ef4
0x011a5ef4
0x00000000
0x011a5e4c
0x011a5e4c
0x011a5e4f
0x011a5e55
0x011a5e5a
0x00000000
0x011a5e60
0x011a5e62
0x011a5e66
0x011a5e68
0x011a5e6a
0x011a5e70
0x011a5e73
0x011a5e79
0x011a5e7c
0x011a5e7f
0x011a5e86
0x011a5e89
0x011a5e8b
0x011a5e8b
0x011a5e8e
0x011a5e96
0x011a5e99
0x011a5e9e
0x011a5ef7
0x011a5ef7
0x011a5ef9
0x011a5ea0
0x011a5ea0
0x011a5ea2
0x011a5ea2
0x011a5ea4
0x011a5ea7
0x011a5ea8
0x011a5eaa
0x011a5ead
0x011a5eb4
0x011a5eb6
0x011a5d10
0x011a5d10
0x011a5d13
0x011a5d14
0x011a5d17
0x011a5d1d
0x00000000
0x00000000
0x00000000
0x011a5d1d
0x011a5d10
0x00000000
0x011a5e9e
0x011a5e5a
0x011a5dbc
0x011a5dc2
0x011a5dc5
0x011a5dc5
0x011a5dc8
0x011a5dcc
0x00000000
0x00000000
0x011a5dd2
0x011a5dd9
0x00000000
0x011a5ddb
0x011a5de0
0x00000000
0x011a5de6
0x011a5de6
0x00000000
0x011a5de6
0x011a5de0
0x00000000
0x011a5dd9
0x00000000
0x011a5dc5
0x011a5dba
0x011a5da9
0x011a5d78
0x00000000
0x011a5d67
0x011a5d05
0x00000000
0x011a5d05
0x011a5aca
0x011a5aca
0x011a5acd
0x011a5ad3
0x011a5ad7
0x011a5ada
0x011a5add
0x011a5ae2
0x00000000
0x00000000
0x011a5ae8
0x011a5ae8
0x011a5aeb
0x011a5aec
0x011a5aef
0x011a5af5
0x00000000
0x00000000
0x011a5af7
0x011a5afa
0x011a5b00
0x011a5b00
0x011a5b03
0x011a5b04
0x011a5b08
0x011a5b0c
0x011a5b17
0x011a5b1b
0x011a5b23
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x011a5b34
0x011a5b34
0x011a5b37
0x011a5b3a
0x011a5b42
0x00000000
0x011a5b48
0x011a5b4b
0x011a5b53
0x00000000
0x011a5b59
0x011a5b59
0x011a5b5b
0x011a5b60
0x011a5b63
0x011a5b69
0x011a5b6c
0x011a5b6f
0x011a5b76
0x011a5b80
0x011a5b82
0x011a5b85
0x011a5b88
0x011a5b8b
0x011a5b8d
0x011a5b92
0x00000000
0x011a5b98
0x011a5b9b
0x011a5b9e
0x011a5ba3
0x011a5bd4
0x011a5bd4
0x011a5bd7
0x011a5bd9
0x011a5bdc
0x011a5be2
0x011a5c15
0x011a5c1a
0x011a5c1d
0x011a5be4
0x011a5be7
0x011a5bed
0x011a5bf4
0x011a5bfb
0x011a5c01
0x011a5c07
0x011a5c0d
0x011a5c0d
0x011a5c23
0x011a5c26
0x011a5c2c
0x011a5c31
0x011a5ca7
0x011a5cac
0x011a5cb2
0x011a5cb4
0x011a5cb4
0x011a5cb9
0x011a5cbb
0x011a5cbe
0x011a5cc0
0x011a5cc0
0x011a5cc2
0x011a5cc5
0x011a5cca
0x011a5ccd
0x011a5cd0
0x011a5cd4
0x011a5cd4
0x00000000
0x011a5c33
0x011a5c33
0x011a5c36
0x011a5c3c
0x011a5c41
0x00000000
0x011a5c47
0x011a5c49
0x011a5c4d
0x011a5c4f
0x011a5c51
0x011a5c54
0x011a5c57
0x011a5c5d
0x011a5c60
0x011a5c63
0x011a5c6a
0x011a5c6d
0x011a5c6f
0x011a5c6f
0x011a5c72
0x011a5c7a
0x011a5c7d
0x011a5c82
0x011a5cd7
0x011a5cda
0x011a5cdc
0x011a5c84
0x011a5c84
0x011a5c86
0x011a5c86
0x011a5c88
0x011a5c8b
0x011a5c8c
0x011a5c8e
0x011a5c91
0x011a5c95
0x011a5c98
0x011a5c9d
0x011a5ae8
0x011a5ae8
0x011a5aeb
0x011a5aec
0x011a5aef
0x011a5af5
0x00000000
0x00000000
0x00000000
0x011a5af5
0x011a5ae8
0x00000000
0x011a5c82
0x011a5c41
0x011a5ba5
0x011a5bab
0x011a5bb0
0x011a5bb0
0x011a5bb3
0x011a5bb7
0x00000000
0x00000000
0x011a5bbd
0x011a5bc4
0x00000000
0x011a5bc6
0x011a5bcb
0x00000000
0x011a5bd1
0x011a5bd1
0x00000000
0x011a5bd1
0x011a5bcb
0x00000000
0x011a5bc4
0x00000000
0x011a5bb0
0x011a5ba3
0x011a5b92
0x011a5b53
0x00000000
0x011a5b42
0x011a5ae8
0x011a5ae2
0x011a5ac4
0x011a581b
0x011a581b
0x011a581e
0x011a5820
0x011a5826
0x011a582a
0x011a582d
0x011a5830
0x011a5835
0x011a5870
0x011a5870
0x011a5873
0x011a5874
0x011a5877
0x011a587d
0x00000000
0x011a587f
0x011a587f
0x011a5882
0x011a5882
0x011a5882
0x011a5885
0x011a5886
0x011a588a
0x011a588e
0x011a5899
0x011a589d
0x011a58a5
0x011a5a96
0x011a5aae
0x00000000
0x00000000
0x00000000
0x00000000
0x011a58b6
0x011a58b6
0x011a58b9
0x011a58bc
0x011a58c4
0x011a5a67
0x011a5a6d
0x00000000
0x011a5a73
0x011a5a76
0x011a5a95
0x011a5a95
0x011a58ca
0x011a58cd
0x011a58d5
0x011a5a64
0x011a5a64
0x00000000
0x011a58db
0x011a58db
0x011a58dd
0x011a58e0
0x011a58e3
0x011a58e9
0x011a58ec
0x011a58ef
0x011a58f3
0x011a58f5
0x011a58f9
0x011a58fc
0x011a58ff
0x011a5901
0x011a5907
0x00000000
0x011a590d
0x011a5910
0x011a5913
0x011a5918
0x011a5947
0x011a5947
0x011a594a
0x011a594c
0x011a594f
0x011a5955
0x011a5988
0x011a598d
0x011a5990
0x011a5957
0x011a595a
0x011a5960
0x011a5967
0x011a596e
0x011a5974
0x011a597a
0x011a5980
0x011a5980
0x011a5996
0x011a5999
0x011a599f
0x011a59a4
0x011a5a21
0x011a5a26
0x011a5a2c
0x011a5a2e
0x011a5a2e
0x011a5a33
0x011a5a35
0x011a5a38
0x011a5a3a
0x011a5a40
0x011a5a40
0x011a5a42
0x011a5a45
0x011a5a4a
0x011a5a4d
0x011a5a50
0x011a5a54
0x011a5a54
0x00000000
0x011a59a6
0x011a59a6
0x011a59a9
0x011a59af
0x011a59b4
0x00000000
0x011a59ba
0x011a59bc
0x011a59c0
0x011a59c2
0x011a59c4
0x011a59c7
0x011a59ca
0x011a59d0
0x011a59d3
0x011a59d6
0x011a59dd
0x011a59e0
0x011a59e2
0x011a59e2
0x011a59e5
0x011a59ed
0x011a59f0
0x011a59f5
0x011a5a57
0x011a5a5a
0x011a5a5c
0x011a59f7
0x011a59f7
0x011a5a00
0x011a5a00
0x011a5a02
0x011a5a05
0x011a5a06
0x011a5a08
0x011a5a0b
0x011a5a0f
0x011a5a12
0x011a5a17
0x011a5870
0x011a5870
0x011a5873
0x011a5874
0x011a5877
0x011a587d
0x00000000
0x011a587f
0x011a587f
0x00000000
0x011a587d
0x011a5870
0x00000000
0x011a59f5
0x011a59b4
0x011a591a
0x011a5920
0x011a5923
0x011a5923
0x011a5926
0x011a592a
0x00000000
0x00000000
0x011a5930
0x011a5937
0x00000000
0x011a5939
0x011a593e
0x00000000
0x011a5944
0x011a5944
0x00000000
0x011a5944
0x011a593e
0x00000000
0x011a5937
0x00000000
0x011a5923
0x011a5918
0x011a5907
0x011a58d5
0x00000000
0x011a58c4
0x011a5837
0x011a5837
0x011a5837
0x011a583a
0x011a583a
0x011a586d
0x011a5843
0x011a5857
0x011a5857
0x011a583a
0x011a5835
0x00000000

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c27f53bb582571f03cb238e84be3e0ae890fafc33db5a1d8fccba6ae20652b5a
Instruction ID: 0cba74ef1945d7893434788fce47d3ade77709adf74d665f0dc1b556225e2012
Opcode Fuzzy Hash: c27f53bb582571f03cb238e84be3e0ae890fafc33db5a1d8fccba6ae20652b5a
Instruction Fuzzy Hash: A5829E75A0425A8FCB18CFACC8D05ACFFF2BF89314B688269D559DB346D331A946CB40

Uniqueness

Uniqueness Score: -1.00%

Function 011A6270 Relevance: .8, Instructions: 789
COMMONCrypto

Download Yara Rule

C-Code - Quality: 70%

			E011A6270(void* __ebx, void* __edi, void* __esi, signed char* _a4, signed int* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int* _v76;
				signed int _v80;
				signed int _v84;
				signed char* _v88;
				signed int* _v92;
				signed int _v96;
				signed char* _v100;
				intOrPtr _v104;
				signed int _t299;
				intOrPtr _t301;
				intOrPtr _t302;
				signed int* _t304;
				signed int _t316;
				signed int _t323;
				signed char _t324;
				signed int _t326;
				signed int _t330;
				signed char _t331;
				void* _t335;
				signed int _t352;
				signed int _t354;
				intOrPtr _t358;
				signed int _t368;
				signed int _t375;
				signed char _t376;
				signed int* _t378;
				signed int _t382;
				signed char _t383;
				signed int _t393;
				signed int _t396;
				signed int _t403;
				signed char _t404;
				signed int* _t406;
				signed int _t410;
				signed char _t411;
				signed int _t421;
				intOrPtr _t422;
				signed int _t425;
				signed int _t432;
				intOrPtr _t433;
				signed int* _t435;
				signed int _t439;
				signed char _t440;
				signed int _t450;
				unsigned int _t452;
				signed int _t455;
				void* _t456;
				signed char* _t459;
				signed int _t460;
				void* _t461;
				void* _t463;
				void* _t464;
				void* _t465;
				unsigned int _t471;
				unsigned int _t472;
				signed int* _t480;
				signed int* _t481;
				signed char* _t484;
				signed int _t485;
				void* _t488;
				unsigned int _t489;
				signed int* _t490;
				signed int* _t491;
				signed char* _t494;
				signed int _t495;
				void* _t498;
				unsigned int _t499;
				signed int* _t500;
				signed int* _t501;
				intOrPtr* _t504;
				signed int _t505;
				void* _t508;
				intOrPtr _t509;
				signed int _t510;
				signed char* _t511;
				signed char* _t512;
				signed short* _t517;
				signed char* _t520;
				signed char* _t521;
				signed char* _t522;
				signed int* _t528;
				signed char* _t531;
				void* _t537;
				signed char* _t538;
				signed char* _t539;
				signed int* _t540;
				signed int _t541;
				signed char* _t543;
				void* _t545;
				signed char* _t546;
				signed char* _t547;
				signed int* _t548;
				signed int _t549;
				signed int* _t551;
				signed char* _t552;
				void* _t554;
				signed char* _t555;
				unsigned int _t556;
				signed int* _t557;
				signed int _t558;
				signed char* _t560;
				signed int _t561;
				unsigned int _t563;
				void* _t565;
				signed char* _t566;
				signed char* _t567;
				signed int _t569;
				void* _t570;
				signed char* _t572;
				signed char* _t573;
				signed char* _t574;
				signed char* _t575;
				signed char* _t576;
				signed char* _t577;
				signed char* _t578;
				signed char* _t579;
				signed char* _t580;
				signed char* _t581;
				signed int* _t583;
				signed int* _t586;
				signed char* _t587;
				signed char* _t588;
				signed int* _t589;
				signed char* _t590;
				signed char* _t592;
				signed char* _t594;
				signed char* _t599;
				signed int* _t602;
				signed int* _t605;
				signed int* _t606;
				signed int* _t607;
				signed int _t608;
				signed char* _t609;
				signed int _t615;
				void* _t616;
				signed char* _t617;
				signed int _t618;
				void* _t619;
				signed char* _t620;
				signed int _t622;
				void* _t623;
				signed char* _t624;
				signed int _t625;
				void* _t626;
				signed char* _t627;
				signed int _t629;
				void* _t630;
				intOrPtr* _t631;
				signed int _t632;
				void* _t633;
				unsigned int _t634;
				signed int _t635;
				void* _t636;

				_t299 =  *0x139eff4; // 0xdde28b47
				_v8 = _t299 ^ _t635;
				asm("movaps xmm0, [0x13775b0]");
				_t301 = _a20;
				_t560 = _a4;
				_t509 = _a16;
				_v100 = _t560;
				_v40 = 0;
				_v36 = 1;
				_v32 = 2;
				_v28 = 1;
				_v24 = 4;
				_v20 = 4;
				_v16 = 4;
				_v12 = 4;
				_t602 = _a8;
				_v92 = _t602;
				asm("movups [ebp-0x44], xmm0");
				asm("movaps xmm0, [0x1377590]");
				asm("movups [ebp-0x34], xmm0");
				if(_t301 != 0) {
					_t510 = _t509 + _t301;
					_v80 = _t510;
					if(_t510 != _t602) {
						_t302 = _a12;
						_t511 = _t560;
						_t583 = _t602;
						_t561 = _t602 + _t302;
						_v96 = _t561;
						if(_t302 != 0) {
							_v104 = _t561 - 8;
							while(1) {
								_t452 =  *_t511 & 0x000000ff;
								_t512 =  &(_t511[1]);
								_v88 = _t512;
								_t563 = _t452 >> 4;
								_v84 = _t563;
								if(_t563 != 0xf) {
									goto L99;
								}
								L96:
								do {
									_t323 =  *_t512 & 0x000000ff;
									_t512 =  &(_t512[1]);
									_t563 = _t563 + _t323;
								} while (_t323 == 0xff);
								_v84 = _t563;
								_v88 = _t512;
								L99:
								_t304 = _t583 + _t563;
								_v76 = _t304;
								if(_t304 > _v104) {
									if(_t304 != _v96) {
										goto L137;
									} else {
										E012EE160(_t583, _t512, _t563);
										return E012E980C(_v8 ^ _t635);
									}
								} else {
									_t605 = _t304;
									_t565 = _t512 - _t583;
									do {
										 *_t583 =  *(_t565 + _t583);
										_t583[1] =  *(_t565 +  &(_t583[1]));
										_t583 =  &(_t583[2]);
									} while (_t583 < _t605);
									_t517 =  &(_t512[_v84]);
									_t455 = _t452 & 0x0000000f;
									_t586 = _v76;
									_t566 = _t586;
									_t606 = _v92;
									_t316 =  *_t517 & 0x0000ffff;
									_v88 =  &(_t517[1]);
									_t520 = _t586 - _t316;
									_v84 = _t316;
									 *_t586 = _t316;
									if(_t455 == 0xf) {
										_t590 = _v88;
										do {
											_t354 =  *_t590 & 0x000000ff;
											_t590 =  &(_t590[1]);
											_t455 = _t455 + _t354;
										} while (_t354 == 0xff);
										_t316 = _v84;
										_v88 = _t590;
										_t586 = _v76;
									}
									_t456 = _t455 + 4;
									_t583 = _t586 + _t456;
									if(_t520 >= _t606) {
										_v76 = _t583;
										if(_t316 >= 8) {
											 *_t566 =  *_t520;
											_t521 =  &(_t520[8]);
											_t566[4] = _t520[4];
										} else {
											 *_t566 =  *_t520 & 0x000000ff;
											_t566[1] = _t520[1] & 0x000000ff;
											_t566[2] = _t520[2] & 0x000000ff;
											_t566[3] = _t520[3] & 0x000000ff;
											_t522 =  &(_t520[ *((intOrPtr*)(_t635 + _v84 * 4 - 0x24))]);
											_t566[4] =  *_t522;
											_t521 = _t522 -  *((intOrPtr*)(_t635 + _v84 * 4 - 0x44));
										}
										_t567 =  &(_t566[8]);
										if(_t583 <= _v96 + 0xfffffff4) {
											 *_t567 =  *_t521;
											_t567[4] = _t521[4];
											if(_t456 > 0x10) {
												_t607 = _v76;
												_t587 =  &(_t567[8]);
												_t459 = _t587 - _t567 + _t521;
												do {
													_t324 =  *_t459;
													_t459 =  &(_t459[8]);
													 *_t587 = _t324;
													_t587[4] =  *(_t459 - 4);
													_t587 =  &(_t587[8]);
												} while (_t587 < _t607);
												_t583 = _v76;
											}
											goto L133;
										} else {
											_t326 = _v96;
											_t460 = _t326 - 7;
											_v84 = _t460;
											if(_t583 > _t326 + 0xfffffffb) {
												goto L136;
											} else {
												if(_t567 < _t460) {
													_t609 = _v84;
													_t588 = _t567;
													_t463 = _t521 - _t567;
													asm("o16 nop [eax+eax]");
													do {
														 *_t588 =  *(_t463 + _t588);
														_t588[4] =  *(_t463 +  &(_t588[4]));
														_t588 =  &(_t588[8]);
													} while (_t588 < _t609);
													_t583 = _v76;
													_t335 = _t609 - _t567;
													_t567 = _t609;
													_t521 =  &(_t521[_t335]);
												}
												_t461 = 0;
												_t330 =  >  ? 0 : _t583 - _t567;
												_v84 = _t330;
												if(_t330 == 0) {
													L133:
													_t511 = _v88;
												} else {
													_t608 = _t330;
													do {
														_t331 =  *_t521;
														_t521 =  &(_t521[1]);
														_t461 = _t461 + 1;
														 *_t567 = _t331;
														_t567 =  &(_t567[1]);
													} while (_t461 < _t608);
													_t511 = _v88;
												}
												continue;
											}
										}
									} else {
										if(_t583 > _v96 + 0xfffffffb) {
											L136:
											_t512 = _v88;
											L137:
											return E012E980C(_v8 ^ _t635);
										} else {
											_t569 = _t606 - _t520;
											_v84 = _t569;
											if(_t456 > _t569) {
												_t464 = _t456 - _t569;
												_t589 = _v76;
												E012EE160(_t589, _v80 - _t569, _t569);
												_t583 = _t589 + _v84;
												_t636 = _t636 + 0xc;
												if(_t464 <= _t583 - _t606) {
													E012EE160(_t583, _t606, _t464);
													_t511 = _v88;
													_t636 = _t636 + 0xc;
													_t583 = _t583 + _t464;
													while(1) {
														_t452 =  *_t511 & 0x000000ff;
														_t512 =  &(_t511[1]);
														_v88 = _t512;
														_t563 = _t452 >> 4;
														_v84 = _t563;
														if(_t563 != 0xf) {
															goto L99;
														}
														goto L96;
													}
												} else {
													L111:
													_t570 = 0;
													_t465 =  >  ? 0 : _t464;
													_t511 = _v88;
													if(_t465 == 0) {
														continue;
														do {
															while(1) {
																_t452 =  *_t511 & 0x000000ff;
																_t512 =  &(_t511[1]);
																_v88 = _t512;
																_t563 = _t452 >> 4;
																_v84 = _t563;
																if(_t563 != 0xf) {
																	goto L99;
																}
																goto L96;
															}
															goto L111;
														} while (_t465 == 0);
														goto L112;
													} else {
														L112:
														do {
															_t352 =  *((intOrPtr*)(_t570 + _t606));
															_t570 = _t570 + 1;
															 *_t583 = _t352;
															_t583 =  &(_t583[0]);
														} while (_t570 < _t465);
														_t511 = _v88;
														while(1) {
															_t452 =  *_t511 & 0x000000ff;
															_t512 =  &(_t511[1]);
															_v88 = _t512;
															_t563 = _t452 >> 4;
															_v84 = _t563;
															if(_t563 != 0xf) {
																goto L99;
															}
															goto L96;
														}
													}
												}
											} else {
												E012EC2A0(_v76, _t520 - _t606 + _v80, _t456);
												_t511 = _v88;
												_t636 = _t636 + 0xc;
												while(1) {
													_t452 =  *_t511 & 0x000000ff;
													_t512 =  &(_t511[1]);
													_v88 = _t512;
													_t563 = _t452 >> 4;
													_v84 = _t563;
													if(_t563 != 0xf) {
														goto L99;
													}
													goto L96;
												}
											}
										}
									}
								}
								goto L138;
							}
						} else {
							return E012E980C(_v8 ^ _t635);
						}
					} else {
						_t592 = _t560;
						_t358 = _a12;
						_t528 = _t602 + _t358;
						_v92 = _t528;
						if(_t301 < 0xffff) {
							if(_t358 == 0) {
								goto L2;
							} else {
								_t531 = _t528 + 0xfffffff8;
								_v88 = _t531;
								while(1) {
									_t471 =  *_t592 & 0x000000ff;
									_t594 =  &(_t592[1]);
									_v80 = _t471;
									_t472 = _t471 >> 4;
									if(_t472 != 0xf) {
										goto L68;
									}
									L66:
									do {
										_t375 =  *_t594 & 0x000000ff;
										_t594 =  &(_t594[1]);
										_t472 = _t472 + _t375;
									} while (_t375 == 0xff);
									L68:
									_t572 = _t602 + _t472;
									_v76 = _t572;
									if(_t572 > _t531) {
										goto L30;
									} else {
										_t537 = _t594 - _t602;
										do {
											 *_t602 =  *(_t537 + _t602);
											_t602[1] =  *(_t537 +  &(_t602[1]));
											_t602 =  &(_t602[2]);
										} while (_t602 < _t572);
										_t368 = _t594[_t472] & 0x0000ffff;
										_t480 = _v76;
										_t538 = _t572;
										_t592 =  &(( &(_t594[_t472]))[2]);
										_t615 = _v80 & 0x0000000f;
										_v96 = _t368;
										_t573 = _t572 - _t368;
										 *_t480 = _t368;
										if(_t615 == 0xf) {
											do {
												_t393 =  *_t592 & 0x000000ff;
												_t592 =  &(_t592[1]);
												_t615 = _t615 + _t393;
											} while (_t393 == 0xff);
											_t368 = _v96;
										}
										_t616 = _t615 + 4;
										_t481 = _t480 + _t616;
										_v76 = _t481;
										if(_t368 >= 8) {
											 *_t538 =  *_t573;
											_t574 =  &(_t573[8]);
											_t538[4] = _t573[4];
										} else {
											 *_t538 =  *_t573 & 0x000000ff;
											_t538[1] = _t573[1] & 0x000000ff;
											_t538[2] = _t573[2] & 0x000000ff;
											_t538[3] = _t573[3] & 0x000000ff;
											_t575 =  &(_t573[ *((intOrPtr*)(_t635 + _v96 * 4 - 0x24))]);
											_t538[4] =  *_t575;
											_t574 = _t575 -  *((intOrPtr*)(_t635 + _v96 * 4 - 0x44));
										}
										_t539 =  &(_t538[8]);
										_v80 = _t539;
										if(_t481 <=  &(_v92[0xfffffffffffffffd])) {
											 *_t539 =  *_t574;
											_t539[4] = _t574[4];
											if(_t616 > 0x10) {
												_t617 =  &(_t539[8]);
												_t540 = _v76;
												_t484 = _t617 - _t539 + _t574;
												asm("o16 nop [eax+eax]");
												do {
													_t376 =  *_t484;
													_t484 =  &(_t484[8]);
													 *_t617 = _t376;
													_t617[4] =  *(_t484 - 4);
													_t617 =  &(_t617[8]);
												} while (_t617 < _t540);
												_t481 = _v76;
											}
											goto L91;
										} else {
											_t378 = _v92;
											_t618 = _t378 - 7;
											_v84 = _t618;
											if(_t481 > _t378 + 0xfffffffb) {
												goto L32;
											} else {
												if(_t539 < _t618) {
													_t620 = _t539;
													_t488 = _t574 - _t539;
													_t541 = _v84;
													do {
														 *_t620 =  *(_t488 + _t620);
														_t620[4] =  *(_t488 +  &(_t620[4]));
														_t620 =  &(_t620[8]);
													} while (_t620 < _t541);
													_t481 = _v76;
													_t574 =  &(_t574[_t541 - _v80]);
													_t539 = _v84;
												}
												_t619 = 0;
												_t382 =  >  ? 0 : _t481 - _t539;
												_v80 = _t382;
												if(_t382 == 0) {
													L91:
													_t531 = _v88;
													_t602 = _t481;
													continue;
												} else {
													_t485 = _t382;
													do {
														_t383 =  *_t574;
														_t574 =  &(_t574[1]);
														_t619 = _t619 + 1;
														 *_t539 = _t383;
														_t539 =  &(_t539[1]);
													} while (_t619 < _t485);
													_t602 = _v76;
													_t531 = _v88;
													while(1) {
														_t471 =  *_t592 & 0x000000ff;
														_t594 =  &(_t592[1]);
														_v80 = _t471;
														_t472 = _t471 >> 4;
														if(_t472 != 0xf) {
															goto L68;
														}
														goto L66;
													}
												}
											}
										}
									}
									goto L138;
								}
							}
						} else {
							if(_t358 == 0) {
								goto L2;
							} else {
								_t543 = _t528 + 0xfffffff8;
								_v88 = _t543;
								while(1) {
									_t489 =  *_t592 & 0x000000ff;
									_t594 =  &(_t592[1]);
									_v80 = _t489;
									_t472 = _t489 >> 4;
									if(_t472 != 0xf) {
										goto L39;
									}
									do {
										L38:
										_t403 =  *_t594 & 0x000000ff;
										_t594 =  &(_t594[1]);
										_t472 = _t472 + _t403;
									} while (_t403 == 0xff);
									L39:
									_t572 = _t602 + _t472;
									_v76 = _t572;
									if(_t572 > _t543) {
										goto L30;
									} else {
										_t545 = _t594 - _t602;
										do {
											 *_t602 =  *(_t545 + _t602);
											_t602[1] =  *(_t545 +  &(_t602[1]));
											_t602 =  &(_t602[2]);
										} while (_t602 < _t572);
										_t396 = _t594[_t472] & 0x0000ffff;
										_t490 = _v76;
										_t546 = _t572;
										_t592 =  &(( &(_t594[_t472]))[2]);
										_t622 = _v80 & 0x0000000f;
										_v96 = _t396;
										_t576 = _t572 - _t396;
										 *_t490 = _t396;
										if(_t622 == 0xf) {
											do {
												_t421 =  *_t592 & 0x000000ff;
												_t592 =  &(_t592[1]);
												_t622 = _t622 + _t421;
											} while (_t421 == 0xff);
											_t396 = _v96;
										}
										_t623 = _t622 + 4;
										_t491 = _t490 + _t623;
										_v76 = _t491;
										if(_t396 >= 8) {
											 *_t546 =  *_t576;
											_t577 =  &(_t576[8]);
											_t546[4] = _t576[4];
										} else {
											 *_t546 =  *_t576 & 0x000000ff;
											_t546[1] = _t576[1] & 0x000000ff;
											_t546[2] = _t576[2] & 0x000000ff;
											_t546[3] = _t576[3] & 0x000000ff;
											_t578 =  &(_t576[ *((intOrPtr*)(_t635 + _v96 * 4 - 0x24))]);
											_t546[4] =  *_t578;
											_t577 = _t578 -  *((intOrPtr*)(_t635 + _v96 * 4 - 0x44));
										}
										_t547 =  &(_t546[8]);
										_v80 = _t547;
										if(_t491 <=  &(_v92[0xfffffffffffffffd])) {
											 *_t547 =  *_t577;
											_t547[4] = _t577[4];
											if(_t623 > 0x10) {
												_t624 =  &(_t547[8]);
												_t548 = _v76;
												_t494 = _t624 - _t547 + _t577;
												do {
													_t404 =  *_t494;
													_t494 =  &(_t494[8]);
													 *_t624 = _t404;
													_t624[4] =  *(_t494 - 4);
													_t624 =  &(_t624[8]);
												} while (_t624 < _t548);
												_t491 = _v76;
											}
											goto L62;
										} else {
											_t406 = _v92;
											_t625 = _t406 - 7;
											_v84 = _t625;
											if(_t491 > _t406 + 0xfffffffb) {
												goto L32;
											} else {
												if(_t547 < _t625) {
													_t627 = _t547;
													_t498 = _t577 - _t547;
													_t549 = _v84;
													do {
														 *_t627 =  *(_t498 + _t627);
														_t627[4] =  *(_t498 +  &(_t627[4]));
														_t627 =  &(_t627[8]);
													} while (_t627 < _t549);
													_t491 = _v76;
													_t577 =  &(_t577[_t549 - _v80]);
													_t547 = _v84;
												}
												_t626 = 0;
												_t410 =  >  ? 0 : _t491 - _t547;
												_v80 = _t410;
												if(_t410 == 0) {
													L62:
													_t543 = _v88;
													_t602 = _t491;
													continue;
												} else {
													_t495 = _t410;
													do {
														_t411 =  *_t577;
														_t577 =  &(_t577[1]);
														_t626 = _t626 + 1;
														 *_t547 = _t411;
														_t547 =  &(_t547[1]);
													} while (_t626 < _t495);
													_t602 = _v76;
													_t543 = _v88;
													while(1) {
														_t489 =  *_t592 & 0x000000ff;
														_t594 =  &(_t592[1]);
														_v80 = _t489;
														_t472 = _t489 >> 4;
														if(_t472 != 0xf) {
															goto L39;
														}
														goto L38;
													}
												}
											}
										}
									}
									goto L138;
								}
							}
						}
					}
				} else {
					_t422 = _a12;
					_t599 = _t560;
					_t551 = _t602 + _t422;
					_v92 = _t551;
					if(_t422 != 0) {
						_t552 = _t551 + 0xfffffff8;
						_v88 = _t552;
						while(1) {
							_t499 =  *_t599 & 0x000000ff;
							_t594 =  &(_t599[1]);
							_v80 = _t499;
							_t472 = _t499 >> 4;
							if(_t472 != 0xf) {
								goto L6;
							}
							do {
								L5:
								_t432 =  *_t594 & 0x000000ff;
								_t594 =  &(_t594[1]);
								_t472 = _t472 + _t432;
							} while (_t432 == 0xff);
							L6:
							_t572 = _t602 + _t472;
							_v76 = _t572;
							if(_t572 > _t552) {
								L30:
								if(_t572 != _v92) {
									goto L32;
								} else {
									E012EE160(_t602, _t594, _t472);
									return E012E980C(_v8 ^ _t635);
								}
							} else {
								_t554 = _t594 - _t602;
								do {
									 *_t602 =  *(_t554 + _t602);
									_t602[1] =  *(_t554 +  &(_t602[1]));
									_t602 =  &(_t602[2]);
								} while (_t602 < _t572);
								_t425 = _t594[_t472] & 0x0000ffff;
								_t500 = _v76;
								_t555 = _t572;
								_t599 =  &(( &(_t594[_t472]))[1]);
								_t629 = _v80 & 0x0000000f;
								_v96 = _t425;
								_t579 = _t572 - _t425;
								 *_t500 = _t425;
								if(_t629 == 0xf) {
									do {
										_t450 =  *_t599 & 0x000000ff;
										_t599 =  &(_t599[1]);
										_t629 = _t629 + _t450;
									} while (_t450 == 0xff);
									_t425 = _v96;
								}
								_t630 = _t629 + 4;
								_t501 = _t500 + _t630;
								_v76 = _t501;
								if(_t425 >= 8) {
									 *_t555 =  *_t579;
									_t580 =  &(_t579[8]);
									_t555[4] = _t579[4];
								} else {
									 *_t555 =  *_t579 & 0x000000ff;
									_t555[1] = _t579[1] & 0x000000ff;
									_t555[2] = _t579[2] & 0x000000ff;
									_t555[3] = _t579[3] & 0x000000ff;
									_t581 =  &(_t579[ *((intOrPtr*)(_t635 + _v96 * 4 - 0x24))]);
									_t555[4] =  *_t581;
									_t580 = _t581 -  *((intOrPtr*)(_t635 + _v96 * 4 - 0x44));
								}
								_t556 =  &(_t555[8]);
								_v80 = _t556;
								if(_t501 <=  &(_v92[0xfffffffffffffffd])) {
									 *_t556 =  *_t580;
									 *(_t556 + 4) = _t580[4];
									if(_t630 > 0x10) {
										_t631 = _t556 + 8;
										_t557 = _v76;
										_t504 = _t631 - _t556 + _t580;
										do {
											_t433 =  *_t504;
											_t504 = _t504 + 8;
											 *_t631 = _t433;
											 *((intOrPtr*)(_t631 + 4)) =  *((intOrPtr*)(_t504 - 4));
											_t631 = _t631 + 8;
										} while (_t631 < _t557);
										_t501 = _v76;
									}
									goto L29;
								} else {
									_t435 = _v92;
									_t632 = _t435 - 7;
									_v84 = _t632;
									if(_t501 >  &(_t435[0xffffffffffffffff])) {
										L32:
										return E012E980C(_v8 ^ _t635);
									} else {
										if(_t556 < _t632) {
											_t634 = _t556;
											_t508 = _t580 - _t556;
											_t558 = _v84;
											do {
												 *_t634 =  *((intOrPtr*)(_t508 + _t634));
												 *((intOrPtr*)(_t634 + 4)) =  *((intOrPtr*)(_t508 + _t634 + 4));
												_t634 = _t634 + 8;
											} while (_t634 < _t558);
											_t501 = _v76;
											_t580 =  &(_t580[_t558 - _v80]);
											_t556 = _v84;
										}
										_t633 = 0;
										_t439 =  >  ? 0 : _t501 - _t556;
										_v80 = _t439;
										if(_t439 == 0) {
											L29:
											_t552 = _v88;
											_t602 = _t501;
											continue;
										} else {
											_t505 = _t439;
											do {
												_t440 =  *_t580;
												_t580 =  &(_t580[1]);
												_t633 = _t633 + 1;
												 *_t556 = _t440;
												_t556 = _t556 + 1;
											} while (_t633 < _t505);
											_t602 = _v76;
											_t552 = _v88;
											while(1) {
												_t499 =  *_t599 & 0x000000ff;
												_t594 =  &(_t599[1]);
												_v80 = _t499;
												_t472 = _t499 >> 4;
												if(_t472 != 0xf) {
													goto L6;
												}
												goto L5;
											}
										}
									}
								}
							}
							goto L138;
						}
					} else {
						L2:
						return E012E980C(_v8 ^ _t635);
					}
				}
				L138:
			}

0x011a6276
0x011a627d
0x011a6280
0x011a6287
0x011a628a
0x011a628d
0x011a6290
0x011a6293
0x011a629a
0x011a62a1
0x011a62a8
0x011a62af
0x011a62b6
0x011a62bd
0x011a62c4
0x011a62cd
0x011a62d0
0x011a62d3
0x011a62d8
0x011a62df
0x011a62e5
0x011a64e2
0x011a64e4
0x011a64e9
0x011a6821
0x011a6824
0x011a6826
0x011a6828
0x011a682b
0x011a6830
0x011a6854
0x011a6857
0x011a6857
0x011a685a
0x011a685d
0x011a6860
0x011a6863
0x011a6869
0x00000000
0x00000000
0x00000000
0x011a6870
0x011a6870
0x011a6873
0x011a6874
0x011a6876
0x011a687d
0x011a6880
0x011a6883
0x011a6883
0x011a6886
0x011a688c
0x011a6a96
0x00000000
0x011a6a98
0x011a6a9b
0x011a6abc
0x011a6abc
0x011a6892
0x011a6894
0x011a6896
0x011a68a0
0x011a68a3
0x011a68a9
0x011a68ac
0x011a68af
0x011a68b3
0x011a68b6
0x011a68b9
0x011a68bc
0x011a68be
0x011a68c1
0x011a68c7
0x011a68cc
0x011a68ce
0x011a68d1
0x011a68d6
0x011a68d8
0x011a68e0
0x011a68e0
0x011a68e3
0x011a68e4
0x011a68e6
0x011a68ed
0x011a68f0
0x011a68f3
0x011a68f3
0x011a68f6
0x011a68f9
0x011a68fd
0x011a6998
0x011a699e
0x011a69d1
0x011a69d6
0x011a69d9
0x011a69a0
0x011a69a3
0x011a69a9
0x011a69b0
0x011a69b7
0x011a69bd
0x011a69c3
0x011a69c9
0x011a69c9
0x011a69df
0x011a69e7
0x011a6a5b
0x011a6a60
0x011a6a66
0x011a6a68
0x011a6a6b
0x011a6a72
0x011a6a74
0x011a6a74
0x011a6a76
0x011a6a79
0x011a6a7e
0x011a6a81
0x011a6a84
0x011a6a88
0x011a6a88
0x00000000
0x011a69e9
0x011a69e9
0x011a69ec
0x011a69f2
0x011a69f7
0x00000000
0x011a69fd
0x011a69ff
0x011a6a01
0x011a6a06
0x011a6a08
0x011a6a0a
0x011a6a10
0x011a6a13
0x011a6a19
0x011a6a1c
0x011a6a1f
0x011a6a23
0x011a6a28
0x011a6a2a
0x011a6a2c
0x011a6a2c
0x011a6a2e
0x011a6a36
0x011a6a39
0x011a6a3e
0x011a6a8b
0x011a6a8b
0x011a6a40
0x011a6a40
0x011a6a42
0x011a6a42
0x011a6a44
0x011a6a47
0x011a6a48
0x011a6a4a
0x011a6a4d
0x011a6a51
0x011a6a51
0x00000000
0x011a6a3e
0x011a69f7
0x011a6903
0x011a690b
0x011a6abd
0x011a6abd
0x011a6ac0
0x011a6ad6
0x011a6911
0x011a6913
0x011a6915
0x011a691a
0x011a6939
0x011a693b
0x011a6943
0x011a6948
0x011a694b
0x011a6954
0x011a6986
0x011a698b
0x011a698e
0x011a6991
0x011a6857
0x011a6857
0x011a685a
0x011a685d
0x011a6860
0x011a6863
0x011a6869
0x00000000
0x00000000
0x00000000
0x011a6869
0x011a6956
0x011a6956
0x011a695b
0x011a695f
0x011a6962
0x011a6967
0x00000000
0x011a6857
0x011a6857
0x011a6857
0x011a685a
0x011a685d
0x011a6860
0x011a6863
0x011a6869
0x00000000
0x00000000
0x00000000
0x011a6869
0x00000000
0x011a6857
0x00000000
0x011a6970
0x00000000
0x011a6970
0x011a6970
0x011a6973
0x011a6974
0x011a6976
0x011a6977
0x011a697b
0x011a6857
0x011a6857
0x011a685a
0x011a685d
0x011a6860
0x011a6863
0x011a6869
0x00000000
0x00000000
0x00000000
0x011a6869
0x011a6857
0x011a6967
0x011a691c
0x011a6926
0x011a692b
0x011a692e
0x011a6857
0x011a6857
0x011a685a
0x011a685d
0x011a6860
0x011a6863
0x011a6869
0x00000000
0x00000000
0x00000000
0x011a6869
0x011a6857
0x011a691a
0x011a690b
0x011a68fd
0x00000000
0x011a688c
0x011a6832
0x011a6850
0x011a6850
0x011a64ef
0x011a64f4
0x011a64f6
0x011a64f9
0x011a64fc
0x011a64ff
0x011a6693
0x00000000
0x011a6699
0x011a6699
0x011a669c
0x011a66a0
0x011a66a0
0x011a66a3
0x011a66a4
0x011a66a7
0x011a66ad
0x00000000
0x00000000
0x00000000
0x011a66b0
0x011a66b0
0x011a66b3
0x011a66b4
0x011a66b6
0x011a66bd
0x011a66bd
0x011a66c0
0x011a66c5
0x00000000
0x011a66cb
0x011a66cd
0x011a66d0
0x011a66d3
0x011a66d9
0x011a66dc
0x011a66df
0x011a66e3
0x011a66e9
0x011a66ec
0x011a66f1
0x011a66f4
0x011a66f7
0x011a66fa
0x011a66fc
0x011a6701
0x011a6703
0x011a6703
0x011a6706
0x011a6707
0x011a6709
0x011a6710
0x011a6710
0x011a6713
0x011a6716
0x011a6718
0x011a671e
0x011a6751
0x011a6756
0x011a6759
0x011a6720
0x011a6723
0x011a6729
0x011a6730
0x011a6737
0x011a673d
0x011a6743
0x011a6749
0x011a6749
0x011a675f
0x011a6765
0x011a676a
0x011a67e1
0x011a67e6
0x011a67ec
0x011a67ee
0x011a67f5
0x011a67f8
0x011a67fa
0x011a6800
0x011a6800
0x011a6802
0x011a6805
0x011a680a
0x011a680d
0x011a6810
0x011a6814
0x011a6814
0x00000000
0x011a6770
0x011a6770
0x011a6773
0x011a6779
0x011a677e
0x00000000
0x011a6784
0x011a6786
0x011a678a
0x011a678c
0x011a678e
0x011a6791
0x011a6794
0x011a679a
0x011a679d
0x011a67a0
0x011a67a7
0x011a67aa
0x011a67ac
0x011a67ac
0x011a67af
0x011a67b7
0x011a67ba
0x011a67bf
0x011a6817
0x011a6817
0x011a681a
0x00000000
0x011a67c1
0x011a67c1
0x011a67c3
0x011a67c3
0x011a67c5
0x011a67c8
0x011a67c9
0x011a67cb
0x011a67ce
0x011a67d5
0x011a67d7
0x011a66a0
0x011a66a0
0x011a66a3
0x011a66a4
0x011a66a7
0x011a66ad
0x00000000
0x00000000
0x00000000
0x011a66ad
0x011a66a0
0x011a67bf
0x011a677e
0x011a676a
0x00000000
0x011a66c5
0x011a66a0
0x011a6505
0x011a6507
0x00000000
0x011a650d
0x011a650d
0x011a6510
0x011a6513
0x011a6513
0x011a6516
0x011a6517
0x011a651a
0x011a6520
0x00000000
0x00000000
0x011a6522
0x011a6522
0x011a6522
0x011a6525
0x011a6526
0x011a6528
0x011a652f
0x011a652f
0x011a6532
0x011a6537
0x00000000
0x011a653d
0x011a653f
0x011a6541
0x011a6544
0x011a654a
0x011a654d
0x011a6550
0x011a6554
0x011a655a
0x011a655d
0x011a6562
0x011a6565
0x011a6568
0x011a656b
0x011a656d
0x011a6572
0x011a6574
0x011a6574
0x011a6577
0x011a6578
0x011a657a
0x011a6581
0x011a6581
0x011a6584
0x011a6587
0x011a6589
0x011a658f
0x011a65c2
0x011a65c7
0x011a65ca
0x011a6591
0x011a6594
0x011a659a
0x011a65a1
0x011a65a8
0x011a65ae
0x011a65b4
0x011a65ba
0x011a65ba
0x011a65d0
0x011a65d6
0x011a65db
0x011a6652
0x011a6657
0x011a665d
0x011a665f
0x011a6666
0x011a6669
0x011a6670
0x011a6670
0x011a6672
0x011a6675
0x011a667a
0x011a667d
0x011a6680
0x011a6684
0x011a6684
0x00000000
0x011a65e1
0x011a65e1
0x011a65e4
0x011a65ea
0x011a65ef
0x00000000
0x011a65f5
0x011a65f7
0x011a65fb
0x011a65fd
0x011a65ff
0x011a6602
0x011a6605
0x011a660b
0x011a660e
0x011a6611
0x011a6618
0x011a661b
0x011a661d
0x011a661d
0x011a6620
0x011a6628
0x011a662b
0x011a6630
0x011a6687
0x011a6687
0x011a668a
0x00000000
0x011a6632
0x011a6632
0x011a6634
0x011a6634
0x011a6636
0x011a6639
0x011a663a
0x011a663c
0x011a663f
0x011a6646
0x011a6648
0x011a6513
0x011a6513
0x011a6516
0x011a6517
0x011a651a
0x011a6520
0x00000000
0x00000000
0x00000000
0x011a6520
0x011a6513
0x011a6630
0x011a65ef
0x011a65db
0x00000000
0x011a6537
0x011a6513
0x011a6507
0x011a64ff
0x011a62eb
0x011a62eb
0x011a62ee
0x011a62f0
0x011a62f3
0x011a62f8
0x011a631b
0x011a631e
0x011a6321
0x011a6321
0x011a6324
0x011a6325
0x011a6328
0x011a632e
0x00000000
0x00000000
0x011a6330
0x011a6330
0x011a6330
0x011a6333
0x011a6334
0x011a6336
0x011a633d
0x011a633d
0x011a6340
0x011a6345
0x011a64a1
0x011a64a4
0x00000000
0x011a64a6
0x011a64a9
0x011a64c8
0x011a64c8
0x011a634b
0x011a634d
0x011a6350
0x011a6353
0x011a6359
0x011a635c
0x011a635f
0x011a6363
0x011a6369
0x011a636c
0x011a6371
0x011a6374
0x011a6377
0x011a637a
0x011a637c
0x011a6381
0x011a6383
0x011a6383
0x011a6386
0x011a6387
0x011a6389
0x011a6390
0x011a6390
0x011a6393
0x011a6396
0x011a6398
0x011a639e
0x011a63d1
0x011a63d6
0x011a63d9
0x011a63a0
0x011a63a3
0x011a63a9
0x011a63b0
0x011a63b7
0x011a63bd
0x011a63c3
0x011a63c9
0x011a63c9
0x011a63df
0x011a63e5
0x011a63ea
0x011a6460
0x011a6465
0x011a646b
0x011a646d
0x011a6474
0x011a6477
0x011a6480
0x011a6480
0x011a6482
0x011a6485
0x011a648a
0x011a648d
0x011a6490
0x011a6494
0x011a6494
0x00000000
0x011a63ec
0x011a63ec
0x011a63ef
0x011a63f5
0x011a63fa
0x011a64c9
0x011a64e1
0x011a6400
0x011a6402
0x011a6406
0x011a6408
0x011a640a
0x011a6410
0x011a6413
0x011a6419
0x011a641c
0x011a641f
0x011a6426
0x011a6429
0x011a642b
0x011a642b
0x011a642e
0x011a6436
0x011a6439
0x011a643e
0x011a6497
0x011a6497
0x011a649a
0x00000000
0x011a6440
0x011a6440
0x011a6442
0x011a6442
0x011a6444
0x011a6447
0x011a6448
0x011a644a
0x011a644d
0x011a6454
0x011a6456
0x011a6321
0x011a6321
0x011a6324
0x011a6325
0x011a6328
0x011a632e
0x00000000
0x00000000
0x00000000
0x011a632e
0x011a6321
0x011a643e
0x011a63fa
0x011a63ea
0x00000000
0x011a6345
0x011a62fa
0x011a62fa
0x011a631a
0x011a631a
0x011a62f8
0x00000000

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7abf1a3c7b7df0e3f810907e2a4cfb915cbf55da75b296250c26e2c7a75a30e5
Instruction ID: c5f1a31833b557ba7b226053d04fd3062058e59ee043fa2c65990674408f1b8d
Opcode Fuzzy Hash: 7abf1a3c7b7df0e3f810907e2a4cfb915cbf55da75b296250c26e2c7a75a30e5
Instruction Fuzzy Hash: 2C62AC79E002568FCB19CFACC8905ACFFF1BF49314B598269D859DB346D731A946CB80

Uniqueness

Uniqueness Score: -1.00%

Function 011A4AB0 Relevance: .6, Instructions: 634
COMMONCrypto

Download Yara Rule

C-Code - Quality: 81%

			E011A4AB0(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed char* _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				signed char* _v92;
				signed int _v96;
				signed int _v100;
				signed char* _v104;
				signed char* _v108;
				intOrPtr* _v112;
				signed int _v116;
				signed int _v120;
				signed int _t237;
				signed int _t239;
				intOrPtr _t242;
				signed int _t245;
				signed int _t254;
				signed char _t265;
				intOrPtr _t267;
				signed int _t271;
				signed char _t272;
				signed char _t292;
				signed int _t296;
				intOrPtr _t304;
				intOrPtr _t307;
				signed int _t315;
				signed char _t326;
				intOrPtr _t328;
				signed int _t332;
				signed char _t333;
				signed char _t353;
				signed int _t357;
				signed char* _t360;
				signed char* _t361;
				void* _t363;
				signed short* _t364;
				signed char* _t367;
				void* _t369;
				signed short* _t370;
				signed int _t371;
				signed int _t372;
				signed int _t373;
				intOrPtr _t376;
				signed char* _t378;
				signed char* _t379;
				signed int _t386;
				signed int _t387;
				signed int _t388;
				signed char* _t392;
				signed char* _t393;
				intOrPtr* _t396;
				intOrPtr _t397;
				intOrPtr _t398;
				signed short* _t399;
				signed char* _t400;
				signed char* _t401;
				signed int _t402;
				signed char* _t403;
				signed int _t406;
				void* _t407;
				intOrPtr _t408;
				signed short* _t409;
				signed char* _t410;
				signed char* _t411;
				signed int _t412;
				signed int _t413;
				signed int _t416;
				void* _t417;
				signed int _t419;
				unsigned int _t423;
				unsigned int _t424;
				intOrPtr _t427;
				signed int _t431;
				void* _t432;
				signed char* _t435;
				signed char* _t436;
				void* _t437;
				void* _t439;
				void* _t440;
				void* _t441;
				unsigned int _t451;
				unsigned int _t452;
				signed int _t458;
				void* _t459;
				signed char* _t462;
				signed int _t463;
				void* _t464;
				void* _t466;
				void* _t467;
				void* _t468;
				signed char* _t470;
				signed int _t471;
				signed int* _t473;
				signed char* _t476;
				signed int _t477;
				signed char* _t478;
				signed int _t479;
				signed int _t482;
				signed int* _t484;
				signed char* _t487;
				signed int _t488;
				signed char* _t489;
				signed int _t490;
				signed int _t491;
				void* _t492;

				_t237 =  *0x139eff4; // 0xdde28b47
				_v8 = _t237 ^ _t491;
				_t396 = _a4;
				asm("movaps xmm0, [0x13775b0]");
				_t239 =  *((intOrPtr*)(_t396 + 8));
				_t470 = _a8;
				_t360 = _t470;
				_t419 = _a12;
				_v112 = _t396;
				_v108 = _t470;
				_v100 = _t419;
				_v96 = _t239;
				_v40 = 0;
				_v36 = 1;
				_v32 = 2;
				_v28 = 1;
				_v24 = 4;
				_v20 = 4;
				_v16 = 4;
				_v12 = 4;
				asm("movups [ebp-0x44], xmm0");
				asm("movaps xmm0, [0x1377590]");
				asm("movups [ebp-0x34], xmm0");
				if(_t239 != _t419) {
					_t371 =  *(_t396 + 0xc);
					 *(_t396 + 4) = _t371;
					 *_t396 = _t239 - _t371;
					_t397 = _a16;
					_t471 = _t419;
					_v92 =  &(_t470[_t397]);
					_t242 = _a20;
					_v88 = _t419 + _t242;
					_v80 = _t471;
					_v116 = _t471 - _t371;
					asm("sbb ecx, ecx");
					_t372 =  ~_t371;
					_v120 = _t372;
					if(_t242 != 0) {
						while(1) {
							_t423 =  *_t360 & 0x000000ff;
							_t361 =  &(_t360[1]);
							_v76 = _t423;
							_t424 = _t423 >> 4;
							if(_t424 != 0xf) {
								goto L67;
							}
							L63:
							do {
								_t402 =  *_t361 & 0x000000ff;
								_t361 =  &(_t361[1]);
								_t424 = _t424 + _t402;
								asm("sbb ecx, ecx");
								_t372 =  ~_t372;
							} while (((0 | _t402 == 0x000000ff) & _t372) != 0);
							_t471 = _v80;
							if(_t424 + _t471 < _t471 ||  &(_t361[_t424]) < _t361) {
								L109:
								_t245 = _v100;
								_t427 = _v108 - _t361 - 1;
							} else {
								goto L67;
							}
							L110:
							if(_t427 > 0) {
								_t376 = _v112;
								 *((intOrPtr*)(_t376 + 0xc)) = _t427;
								 *((intOrPtr*)(_t376 + 8)) = _t245 + _t427;
							}
							goto L112;
							L67:
							_t398 = _v88;
							_t373 = _t424 + _t471;
							_v84 = _t373;
							if(_t373 > _t398 - 0xc) {
								L106:
								if( &(_t361[_t424]) != _v92 || _t373 > _t398) {
									goto L109;
								} else {
									E012EE160(_t471, _t361, _t424);
									_t245 = _v100;
									_t427 = _t424 - _t245 + _t471;
								}
							} else {
								_t399 =  &(_t361[_t424]);
								if(_t399 >  &(_v92[0xfffffffffffffff8])) {
									_t398 = _v88;
									goto L106;
								} else {
									_t363 = _t361 - _t471;
									do {
										 *_t471 =  *((intOrPtr*)(_t363 + _t471));
										 *((intOrPtr*)(_t471 + 4)) =  *((intOrPtr*)(_t363 + _t471 + 4));
										_t471 = _t471 + 8;
									} while (_t471 < _t373);
									_t473 = _v84;
									_t364 = _t399;
									_t400 = _t473;
									_t254 =  *_t364 & 0x0000ffff;
									_t360 =  &(_t364[1]);
									_t378 = _t473 - _t254;
									_v80 = _t254;
									if(_v120 == 0 || _t378 >= _v116) {
										_t431 = _v76 & 0x0000000f;
										 *_t473 = _t254;
										if(_t431 != 0xf) {
											L79:
											_t432 = _t431 + 4;
											_t471 = _t473 + _t432;
											if(_t378 >= _v100) {
												_v84 = _t471;
												if(_t254 >= 8) {
													 *_t400 =  *_t378;
													_t372 =  &(_t378[8]);
													_t400[4] = _t378[4];
												} else {
													 *_t400 =  *_t378 & 0x000000ff;
													_t400[1] = _t378[1] & 0x000000ff;
													_t400[2] = _t378[2] & 0x000000ff;
													_t400[3] = _t378[3] & 0x000000ff;
													_t379 =  &(_t378[ *((intOrPtr*)(_t491 + _v80 * 4 - 0x24))]);
													_t400[4] =  *_t379;
													_t372 = _t379 -  *((intOrPtr*)(_t491 + _v80 * 4 - 0x44));
												}
												_t401 =  &(_t400[8]);
												_v76 = _t401;
												if(_t471 <= _v88 + 0xfffffff4) {
													 *_t401 =  *_t372;
													_t401[4] =  *(_t372 + 4);
													if(_t432 <= 0x10) {
														goto L61;
													} else {
														_t476 =  &(_t401[8]);
														_t435 = _t476 - _t401 + _t372;
														_t372 = _v84;
														do {
															_t265 =  *_t435;
															_t435 =  &(_t435[8]);
															 *_t476 = _t265;
															_t476[4] =  *(_t435 - 4);
															_t476 =  &(_t476[8]);
														} while (_t476 < _t372);
														goto L60;
													}
												} else {
													_t267 = _v88;
													_t436 = _t267 - 7;
													_v104 = _t436;
													if(_t471 > _t267 + 0xfffffffb) {
														goto L109;
													} else {
														if(_t401 < _t436) {
															_t478 = _t401;
															_t439 = _t372 - _t401;
															_t403 = _v104;
															asm("o16 nop [eax+eax]");
															do {
																 *_t478 =  *(_t439 + _t478);
																_t478[4] =  *(_t439 +  &(_t478[4]));
																_t478 =  &(_t478[8]);
															} while (_t478 < _t403);
															_t471 = _v84;
															_t372 = _t372 + _t403 - _v76;
															_t401 = _v104;
														}
														_t437 = 0;
														_t271 =  >  ? 0 : _t471 - _t401;
														_v76 = _t271;
														if(_t271 != 0) {
															_t477 = _t271;
															do {
																_t272 =  *_t372;
																_t372 = _t372 + 1;
																_t437 = _t437 + 1;
																 *_t401 = _t272;
																_t401 =  &(_t401[1]);
															} while (_t437 < _t477);
															L60:
															_t471 = _v84;
														}
														goto L61;
													}
												}
											} else {
												_v80 = _t471;
												if(_t471 > _v88 + 0xfffffffb) {
													goto L109;
												} else {
													_t284 = _v100;
													_t406 = _v100 - _t378;
													_v76 = _t406;
													if(_t432 > _t406) {
														_t440 = _t432 - _t406;
														_t479 = _v84;
														E012EE160(_t479, _v96 - _t406, _t406);
														_t471 = _t479 + _v76;
														_t492 = _t492 + 0xc;
														_t372 = _v100;
														if(_t440 <= _t471 - _t372) {
															E012EE160(_t471, _t372, _t440);
															_t492 = _t492 + 0xc;
															_t471 = _t471 + _t440;
															goto L61;
														} else {
															goto L84;
														}
													} else {
														_t372 = _v84;
														E012EC2A0(_t372, _t378 - _t284 + _v96, _t432);
														_t492 = _t492 + 0xc;
														continue;
														do {
															while(1) {
																_t423 =  *_t360 & 0x000000ff;
																_t361 =  &(_t360[1]);
																_v76 = _t423;
																_t424 = _t423 >> 4;
																if(_t424 != 0xf) {
																	goto L67;
																}
																goto L63;
															}
															L84:
															_t407 = 0;
															_v80 = _t471;
															_t441 =  >  ? 0 : _t440;
														} while (_t441 == 0);
														do {
															_t292 =  *_t372;
															_t372 = _t372 + 1;
															 *_t471 = _t292;
															_t407 = _t407 + 1;
															_t471 = _t471 + 1;
														} while (_t407 < _t441);
														L61:
														_v80 = _t471;
														continue;
													}
													goto L112;
												}
											}
										} else {
											_v76 =  &(_v92[0xfffffffffffffffb]);
											while(1) {
												_t296 =  *_t360 & 0x000000ff;
												_t361 =  &(_t360[1]);
												if(_t361 > _v76) {
													goto L109;
												}
												_t431 = _t431 + _t296;
												if(_t296 == 0xff) {
													continue;
												} else {
													if(_t473 + _t431 < _t473) {
														goto L109;
													} else {
														_t254 = _v80;
														goto L79;
													}
												}
												goto L110;
											}
											goto L109;
										}
									} else {
										goto L109;
									}
								}
							}
							goto L110;
						}
					} else {
						goto L2;
					}
				} else {
					_t386 =  *(_t396 + 4);
					_t397 = _a16;
					_v96 = _t239 -  *(_t396 + 0xc);
					_t482 = _t419;
					_v92 =  &(_t470[_t397]);
					_t304 = _a20;
					_v88 = _t419 + _t304;
					_v80 = _t482;
					_v120 = _v96 - _t386;
					_v104 =  *_v112 + _t386;
					asm("sbb ecx, ecx");
					_t387 =  ~_t386;
					_v116 = _t387;
					if(_t304 != 0) {
						while(1) {
							_t451 =  *_t360 & 0x000000ff;
							_t367 =  &(_t360[1]);
							_v76 = _t451;
							_t452 = _t451 >> 4;
							if(_t452 != 0xf) {
								goto L13;
							} else {
							}
							do {
								L10:
								_t412 =  *_t367 & 0x000000ff;
								_t367 =  &(_t367[1]);
								_t452 = _t452 + _t412;
								asm("sbb ecx, ecx");
								_t387 =  ~_t387;
							} while (((0 | _t412 == 0x000000ff) & _t387) != 0);
							_t482 = _v80;
							if(_t452 + _t482 < _t482 ||  &(_t367[_t452]) < _t367) {
								L55:
								_t427 = _v108 - _t367 - 1;
							} else {
								goto L13;
							}
							L56:
							if(_t427 <= 0) {
								L112:
								return E012E980C(_v8 ^ _t491);
							} else {
								_t307 = _v112;
								 *((intOrPtr*)(_t307 + 0xc)) =  *((intOrPtr*)(_t307 + 0xc)) + _t427;
								 *((intOrPtr*)(_t307 + 8)) =  *((intOrPtr*)(_t307 + 8)) + _t427;
								return E012E980C(_v8 ^ _t491);
							}
							goto L113;
							L13:
							_t408 = _v88;
							_t388 = _t452 + _t482;
							_v84 = _t388;
							if(_t388 > _t408 - 0xc) {
								L52:
								if( &(_t367[_t452]) != _v92 || _t388 > _t408) {
									goto L55;
								} else {
									E012EE160(_t482, _t367, _t452);
									_t427 = _t452 - _v100 + _t482;
								}
							} else {
								_t409 =  &(_t367[_t452]);
								if(_t409 >  &(_v92[0xfffffffffffffff8])) {
									_t408 = _v88;
									goto L52;
								} else {
									_t369 = _t367 - _t482;
									do {
										 *_t482 =  *((intOrPtr*)(_t369 + _t482));
										 *((intOrPtr*)(_t482 + 4)) =  *((intOrPtr*)(_t369 + _t482 + 4));
										_t482 = _t482 + 8;
									} while (_t482 < _t388);
									_t484 = _v84;
									_t370 = _t409;
									_t410 = _t484;
									_t315 =  *_t370 & 0x0000ffff;
									_t360 =  &(_t370[1]);
									_t392 = _t484 - _t315;
									_v80 = _t315;
									if(_v116 == 0 || _t392 >= _v120) {
										_t458 = _v76 & 0x0000000f;
										 *_t484 = _t315;
										if(_t458 != 0xf) {
											L25:
											_t459 = _t458 + 4;
											_t482 = _t484 + _t459;
											if(_t392 >= _v96) {
												_v84 = _t482;
												if(_t315 >= 8) {
													 *_t410 =  *_t392;
													_t387 =  &(_t392[8]);
													_t410[4] = _t392[4];
												} else {
													 *_t410 =  *_t392 & 0x000000ff;
													_t410[1] = _t392[1] & 0x000000ff;
													_t410[2] = _t392[2] & 0x000000ff;
													_t410[3] = _t392[3] & 0x000000ff;
													_t393 =  &(_t392[ *((intOrPtr*)(_t491 + _v80 * 4 - 0x24))]);
													_t410[4] =  *_t393;
													_t387 = _t393 -  *((intOrPtr*)(_t491 + _v80 * 4 - 0x44));
												}
												_t411 =  &(_t410[8]);
												_v80 = _t411;
												if(_t482 <= _v88 + 0xfffffff4) {
													 *_t411 =  *_t387;
													_t411[4] =  *(_t387 + 4);
													if(_t459 <= 0x10) {
														goto L7;
													} else {
														_t487 =  &(_t411[8]);
														_t462 = _t487 - _t411 + _t387;
														_t387 = _v84;
														do {
															_t326 =  *_t462;
															_t462 =  &(_t462[8]);
															 *_t487 = _t326;
															_t487[4] =  *(_t462 - 4);
															_t487 =  &(_t487[8]);
														} while (_t487 < _t387);
														goto L6;
													}
												} else {
													_t328 = _v88;
													_t463 = _t328 - 7;
													_v76 = _t463;
													if(_t482 > _t328 + 0xfffffffb) {
														goto L55;
													} else {
														if(_t411 < _t463) {
															_t489 = _t411;
															_t466 = _t387 - _t411;
															_t413 = _v76;
															asm("o16 nop [eax+eax]");
															do {
																 *_t489 =  *(_t466 + _t489);
																_t489[4] =  *(_t466 +  &(_t489[4]));
																_t489 =  &(_t489[8]);
															} while (_t489 < _t413);
															_t482 = _v84;
															_t387 = _t387 + _t413 - _v80;
															_t411 = _v76;
														}
														_t464 = 0;
														_t332 =  >  ? 0 : _t482 - _t411;
														_v76 = _t332;
														if(_t332 != 0) {
															_t488 = _t332;
															do {
																_t333 =  *_t387;
																_t387 = _t387 + 1;
																_t464 = _t464 + 1;
																 *_t411 = _t333;
																_t411 =  &(_t411[1]);
															} while (_t464 < _t488);
															L6:
															_t482 = _v84;
														}
														goto L7;
													}
												}
											} else {
												_v80 = _t482;
												if(_t482 > _v88 + 0xfffffffb) {
													goto L55;
												} else {
													_t345 = _v96;
													_t416 = _v96 - _t392;
													_v76 = _t416;
													if(_t459 > _t416) {
														_t467 = _t459 - _t416;
														_t490 = _v84;
														E012EE160(_t490, _v104 - _t416, _t416);
														_t482 = _t490 + _v76;
														_t492 = _t492 + 0xc;
														_t387 = _v96;
														if(_t467 <= _t482 - _t387) {
															E012EE160(_t482, _t387, _t467);
															_t492 = _t492 + 0xc;
															_t482 = _t482 + _t467;
															goto L7;
														} else {
															goto L30;
														}
													} else {
														_t387 = _v84;
														E012EC2A0(_t387, _t392 - _t345 + _v104, _t459);
														_t492 = _t492 + 0xc;
														continue;
														do {
															while(1) {
																_t451 =  *_t360 & 0x000000ff;
																_t367 =  &(_t360[1]);
																_v76 = _t451;
																_t452 = _t451 >> 4;
																if(_t452 != 0xf) {
																	goto L13;
																} else {
																}
																goto L10;
															}
															L30:
															_t417 = 0;
															_v80 = _t482;
															_t468 =  >  ? 0 : _t467;
														} while (_t468 == 0);
														do {
															_t353 =  *_t387;
															_t387 = _t387 + 1;
															 *_t482 = _t353;
															_t417 = _t417 + 1;
															_t482 = _t482 + 1;
														} while (_t417 < _t468);
														L7:
														_v80 = _t482;
														continue;
													}
													goto L113;
												}
											}
										} else {
											_v76 =  &(_v92[0xfffffffffffffffb]);
											while(1) {
												_t357 =  *_t360 & 0x000000ff;
												_t367 =  &(_t360[1]);
												if(_t367 > _v76) {
													goto L55;
												}
												_t458 = _t458 + _t357;
												if(_t357 == 0xff) {
													continue;
												} else {
													if(_t484 + _t458 < _t484) {
														goto L55;
													} else {
														_t315 = _v80;
														goto L25;
													}
												}
												goto L56;
											}
											goto L55;
										}
									} else {
										goto L55;
									}
								}
							}
							goto L56;
						}
					} else {
						L2:
						if(_t397 != 1 ||  *_t360 != 0) {
							return E012E980C(_v8 ^ _t491);
						} else {
							return E012E980C(_v8 ^ _t491);
						}
					}
				}
				L113:
			}

0x011a4ab6
0x011a4abd
0x011a4ac0
0x011a4ac3
0x011a4acc
0x011a4acf
0x011a4ad2
0x011a4ad5
0x011a4ad8
0x011a4adb
0x011a4ade
0x011a4ae1
0x011a4ae4
0x011a4aeb
0x011a4af2
0x011a4af9
0x011a4b00
0x011a4b07
0x011a4b0e
0x011a4b15
0x011a4b1c
0x011a4b20
0x011a4b27
0x011a4b2d
0x011a4e84
0x011a4e89
0x011a4e8c
0x011a4e8e
0x011a4e94
0x011a4e96
0x011a4e99
0x011a4e9e
0x011a4ea5
0x011a4eae
0x011a4eb1
0x011a4eb3
0x011a4eb5
0x011a4eba
0x011a4ec7
0x011a4ec7
0x011a4eca
0x011a4ecb
0x011a4ece
0x011a4ed4
0x00000000
0x00000000
0x011a4ed6
0x011a4ee0
0x011a4ee0
0x011a4ee3
0x011a4ee4
0x011a4ee8
0x011a4eec
0x011a4ef7
0x011a4efb
0x011a4f03
0x011a517c
0x011a517f
0x011a5184
0x00000000
0x00000000
0x00000000
0x011a5185
0x011a5187
0x011a5189
0x011a518e
0x011a5191
0x011a5191
0x00000000
0x011a4f14
0x011a4f14
0x011a4f17
0x011a4f1a
0x011a4f22
0x011a515c
0x011a5162
0x00000000
0x011a5168
0x011a516b
0x011a5170
0x011a5178
0x011a5178
0x011a4f28
0x011a4f2b
0x011a4f33
0x011a5159
0x00000000
0x011a4f39
0x011a4f39
0x011a4f40
0x011a4f43
0x011a4f49
0x011a4f4c
0x011a4f4f
0x011a4f53
0x011a4f56
0x011a4f5a
0x011a4f5c
0x011a4f5f
0x011a4f62
0x011a4f64
0x011a4f6b
0x011a4f79
0x011a4f7c
0x011a4f81
0x011a4fb4
0x011a4fb4
0x011a4fb7
0x011a4fbc
0x011a5055
0x011a505b
0x011a508e
0x011a5093
0x011a5096
0x011a505d
0x011a5060
0x011a5066
0x011a506d
0x011a5074
0x011a507a
0x011a5080
0x011a5086
0x011a5086
0x011a509c
0x011a50a2
0x011a50a7
0x011a511c
0x011a5121
0x011a5127
0x00000000
0x011a512d
0x011a512d
0x011a5134
0x011a5136
0x011a5140
0x011a5140
0x011a5142
0x011a5145
0x011a514a
0x011a514d
0x011a5150
0x00000000
0x011a5154
0x011a50a9
0x011a50a9
0x011a50ac
0x011a50b2
0x011a50b7
0x00000000
0x011a50bd
0x011a50bf
0x011a50c3
0x011a50c5
0x011a50c7
0x011a50ca
0x011a50d0
0x011a50d3
0x011a50d9
0x011a50dc
0x011a50df
0x011a50e6
0x011a50e9
0x011a50eb
0x011a50eb
0x011a50ee
0x011a50f6
0x011a50f9
0x011a50fe
0x011a5104
0x011a5106
0x011a5106
0x011a5108
0x011a510b
0x011a510c
0x011a510e
0x011a5111
0x011a4ec1
0x011a4ec1
0x011a4ec1
0x00000000
0x011a50fe
0x011a50b7
0x011a4fc2
0x011a4fc8
0x011a4fcd
0x00000000
0x011a4fd3
0x011a4fd3
0x011a4fd8
0x011a4fda
0x011a4fdf
0x011a4ffc
0x011a4ffe
0x011a5006
0x011a500b
0x011a500e
0x011a5011
0x011a501a
0x011a5046
0x011a504b
0x011a504e
0x00000000
0x00000000
0x00000000
0x00000000
0x011a4fe1
0x011a4fe8
0x011a4fec
0x011a4ff1
0x011a4ff4
0x011a4ec7
0x011a4ec7
0x011a4ec7
0x011a4eca
0x011a4ecb
0x011a4ece
0x011a4ed4
0x00000000
0x00000000
0x00000000
0x011a4ed4
0x011a501c
0x011a501c
0x011a501e
0x011a5026
0x011a5029
0x011a5031
0x011a5031
0x011a5033
0x011a5036
0x011a5038
0x011a5039
0x011a503a
0x011a4ec4
0x011a4ec4
0x00000000
0x011a4ec4
0x00000000
0x011a4fdf
0x011a4fcd
0x011a4f83
0x011a4f89
0x011a4f90
0x011a4f90
0x011a4f93
0x011a4f97
0x00000000
0x00000000
0x011a4f9d
0x011a4fa4
0x00000000
0x011a4fa6
0x011a4fab
0x00000000
0x011a4fb1
0x011a4fb1
0x00000000
0x011a4fb1
0x011a4fab
0x00000000
0x011a4fa4
0x00000000
0x011a4f90
0x00000000
0x00000000
0x00000000
0x011a4f6b
0x011a4f33
0x00000000
0x011a4f22
0x011a4ebc
0x00000000
0x011a4ebc
0x011a4b33
0x011a4b36
0x011a4b39
0x011a4b3c
0x011a4b42
0x011a4b44
0x011a4b47
0x011a4b4c
0x011a4b54
0x011a4b57
0x011a4b67
0x011a4b6a
0x011a4b6c
0x011a4b6e
0x011a4b73
0x011a4bb2
0x011a4bb2
0x011a4bb5
0x011a4bb6
0x011a4bb9
0x011a4bbf
0x00000000
0x011a4bc1
0x011a4bc4
0x011a4bc7
0x011a4bc7
0x011a4bc7
0x011a4bca
0x011a4bcb
0x011a4bcf
0x011a4bd3
0x011a4bde
0x011a4be2
0x011a4bea
0x011a4e5a
0x011a4e5f
0x00000000
0x00000000
0x00000000
0x011a4e60
0x011a4e62
0x011a5194
0x011a51a6
0x011a4e68
0x011a4e68
0x011a4e6b
0x011a4e6e
0x011a4e83
0x011a4e83
0x00000000
0x011a4bfb
0x011a4bfb
0x011a4bfe
0x011a4c01
0x011a4c09
0x011a4e3c
0x011a4e42
0x00000000
0x011a4e48
0x011a4e4b
0x011a4e56
0x011a4e56
0x011a4c0f
0x011a4c12
0x011a4c1a
0x011a4e39
0x00000000
0x011a4c20
0x011a4c20
0x011a4c22
0x011a4c25
0x011a4c2b
0x011a4c2e
0x011a4c31
0x011a4c35
0x011a4c38
0x011a4c3c
0x011a4c3e
0x011a4c41
0x011a4c44
0x011a4c46
0x011a4c4d
0x011a4c5b
0x011a4c5e
0x011a4c63
0x011a4c94
0x011a4c94
0x011a4c97
0x011a4c9c
0x011a4d35
0x011a4d3b
0x011a4d6e
0x011a4d73
0x011a4d76
0x011a4d3d
0x011a4d40
0x011a4d46
0x011a4d4d
0x011a4d54
0x011a4d5a
0x011a4d60
0x011a4d66
0x011a4d66
0x011a4d7c
0x011a4d82
0x011a4d87
0x011a4dfc
0x011a4e01
0x011a4e07
0x00000000
0x011a4e0d
0x011a4e0d
0x011a4e14
0x011a4e16
0x011a4e20
0x011a4e20
0x011a4e22
0x011a4e25
0x011a4e2a
0x011a4e2d
0x011a4e30
0x00000000
0x011a4e34
0x011a4d89
0x011a4d89
0x011a4d8c
0x011a4d92
0x011a4d97
0x00000000
0x011a4d9d
0x011a4d9f
0x011a4da3
0x011a4da5
0x011a4da7
0x011a4daa
0x011a4db0
0x011a4db3
0x011a4db9
0x011a4dbc
0x011a4dbf
0x011a4dc6
0x011a4dc9
0x011a4dcb
0x011a4dcb
0x011a4dce
0x011a4dd6
0x011a4dd9
0x011a4dde
0x011a4de4
0x011a4de6
0x011a4de6
0x011a4de8
0x011a4deb
0x011a4dec
0x011a4dee
0x011a4df1
0x011a4bac
0x011a4bac
0x011a4bac
0x00000000
0x011a4dde
0x011a4d97
0x011a4ca2
0x011a4ca8
0x011a4cad
0x00000000
0x011a4cb3
0x011a4cb3
0x011a4cb8
0x011a4cba
0x011a4cbf
0x011a4cdc
0x011a4cde
0x011a4ce6
0x011a4ceb
0x011a4cee
0x011a4cf1
0x011a4cfa
0x011a4d26
0x011a4d2b
0x011a4d2e
0x00000000
0x00000000
0x00000000
0x00000000
0x011a4cc1
0x011a4cc8
0x011a4ccc
0x011a4cd1
0x011a4cd4
0x011a4bb2
0x011a4bb2
0x011a4bb2
0x011a4bb5
0x011a4bb6
0x011a4bb9
0x011a4bbf
0x00000000
0x011a4bc1
0x011a4bc4
0x00000000
0x011a4bbf
0x011a4cfc
0x011a4cfc
0x011a4cfe
0x011a4d06
0x011a4d09
0x011a4d11
0x011a4d11
0x011a4d13
0x011a4d16
0x011a4d18
0x011a4d19
0x011a4d1a
0x011a4baf
0x011a4baf
0x00000000
0x011a4baf
0x00000000
0x011a4cbf
0x011a4cad
0x011a4c65
0x011a4c6b
0x011a4c70
0x011a4c70
0x011a4c73
0x011a4c77
0x00000000
0x00000000
0x011a4c7d
0x011a4c84
0x00000000
0x011a4c86
0x011a4c8b
0x00000000
0x011a4c91
0x011a4c91
0x00000000
0x011a4c91
0x011a4c8b
0x00000000
0x011a4c84
0x00000000
0x011a4c70
0x00000000
0x00000000
0x00000000
0x011a4c4d
0x011a4c1a
0x00000000
0x011a4c09
0x011a4b75
0x011a4b75
0x011a4b78
0x011a4bab
0x011a4b81
0x011a4b95
0x011a4b95
0x011a4b78
0x011a4b73
0x00000000

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2c024283814188a45dfbeb13a8cfabba50d56389424125485d1ae89a6ba6b51
Instruction ID: 0e24fd1572a7ab88b018347b07411a0094d6281a919661d78f9430719f45bcbf
Opcode Fuzzy Hash: c2c024283814188a45dfbeb13a8cfabba50d56389424125485d1ae89a6ba6b51
Instruction Fuzzy Hash: 5732A076E002168FCB19CFACC8805ACFFF2BF85314B698269D459EB745D771A946CB80

Uniqueness

Uniqueness Score: -1.00%

Function 012F7EE8 Relevance: .2, Instructions: 237
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 83%

			E012F7EE8(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _t52;
				signed int _t54;
				signed int _t55;
				void* _t56;
				signed char _t60;
				signed char _t62;
				signed int _t64;
				void* _t65;
				signed int _t66;
				signed char _t75;
				signed char _t78;
				void* _t86;
				void* _t88;
				signed char _t90;
				signed char _t92;
				signed int _t93;
				signed int _t96;
				signed int _t98;
				signed int _t99;
				signed int _t103;
				signed int* _t104;
				void* _t106;
				signed int _t112;
				unsigned int _t114;
				signed char _t116;
				void* _t124;
				unsigned int _t125;
				void* _t126;
				signed int _t127;
				short _t128;
				void* _t131;
				void* _t133;
				void* _t135;
				signed int _t136;
				void* _t137;
				void* _t139;
				void* _t140;

				_t126 = __edi;
				_t52 =  *0x139eff4; // 0xdde28b47
				_v8 = _t52 ^ _t136;
				_t135 = __ecx;
				_t103 = 0;
				_t124 = 0x41;
				_t54 =  *(__ecx + 0x32) & 0x0000ffff;
				_t106 = 0x58;
				_t139 = _t54 - 0x64;
				if(_t139 > 0) {
					__eflags = _t54 - 0x70;
					if(__eflags > 0) {
						_t55 = _t54 - 0x73;
						__eflags = _t55;
						if(_t55 == 0) {
							L9:
							_t56 = E012F891A(_t135);
							L10:
							if(_t56 != 0) {
								__eflags =  *((intOrPtr*)(_t135 + 0x30)) - _t103;
								if( *((intOrPtr*)(_t135 + 0x30)) != _t103) {
									L71:
									L72:
									return E012E980C(_v8 ^ _t136);
								}
								_t125 =  *(_t135 + 0x20);
								_push(_t126);
								_v16 = _t103;
								_t60 = _t125 >> 4;
								_v12 = _t103;
								_t127 = 0x20;
								__eflags = 1 & _t60;
								if((1 & _t60) == 0) {
									L46:
									_t112 =  *(_t135 + 0x32) & 0x0000ffff;
									__eflags = _t112 - 0x78;
									if(_t112 == 0x78) {
										L48:
										_t62 = _t125 >> 5;
										__eflags = _t62 & 0x00000001;
										if((_t62 & 0x00000001) == 0) {
											L50:
											__eflags = 0;
											L51:
											__eflags = _t112 - 0x61;
											if(_t112 == 0x61) {
												L54:
												_t64 = 1;
												L55:
												_t128 = 0x30;
												__eflags = _t64;
												if(_t64 != 0) {
													L57:
													_t65 = 0x58;
													 *((short*)(_t136 + _t103 * 2 - 0xc)) = _t128;
													__eflags = _t112 - _t65;
													if(_t112 == _t65) {
														L60:
														_t66 = 1;
														L61:
														__eflags = _t66;
														asm("cbw");
														 *((short*)(_t136 + _t103 * 2 - 0xa)) = ((_t66 & 0xffffff00 | _t66 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x78;
														_t103 = _t103 + 2;
														__eflags = _t103;
														L62:
														_t131 =  *((intOrPtr*)(_t135 + 0x24)) -  *((intOrPtr*)(_t135 + 0x38)) - _t103;
														__eflags = _t125 & 0x0000000c;
														if((_t125 & 0x0000000c) == 0) {
															E012F6A10(_t135 + 0x448, 0x20, _t131, _t135 + 0x18);
															_t137 = _t137 + 0x10;
														}
														E012F8E68(_t135 + 0x448,  &_v16, _t103, _t135 + 0x18,  *((intOrPtr*)(_t135 + 0xc)));
														_t114 =  *(_t135 + 0x20);
														_t104 = _t135 + 0x18;
														_t75 = _t114 >> 3;
														__eflags = _t75 & 0x00000001;
														if((_t75 & 0x00000001) != 0) {
															_t116 = _t114 >> 2;
															__eflags = _t116 & 0x00000001;
															if((_t116 & 0x00000001) == 0) {
																E012F6A10(_t135 + 0x448, 0x30, _t131, _t104);
																_t137 = _t137 + 0x10;
															}
														}
														E012F8CC0(_t135, 0);
														__eflags =  *_t104;
														if( *_t104 >= 0) {
															_t78 =  *(_t135 + 0x20) >> 2;
															__eflags = _t78 & 0x00000001;
															if((_t78 & 0x00000001) != 0) {
																E012F6A10(_t135 + 0x448, 0x20, _t131, _t104);
															}
														}
														goto L71;
													}
													_t86 = 0x41;
													__eflags = _t112 - _t86;
													if(_t112 == _t86) {
														goto L60;
													}
													_t66 = 0;
													goto L61;
												}
												__eflags = _t64;
												if(_t64 == 0) {
													goto L62;
												}
												goto L57;
											}
											_t133 = 0x41;
											__eflags = _t112 - _t133;
											if(_t112 == _t133) {
												goto L54;
											}
											_t64 = 0;
											goto L55;
										}
										goto L51;
									}
									_t88 = 0x58;
									__eflags = _t112 - _t88;
									if(_t112 != _t88) {
										goto L50;
									}
									goto L48;
								}
								_t90 = _t125 >> 6;
								__eflags = 1 & _t90;
								if((1 & _t90) == 0) {
									__eflags = 1 & _t125;
									if((1 & _t125) == 0) {
										_t92 = _t125 >> 1;
										__eflags = 1 & _t92;
										if((1 & _t92) == 0) {
											goto L46;
										}
										_v16 = _t127;
										L45:
										_t103 = 1;
										goto L46;
									}
									_push(0x2b);
									L40:
									_pop(_t93);
									_v16 = _t93;
									goto L45;
								}
								_push(0x2d);
								goto L40;
							}
							L11:
							goto L72;
						}
						_t96 = _t55;
						__eflags = _t96;
						if(__eflags == 0) {
							L28:
							_push(_t103);
							_push(0xa);
							L29:
							_t56 = E012F86B2(_t135, _t126, __eflags);
							goto L10;
						}
						__eflags = _t96 - 3;
						if(__eflags != 0) {
							goto L11;
						}
						_push(0);
						L13:
						_push(0x10);
						goto L29;
					}
					if(__eflags == 0) {
						_t56 = E012F888F(__ecx);
						goto L10;
					}
					__eflags = _t54 - 0x67;
					if(_t54 <= 0x67) {
						L30:
						_t56 = E012F8418(_t103, _t135);
						goto L10;
					}
					__eflags = _t54 - 0x69;
					if(_t54 == 0x69) {
						L27:
						_t3 = _t135 + 0x20;
						 *_t3 =  *(_t135 + 0x20) | 0x00000010;
						__eflags =  *_t3;
						goto L28;
					}
					__eflags = _t54 - 0x6e;
					if(_t54 == 0x6e) {
						_t56 = E012F87FC(__ecx, _t124);
						goto L10;
					}
					__eflags = _t54 - 0x6f;
					if(_t54 != 0x6f) {
						goto L11;
					}
					_t56 = E012F8870(__ecx);
					goto L10;
				}
				if(_t139 == 0) {
					goto L27;
				}
				_t140 = _t54 - _t106;
				if(_t140 > 0) {
					_t98 = _t54 - 0x5a;
					__eflags = _t98;
					if(_t98 == 0) {
						_t56 = E012F825B(__ecx);
						goto L10;
					}
					_t99 = _t98 - 7;
					__eflags = _t99;
					if(_t99 == 0) {
						goto L30;
					}
					__eflags = _t99;
					if(__eflags != 0) {
						goto L11;
					}
					L17:
					_t56 = E012F861A(_t135, __eflags, _t103);
					goto L10;
				}
				if(_t140 == 0) {
					_push(1);
					goto L13;
				}
				if(_t54 == _t124) {
					goto L30;
				}
				if(_t54 == 0x43) {
					goto L17;
				}
				if(_t54 <= 0x44) {
					goto L11;
				}
				if(_t54 <= 0x47) {
					goto L30;
				}
				if(_t54 != 0x53) {
					goto L11;
				}
				goto L9;
			}

0x012f7ee8
0x012f7ef0
0x012f7ef7
0x012f7efc
0x012f7efe
0x012f7f02
0x012f7f05
0x012f7f09
0x012f7f0a
0x012f7f0d
0x012f7f7a
0x012f7f7d
0x012f7fcc
0x012f7fcc
0x012f7fcf
0x012f7f3b
0x012f7f3d
0x012f7f42
0x012f7f44
0x012f7fea
0x012f7fed
0x012f8133
0x012f8135
0x012f8144
0x012f8144
0x012f7ff3
0x012f7ff8
0x012f7ffb
0x012f7ffe
0x012f8002
0x012f8008
0x012f8009
0x012f800b
0x012f8035
0x012f8035
0x012f8039
0x012f803c
0x012f8046
0x012f8048
0x012f804b
0x012f804d
0x012f8053
0x012f8053
0x012f8055
0x012f8055
0x012f8058
0x012f8066
0x012f8066
0x012f8068
0x012f806a
0x012f806b
0x012f806d
0x012f8073
0x012f8075
0x012f8076
0x012f807b
0x012f807e
0x012f808c
0x012f808c
0x012f808e
0x012f808e
0x012f8099
0x012f809b
0x012f80a0
0x012f80a0
0x012f80a3
0x012f80a9
0x012f80ab
0x012f80ae
0x012f80be
0x012f80c3
0x012f80c3
0x012f80d8
0x012f80dd
0x012f80e0
0x012f80e5
0x012f80e8
0x012f80ea
0x012f80ec
0x012f80ef
0x012f80f2
0x012f80ff
0x012f8104
0x012f8104
0x012f80f2
0x012f810b
0x012f8110
0x012f8113
0x012f8118
0x012f811b
0x012f811d
0x012f812a
0x012f812f
0x012f811d
0x00000000
0x012f8132
0x012f8082
0x012f8083
0x012f8086
0x00000000
0x00000000
0x012f8088
0x00000000
0x012f8088
0x012f806f
0x012f8071
0x00000000
0x00000000
0x00000000
0x012f8071
0x012f805c
0x012f805d
0x012f8060
0x00000000
0x00000000
0x012f8062
0x00000000
0x012f8062
0x00000000
0x012f804f
0x012f8040
0x012f8041
0x012f8044
0x00000000
0x00000000
0x00000000
0x012f8044
0x012f800f
0x012f8012
0x012f8014
0x012f801f
0x012f8021
0x012f8029
0x012f802b
0x012f802d
0x00000000
0x00000000
0x012f802f
0x012f8033
0x012f8033
0x00000000
0x012f8033
0x012f8023
0x012f8018
0x012f8018
0x012f8019
0x00000000
0x012f8019
0x012f8016
0x00000000
0x012f8016
0x012f7f4a
0x00000000
0x012f7f4a
0x012f7fd6
0x012f7fd6
0x012f7fd9
0x012f7fab
0x012f7fab
0x012f7fac
0x012f7fae
0x012f7fb0
0x00000000
0x012f7fb0
0x012f7fdb
0x012f7fde
0x00000000
0x00000000
0x012f7fe4
0x012f7f53
0x012f7f53
0x00000000
0x012f7f53
0x012f7f7f
0x012f7fc2
0x00000000
0x012f7fc2
0x012f7f81
0x012f7f84
0x012f7fb7
0x012f7fb9
0x00000000
0x012f7fb9
0x012f7f86
0x012f7f89
0x012f7fa7
0x012f7fa7
0x012f7fa7
0x012f7fa7
0x00000000
0x012f7fa7
0x012f7f8b
0x012f7f8e
0x012f7fa0
0x00000000
0x012f7fa0
0x012f7f90
0x012f7f93
0x00000000
0x00000000
0x012f7f97
0x00000000
0x012f7f97
0x012f7f0f
0x00000000
0x00000000
0x012f7f15
0x012f7f17
0x012f7f57
0x012f7f57
0x012f7f5a
0x012f7f73
0x00000000
0x012f7f73
0x012f7f5c
0x012f7f5c
0x012f7f5f
0x00000000
0x00000000
0x012f7f62
0x012f7f65
0x00000000
0x00000000
0x012f7f67
0x012f7f6a
0x00000000
0x012f7f6a
0x012f7f19
0x012f7f51
0x00000000
0x012f7f51
0x012f7f1d
0x00000000
0x00000000
0x012f7f26
0x00000000
0x00000000
0x012f7f2b
0x00000000
0x00000000
0x012f7f30
0x00000000
0x00000000
0x012f7f39
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3931a301f28872e3db92e29d63ee239370fbe5cb11989d2a53b4dd970efc44f5
Instruction ID: 1716f910d9b7a18f4cb20fdb93aed7c234945ca69277564669716eb809434b40
Opcode Fuzzy Hash: 3931a301f28872e3db92e29d63ee239370fbe5cb11989d2a53b4dd970efc44f5
Instruction Fuzzy Hash: 4561863163060B67FE389E2CC891BBEF394EB11740F840A3EE782DB290D652D9468765

Uniqueness

Uniqueness Score: -1.00%

Function 01178C00 Relevance: .2, Instructions: 169
COMMONCrypto

Download Yara Rule

C-Code - Quality: 79%

			E01178C00(void* __ecx, unsigned int _a4, signed char* _a8, intOrPtr _a12) {
				signed char _v8;
				intOrPtr _t149;

				if(_a8 != 0) {
					if(1 == 0) {
						_a4 = _a4 ^ 0xffffffff;
						while(_a12 >= 8) {
							_t17 = (( *_a8 & 0x000000ff ^ _a4) & 0x000000ff) * 4; // 0x0
							_a4 = _a4 >> 0x00000008 ^  *(0 + _t17 + 0x136ed48);
							_a8 =  &(_a8[1]);
							_t26 = (( *_a8 & 0x000000ff ^ _a4) & 0x000000ff) * 4; // 0x0
							_a4 = _a4 >> 0x00000008 ^  *(0 + _t26 + 0x136ed48);
							_a8 =  &(_a8[1]);
							_t35 = (( *_a8 & 0x000000ff ^ _a4) & 0x000000ff) * 4; // 0x0
							_a4 = _a4 >> 0x00000008 ^  *(0 + _t35 + 0x136ed48);
							_a8 =  &(_a8[1]);
							_t44 = (( *_a8 & 0x000000ff ^ _a4) & 0x000000ff) * 4; // 0x0
							_a4 = _a4 >> 0x00000008 ^  *(0 + _t44 + 0x136ed48);
							_a8 =  &(_a8[1]);
							_t53 = (( *_a8 & 0x000000ff ^ _a4) & 0x000000ff) * 4; // 0x0
							_a4 = _a4 >> 0x00000008 ^  *(0 + _t53 + 0x136ed48);
							_a8 =  &(_a8[1]);
							_t62 = (( *_a8 & 0x000000ff ^ _a4) & 0x000000ff) * 4; // 0x0
							_a4 = _a4 >> 0x00000008 ^  *(0 + _t62 + 0x136ed48);
							_a8 =  &(_a8[1]);
							_t71 = (( *_a8 & 0x000000ff ^ _a4) & 0x000000ff) * 4; // 0x0
							_a4 = _a4 >> 0x00000008 ^  *(0 + _t71 + 0x136ed48);
							_a8 =  &(_a8[1]);
							_t80 = (( *_a8 & 0x000000ff ^ _a4) & 0x000000ff) * 4; // 0x0
							_a4 = _a4 >> 0x00000008 ^  *(0 + _t80 + 0x136ed48);
							_a8 =  &(_a8[1]);
							_a12 = _a12 - 8;
						}
						if(_a12 == 0) {
							L11:
							return _a4 ^ 0xffffffff;
						} else {
							goto L10;
						}
						do {
							L10:
							_t92 = (( *_a8 & 0x000000ff ^ _a4) & 0x000000ff) * 4; // 0x0
							_a4 = _a4 >> 0x00000008 ^  *(0 + _t92 + 0x136ed48);
							_a8 =  &(_a8[1]);
							_t149 = _a12 - 1;
							_a12 = _t149;
						} while (_t149 != 0);
						goto L11;
					}
					_v8 = 1;
					if((_v8 & 0x000000ff) == 0) {
						return E01179380(_a4, _a8, _a12);
					}
					return E01178E50(_a4, _a8, _a12);
				}
				return 0;
			}

0x01178c08
0x01178c18
0x01178c63
0x01178c66
0x01178c8c
0x01178c93
0x01178c9c
0x01178cbc
0x01178cc3
0x01178ccc
0x01178cec
0x01178cf3
0x01178cfc
0x01178d1b
0x01178d22
0x01178d2b
0x01178d4b
0x01178d52
0x01178d5b
0x01178d7b
0x01178d82
0x01178d8b
0x01178daa
0x01178db1
0x01178dba
0x01178dda
0x01178de1
0x01178dea
0x01178df3
0x01178df3
0x01178dff
0x01178e3b
0x00000000
0x00000000
0x00000000
0x00000000
0x01178e01
0x01178e01
0x01178e1d
0x01178e24
0x01178e2d
0x01178e33
0x01178e36
0x01178e36
0x00000000
0x01178e01
0x01178c1a
0x01178c27
0x00000000
0x01178c55
0x00000000
0x01178c3a
0x00000000

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2904da5caa5062c2d1f3b086b52c0c04a3c3fcf70ed22f4c9fa8d4ebad666af8
Instruction ID: 710f7eb36b922aa45ba794bf622819819cd3e6c5b342f0c07f58647aaf7ff234
Opcode Fuzzy Hash: 2904da5caa5062c2d1f3b086b52c0c04a3c3fcf70ed22f4c9fa8d4ebad666af8
Instruction Fuzzy Hash: 75710871100149AFDB08DF2DC895AAA7BA2EF84354F14C12DFE298F685C339E691DF90

Uniqueness

Uniqueness Score: -1.00%

Function 011FAD55 Relevance: 66.7, APIs: 19, Strings: 19, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E011FAD55(void* __ecx) {
				void* _t39;
				intOrPtr _t40;
				void* _t41;
				intOrPtr _t42;
				void* _t43;
				intOrPtr _t44;
				void* _t45;
				intOrPtr _t46;
				void* _t47;
				intOrPtr _t48;
				void* _t49;
				intOrPtr _t50;
				void* _t51;
				intOrPtr _t52;
				void* _t53;
				intOrPtr _t54;
				void* _t55;
				intOrPtr _t56;
				void* _t57;
				intOrPtr _t58;
				void* _t59;
				intOrPtr _t60;
				void* _t61;
				intOrPtr _t62;
				void* _t63;
				intOrPtr _t64;
				void* _t65;
				intOrPtr _t66;
				void* _t67;
				intOrPtr _t68;
				void* _t69;
				intOrPtr _t70;
				void* _t71;
				intOrPtr _t72;
				void* _t73;
				intOrPtr _t74;
				intOrPtr _t75;
				void* _t77;
				intOrPtr _t78;

				_t77 = __ecx;
				_t39 = E01168AF0();
				_t78 = 0;
				if(_t39 != 0) {
					_t40 =  *((intOrPtr*)(_t39 + 0x20));
				} else {
					_t40 = 0;
				}
				__imp__OpenThemeData(_t40, L"WINDOW");
				 *((intOrPtr*)(_t77 + 4)) = _t40;
				_t41 = E01168AF0();
				if(_t41 != 0) {
					_t42 =  *((intOrPtr*)(_t41 + 0x20));
				} else {
					_t42 = _t78;
				}
				__imp__OpenThemeData(_t42, L"TOOLBAR");
				 *((intOrPtr*)(_t77 + 8)) = _t42;
				_t43 = E01168AF0();
				if(_t43 != 0) {
					_t44 =  *((intOrPtr*)(_t43 + 0x20));
				} else {
					_t44 = _t78;
				}
				__imp__OpenThemeData(_t44, L"BUTTON");
				 *((intOrPtr*)(_t77 + 0x10)) = _t44;
				_t45 = E01168AF0();
				if(_t45 != 0) {
					_t46 =  *((intOrPtr*)(_t45 + 0x20));
				} else {
					_t46 = _t78;
				}
				__imp__OpenThemeData(_t46, L"STATUS");
				 *((intOrPtr*)(_t77 + 0x14)) = _t46;
				_t47 = E01168AF0();
				if(_t47 != 0) {
					_t48 =  *((intOrPtr*)(_t47 + 0x20));
				} else {
					_t48 = _t78;
				}
				__imp__OpenThemeData(_t48, L"REBAR");
				 *((intOrPtr*)(_t77 + 0xc)) = _t48;
				_t49 = E01168AF0();
				if(_t49 != 0) {
					_t50 =  *((intOrPtr*)(_t49 + 0x20));
				} else {
					_t50 = _t78;
				}
				__imp__OpenThemeData(_t50, L"COMBOBOX");
				 *((intOrPtr*)(_t77 + 0x18)) = _t50;
				_t51 = E01168AF0();
				if(_t51 != 0) {
					_t52 =  *((intOrPtr*)(_t51 + 0x20));
				} else {
					_t52 = _t78;
				}
				__imp__OpenThemeData(_t52, L"PROGRESS");
				 *((intOrPtr*)(_t77 + 0x1c)) = _t52;
				_t53 = E01168AF0();
				if(_t53 != 0) {
					_t54 =  *((intOrPtr*)(_t53 + 0x20));
				} else {
					_t54 = _t78;
				}
				__imp__OpenThemeData(_t54, L"HEADER");
				 *((intOrPtr*)(_t77 + 0x20)) = _t54;
				_t55 = E01168AF0();
				if(_t55 != 0) {
					_t56 =  *((intOrPtr*)(_t55 + 0x20));
				} else {
					_t56 = _t78;
				}
				__imp__OpenThemeData(_t56, L"SCROLLBAR");
				 *((intOrPtr*)(_t77 + 0x24)) = _t56;
				_t57 = E01168AF0();
				if(_t57 != 0) {
					_t58 =  *((intOrPtr*)(_t57 + 0x20));
				} else {
					_t58 = _t78;
				}
				__imp__OpenThemeData(_t58, L"EXPLORERBAR");
				 *((intOrPtr*)(_t77 + 0x28)) = _t58;
				_t59 = E01168AF0();
				if(_t59 != 0) {
					_t60 =  *((intOrPtr*)(_t59 + 0x20));
				} else {
					_t60 = _t78;
				}
				__imp__OpenThemeData(_t60, L"TREEVIEW");
				 *((intOrPtr*)(_t77 + 0x2c)) = _t60;
				_t61 = E01168AF0();
				if(_t61 != 0) {
					_t62 =  *((intOrPtr*)(_t61 + 0x20));
				} else {
					_t62 = _t78;
				}
				__imp__OpenThemeData(_t62, L"STARTPANEL");
				 *((intOrPtr*)(_t77 + 0x30)) = _t62;
				_t63 = E01168AF0();
				if(_t63 != 0) {
					_t64 =  *((intOrPtr*)(_t63 + 0x20));
				} else {
					_t64 = _t78;
				}
				__imp__OpenThemeData(_t64, L"TASKBAND");
				 *((intOrPtr*)(_t77 + 0x34)) = _t64;
				_t65 = E01168AF0();
				if(_t65 != 0) {
					_t66 =  *((intOrPtr*)(_t65 + 0x20));
				} else {
					_t66 = _t78;
				}
				__imp__OpenThemeData(_t66, L"TASKBAR");
				 *((intOrPtr*)(_t77 + 0x38)) = _t66;
				_t67 = E01168AF0();
				if(_t67 != 0) {
					_t68 =  *((intOrPtr*)(_t67 + 0x20));
				} else {
					_t68 = _t78;
				}
				__imp__OpenThemeData(_t68, L"SPIN");
				 *((intOrPtr*)(_t77 + 0x3c)) = _t68;
				_t69 = E01168AF0();
				if(_t69 != 0) {
					_t70 =  *((intOrPtr*)(_t69 + 0x20));
				} else {
					_t70 = _t78;
				}
				__imp__OpenThemeData(_t70, L"TAB");
				 *((intOrPtr*)(_t77 + 0x40)) = _t70;
				_t71 = E01168AF0();
				if(_t71 != 0) {
					_t72 =  *((intOrPtr*)(_t71 + 0x20));
				} else {
					_t72 = _t78;
				}
				__imp__OpenThemeData(_t72, L"TOOLTIP");
				 *((intOrPtr*)(_t77 + 0x44)) = _t72;
				_t73 = E01168AF0();
				if(_t73 != 0) {
					_t74 =  *((intOrPtr*)(_t73 + 0x20));
				} else {
					_t74 = _t78;
				}
				__imp__OpenThemeData(_t74, L"TRACKBAR");
				 *((intOrPtr*)(_t77 + 0x48)) = _t74;
				_t75 = E01168AF0();
				if(_t75 != 0) {
					_t78 =  *((intOrPtr*)(_t75 + 0x20));
				}
				__imp__OpenThemeData(_t78, L"MENU");
				 *((intOrPtr*)(_t77 + 0x4c)) = _t75;
				return _t75;
			}

0x011fad57
0x011fad59
0x011fad5e
0x011fad62
0x011fad68
0x011fad64
0x011fad64
0x011fad64
0x011fad71
0x011fad77
0x011fad7a
0x011fad81
0x011fad87
0x011fad83
0x011fad83
0x011fad83
0x011fad90
0x011fad96
0x011fad99
0x011fada0
0x011fada6
0x011fada2
0x011fada2
0x011fada2
0x011fadaf
0x011fadb5
0x011fadb8
0x011fadbf
0x011fadc5
0x011fadc1
0x011fadc1
0x011fadc1
0x011fadce
0x011fadd4
0x011fadd7
0x011fadde
0x011fade4
0x011fade0
0x011fade0
0x011fade0
0x011faded
0x011fadf3
0x011fadf6
0x011fadfd
0x011fae03
0x011fadff
0x011fadff
0x011fadff
0x011fae0c
0x011fae12
0x011fae15
0x011fae1c
0x011fae22
0x011fae1e
0x011fae1e
0x011fae1e
0x011fae2b
0x011fae31
0x011fae34
0x011fae3b
0x011fae41
0x011fae3d
0x011fae3d
0x011fae3d
0x011fae4a
0x011fae50
0x011fae53
0x011fae5a
0x011fae60
0x011fae5c
0x011fae5c
0x011fae5c
0x011fae69
0x011fae6f
0x011fae72
0x011fae79
0x011fae7f
0x011fae7b
0x011fae7b
0x011fae7b
0x011fae88
0x011fae8e
0x011fae91
0x011fae98
0x011fae9e
0x011fae9a
0x011fae9a
0x011fae9a
0x011faea7
0x011faead
0x011faeb0
0x011faeb7
0x011faebd
0x011faeb9
0x011faeb9
0x011faeb9
0x011faec6
0x011faecc
0x011faecf
0x011faed6
0x011faedc
0x011faed8
0x011faed8
0x011faed8
0x011faee5
0x011faeeb
0x011faeee
0x011faef5
0x011faefb
0x011faef7
0x011faef7
0x011faef7
0x011faf04
0x011faf0a
0x011faf0d
0x011faf14
0x011faf1a
0x011faf16
0x011faf16
0x011faf16
0x011faf23
0x011faf29
0x011faf2c
0x011faf33
0x011faf39
0x011faf35
0x011faf35
0x011faf35
0x011faf42
0x011faf48
0x011faf4b
0x011faf52
0x011faf58
0x011faf54
0x011faf54
0x011faf54
0x011faf61
0x011faf67
0x011faf6a
0x011faf71
0x011faf77
0x011faf73
0x011faf73
0x011faf73
0x011faf80
0x011faf86
0x011faf89
0x011faf90
0x011faf92
0x011faf92
0x011faf9b
0x011fafa1
0x011fafa6

APIs

OpenThemeData.UXTHEME(?,WINDOW,000000FF,?,011F2E4A,?,011F2E99,00000004,011C53C3,00000000,00000004,011F285A), ref: 011FAD71
OpenThemeData.UXTHEME(?,TOOLBAR,?,011F2E4A,?,011F2E99,00000004,011C53C3,00000000,00000004,011F285A), ref: 011FAD90
OpenThemeData.UXTHEME(?,BUTTON,?,011F2E4A,?,011F2E99,00000004,011C53C3,00000000,00000004,011F285A), ref: 011FADAF
OpenThemeData.UXTHEME(?,STATUS,?,011F2E4A,?,011F2E99,00000004,011C53C3,00000000,00000004,011F285A), ref: 011FADCE
OpenThemeData.UXTHEME(?,REBAR,?,011F2E4A,?,011F2E99,00000004,011C53C3,00000000,00000004,011F285A), ref: 011FADED
OpenThemeData.UXTHEME(?,COMBOBOX,?,011F2E4A,?,011F2E99,00000004,011C53C3,00000000,00000004,011F285A), ref: 011FAE0C
OpenThemeData.UXTHEME(?,PROGRESS,?,011F2E4A,?,011F2E99,00000004,011C53C3,00000000,00000004,011F285A), ref: 011FAE2B
OpenThemeData.UXTHEME(?,HEADER,?,011F2E4A,?,011F2E99,00000004,011C53C3,00000000,00000004,011F285A), ref: 011FAE4A
OpenThemeData.UXTHEME(?,SCROLLBAR,?,011F2E4A,?,011F2E99,00000004,011C53C3,00000000,00000004,011F285A), ref: 011FAE69
OpenThemeData.UXTHEME(?,EXPLORERBAR,?,011F2E4A,?,011F2E99,00000004,011C53C3,00000000,00000004,011F285A), ref: 011FAE88
OpenThemeData.UXTHEME(?,TREEVIEW,?,011F2E4A,?,011F2E99,00000004,011C53C3,00000000,00000004,011F285A), ref: 011FAEA7
OpenThemeData.UXTHEME(?,STARTPANEL,?,011F2E4A,?,011F2E99,00000004,011C53C3,00000000,00000004,011F285A), ref: 011FAEC6
OpenThemeData.UXTHEME(?,TASKBAND,?,011F2E4A,?,011F2E99,00000004,011C53C3,00000000,00000004,011F285A), ref: 011FAEE5
OpenThemeData.UXTHEME(?,TASKBAR,?,011F2E4A,?,011F2E99,00000004,011C53C3,00000000,00000004,011F285A), ref: 011FAF04
OpenThemeData.UXTHEME(?,SPIN,?,011F2E4A,?,011F2E99,00000004,011C53C3,00000000,00000004,011F285A), ref: 011FAF23
OpenThemeData.UXTHEME(?,TAB,?,011F2E4A,?,011F2E99,00000004,011C53C3,00000000,00000004,011F285A), ref: 011FAF42
OpenThemeData.UXTHEME(?,TOOLTIP,?,011F2E4A,?,011F2E99,00000004,011C53C3,00000000,00000004,011F285A), ref: 011FAF61
OpenThemeData.UXTHEME(?,TRACKBAR,?,011F2E4A,?,011F2E99,00000004,011C53C3,00000000,00000004,011F285A), ref: 011FAF80
OpenThemeData.UXTHEME(00000000,MENU,?,011F2E4A,?,011F2E99,00000004,011C53C3,00000000,00000004,011F285A), ref: 011FAF9B

Strings

TRACKBAR, xrefs: 011FAF7A
COMBOBOX, xrefs: 011FAE06
TAB, xrefs: 011FAF3C
TASKBAND, xrefs: 011FAEDF
TOOLTIP, xrefs: 011FAF5B
BUTTON, xrefs: 011FADA9
HEADER, xrefs: 011FAE44
REBAR, xrefs: 011FADE7
TREEVIEW, xrefs: 011FAEA1
MENU, xrefs: 011FAF95
STARTPANEL, xrefs: 011FAEC0
PROGRESS, xrefs: 011FAE25
TOOLBAR, xrefs: 011FAD8A
WINDOW, xrefs: 011FAD6B
SCROLLBAR, xrefs: 011FAE63
TASKBAR, xrefs: 011FAEFE
SPIN, xrefs: 011FAF1D
STATUS, xrefs: 011FADC8
EXPLORERBAR, xrefs: 011FAE82

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: DataOpenTheme
String ID: BUTTON$COMBOBOX$EXPLORERBAR$HEADER$MENU$PROGRESS$REBAR$SCROLLBAR$SPIN$STARTPANEL$STATUS$TAB$TASKBAND$TASKBAR$TOOLBAR$TOOLTIP$TRACKBAR$TREEVIEW$WINDOW
API String ID: 1744092376-1233129369
Opcode ID: 9fb45615285c4f92d3177ec132e9f18b3133adc603f8d64731919e7331cfe9c9
Instruction ID: b0834dd8915d49b1406a6266be9a5bc7e03349a817bbd83c45739230d430bcfb
Opcode Fuzzy Hash: 9fb45615285c4f92d3177ec132e9f18b3133adc603f8d64731919e7331cfe9c9
Instruction Fuzzy Hash: FE6145B5B403219BC7297FB9A949C1D7AACBF1C745701097CFA4ACB342E7B8D4118B45

Uniqueness

Uniqueness Score: -1.00%

Function 011431F0 Relevance: 35.3, APIs: 10, Strings: 10, Instructions: 270
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E011431F0(void* __ebx, void* __edi, intOrPtr* _a4, char* _a8, char* _a12, intOrPtr _a16) {
				signed int _v8;
				intOrPtr _v36;
				char _v56;
				char* _v60;
				intOrPtr _v64;
				signed int _v68;
				signed int _v72;
				signed int _t66;
				void* _t71;
				signed int _t73;
				intOrPtr _t98;
				intOrPtr _t104;
				void* _t130;
				signed int _t131;
				void* _t132;
				void* _t133;
				void* _t134;

				_t130 = __edi;
				_t66 =  *0x139eff4; // 0xdde28b47
				_v8 = _t66 ^ _t131;
				if(_a8 == 0 ||  *_a8 == 0) {
					_a8 = "-";
					_v64 = 0;
					goto L5;
				} else {
					_t104 = E01309FB0(_a8, 0x8000, 0);
					_t132 = _t132 + 0xc;
					_v64 = _t104;
					if(_v64 != 0xffffffff) {
						L5:
						if(_a16 == 0) {
							if(_a12 == 0 ||  *_a12 == 0) {
								_a12 = "-";
								_v60 = 1;
								goto L12;
							} else {
								_t98 = E01309FB0(_a12, 0x8301, 0x1b6);
								_t132 = _t132 + 0xc;
								_v60 = _t98;
								if(_v60 != 0xffffffff) {
									L12:
									 *((intOrPtr*)(E012F9217())) = 0;
									E01141BE0(_t68);
									_t71 = E01143560(_a8,  &_v56);
									_t133 = _t132 + 8;
									if(_t71 >= 0) {
										 *0x13bd3c4 = _v36;
										_t73 = E01142510(_t130, _a4, _v64, _v60);
										_t134 = _t133 + 0xc;
										_v72 = _t73;
										if(_v60 > 2) {
											E0130A40C(_v60);
											_t134 = _t134 + 4;
										}
										if(_v64 > 2) {
											E0130A40C(_v64);
											_t134 = _t134 + 4;
										}
										_v68 = _v72;
										_v68 = _v68 + 5;
										if(_v68 > 5) {
											L40:
											if(_v60 > 2) {
												_push(_a12);
												E0130A527();
												_t134 = _t134 + 4;
											}
											_push("gun internal error--aborting\n");
											_push(E012F90D4(2));
											E011435C0();
											goto L44;
										} else {
											switch( *((intOrPtr*)(_v68 * 4 +  &M01143544))) {
												case 0:
													if(_v60 > 2) {
														_push(_a12);
														__eax = E0130A527();
														__esp = __esp + 4;
													}
													__eax = _a4;
													if( *_a4 == 0) {
														if( *((intOrPtr*)(E012F9217())) == 0) {
															E012F90D4(2) = E011435C0(__eax, "gun unexpected end of file on %s\n", _a8);
														} else {
															__eax = E012F9217();
															_push(__eax);
															__eax = E012F9B15(__ebx, __edi);
															__esp = __esp + 4;
															_push(__eax);
															__ecx = _a8;
															E012F90D4(2) = E011435C0(__eax, "gun read error on %s: %s\n", _a8);
														}
													} else {
														__eax = E012F9217();
														__ecx =  *__eax;
														_push( *__eax);
														__eax = E012F9B15(__ebx, __edi);
														__esp = __esp + 4;
														_push(__eax);
														E012F90D4(2) = E011435C0(__eax, "gun write error on %s: %s\n", _a12);
													}
													goto L43;
												case 1:
													if(_v60 > 2) {
														__ecx = _a12;
														_push(_a12);
														__eax = E0130A527();
														__esp = __esp + 4;
													}
													_push("gun out of memory error--aborting\n");
													_push(E012F90D4(2));
													__eax = E011435C0();
													__esp = __esp + 8;
													__eax = 1;
													goto L44;
												case 2:
													if(_v60 > 2) {
														__eax = _a12;
														_push(_a12);
														__eax = E0130A527();
														__esp = __esp + 4;
													}
													__ecx = _a4;
													_push( *((intOrPtr*)(_a4 + 0x18)));
													_a8 = E012F90D4(2);
													__eax = E011435C0(__eax, "gun data error on %s: %s\n", _a8);
													goto L43;
												case 3:
													goto L40;
												case 4:
													if(_v64 > 2 && _v60 > 2) {
														_push(_a12);
														_push(_a8);
														E011431E0(_a8);
														_push(_a8);
														E0130A527();
														_t134 = _t134 + 0xc;
													}
													if(_v72 == 0xffffffff) {
														E011435C0(E012F90D4(2), "gun warning: trailing garbage ignored in %s\n", _a8);
													}
													L43:
													L44:
													return E012E980C(_v8 ^ _t131);
											}
										}
									}
									E011435C0(E012F90D4(2), "gun cannot stat %s\n", _a8);
									E0130A40C(_v64);
									E0130A40C(_v60);
									goto L44;
								}
								E0130A40C(_v64);
								E011435C0(E012F90D4(2), "gun cannot create %s\n", _a12);
								goto L44;
							}
						}
						_v60 = 0xffffffff;
						goto L12;
					}
					E011435C0(E012F90D4(2), "gun cannot open %s\n", _a8);
					goto L44;
				}
			}

0x011431f0
0x011431f6
0x011431fd
0x01143204
0x01143210
0x01143217
0x00000000
0x01143220
0x0114322b
0x01143230
0x01143233
0x0114323a
0x0114325f
0x01143263
0x01143272
0x0114327e
0x01143285
0x00000000
0x0114328e
0x0114329c
0x011432a1
0x011432a4
0x011432ab
0x011432dc
0x011432e1
0x011432e7
0x011432f4
0x011432f9
0x011432fe
0x01143340
0x01143352
0x01143357
0x0114335a
0x01143361
0x01143367
0x0114336c
0x0114336c
0x01143373
0x01143379
0x0114337e
0x0114337e
0x01143384
0x0114338d
0x01143394
0x01143501
0x01143505
0x0114350a
0x0114350b
0x01143510
0x01143510
0x01143513
0x01143522
0x01143523
0x00000000
0x0114339a
0x0114339d
0x00000000
0x01143465
0x0114346a
0x0114346b
0x01143470
0x01143470
0x01143473
0x01143479
0x011434b2
0x011434f7
0x011434b4
0x011434b4
0x011434bb
0x011434bc
0x011434c1
0x011434c4
0x011434c5
0x011434d9
0x011434de
0x0114347b
0x0114347b
0x01143480
0x01143482
0x01143483
0x01143488
0x0114348b
0x011434a0
0x011434a5
0x00000000
0x00000000
0x01143431
0x01143433
0x01143436
0x01143437
0x0114343c
0x0114343c
0x0114343f
0x0114344e
0x0114344f
0x01143454
0x01143457
0x00000000
0x00000000
0x011433f7
0x011433f9
0x011433fc
0x011433fd
0x01143402
0x01143402
0x01143405
0x0114340b
0x01143417
0x01143420
0x00000000
0x00000000
0x00000000
0x00000000
0x011433a8
0x011433b3
0x011433b7
0x011433b8
0x011433c3
0x011433c4
0x011433c9
0x011433c9
0x011433d0
0x011433e6
0x011433eb
0x01143532
0x01143534
0x01143541
0x00000000
0x0114339d
0x01143394
0x01143314
0x01143320
0x0114332c
0x00000000
0x01143334
0x011432b1
0x011432cd
0x00000000
0x011432d5
0x01143272
0x01143265
0x00000000
0x01143265
0x01143250
0x00000000
0x01143258

APIs

_fwprintf.LIBCONCRTD ref: 01143250
_fwprintf.LIBCONCRTD ref: 011432CD
_fwprintf.LIBCONCRTD ref: 01143314

Strings

gun read error on %s: %s, xrefs: 011434C9
gun cannot stat %s, xrefs: 01143304
gun data error on %s: %s, xrefs: 01143410
gun cannot open %s, xrefs: 01143240
gun internal error--aborting, xrefs: 01143513
gun write error on %s: %s, xrefs: 01143490
gun cannot create %s, xrefs: 011432BD
gun unexpected end of file on %s, xrefs: 011434E7
gun out of memory error--aborting, xrefs: 0114343F
gun warning: trailing garbage ignored in %s, xrefs: 011433D6

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: _fwprintf
String ID: gun cannot create %s$gun cannot open %s$gun cannot stat %s$gun data error on %s: %s$gun internal error--aborting$gun out of memory error--aborting$gun read error on %s: %s$gun unexpected end of file on %s$gun warning: trailing garbage ignored in %s$gun write error on %s: %s
API String ID: 394020290-3079423824
Opcode ID: c3d21a162353622b6bd9fc75ed12823513c14c73afd635fc173651df856da021
Instruction ID: 1ef4fdfee343dc6bcc843e4cbe924d2d318d5a7a7fc4f2bc133c78cfecc1be36
Opcode Fuzzy Hash: c3d21a162353622b6bd9fc75ed12823513c14c73afd635fc173651df856da021
Instruction Fuzzy Hash: D091D6F5E10215ABDF18EFA8EC45A6E7768BF6461CF044128FA255B280EB31D544CB92

Uniqueness

Uniqueness Score: -1.00%

Function 011EDB29 Relevance: 34.7, APIs: 23, Instructions: 240
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E011EDB29(void* __ecx, void* __fp0) {
				signed int _t98;
				signed int _t99;
				signed int _t104;
				signed int _t106;
				void* _t108;
				int _t109;
				signed int _t111;
				signed int _t115;
				signed int _t119;
				void* _t122;
				void* _t133;
				signed int _t134;
				void* _t135;
				void* _t149;
				void* _t151;
				signed int _t152;
				int _t159;
				int _t163;
				void* _t166;
				void* _t170;
				void* _t171;
				signed int* _t172;
				signed int* _t173;
				void* _t174;
				long long* _t175;

				_push(0x184);
				_t98 = 0x1322372;
				E012EA0D7();
				_t170 = __ecx;
				_t151 =  *(_t174 + 8);
				_t171 = 0;
				if( *((intOrPtr*)(__ecx + 0x28)) == 0) {
					 *(_t174 - 0x150) = 0;
					__eflags =  *0x13a952c - _t171; // 0x0
					if(__eflags != 0) {
						 *(_t174 - 0x150) = 1;
						_t149 = CopyImage(_t151, 0, 0, 0, 0x2000);
						_push( *((intOrPtr*)(_t170 + 0x54)));
						 *(_t174 - 0x12c) = _t149;
						_push(_t174 - 0x12c);
						_t98 = E011F0F3A();
						_t151 =  *(_t174 - 0x12c);
					}
					_t99 = E011F04C6(_t98, _t170);
					__eflags = _t99;
					if(_t99 == 0) {
						L8:
						E011B84FA(_t174 - 0x144);
						 *(_t174 - 4) = 1;
						E011B8E5C(_t174 - 0x144, CreateCompatibleDC(_t171));
						_t104 = GetObjectW(_t151, 0x18, _t174 - 0x178);
						__eflags = _t104;
						if(_t104 == 0) {
							L23:
							_t152 = _t151 | 0xffffffff;
							__eflags = _t152;
							L24:
							E011B865B(_t174 - 0x144);
							_t106 = _t152;
							L25:
							E012EA081();
							return _t106;
						}
						__eflags =  *(_t174 + 0xc);
						if( *(_t174 + 0xc) != 0) {
							 *(_t170 + 8) =  *(_t174 - 0x166) & 0x0000ffff;
						}
						_t159 =  *(_t174 - 0x170);
						 *(_t174 - 0x148) =  *(_t174 - 0x174);
						_t108 =  *(_t170 + 0x8c);
						 *(_t174 - 0x130) = _t159;
						__eflags = _t108;
						if(_t108 == 0) {
							_t109 = _t171;
							 *(_t174 - 0x134) = _t109;
							__eflags = _t151;
							if(_t151 != 0) {
								_t133 = SelectObject( *(_t174 - 0x140), _t151);
								_t159 =  *(_t174 - 0x130);
								_t171 = _t133;
								_t109 =  *(_t174 - 0x134);
							}
							__eflags = _t171;
							if(_t171 == 0) {
								goto L23;
							} else {
								goto L20;
							}
						} else {
							_t134 = GetObjectW(_t108, 0x18, _t174 - 0x178);
							__eflags = _t134;
							if(_t134 == 0) {
								goto L23;
							}
							_t135 =  *(_t170 + 0x8c);
							__eflags = _t135;
							if(_t135 != 0) {
								_t171 = SelectObject( *(_t174 - 0x140), _t135);
							}
							__eflags = _t171;
							if(_t171 != 0) {
								_t109 =  *(_t174 - 0x174);
								_t159 =  *(_t174 - 0x170);
								 *(_t174 - 0x134) = _t109;
								 *(_t174 - 0x130) = _t159;
								L20:
								_t111 = CreateCompatibleBitmap( *(_t174 - 0x140), _t109 +  *(_t174 - 0x148), _t159);
								 *(_t174 - 0x12c) = _t111;
								__eflags = _t111;
								if(_t111 != 0) {
									E011B84FA(_t174 - 0x160);
									 *(_t174 - 4) = 2;
									E011B8E5C(_t174 - 0x160, CreateCompatibleDC( *(_t174 - 0x140)));
									_t115 = SelectObject( *(_t174 - 0x15c),  *(_t174 - 0x12c));
									 *(_t174 - 0x14c) = _t115;
									__eflags = _t115;
									if(_t115 == 0) {
										L34:
										__eflags = _t171;
										if(_t171 != 0) {
											SelectObject( *(_t174 - 0x140), _t171);
										}
										DeleteObject( *(_t174 - 0x12c));
										_t152 = _t151 | 0xffffffff;
										L44:
										E011B865B(_t174 - 0x160);
										goto L24;
									}
									_t163 = 0;
									__eflags =  *(_t170 + 0x8c);
									if( *(_t170 + 0x8c) != 0) {
										BitBlt( *(_t174 - 0x15c), 0, 0,  *(_t174 - 0x134),  *(_t174 - 0x130),  *(_t174 - 0x140), 0, 0, 0xcc0020);
										_t163 = 0;
										__eflags = 0;
									}
									__eflags = _t151;
									if(_t151 == 0) {
										_t119 = _t163;
									} else {
										_t119 = SelectObject( *(_t174 - 0x140), _t151);
										_t163 = 0;
									}
									__eflags = _t119;
									if(_t119 != 0) {
										BitBlt( *(_t174 - 0x15c),  *(_t174 - 0x134), _t163,  *(_t174 - 0x148),  *(_t174 - 0x130),  *(_t174 - 0x140), _t163, _t163, 0xcc0020);
										SelectObject( *(_t174 - 0x15c),  *(_t174 - 0x14c));
										__eflags = _t171;
										if(_t171 != 0) {
											SelectObject( *(_t174 - 0x140), _t171);
										}
										_t122 =  *(_t170 + 0x8c);
										__eflags = _t122;
										if(_t122 != 0) {
											DeleteObject(_t122);
										}
										 *(_t170 + 0x8c) =  *(_t174 - 0x12c);
										 *(_t170 + 0x1c) = 1;
										E011F24B0(_t170);
										_t172 = _t170 + 0x90;
										E011BD6C7(_t172);
										 *_t172 =  *_t172 & 0x00000000;
										_t173 = _t170 + 0x94;
										E011BD6C7(_t173);
										 *_t173 =  *_t173 & 0x00000000;
										__eflags =  *(_t174 - 0x150);
										if( *(_t174 - 0x150) != 0) {
											DeleteObject(_t151);
										}
										_t152 =  *((intOrPtr*)(_t170 + 4)) - 1;
										__eflags = _t152;
										goto L44;
									} else {
										SelectObject( *(_t174 - 0x15c),  *(_t174 - 0x14c));
										goto L34;
									}
								}
								__eflags = _t171;
								if(_t171 != 0) {
									SelectObject( *(_t174 - 0x140), _t171);
								}
							}
							goto L23;
						}
					}
					_t98 = GetObjectW(_t151, 0x18, _t174 - 0x190);
					__eflags = _t98;
					if(_t98 == 0) {
						goto L1;
					}
					__eflags =  *((intOrPtr*)(_t174 - 0x188)) -  *((intOrPtr*)(_t170 + 0x58));
					if(__eflags != 0) {
						_t166 = _t174 - 0x128;
						E011ECEED(_t166, __eflags);
						 *(_t174 - 0x120) =  *(_t174 - 0x17e) & 0x0000ffff;
						 *(_t174 - 0xd4) =  *(_t170 + 0x5c);
						 *((intOrPtr*)(_t174 - 0xd0)) =  *((intOrPtr*)(_t170 + 0x60));
						_t144 =  *(_t174 - 0x18c);
						asm("cdq");
						_push(_t166);
						_push(_t166);
						 *(_t174 - 4) = _t171;
						 *_t175 =  *((long long*)(_t170 + 0xb8));
						 *(_t174 - 0x9c) = _t151;
						 *(_t174 - 0x124) =  *(_t174 - 0x18c) /  *(_t170 + 0x5c);
						E011F1B03(_t174 - 0x128, _t144 %  *(_t170 + 0x5c));
						 *(_t174 - 0x100) = 1;
						DeleteObject(_t151);
						_t151 =  *(_t174 - 0x9c);
						_t34 = _t174 - 4;
						 *_t34 =  *(_t174 - 4) | 0xffffffff;
						__eflags =  *_t34;
						E011ED0C4(_t174 - 0x128);
					}
					goto L8;
				}
				L1:
				_t106 = _t98 | 0xffffffff;
				goto L25;
			}

0x011edb29
0x011edb2e
0x011edb33
0x011edb38
0x011edb3a
0x011edb3d
0x011edb42
0x011edb4c
0x011edb52
0x011edb58
0x011edb63
0x011edb6d
0x011edb73
0x011edb76
0x011edb82
0x011edb83
0x011edb88
0x011edb88
0x011edb90
0x011edb95
0x011edb97
0x011edc3b
0x011edc41
0x011edc47
0x011edc5b
0x011edc6a
0x011edc70
0x011edc72
0x011edd53
0x011edd53
0x011edd53
0x011edd56
0x011edd5c
0x011edd61
0x011edd63
0x011edd63
0x011edd68
0x011edd68
0x011edc78
0x011edc7c
0x011edc85
0x011edc85
0x011edc8e
0x011edc94
0x011edc9a
0x011edca0
0x011edca6
0x011edca8
0x011edcf9
0x011edcfb
0x011edd01
0x011edd03
0x011edd0c
0x011edd12
0x011edd18
0x011edd1a
0x011edd1a
0x011edd20
0x011edd22
0x00000000
0x00000000
0x00000000
0x00000000
0x011edcaa
0x011edcb4
0x011edcba
0x011edcbc
0x00000000
0x00000000
0x011edcc2
0x011edcc8
0x011edcca
0x011edcd9
0x011edcd9
0x011edcdb
0x011edcdd
0x011edcdf
0x011edce5
0x011edceb
0x011edcf1
0x011edd24
0x011edd32
0x011edd38
0x011edd3e
0x011edd40
0x011edd71
0x011edd7c
0x011edd8d
0x011edd9e
0x011edda4
0x011eddaa
0x011eddac
0x011ede0e
0x011ede0e
0x011ede10
0x011ede19
0x011ede19
0x011ede25
0x011ede2b
0x011ededf
0x011edee5
0x00000000
0x011edee5
0x011eddae
0x011eddb0
0x011eddb6
0x011eddd9
0x011edddf
0x011edddf
0x011edddf
0x011edde1
0x011edde3
0x011eddf6
0x011edde5
0x011eddec
0x011eddf2
0x011eddf2
0x011eddf8
0x011eddfa
0x011ede59
0x011ede6b
0x011ede71
0x011ede73
0x011ede7c
0x011ede7c
0x011ede82
0x011ede88
0x011ede8a
0x011ede8d
0x011ede8d
0x011ede9b
0x011edea1
0x011edea8
0x011edead
0x011edeb4
0x011edeb9
0x011edebc
0x011edec3
0x011edec8
0x011edecb
0x011eded2
0x011eded5
0x011eded5
0x011edede
0x011edede
0x00000000
0x011eddfc
0x011ede08
0x00000000
0x011ede08
0x011eddfa
0x011edd42
0x011edd44
0x011edd4d
0x011edd4d
0x011edd44
0x00000000
0x011edcdd
0x011edca8
0x011edba7
0x011edbad
0x011edbaf
0x00000000
0x00000000
0x011edbb7
0x011edbba
0x011edbbc
0x011edbc2
0x011edbce
0x011edbd7
0x011edbe0
0x011edbe6
0x011edbec
0x011edbf6
0x011edbf7
0x011edbfe
0x011edc01
0x011edc04
0x011edc0a
0x011edc10
0x011edc16
0x011edc20
0x011edc26
0x011edc32
0x011edc32
0x011edc32
0x011edc36
0x011edc36
0x00000000
0x011edbba
0x011edb44
0x011edb44
0x00000000

APIs

__EH_prolog3_GS.LIBCMT ref: 011EDB33
CopyImage.USER32 ref: 011EDB6D
GetObjectW.GDI32(?,00000018,?,00000184,011F0AC0,00000000,00000000), ref: 011EDBA7
DeleteObject.GDI32(?), ref: 011EDC20
CreateCompatibleDC.GDI32(00000000), ref: 011EDC4E
GetObjectW.GDI32(?,00000018,?,00000000), ref: 011EDC6A
GetObjectW.GDI32(?,00000018,?), ref: 011EDCB4
SelectObject.GDI32(?,?), ref: 011EDCD3

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: Object$CompatibleCopyCreateDeleteH_prolog3_ImageSelect
String ID:
API String ID: 3232833411-0
Opcode ID: c0589295ad3f8f1a5f380f29d17880938e85d8d3e4763faa63ddc8496f7ce3fb
Instruction ID: 30a3cb17a3ac2a9f6880582da1d7079a82c7ae805987d9c8bb51be0c573fcb03
Opcode Fuzzy Hash: c0589295ad3f8f1a5f380f29d17880938e85d8d3e4763faa63ddc8496f7ce3fb
Instruction Fuzzy Hash: ABA10C71900629EFEF399FA5DC49BDDBBB8BF19701F0041A9E609A2250DB719A90CF50

Uniqueness

Uniqueness Score: -1.00%

Function 011EFF26 Relevance: 28.3, APIs: 15, Strings: 1, Instructions: 268
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E011EFF26(intOrPtr __ecx, signed long long __fp0) {
				int _t135;
				void* _t138;
				signed int _t144;
				void* _t148;
				void* _t149;
				intOrPtr _t151;
				void* _t167;
				void* _t175;
				unsigned int _t177;
				intOrPtr _t193;
				unsigned int _t194;
				signed int _t204;
				intOrPtr _t206;
				short _t224;
				int _t232;
				void* _t234;
				int _t237;
				signed int _t238;
				int _t239;
				void* _t240;
				signed long long* _t241;
				signed long long _t244;
				signed long long _t247;

				_t244 = __fp0;
				_push(0x104);
				E012EA0D7();
				_t193 = __ecx;
				 *((intOrPtr*)(_t240 - 0xcc)) = __ecx;
				 *((intOrPtr*)(__ecx + 0xc)) =  *((intOrPtr*)(_t240 + 8));
				_t232 = 0;
				 *((intOrPtr*)(__ecx + 0x30)) = 1;
				if( *((intOrPtr*)(__ecx + 0x8c)) != 0) {
					if( *((intOrPtr*)(E011C5322() + 0x1ac)) > 8) {
						E011B84FA(_t240 - 0xc4);
						 *((intOrPtr*)(_t240 - 4)) = 0;
						E011B8E5C(_t240 - 0xc4, CreateCompatibleDC(0));
						if(GetObjectW( *(_t193 + 0x8c), 0x18, _t240 - 0x110) != 0) {
							 *(_t240 - 0x94) =  *(_t240 - 0x10c);
							 *(_t240 - 0xa8) =  *(_t240 - 0x108);
							_t138 =  *(_t193 + 0x8c);
							if(_t138 == 0) {
								_t234 = 0;
								 *(_t240 - 0x98) = 0;
							} else {
								_t234 = SelectObject( *(_t240 - 0xc0), _t138);
								 *(_t240 - 0x98) = _t234;
							}
							if(_t234 != 0) {
								E011B84FA(_t240 - 0xe0);
								 *((char*)(_t240 - 4)) = 1;
								E011B8E5C(_t240 - 0xe0, CreateCompatibleDC( *(_t240 - 0xc0)));
								_t204 =  *(_t240 - 0x94);
								_t144 =  *(_t240 - 0xa8);
								 *(_t240 - 0x34) = _t144;
								 *((short*)(_t240 - 0x30)) = 1;
								_t224 = 0x20;
								 *(_t240 - 0x28) = _t144 * _t204;
								 *(_t240 - 0x3c) = 0x28;
								 *(_t240 - 0x38) = _t204;
								 *((short*)(_t240 - 0x2e)) = _t224;
								 *(_t240 - 0x2c) = _t232;
								 *(_t240 - 0x24) = _t232;
								 *(_t240 - 0x20) = _t232;
								 *(_t240 - 0x1c) = _t232;
								 *(_t240 - 0x18) = _t232;
								 *(_t240 - 0xc8) = _t232;
								_t148 = CreateDIBSection( *(_t240 - 0xdc), _t240 - 0x3c, _t232, _t240 - 0xc8, _t232, _t232);
								 *(_t240 - 0x9c) = _t148;
								if(_t148 != 0) {
									_t149 = SelectObject( *(_t240 - 0xdc), _t148);
									 *(_t240 - 0xd0) = _t149;
									if(_t149 != 0) {
										BitBlt( *(_t240 - 0xdc), _t232, _t232,  *(_t240 - 0x94),  *(_t240 - 0xa8),  *(_t240 - 0xc0), _t232, _t232, 0xcc0020);
										_t151 =  *((intOrPtr*)(_t193 + 0xc));
										 *((intOrPtr*)(_t240 - 0xa0)) = _t151;
										if(_t151 <= 0) {
											_t151 = 0x82;
											 *((intOrPtr*)(_t240 - 0xa0)) = 0x82;
										}
										 *((intOrPtr*)(_t240 - 0xb0)) = _t151;
										if( *((intOrPtr*)(_t193 + 8)) != 0x20) {
											E012203AA(_t240 - 0xb4, _t240 - 0xe0);
											_t206 =  *((intOrPtr*)(_t193 + 0xa8));
											 *((char*)(_t240 - 4)) = 2;
											if(_t206 == 0xffffffff) {
												_t206 =  *((intOrPtr*)(E011C5322() + 0x1c));
											}
											_push(0xffffffff);
											_push(_t206);
											_push( *((intOrPtr*)(_t240 - 0xa0)));
											 *(_t240 - 0xf0) = _t232;
											 *(_t240 - 0xec) = _t232;
											 *(_t240 - 0xe8) =  *(_t240 - 0x94);
											 *(_t240 - 0xe4) =  *(_t240 - 0xa8);
											asm("movsd");
											asm("movsd");
											asm("movsd");
											asm("movsd");
											E012203BF(E01222B9F(_t240 - 0xb4, _t224, _t244), _t240 - 0xb4);
											goto L26;
										} else {
											if(GetObjectW( *(_t240 - 0x9c), 0x54, _t240 - 0x90) != 0) {
												_t167 = 0x20;
												if( *((intOrPtr*)(_t240 - 0x7e)) == _t167 &&  *((intOrPtr*)(_t240 - 0x7c)) != 0) {
													if( *(_t240 - 0x88) *  *(_t240 - 0x8c) > 0) {
														asm("fild dword [ebp-0xb0]");
														 *(_t240 - 0xa4) = _t244;
														_t246 =  *(_t240 - 0xa4) *  *0x13341f0;
														_t237 =  *((intOrPtr*)(_t240 - 0x7c)) + 1;
														 *(_t240 - 0x94) = _t237;
														 *(_t240 - 0xa4) =  *(_t240 - 0xa4) *  *0x13341f0;
														do {
															_t175 = E01223EC5((( *(_t237 - 1) & 0x000000ff) << 0x00000008 |  *_t237 & 0x000000ff) << 0x00000008 |  *(_t237 + 1) & 0x000000ff, _t246, (( *(_t237 - 1) & 0x000000ff) << 0x00000008 |  *_t237 & 0x000000ff) << 0x00000008 |  *(_t237 + 1) & 0x000000ff, _t240 - 0xf8, _t240 - 0xe8, _t240 - 0xac);
															_t247 =  *(_t240 - 0xa4);
															_t241 = _t241 - 0x30;
															asm("fst qword [esp+0x28]");
															asm("fst qword [esp+0x20]");
															_t241[3] = _t247;
															asm("fldz");
															_t241[2] = _t247;
															_t241[1] =  *(_t240 - 0xac);
															_t246 =  *(_t240 - 0xf8);
															 *_t241 =  *(_t240 - 0xf8);
															_push(E01222EA5(_t175));
															_t177 = E01223BB2((( *(_t237 - 1) & 0x000000ff) << 0x00000008 |  *_t237 & 0x000000ff) << 0x00000008 |  *(_t237 + 1) & 0x000000ff);
															_t238 =  *(_t237 + 2) & 0x000000ff;
															_t194 = _t177;
															 *((char*)( *(_t240 - 0x94) + 1)) = (_t194 & 0x000000ff) * _t238 / 0xff;
															 *( *(_t240 - 0x94)) = (_t194 >> 0x00000008 & 0x000000ff) * _t238 / 0xff;
															_t239 =  *(_t240 - 0x94);
															_t232 = _t232 + 1;
															 *((char*)(_t239 - 1)) = (_t194 >> 0x00000010 & 0x000000ff) * _t238 / 0xff;
															_t237 = _t239 + 4;
															 *(_t240 - 0x94) = _t237;
														} while (_t232 <  *(_t240 - 0x88) *  *(_t240 - 0x8c));
														_t193 =  *((intOrPtr*)(_t240 - 0xcc));
														L26:
														_t234 =  *(_t240 - 0x98);
													}
													SelectObject( *(_t240 - 0xdc),  *(_t240 - 0xd0));
													SelectObject( *(_t240 - 0xc0), _t234);
													DeleteObject( *(_t193 + 0x8c));
													 *(_t193 + 0x8c) =  *(_t240 - 0x9c);
													_t232 = 1;
												}
											}
										}
									} else {
										SelectObject( *(_t240 - 0xc0), _t234);
										DeleteObject( *(_t240 - 0x9c));
									}
								} else {
									SelectObject( *(_t240 - 0xc0), _t234);
								}
								E011B865B(_t240 - 0xe0);
							}
						}
						E011B865B(_t240 - 0xc4);
						_t135 = _t232;
					} else {
						_t135 = 1;
					}
				} else {
					_t135 = 1;
				}
				E012EA081();
				return _t135;
			}

0x011eff26
0x011eff26
0x011eff30
0x011eff35
0x011eff37
0x011eff43
0x011eff46
0x011eff48
0x011eff51
0x011eff66
0x011eff78
0x011eff7e
0x011eff8e
0x011effaa
0x011effb6
0x011effc2
0x011effc8
0x011effd0
0x011effe9
0x011effeb
0x011effd2
0x011effdf
0x011effe1
0x011effe1
0x011efff3
0x011effff
0x011f000d
0x011f001d
0x011f0022
0x011f002a
0x011f0033
0x011f0039
0x011f003d
0x011f0040
0x011f004e
0x011f005c
0x011f005f
0x011f0063
0x011f0066
0x011f0069
0x011f006c
0x011f006f
0x011f0072
0x011f0078
0x011f007e
0x011f0086
0x011f00a1
0x011f00a7
0x011f00af
0x011f00f0
0x011f00f6
0x011f00f9
0x011f0101
0x011f0103
0x011f0108
0x011f0108
0x011f0112
0x011f0118
0x011f0281
0x011f0286
0x011f028c
0x011f0293
0x011f029a
0x011f029a
0x011f02a9
0x011f02ab
0x011f02ac
0x011f02b2
0x011f02be
0x011f02c7
0x011f02d5
0x011f02db
0x011f02dc
0x011f02dd
0x011f02de
0x011f02ea
0x00000000
0x011f011e
0x011f0135
0x011f013d
0x011f0142
0x011f0161
0x011f0167
0x011f016d
0x011f0179
0x011f0182
0x011f0183
0x011f0189
0x011f018f
0x011f01ba
0x011f01bf
0x011f01c5
0x011f01c8
0x011f01cc
0x011f01d0
0x011f01d4
0x011f01d6
0x011f01e0
0x011f01e4
0x011f01ea
0x011f01f2
0x011f01f3
0x011f01f8
0x011f01fc
0x011f0215
0x011f0235
0x011f0242
0x011f024a
0x011f024b
0x011f024e
0x011f025e
0x011f0264
0x011f026c
0x011f02ef
0x011f02ef
0x011f02ef
0x011f0301
0x011f030e
0x011f031a
0x011f0326
0x011f032e
0x011f032e
0x011f0142
0x011f0135
0x011f00b1
0x011f00b8
0x011f00c4
0x011f00c4
0x011f0088
0x011f008f
0x011f008f
0x011f0337
0x011f0337
0x011efff3
0x011f0342
0x011f0347
0x011eff68
0x011eff6a
0x011eff6a
0x011eff53
0x011eff53
0x011eff53
0x011f0349
0x011f034e

APIs

__EH_prolog3_GS.LIBCMT ref: 011EFF30

Strings

(, xrefs: 011F004E

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: H_prolog3_
String ID: (
API String ID: 2427045233-3887548279
Opcode ID: 9ec7a990c59de6f7d84ad7d6862d1ff2640e3454d8a9a60dd76e99504cb0bba4
Instruction ID: 12c5dc05cb1dccbcd1bf1c369817854b9762c95a36cc686d5a09962e8f341ebe
Opcode Fuzzy Hash: 9ec7a990c59de6f7d84ad7d6862d1ff2640e3454d8a9a60dd76e99504cb0bba4
Instruction Fuzzy Hash: 4AC14A31900229DFEB29DF25DC84BEDBBB9FF59300F0081EAE549A6251DB705A84CF61

Uniqueness

Uniqueness Score: -1.00%

Function 011F2623 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 243
windowCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E011F2623(void* __ecx) {
				int _t107;
				void* _t116;
				void* _t117;
				signed int _t123;
				void* _t127;
				void* _t128;
				int _t134;
				int _t154;
				int _t155;
				intOrPtr _t157;
				signed int _t163;
				intOrPtr* _t166;
				int _t167;
				short _t174;
				int _t175;
				void** _t178;
				signed int _t179;
				intOrPtr* _t180;
				int _t181;
				void* _t183;
				void* _t185;
				signed int _t186;
				void* _t188;

				_push(0x9c);
				E012EA0D7();
				_t183 = __ecx;
				_t157 =  *((intOrPtr*)(_t188 + 8));
				_t154 = 0;
				_t178 = __ecx + 0x90 + (0 | _t157 != 0x00000000) * 4;
				if(_t157 != 0) {
					L5:
					E011BD6C7(_t178);
					 *_t178 = _t154;
					if( *(_t183 + 0x8c) != _t154) {
						if( *((intOrPtr*)(E011C5322() + 0x1ac)) <= 8) {
							goto L6;
						} else {
							E011B84FA(_t188 - 0x78);
							 *(_t188 - 4) = _t154;
							E011B8E5C(_t188 - 0x78, CreateCompatibleDC(_t154));
							if(GetObjectW( *(_t183 + 0x8c), 0x18, _t188 - 0xa8) != 0) {
								 *(_t188 - 0x44) =  *(_t188 - 0xa4);
								 *(_t188 - 0x40) =  *(_t188 - 0xa0);
								_t116 =  *(_t183 + 0x8c);
								if(_t116 == 0) {
									_t117 = _t154;
									 *(_t188 - 0x48) = _t154;
								} else {
									_t117 = SelectObject( *(_t188 - 0x74), _t116);
									 *(_t188 - 0x48) = _t117;
								}
								if(_t117 != 0) {
									E011B84FA(_t188 - 0x68);
									 *(_t188 - 4) = 1;
									E011B8E5C(_t188 - 0x68, CreateCompatibleDC( *(_t188 - 0x74)));
									_t163 =  *(_t188 - 0x44);
									_t123 =  *(_t188 - 0x40);
									 *(_t188 - 0x34) = _t123;
									 *((short*)(_t188 - 0x30)) = 1;
									_t174 = 0x20;
									 *(_t188 - 0x28) = _t123 * _t163;
									 *(_t188 - 0x3c) = 0x28;
									 *(_t188 - 0x38) = _t163;
									 *((short*)(_t188 - 0x2e)) = _t174;
									 *(_t188 - 0x2c) = _t154;
									 *(_t188 - 0x24) = _t154;
									 *(_t188 - 0x20) = _t154;
									 *(_t188 - 0x1c) = _t154;
									 *(_t188 - 0x18) = _t154;
									 *(_t188 - 0x7c) = _t154;
									_t127 = CreateDIBSection( *(_t188 - 0x64), _t188 - 0x3c, _t154, _t188 - 0x7c, _t154, _t154);
									 *_t178 = _t127;
									if(_t127 != 0) {
										_t128 = SelectObject( *(_t188 - 0x64), _t127);
										 *(_t188 - 0x80) = _t128;
										if(_t128 != 0) {
											if( *((intOrPtr*)(_t183 + 8)) != 0x20) {
												_t179 =  *(_t183 + 0xa8);
											} else {
												_t179 = _t178 | 0xffffffff;
											}
											 *(_t188 - 0x4c) = _t179;
											BitBlt( *(_t188 - 0x64), _t154, _t154,  *(_t188 - 0x44),  *(_t188 - 0x40),  *(_t188 - 0x74), _t154, _t154, 0xcc0020);
											if( *((intOrPtr*)(_t188 + 8)) != 0) {
												if(_t179 == 0xffffffff) {
													 *(_t188 - 0x4c) =  *(E011C5322() + 0x1c);
												}
												_t180 = E011C5385();
												L012EA066();
												_t166 = _t180;
												_t185 =  *((intOrPtr*)( *((intOrPtr*)( *_t180 + 0xc0))))();
												if( *((intOrPtr*)(E011C5322() + 0x1ac)) > 8) {
													 *(_t188 - 0x54) = E01223AB9(_t166, _t185, 0x43);
												} else {
													 *(_t188 - 0x54) =  *(E011C5322() + 0x20);
												}
												_t134 =  *(_t188 - 0x44);
												_t167 = _t154;
												 *(_t188 - 0x50) = _t167;
												if(_t134 > 0) {
													_t186 =  *(_t188 - 0x4c);
													_t175 =  *(_t188 - 0x40);
													do {
														_t181 = _t154;
														if(_t175 > 0) {
															_t155 =  *(_t188 - 0x50);
															do {
																if(GetPixel( *(_t188 - 0x64), _t155, _t181) != _t186) {
																	SetPixel( *(_t188 - 0x64), _t155, _t181,  *(_t188 - 0x54));
																}
																_t181 = _t181 + 1;
															} while (_t181 <  *(_t188 - 0x40));
															_t167 =  *(_t188 - 0x50);
															_t154 = 0;
															_t134 =  *(_t188 - 0x44);
															_t175 =  *(_t188 - 0x40);
														}
														_t167 = _t167 + 1;
														 *(_t188 - 0x50) = _t167;
													} while (_t167 < _t134);
												}
											} else {
												E012203AA(_t188 - 0x58, _t188 - 0x68);
												 *(_t188 - 4) = 2;
												if(_t179 == 0xffffffff) {
													_t179 =  *(E011C5322() + 0x1c);
												}
												_push(0xffffffff);
												_push(_t154);
												_push(_t179);
												_push( *((intOrPtr*)(_t183 + 0x10)));
												 *(_t188 - 0x88) =  *(_t188 - 0x44);
												 *(_t188 - 0x84) =  *(_t188 - 0x40);
												 *(_t188 - 0x90) = _t154;
												 *(_t188 - 0x8c) = _t154;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												E012203BF(E012231B6(_t188 - 0x58, _t174), _t188 - 0x58);
											}
											SelectObject( *(_t188 - 0x64),  *(_t188 - 0x80));
											SelectObject( *(_t188 - 0x74),  *(_t188 - 0x48));
											_t154 = 1;
										} else {
											SelectObject( *(_t188 - 0x74),  *(_t188 - 0x48));
											DeleteObject( *_t178);
											 *_t178 = _t154;
										}
									} else {
										SelectObject( *(_t188 - 0x74),  *(_t188 - 0x48));
									}
									E011B865B(_t188 - 0x68);
								}
							}
							E011B865B(_t188 - 0x78);
							_t107 = _t154;
						}
					} else {
						L6:
						_t107 = 1;
					}
				} else {
					if( *((intOrPtr*)(__ecx + 8)) <= 4 ||  *((intOrPtr*)(__ecx + 0x38)) != 0) {
						if( *((intOrPtr*)(_t183 + 8)) != _t154) {
							goto L5;
						} else {
							goto L4;
						}
					} else {
						L4:
						_t107 = 0;
					}
				}
				E012EA081();
				return _t107;
			}

0x011f2623
0x011f262d
0x011f2632
0x011f2634
0x011f2644
0x011f2646
0x011f264b
0x011f2664
0x011f2665
0x011f266a
0x011f2672
0x011f2688
0x00000000
0x011f268a
0x011f268d
0x011f2693
0x011f26a0
0x011f26bc
0x011f26c8
0x011f26d1
0x011f26d4
0x011f26dc
0x011f26ed
0x011f26ef
0x011f26de
0x011f26e2
0x011f26e8
0x011f26e8
0x011f26f4
0x011f26fd
0x011f2708
0x011f2715
0x011f271a
0x011f271f
0x011f2725
0x011f272b
0x011f272f
0x011f2732
0x011f273d
0x011f2748
0x011f274b
0x011f274f
0x011f2752
0x011f2755
0x011f2758
0x011f275b
0x011f275e
0x011f2761
0x011f2767
0x011f276b
0x011f2782
0x011f2788
0x011f278d
0x011f27ae
0x011f27b5
0x011f27b0
0x011f27b0
0x011f27b0
0x011f27c5
0x011f27d3
0x011f27dd
0x011f2848
0x011f2852
0x011f2852
0x011f285a
0x011f2866
0x011f286b
0x011f286f
0x011f287d
0x011f2894
0x011f287f
0x011f2887
0x011f2887
0x011f2897
0x011f289a
0x011f289c
0x011f28a1
0x011f28a3
0x011f28a6
0x011f28a9
0x011f28a9
0x011f28ad
0x011f28af
0x011f28b2
0x011f28bf
0x011f28c9
0x011f28c9
0x011f28cf
0x011f28d0
0x011f28d5
0x011f28d8
0x011f28da
0x011f28dd
0x011f28dd
0x011f28e0
0x011f28e1
0x011f28e4
0x011f28a9
0x011f27df
0x011f27e6
0x011f27eb
0x011f27f2
0x011f27f9
0x011f27f9
0x011f2802
0x011f2804
0x011f2805
0x011f2806
0x011f2809
0x011f281d
0x011f2823
0x011f2829
0x011f282f
0x011f2830
0x011f2831
0x011f2832
0x011f283b
0x011f283b
0x011f28ee
0x011f28fa
0x011f2902
0x011f278f
0x011f2795
0x011f279d
0x011f27a3
0x011f27a3
0x011f276d
0x011f2773
0x011f2773
0x011f2908
0x011f2908
0x011f26f4
0x011f2910
0x011f2915
0x011f2915
0x011f2674
0x011f2674
0x011f2676
0x011f2676
0x011f264d
0x011f2651
0x011f265b
0x00000000
0x00000000
0x00000000
0x00000000
0x011f265d
0x011f265d
0x011f265d
0x011f265d
0x011f2651
0x011f2917
0x011f291c

APIs

__EH_prolog3_GS.LIBCMT ref: 011F262D
CreateCompatibleDC.GDI32(00000000), ref: 011F2696
GetObjectW.GDI32(?,00000018,?,00000000), ref: 011F26B4
SelectObject.GDI32(?,?), ref: 011F26E2
CreateCompatibleDC.GDI32(?), ref: 011F270B
CreateDIBSection.GDI32(?,00000000,00000000,?,00000000,00000000), ref: 011F2761
SelectObject.GDI32(?,?), ref: 011F2773
SelectObject.GDI32(?,00000000), ref: 011F2782
SelectObject.GDI32(?,?), ref: 011F2795
DeleteObject.GDI32(?), ref: 011F279D
BitBlt.GDI32(?,00000000,00000000,?,00000000,?,00000000,00000000,00CC0020), ref: 011F27D3
SelectObject.GDI32(?,?), ref: 011F28EE
SelectObject.GDI32(?,?), ref: 011F28FA

Strings

(, xrefs: 011F273D

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: Object$Select$Create$Compatible$DeleteH_prolog3_Section
String ID: (
API String ID: 1429849173-3887548279
Opcode ID: d6e1a69be690460305522904999c0c4f650973fa9716829c7c537ff9f8369b92
Instruction ID: d57251871117444383f8ce8971f5b0dae0035a627ed1367ee2aaed958d4c5818
Opcode Fuzzy Hash: d6e1a69be690460305522904999c0c4f650973fa9716829c7c537ff9f8369b92
Instruction Fuzzy Hash: 46A1267190061ADFDF29EFA9C884AEEBBB9FF18304F20412DE516A7251DB30A945CF10

Uniqueness

Uniqueness Score: -1.00%

Function 011EE304 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 214
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E011EE304(intOrPtr __ecx, void* __edx) {
				void* _t130;
				void* _t132;
				void* _t143;
				void* _t144;
				void* _t148;
				void* _t149;
				void* _t154;
				void* _t161;
				intOrPtr _t171;
				signed int _t186;
				void* _t190;
				int _t191;
				void* _t192;
				void* _t193;
				int _t194;
				void* _t195;
				intOrPtr _t198;
				void* _t199;

				_t190 = __edx;
				_push(0xd4);
				E012EA0D7();
				_t171 = __ecx;
				 *((intOrPtr*)(_t199 - 0xb8)) = __ecx;
				_t198 =  *((intOrPtr*)(_t199 + 8));
				if( *((intOrPtr*)(_t198 + 0x28)) == 0) {
					__eflags =  *(_t198 + 0x8c);
					if( *(_t198 + 0x8c) != 0) {
						E011EDFAC(_t198);
					}
					_push(_t199 - 0xe0);
					_t191 = 0x18;
					__eflags = GetObjectW( *(_t171 + 0x8c), _t191, ??) - _t191;
					if(__eflags == 0) {
						_t194 = E01304A7B(_t190,  *((intOrPtr*)(_t199 - 0xd8)));
						 *(_t199 - 0xb4) = _t194;
						 *(_t199 - 0x94) =  *(_t199 - 0xdc);
						E011B84FA(_t199 - 0xac);
						 *(_t199 - 4) =  *(_t199 - 4) & 0x00000000;
						E011B8E5C(_t199 - 0xac, CreateCompatibleDC(0));
						_t143 =  *(_t171 + 0x8c);
						__eflags = _t143;
						if(_t143 == 0) {
							_t144 = 0;
							__eflags = 0;
						} else {
							_t144 = SelectObject( *(_t199 - 0xa8), _t143);
						}
						 *(_t199 - 0x98) = _t144;
						__eflags = _t144;
						if(_t144 != 0) {
							E012EE6E0(_t194, _t199 - 0x90, 0, 0x54);
							_t148 = 0x18;
							__eflags =  *((intOrPtr*)(_t199 - 0xce)) - _t148;
							if( *((intOrPtr*)(_t199 - 0xce)) < _t148) {
								L12:
								_t149 = CreateCompatibleBitmap( *(_t199 - 0xa8),  *(_t199 - 0x94), _t194);
							} else {
								_t161 = GetObjectW( *(_t171 + 0x8c), 0x54, _t199 - 0x90);
								__eflags = _t161;
								if(_t161 == 0) {
									goto L12;
								} else {
									_t186 = 0xa;
									memset(_t199 - 0x38, 0, _t186 << 2);
									 *(_t199 - 0x38) =  *(_t199 - 0xdc);
									 *((intOrPtr*)(_t199 - 0x34)) =  *((intOrPtr*)(_t199 - 0xd8));
									 *((short*)(_t199 - 0x30)) =  *((intOrPtr*)(_t199 - 0xd0));
									 *((short*)(_t199 - 0x2e)) =  *((intOrPtr*)(_t199 - 0xce));
									 *(_t199 - 0x3c) = 0x28;
									 *((intOrPtr*)(_t199 - 0x2c)) = 0;
									 *(_t199 - 0xb0) = 0;
									_t149 = CreateDIBSection( *(_t199 - 0xa8), _t199 - 0x3c, 0, _t199 - 0xb0, 0, 0);
								}
							}
							_t195 = _t149;
							__eflags = _t195;
							if(_t195 != 0) {
								E011B84FA(_t199 - 0xc8);
								 *(_t199 - 4) = 1;
								E011B8E5C(_t199 - 0xc8, CreateCompatibleDC( *(_t199 - 0xa8)));
								_t154 = SelectObject( *(_t199 - 0xc4), _t195);
								 *(_t199 - 0x9c) = _t154;
								__eflags = _t154;
								if(_t154 == 0) {
									DeleteObject(_t195);
								} else {
									BitBlt( *(_t199 - 0xc4), 0, 0,  *(_t199 - 0x94),  *(_t199 - 0xb4),  *(_t199 - 0xa8), 0, 0, 0xcc0020);
									SelectObject( *(_t199 - 0xc4),  *(_t199 - 0x9c));
									 *(_t198 + 0x8c) = _t195;
								}
								E011B865B(_t199 - 0xc8);
							}
							SelectObject( *(_t199 - 0xa8),  *(_t199 - 0x98));
						}
						_t56 = _t199 - 4;
						 *_t56 =  *(_t199 - 4) | 0xffffffff;
						__eflags =  *_t56;
						E011B865B(_t199 - 0xac);
					}
					 *((intOrPtr*)(_t198 + 0x54)) =  *((intOrPtr*)(_t171 + 0x54));
					 *((intOrPtr*)(_t198 + 0x58)) =  *((intOrPtr*)(_t171 + 0x58));
					 *((intOrPtr*)(_t198 + 0x64)) =  *((intOrPtr*)(_t171 + 0x64));
					 *((intOrPtr*)(_t198 + 0x68)) =  *((intOrPtr*)(_t171 + 0x68));
					 *((intOrPtr*)(_t198 + 0x18)) =  *((intOrPtr*)(_t171 + 0x18));
					E01167F70(_t198 + 0x98, __eflags, _t171 + 0x98);
					 *((intOrPtr*)(_t198 + 0x1c)) =  *((intOrPtr*)(_t171 + 0x1c));
					 *((intOrPtr*)(_t198 + 4)) =  *((intOrPtr*)(_t171 + 4));
					 *((intOrPtr*)(_t198 + 0xa8)) =  *((intOrPtr*)(_t171 + 0xa8));
					 *((intOrPtr*)(_t198 + 0x24)) =  *((intOrPtr*)(_t171 + 0x24));
					 *((intOrPtr*)(_t198 + 0xb0)) =  *((intOrPtr*)(_t171 + 0xb0));
					 *((intOrPtr*)(_t198 + 0x2c)) =  *((intOrPtr*)(_t171 + 0x2c));
					 *((intOrPtr*)(_t198 + 8)) =  *((intOrPtr*)(_t171 + 8));
					 *((long long*)(_t198 + 0xb8)) =  *((long long*)(_t171 + 0xb8));
					 *((intOrPtr*)(_t198 + 0x5c)) =  *((intOrPtr*)(_t171 + 0x5c));
					 *((intOrPtr*)(_t198 + 0x60)) =  *((intOrPtr*)(_t171 + 0x60));
					_t192 =  *(_t171 + 0xc4);
					__eflags = _t192;
					if(_t192 != 0) {
						 *(_t199 - 0x9c) = _t171 + 0xf8;
						do {
							_t132 =  *(_t192 + 8);
							_t192 =  *_t192;
							 *(_t199 - 0x98) = _t132;
							E011D763A(_t198 + 0xc0, _t132);
							 *(_t199 - 0x94) =  *(_t199 - 0x94) | 0xffffffff;
							__eflags = E01250C5C( *(_t199 - 0x9c), __eflags,  *(_t199 - 0x98), _t199 - 0x94);
							if(__eflags != 0) {
								 *(E011ED1D2(_t171, _t190, _t192, __eflags,  *(_t199 - 0x98))) =  *(_t199 - 0x94);
							}
							__eflags = _t192;
						} while (_t192 != 0);
						_t171 =  *((intOrPtr*)(_t199 - 0xb8));
					}
					_t193 =  *(_t171 + 0xe0);
					while(1) {
						__eflags = _t193;
						if(_t193 == 0) {
							break;
						}
						_t193 =  *_t193;
						E011D763A(_t198 + 0xdc,  *((intOrPtr*)(_t193 + 8)));
					}
					_t130 = 1;
					__eflags = 1;
				} else {
					_t130 = 0;
				}
				E012EA081();
				return _t130;
			}

0x011ee304
0x011ee304
0x011ee30e
0x011ee313
0x011ee315
0x011ee31b
0x011ee322
0x011ee32b
0x011ee332
0x011ee336
0x011ee336
0x011ee341
0x011ee344
0x011ee352
0x011ee354
0x011ee366
0x011ee374
0x011ee37a
0x011ee380
0x011ee385
0x011ee398
0x011ee39d
0x011ee3a3
0x011ee3a5
0x011ee3b6
0x011ee3b6
0x011ee3a7
0x011ee3ae
0x011ee3ae
0x011ee3b8
0x011ee3be
0x011ee3c0
0x011ee3d1
0x011ee3db
0x011ee3dc
0x011ee3e3
0x011ee45e
0x011ee46b
0x011ee3e5
0x011ee3f4
0x011ee3fa
0x011ee3fc
0x00000000
0x011ee3fe
0x011ee400
0x011ee406
0x011ee410
0x011ee419
0x011ee423
0x011ee430
0x011ee43f
0x011ee44d
0x011ee450
0x011ee456
0x011ee456
0x011ee3fc
0x011ee471
0x011ee473
0x011ee475
0x011ee481
0x011ee48c
0x011ee49d
0x011ee4a9
0x011ee4af
0x011ee4b5
0x011ee4b7
0x011ee4fd
0x011ee4b9
0x011ee4dc
0x011ee4ee
0x011ee4f4
0x011ee4f4
0x011ee509
0x011ee509
0x011ee51a
0x011ee51a
0x011ee520
0x011ee520
0x011ee520
0x011ee52a
0x011ee52a
0x011ee538
0x011ee53e
0x011ee544
0x011ee54a
0x011ee550
0x011ee55a
0x011ee562
0x011ee568
0x011ee571
0x011ee57a
0x011ee583
0x011ee58c
0x011ee592
0x011ee59b
0x011ee5a4
0x011ee5aa
0x011ee5ad
0x011ee5b3
0x011ee5b5
0x011ee5bd
0x011ee5c3
0x011ee5c3
0x011ee5cc
0x011ee5cf
0x011ee5d5
0x011ee5e6
0x011ee5f9
0x011ee5fb
0x011ee616
0x011ee616
0x011ee618
0x011ee618
0x011ee61c
0x011ee61c
0x011ee622
0x011ee63a
0x011ee63a
0x011ee63c
0x00000000
0x00000000
0x011ee62d
0x011ee635
0x011ee635
0x011ee640
0x011ee640
0x011ee324
0x011ee324
0x011ee324
0x011ee641
0x011ee646

APIs

__EH_prolog3_GS.LIBCMT ref: 011EE30E
GetObjectW.GDI32(00000000,00000018,?,000000D4,0121FF0B,?,?,0122011A,013AA580,00808080,00FF00FF,-00003F01,00000000,00000000,00000000), ref: 011EE34C
CreateCompatibleDC.GDI32(00000000), ref: 011EE38B
SelectObject.GDI32(?,00000000), ref: 011EE3AE
GetObjectW.GDI32(00000000,00000054,?,?,?), ref: 011EE3F4
CreateDIBSection.GDI32(?,?), ref: 011EE456
CreateCompatibleDC.GDI32(?), ref: 011EE490
SelectObject.GDI32(?,00000000), ref: 011EE4A9

Strings

(, xrefs: 011EE43F

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: Object$Create$CompatibleSelect$H_prolog3_Section
String ID: (
API String ID: 1338481308-3887548279
Opcode ID: 99e905e86134879e0769c2c76033be8ad7a718f21ab8e1373ee3c262ef916c91
Instruction ID: 8f91823f90d52d3cd643a4ffc857facaf74bc0cc082dfcb659d0aade9efd64b9
Opcode Fuzzy Hash: 99e905e86134879e0769c2c76033be8ad7a718f21ab8e1373ee3c262ef916c91
Instruction Fuzzy Hash: 73A10974901619DFEB65DF64DC84B9ABBF5BF08300F1085A9E94DE7251EB30AA85CF20

Uniqueness

Uniqueness Score: -1.00%

Function 011F0B31 Relevance: 24.2, APIs: 16, Instructions: 158
windowCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E011F0B31(void* __edx, void* __fp0) {
				int _t60;
				int _t61;
				int _t63;
				int _t64;
				int _t65;
				int _t69;
				int _t71;
				int _t77;
				void* _t78;
				void** _t84;
				int _t85;
				int _t89;
				int _t92;
				void* _t94;
				void* _t95;
				void* _t96;
				int _t97;
				int _t98;
				int _t100;
				void* _t101;
				void* _t103;

				_t103 = __fp0;
				_t95 = __edx;
				_push(0x50);
				E012EA0A3();
				_t84 =  *(_t101 + 8);
				_t98 = 0;
				if( *_t84 != 0) {
					__eflags =  *((intOrPtr*)(_t101 + 0x10)) - 0xffffffff;
					if( *((intOrPtr*)(_t101 + 0x10)) == 0xffffffff) {
						L4:
						E011B84FA(_t101 - 0x34);
						 *(_t101 - 4) = _t98;
						E011B8E5C(_t101 - 0x34, CreateCompatibleDC(_t98));
						_push(_t101 - 0x5c);
						_t60 = 0x18;
						_t61 = GetObjectW( *_t84, _t60, ??);
						__eflags = _t61;
						if(_t61 != 0) {
							__eflags =  *_t84;
							if( *_t84 == 0) {
								_t96 = _t98;
								 *(_t101 - 0x20) = _t98;
							} else {
								_t96 = SelectObject( *(_t101 - 0x30),  *_t84);
								 *(_t101 - 0x20) = _t96;
							}
							__eflags = _t96;
							if(_t96 != 0) {
								_t89 =  *(_t101 - 0x54);
								_t64 =  *(_t101 - 0x58);
								 *(_t101 - 0x10) = _t64;
								 *(_t101 - 0x1c) = _t89;
								_t65 = CreateCompatibleBitmap( *(_t101 - 0x30), _t64, _t89);
								 *(_t101 - 0x18) = _t65;
								__eflags = _t65;
								if(_t65 != 0) {
									E011B84FA(_t101 - 0x44);
									 *(_t101 - 4) = 1;
									E011B8E5C(_t101 - 0x44, CreateCompatibleDC( *(_t101 - 0x30)));
									_t69 = SelectObject( *(_t101 - 0x40),  *(_t101 - 0x18));
									 *(_t101 - 0x24) = _t69;
									__eflags = _t69;
									if(_t69 != 0) {
										BitBlt( *(_t101 - 0x40), _t98, _t98,  *(_t101 - 0x10),  *(_t101 - 0x1c),  *(_t101 - 0x30), _t98, _t98, 0xcc0020);
										_t92 =  *(_t101 - 0x10);
										_t71 = _t98;
										 *(_t101 - 0x14) = _t71;
										__eflags = _t92;
										if(_t92 > 0) {
											_t97 =  *(_t101 - 0x1c);
											do {
												_t85 = _t98;
												__eflags = _t97;
												if(_t97 > 0) {
													_t100 =  *(_t101 - 0x14);
													do {
														_t77 = GetPixel( *(_t101 - 0x40), _t100, _t85);
														__eflags =  *((intOrPtr*)(_t101 + 0x10)) - 0xffffffff;
														 *(_t101 - 0x1c) = _t77;
														if( *((intOrPtr*)(_t101 + 0x10)) == 0xffffffff) {
															_t94 = 0x18;
															__eflags =  *((intOrPtr*)(_t101 - 0x4a)) - _t94;
															if( *((intOrPtr*)(_t101 - 0x4a)) != _t94) {
																L23:
																_t78 = E011F0DA1(_t97, _t100, _t77,  *((intOrPtr*)(_t101 + 0xc)));
															} else {
																__eflags =  *0x139e510;
																if(__eflags != 0) {
																	goto L23;
																} else {
																	_t78 = E011F0E31(_t95, __eflags, _t103, _t77);
																}
															}
															__eflags =  *(_t101 - 0x1c) - _t78;
															if( *(_t101 - 0x1c) != _t78) {
																_push(_t78);
																goto L26;
															}
														} else {
															__eflags = _t77 -  *((intOrPtr*)(_t101 + 0x10));
															if(_t77 ==  *((intOrPtr*)(_t101 + 0x10))) {
																_push( *((intOrPtr*)(_t101 + 0x14)));
																L26:
																SetPixel( *(_t101 - 0x40), _t100, _t85, ??);
															}
														}
														_t85 = _t85 + 1;
														__eflags = _t85 - _t97;
													} while (_t85 < _t97);
													_t71 =  *(_t101 - 0x14);
													_t98 = 0;
													__eflags = 0;
													_t92 =  *(_t101 - 0x10);
												}
												_t71 = _t71 + 1;
												 *(_t101 - 0x14) = _t71;
												__eflags = _t71 - _t92;
											} while (_t71 < _t92);
											_t96 =  *(_t101 - 0x20);
											_t84 =  *(_t101 + 8);
										}
										SelectObject( *(_t101 - 0x40),  *(_t101 - 0x24));
										SelectObject( *(_t101 - 0x30), _t96);
										DeleteObject( *_t84);
										 *_t84 =  *(_t101 - 0x18);
										_t98 = 1;
										__eflags = 1;
									} else {
										SelectObject( *(_t101 - 0x30), _t96);
										DeleteObject( *(_t101 - 0x18));
									}
									E011B865B(_t101 - 0x44);
								} else {
									SelectObject( *(_t101 - 0x30), _t96);
								}
							}
						}
						E011B865B(_t101 - 0x34);
						_t63 = _t98;
					} else {
						__eflags =  *((intOrPtr*)(_t101 + 0x14)) - 0xffffffff;
						if( *((intOrPtr*)(_t101 + 0x14)) == 0xffffffff) {
							goto L1;
						} else {
							goto L4;
						}
					}
				} else {
					L1:
					_t63 = 0;
				}
				E012EA06C();
				return _t63;
			}

0x011f0b31
0x011f0b31
0x011f0b31
0x011f0b38
0x011f0b3d
0x011f0b40
0x011f0b44
0x011f0b4d
0x011f0b51
0x011f0b59
0x011f0b5c
0x011f0b62
0x011f0b6f
0x011f0b77
0x011f0b7a
0x011f0b7e
0x011f0b84
0x011f0b86
0x011f0b8c
0x011f0b8f
0x011f0ba3
0x011f0ba5
0x011f0b91
0x011f0b9c
0x011f0b9e
0x011f0b9e
0x011f0ba8
0x011f0baa
0x011f0bb0
0x011f0bb3
0x011f0bbb
0x011f0bbe
0x011f0bc1
0x011f0bc7
0x011f0bca
0x011f0bcc
0x011f0be0
0x011f0be8
0x011f0bf6
0x011f0c01
0x011f0c07
0x011f0c0a
0x011f0c0c
0x011f0c3b
0x011f0c41
0x011f0c44
0x011f0c46
0x011f0c49
0x011f0c4b
0x011f0c4d
0x011f0c50
0x011f0c50
0x011f0c52
0x011f0c54
0x011f0c56
0x011f0c59
0x011f0c5e
0x011f0c64
0x011f0c68
0x011f0c6b
0x011f0c79
0x011f0c7a
0x011f0c7e
0x011f0c91
0x011f0c95
0x011f0c80
0x011f0c80
0x011f0c87
0x00000000
0x011f0c89
0x011f0c8a
0x011f0c8a
0x011f0c87
0x011f0c9a
0x011f0c9d
0x011f0c9f
0x00000000
0x011f0c9f
0x011f0c6d
0x011f0c6d
0x011f0c70
0x011f0c72
0x011f0ca0
0x011f0ca5
0x011f0ca5
0x011f0c70
0x011f0cab
0x011f0cac
0x011f0cac
0x011f0cb0
0x011f0cb3
0x011f0cb3
0x011f0cb5
0x011f0cb5
0x011f0cb8
0x011f0cb9
0x011f0cbc
0x011f0cbc
0x011f0cc0
0x011f0cc3
0x011f0cc3
0x011f0ccc
0x011f0cd6
0x011f0cde
0x011f0ce9
0x011f0ceb
0x011f0ceb
0x011f0c0e
0x011f0c12
0x011f0c1b
0x011f0c1b
0x011f0cef
0x011f0bce
0x011f0bd2
0x011f0bd2
0x011f0bcc
0x011f0baa
0x011f0cf7
0x011f0cfc
0x011f0b53
0x011f0b53
0x011f0b57
0x00000000
0x00000000
0x00000000
0x00000000
0x011f0b57
0x011f0b46
0x011f0b46
0x011f0b46
0x011f0b46
0x011f0cfe
0x011f0d03

APIs

__EH_prolog3.LIBCMT ref: 011F0B38
CreateCompatibleDC.GDI32(00000000), ref: 011F0B65
GetObjectW.GDI32(?,00000018,?,00000000,?,0121FF1A,00000001,00000000,?,?,?,0122011A,013AA580,00808080,00FF00FF,-00003F01), ref: 011F0B7E
SelectObject.GDI32(?,?), ref: 011F0B96
CreateCompatibleBitmap.GDI32(?,?,?), ref: 011F0BC1
SelectObject.GDI32(?,00000000), ref: 011F0BD2

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: Object$CompatibleCreateSelect$BitmapH_prolog3
String ID:
API String ID: 1715795092-0
Opcode ID: 63644445594ee76e393ba1257313a38fc5dbbe4d05aad5638b7763404ffe7b0d
Instruction ID: fd61f7ed82251bdabe00f3022ac56f1446f494620387f6567ddeaa7a4e29b007
Opcode Fuzzy Hash: 63644445594ee76e393ba1257313a38fc5dbbe4d05aad5638b7763404ffe7b0d
Instruction Fuzzy Hash: 4E51383080022AEFDF29AFA4DD48AEEBF7AFF08701F10456DFA12A2151D7319901DB61

Uniqueness

Uniqueness Score: -1.00%

Function 011C4C05 Relevance: 21.2, APIs: 1, Strings: 11, Instructions: 183
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E011C4C05() {
				intOrPtr _t40;
				void* _t42;
				intOrPtr _t54;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr _t57;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t63;
				intOrPtr _t64;
				intOrPtr _t65;
				intOrPtr _t102;
				void* _t103;

				_push(8);
				E012EA0A3();
				_t104 =  *((intOrPtr*)(_t103 + 8));
				if( *((intOrPtr*)(_t103 + 8)) == 0) {
					_t40 = 0;
					__eflags = 0;
				} else {
					E01144970(_t104,  *((intOrPtr*)(_t103 + 8)));
					_t102 = 0;
					 *((intOrPtr*)(_t103 - 4)) = 0;
					_t42 = E01167950(_t103 - 0x10, L"MFCButton");
					_t105 = _t42;
					if(_t42 != 0) {
						__eflags = E01167950(_t103 - 0x10, L"MFCColorButton");
						if(__eflags != 0) {
							__eflags = E01167950(_t103 - 0x10, L"MFCEditBrowse");
							if(__eflags != 0) {
								__eflags = E01167950(_t103 - 0x10, L"MFCFontComboBox");
								if(__eflags != 0) {
									__eflags = E01167950(_t103 - 0x10, L"MFCLink");
									if(__eflags != 0) {
										__eflags = E01167950(_t103 - 0x10, L"MFCMaskedEdit");
										if(__eflags != 0) {
											__eflags = E01167950(_t103 - 0x10, L"MFCMenuButton");
											if(__eflags != 0) {
												__eflags = E01167950(_t103 - 0x10, L"MFCPropertyGrid");
												if(__eflags != 0) {
													__eflags = E01167950(_t103 - 0x10, L"MFCShellList");
													if(__eflags != 0) {
														__eflags = E01167950(_t103 - 0x10, L"MFCShellTree");
														if(__eflags != 0) {
															__eflags = E01167950(_t103 - 0x10, L"MFCVSListBox");
															if(__eflags == 0) {
																_t54 = E011A6FE4(__eflags, 0x1f8);
																 *((intOrPtr*)(_t103 - 0x14)) = _t54;
																 *((char*)(_t103 - 4)) = 0xb;
																__eflags = _t54;
																if(__eflags != 0) {
																	_t55 = E011E3597(_t54, __eflags);
																	goto L34;
																}
															}
														} else {
															_t56 = E011A6FE4(__eflags, 0x90);
															 *((intOrPtr*)(_t103 - 0x14)) = _t56;
															 *((char*)(_t103 - 4)) = 0xa;
															__eflags = _t56;
															if(_t56 != 0) {
																_t55 = E011E2462(_t56);
																goto L34;
															}
														}
													} else {
														_t57 = E011A6FE4(__eflags, 0x170);
														 *((intOrPtr*)(_t103 - 0x14)) = _t57;
														 *((char*)(_t103 - 4)) = 9;
														__eflags = _t57;
														if(__eflags != 0) {
															_t55 = E011D2A8E(_t57, __eflags);
															goto L34;
														}
													}
												} else {
													_t58 = E011A6FE4(__eflags, 0x408);
													 *((intOrPtr*)(_t103 - 0x14)) = _t58;
													 *((char*)(_t103 - 4)) = 8;
													__eflags = _t58;
													if(__eflags != 0) {
														_t55 = E011DCE07(_t58, __eflags);
														goto L34;
													}
												}
											} else {
												_t59 = E011A6FE4(__eflags, 0x7c8);
												 *((intOrPtr*)(_t103 - 0x14)) = _t59;
												 *((char*)(_t103 - 4)) = 7;
												__eflags = _t59;
												if(__eflags != 0) {
													_t55 = E011DC710(_t59, __eflags);
													goto L34;
												}
											}
										} else {
											_t60 = E011A6FE4(__eflags, 0xb0);
											 *((intOrPtr*)(_t103 - 0x14)) = _t60;
											 *((char*)(_t103 - 4)) = 6;
											__eflags = _t60;
											if(_t60 != 0) {
												_t55 = E011DA50D(_t60);
												goto L34;
											}
										}
									} else {
										_t61 = E011A6FE4(__eflags, 0x7c0);
										 *((intOrPtr*)(_t103 - 0x14)) = _t61;
										 *((char*)(_t103 - 4)) = 5;
										__eflags = _t61;
										if(__eflags != 0) {
											_t55 = E011D9D28(_t61, __eflags);
											goto L34;
										}
									}
								} else {
									_t62 = E011A6FE4(__eflags, 0x90);
									 *((intOrPtr*)(_t103 - 0x14)) = _t62;
									 *((char*)(_t103 - 4)) = 4;
									__eflags = _t62;
									if(__eflags != 0) {
										_t55 = E011D93EE(_t62, __eflags);
										goto L34;
									}
								}
							} else {
								_t63 = E011A6FE4(__eflags, 0xd0);
								 *((intOrPtr*)(_t103 - 0x14)) = _t63;
								 *((char*)(_t103 - 4)) = 3;
								__eflags = _t63;
								if(__eflags != 0) {
									_t55 = E011D8135(_t63, __eflags);
									goto L34;
								}
							}
						} else {
							_t64 = E011A6FE4(__eflags, 0x808);
							 *((intOrPtr*)(_t103 - 0x14)) = _t64;
							 *((char*)(_t103 - 4)) = 2;
							__eflags = _t64;
							if(__eflags != 0) {
								_t55 = E011D7304(_t64, __eflags);
								goto L34;
							}
						}
					} else {
						_t65 = E011A6FE4(_t105, 0x7a8);
						 *((intOrPtr*)(_t103 - 0x14)) = _t65;
						 *((char*)(_t103 - 4)) = 1;
						_t106 = _t65;
						if(_t65 != 0) {
							_t55 = E011D4E22(_t65, _t106);
							L34:
							_t102 = _t55;
						}
					}
					E01144240( *((intOrPtr*)(_t103 - 0x10)) + 0xfffffff0);
					_t40 = _t102;
				}
				E012EA06C();
				return _t40;
			}

0x011c4c05
0x011c4c0c
0x011c4c11
0x011c4c15
0x011c4e82
0x011c4e82
0x011c4c1b
0x011c4c21
0x011c4c26
0x011c4c30
0x011c4c33
0x011c4c38
0x011c4c3a
0x011c4c6f
0x011c4c71
0x011c4ca6
0x011c4ca8
0x011c4cdd
0x011c4cdf
0x011c4d14
0x011c4d16
0x011c4d4b
0x011c4d4d
0x011c4d82
0x011c4d84
0x011c4db9
0x011c4dbb
0x011c4df0
0x011c4df2
0x011c4e20
0x011c4e22
0x011c4e50
0x011c4e52
0x011c4e59
0x011c4e5f
0x011c4e62
0x011c4e66
0x011c4e68
0x011c4e6c
0x00000000
0x011c4e6c
0x011c4e68
0x011c4e24
0x011c4e29
0x011c4e2f
0x011c4e32
0x011c4e36
0x011c4e38
0x011c4e3c
0x00000000
0x011c4e3c
0x011c4e38
0x011c4df4
0x011c4df9
0x011c4dff
0x011c4e02
0x011c4e06
0x011c4e08
0x011c4e0c
0x00000000
0x011c4e0c
0x011c4e08
0x011c4dbd
0x011c4dc2
0x011c4dc8
0x011c4dcb
0x011c4dcf
0x011c4dd1
0x011c4dd9
0x00000000
0x011c4dd9
0x011c4dd1
0x011c4d86
0x011c4d8b
0x011c4d91
0x011c4d94
0x011c4d98
0x011c4d9a
0x011c4da2
0x00000000
0x011c4da2
0x011c4d9a
0x011c4d4f
0x011c4d54
0x011c4d5a
0x011c4d5d
0x011c4d61
0x011c4d63
0x011c4d6b
0x00000000
0x011c4d6b
0x011c4d63
0x011c4d18
0x011c4d1d
0x011c4d23
0x011c4d26
0x011c4d2a
0x011c4d2c
0x011c4d34
0x00000000
0x011c4d34
0x011c4d2c
0x011c4ce1
0x011c4ce6
0x011c4cec
0x011c4cef
0x011c4cf3
0x011c4cf5
0x011c4cfd
0x00000000
0x011c4cfd
0x011c4cf5
0x011c4caa
0x011c4caf
0x011c4cb5
0x011c4cb8
0x011c4cbc
0x011c4cbe
0x011c4cc6
0x00000000
0x011c4cc6
0x011c4cbe
0x011c4c73
0x011c4c78
0x011c4c7e
0x011c4c81
0x011c4c85
0x011c4c87
0x011c4c8f
0x00000000
0x011c4c8f
0x011c4c87
0x011c4c3c
0x011c4c41
0x011c4c47
0x011c4c4a
0x011c4c4e
0x011c4c50
0x011c4c58
0x011c4e71
0x011c4e71
0x011c4e71
0x011c4c50
0x011c4e79
0x011c4e7e
0x011c4e7e
0x011c4e84
0x011c4e89

APIs

__EH_prolog3.LIBCMT ref: 011C4C0C

Part of subcall function 01144970: _DebugHeapAllocator.LIBCPMTD ref: 011449C5

Part of subcall function 01167950: __CrtIsValidPointer.LIBCMTD ref: 01167962

Part of subcall function 011D4E22: __EH_prolog3.LIBCMT ref: 011D4E29

Strings

MFCShellList, xrefs: 011C4DE3
MFCEditBrowse, xrefs: 011C4C99
MFCVSListBox, xrefs: 011C4E43
MFCMenuButton, xrefs: 011C4D75
MFCButton, xrefs: 011C4C2B
MFCLink, xrefs: 011C4D07
MFCColorButton, xrefs: 011C4C62
MFCMaskedEdit, xrefs: 011C4D3E
MFCPropertyGrid, xrefs: 011C4DAC
MFCShellTree, xrefs: 011C4E13
MFCFontComboBox, xrefs: 011C4CD0

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: H_prolog3$AllocatorDebugHeapPointerValid
String ID: MFCButton$MFCColorButton$MFCEditBrowse$MFCFontComboBox$MFCLink$MFCMaskedEdit$MFCMenuButton$MFCPropertyGrid$MFCShellList$MFCShellTree$MFCVSListBox
API String ID: 2296494758-2110171958
Opcode ID: 7a0ee9769edf84a15358a33107a44d2d02769fdf7a2590f3f281c918acd02bc0
Instruction ID: fdc03ecc8daa337929449a7b005b68ebd1de8069259d371bc9df9a5c3ce00b46
Opcode Fuzzy Hash: 7a0ee9769edf84a15358a33107a44d2d02769fdf7a2590f3f281c918acd02bc0
Instruction Fuzzy Hash: B3519520A0C3279AEF4CE7B889207BEBBE46F70A5CF55041DD505E66C0FF788A44CA56

Uniqueness

Uniqueness Score: -1.00%

Function 013131B2 Relevance: 19.6, APIs: 13, Instructions: 114
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E013131B2(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0x139f148) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							E0130B4D5(_t46);
							E013124BD( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							E0130B4D5(_t47);
							E01312977( *((intOrPtr*)(_t74 + 0x88)));
						}
						E0130B4D5( *((intOrPtr*)(_t74 + 0x7c)));
						E0130B4D5( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					E0130B4D5( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					E0130B4D5( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					E0130B4D5( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					E0130B4D5( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E01313325( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t55 = _t74 + 0xa0;
				_v8 = _t28;
				_t70 = _t74 + 0x28;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0x139f388) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E0130B4D5(_t31);
							E0130B4D5( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t29 =  *((intOrPtr*)(_t70 - 4));
						if(_t29 != 0 &&  *_t29 == 0) {
							E0130B4D5(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E0130B4D5(_t74);
			}

0x013131ba
0x013131be
0x013131c6
0x013131cf
0x013131d4
0x013131db
0x013131e3
0x013131eb
0x013131f6
0x013131fc
0x013131fd
0x01313205
0x0131320d
0x01313218
0x0131321e
0x01313222
0x0131322d
0x01313233
0x013131d4
0x01313234
0x0131323c
0x0131324f
0x01313262
0x01313270
0x0131327b
0x01313280
0x01313289
0x01313291
0x01313292
0x01313298
0x0131329b
0x0131329e
0x013132a5
0x013132a7
0x013132ab
0x013132b3
0x013132ba
0x013132c0
0x013132c1
0x013132c1
0x013132c8
0x013132ca
0x013132cf
0x013132d7
0x013132dc
0x013132dd
0x013132dd
0x013132e0
0x013132e3
0x013132e6
0x013132e9
0x013132e9
0x013132fb

APIs

___free_lconv_mon.LIBCMT ref: 013131F6

Part of subcall function 013124BD: _free.LIBCMT ref: 013124DA
Part of subcall function 013124BD: _free.LIBCMT ref: 013124EC
Part of subcall function 013124BD: _free.LIBCMT ref: 013124FE
Part of subcall function 013124BD: _free.LIBCMT ref: 01312510
Part of subcall function 013124BD: _free.LIBCMT ref: 01312522
Part of subcall function 013124BD: _free.LIBCMT ref: 01312534
Part of subcall function 013124BD: _free.LIBCMT ref: 01312546
Part of subcall function 013124BD: _free.LIBCMT ref: 01312558
Part of subcall function 013124BD: _free.LIBCMT ref: 0131256A
Part of subcall function 013124BD: _free.LIBCMT ref: 0131257C
Part of subcall function 013124BD: _free.LIBCMT ref: 0131258E
Part of subcall function 013124BD: _free.LIBCMT ref: 013125A0
Part of subcall function 013124BD: _free.LIBCMT ref: 013125B2

_free.LIBCMT ref: 013131EB

Part of subcall function 0130B4D5: RtlFreeHeap.NTDLL(00000000,00000000,?,01312C2A,?,00000000,?,00000000,?,01312ECE,?,00000007,?,?,0131334A,?), ref: 0130B4EB
Part of subcall function 0130B4D5: GetLastError.KERNEL32(?,?,01312C2A,?,00000000,?,00000000,?,01312ECE,?,00000007,?,?,0131334A,?,?), ref: 0130B4FD

_free.LIBCMT ref: 0131320D
_free.LIBCMT ref: 01313222
_free.LIBCMT ref: 0131322D
_free.LIBCMT ref: 0131324F
_free.LIBCMT ref: 01313262
_free.LIBCMT ref: 01313270
_free.LIBCMT ref: 0131327B
_free.LIBCMT ref: 013132B3
_free.LIBCMT ref: 013132BA
_free.LIBCMT ref: 013132D7
_free.LIBCMT ref: 013132EF

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: ca253f742b7df290a95c567f7e29d599f9bce03837e10f381849788229f42399
Instruction ID: c4fa28fb8beae718720d80c587a32233da636f4bd823dc1f8aace4ed5efac7d1
Opcode Fuzzy Hash: ca253f742b7df290a95c567f7e29d599f9bce03837e10f381849788229f42399
Instruction Fuzzy Hash: A331A0356007019FEB2AAE7CD844B96B7E8FF103B8F128469E559E7198DF31E941CB10

Uniqueness

Uniqueness Score: -1.00%

Function 011F215B Relevance: 18.2, APIs: 12, Instructions: 218
windowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E011F215B(void* __edx) {
				int _t96;
				struct HDC__* _t108;
				int _t132;
				int _t134;
				int _t135;
				struct HDC__* _t156;
				struct HDC__* _t157;
				void* _t158;
				int _t159;
				intOrPtr _t160;
				long _t161;
				void* _t165;

				_t158 = __edx;
				_push(0x48);
				E012EA0A3();
				_t134 =  *(_t165 + 0x2c);
				_t159 =  *(_t165 + 0x14);
				if(_t134 != 0xffffffff) {
					_t159 = _t134;
				}
				_t96 =  *(_t165 + 0x30);
				if(_t96 == 0xffffffff) {
					_t96 =  *(_t165 + 0x18);
				}
				_t160 =  *((intOrPtr*)(_t165 + 0x1c));
				 *(_t165 - 0x10) = _t96;
				if( *0x13a952c != 0) {
					L9:
					E011B84FA(_t165 - 0x44);
					 *(_t165 - 4) =  *(_t165 - 4) & 0x00000000;
					E011B84FA(_t165 - 0x34);
					 *(_t165 - 4) = 1;
					E011B84FA(_t165 - 0x54);
					 *(_t165 - 4) = 2;
					E011B8E5C(_t165 - 0x44,  *((intOrPtr*)(_t165 + 8)));
					E011B8E5C(_t165 - 0x54, CreateCompatibleDC( *(_t165 - 0x40)));
					 *(_t165 - 0x20) =  *(_t165 - 0x20) & 0x00000000;
					 *((intOrPtr*)(_t165 - 0x24)) = 0x1331fa4;
					 *(_t165 - 4) = 3;
					E011B8E5C(_t165 - 0x34, CreateCompatibleDC( *(_t165 - 0x40)));
					 *(_t165 - 0x18) =  *(_t165 - 0x18) & 0x00000000;
					 *((intOrPtr*)(_t165 - 0x1c)) = 0x1331fa4;
					 *(_t165 - 4) = 4;
					E011B8E9D(_t165 - 0x1c, _t158, _t159, CreateCompatibleBitmap( *(_t165 - 0x40), _t159,  *(_t165 - 0x10)));
					 *((intOrPtr*)(_t165 - 0x14)) = E011B9645( *(_t165 - 0x30),  *(_t165 - 0x18));
					if(_t134 == 0xffffffff) {
						L16:
						if(_t160 != 0) {
							_t108 =  *(_t160 + 4);
						} else {
							_t108 = 0;
						}
						_t161 = 0xcc0020;
						BitBlt( *(_t165 - 0x30), 0, 0,  *(_t165 + 0x14),  *(_t165 + 0x18), _t108,  *(_t165 + 0x20),  *(_t165 + 0x24), 0xcc0020);
					} else {
						_t132 =  *(_t165 + 0x30);
						if(_t134 !=  *(_t165 + 0x14) || _t132 !=  *(_t165 + 0x18)) {
							if(_t160 != 0) {
								_t156 =  *(_t160 + 4);
							} else {
								_t156 = 0;
							}
							_t161 = 0xcc0020;
							StretchBlt( *(_t165 - 0x30), 0, 0, _t134, _t132, _t156,  *(_t165 + 0x20),  *(_t165 + 0x24),  *(_t165 + 0x14),  *(_t165 + 0x18), 0xcc0020);
						} else {
							goto L16;
						}
					}
					_t135 =  *(_t165 - 0x10);
					E011B8E9D(_t165 - 0x24, _t158, _t159, CreateBitmap(_t159, _t135, 1, 1, 0));
					 *(_t165 - 0x10) = E011B9645( *(_t165 - 0x50),  *(_t165 - 0x20));
					E011B9751(_t112, _t165 - 0x34,  *((intOrPtr*)(_t165 + 0x28)));
					E011B989F(E011B9751(BitBlt( *(_t165 - 0x50), 0, 0, _t159, _t135,  *(_t165 - 0x30), 0, 0, _t161), _t165 - 0x34, 0), _t165 - 0x34, 0xffffff);
					E011B989F(E011B9751(BitBlt( *(_t165 - 0x30), 0, 0, _t159, _t135,  *(_t165 - 0x50), 0, 0, 0x8800c6), _t165 - 0x44, 0xffffff), _t165 - 0x44, 0);
					BitBlt( *(_t165 - 0x40),  *(_t165 + 0xc),  *(_t165 + 0x10), _t159, _t135,  *(_t165 - 0x50), 0, 0, 0x8800c6);
					BitBlt( *(_t165 - 0x40),  *(_t165 + 0xc),  *(_t165 + 0x10), _t159, _t135,  *(_t165 - 0x30), 0, 0, 0xee0086);
					_t123 =  *(_t165 - 0x10);
					if( *(_t165 - 0x10) != 0) {
						E011B9645( *(_t165 - 0x50),  *((intOrPtr*)(_t123 + 4)));
					}
					_t124 =  *((intOrPtr*)(_t165 - 0x14));
					if( *((intOrPtr*)(_t165 - 0x14)) != 0) {
						E011B9645( *(_t165 - 0x30),  *((intOrPtr*)(_t124 + 4)));
					}
					E011B902D(_t165 - 0x44, _t158);
					 *((intOrPtr*)(_t165 - 0x1c)) = 0x1331fa4;
					E011681B0(0x1331fa4, _t165 - 0x1c, _t159, 0);
					 *((intOrPtr*)(_t165 - 0x24)) = 0x1331fa4;
					E011681B0(0x1331fa4, _t165 - 0x24, _t159, 0);
					E011B865B(_t165 - 0x54);
					E011B865B(_t165 - 0x34);
					_t96 = E011B865B(_t165 - 0x44);
				} else {
					if(_t160 != 0) {
						_t157 =  *(_t160 + 4);
					} else {
						_t157 = 0;
					}
					__imp__TransparentBlt( *((intOrPtr*)(_t165 + 8)),  *(_t165 + 0xc),  *(_t165 + 0x10), _t159, _t96, _t157,  *(_t165 + 0x20),  *(_t165 + 0x24),  *(_t165 + 0x14),  *(_t165 + 0x18),  *((intOrPtr*)(_t165 + 0x28)));
					if(_t96 == 0) {
						goto L9;
					}
				}
				E012EA06C();
				return _t96;
			}

0x011f215b
0x011f215b
0x011f2162
0x011f2167
0x011f216a
0x011f2170
0x011f2172
0x011f2172
0x011f2174
0x011f217a
0x011f217c
0x011f217c
0x011f2186
0x011f2189
0x011f218c
0x011f21c2
0x011f21c5
0x011f21ca
0x011f21d1
0x011f21d9
0x011f21dd
0x011f21e8
0x011f21ec
0x011f21fe
0x011f2203
0x011f2207
0x011f2211
0x011f221f
0x011f2224
0x011f2228
0x011f2232
0x011f2244
0x011f2254
0x011f225a
0x011f2298
0x011f229a
0x011f22a0
0x011f229c
0x011f229c
0x011f229c
0x011f22a3
0x011f22bd
0x011f225c
0x011f225c
0x011f2262
0x011f226b
0x011f2271
0x011f226d
0x011f226d
0x011f226d
0x011f2274
0x011f2290
0x00000000
0x00000000
0x00000000
0x011f2262
0x011f22c3
0x011f22d8
0x011f22ee
0x011f22f1
0x011f231d
0x011f234a
0x011f2364
0x011f237f
0x011f2385
0x011f238a
0x011f2392
0x011f2392
0x011f2397
0x011f239c
0x011f23a4
0x011f23a4
0x011f23ac
0x011f23b9
0x011f23bc
0x011f23c4
0x011f23c7
0x011f23cf
0x011f23d7
0x011f23df
0x011f218e
0x011f2190
0x011f2196
0x011f2192
0x011f2192
0x011f2192
0x011f21b4
0x011f21bc
0x00000000
0x00000000
0x011f21bc
0x011f23e4
0x011f23e9

APIs

__EH_prolog3.LIBCMT ref: 011F2162
TransparentBlt.MSIMG32(?,?,00000000,?,?,?,?,00000000,?,00000000,?,00000048,011EF7D5,00000007,?,?), ref: 011F21B4
CreateCompatibleDC.GDI32(?), ref: 011F21F4
CreateCompatibleDC.GDI32(?), ref: 011F2215
CreateCompatibleBitmap.GDI32(?,?,00000000), ref: 011F223A
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,01331FA4,?,00000000,00CC0020), ref: 011F2290
BitBlt.GDI32(?,00000000,00000000,?,00000000,?,00000000,01331FA4,00CC0020), ref: 011F22BD
CreateBitmap.GDI32(?,00000000,00000001,00000001,00000000), ref: 011F22CE
BitBlt.GDI32(?,00000000,00000000,?,00000000,?,00000000,00000000,00CC0020), ref: 011F2305
BitBlt.GDI32(?,00000000,00000000,?,00000000,?,00000000,00000000,008800C6), ref: 011F2335
BitBlt.GDI32(?,?,00000000,?,00000000,?,00000000,00000000,008800C6), ref: 011F2364
BitBlt.GDI32(?,?,00000000,?,00000000,?,00000000,00000000,00EE0086), ref: 011F237F

Part of subcall function 011B865B: DeleteDC.GDI32(00000000), ref: 011B868F

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: Create$Compatible$Bitmap$DeleteH_prolog3StretchTransparent
String ID:
API String ID: 646174778-0
Opcode ID: 8104f785a5049babc32d720bef721d9b936598d88634ac7e82b45f7b5d835f3b
Instruction ID: 69dc3e21228c5eabfe9caa422c95c57337663727bb77f1c32199fd30b103bafb
Opcode Fuzzy Hash: 8104f785a5049babc32d720bef721d9b936598d88634ac7e82b45f7b5d835f3b
Instruction Fuzzy Hash: A2811575810119AFDF2AEFA0DD85EEE7B79FF18718F100118FA05621A0CB359A15DB60

Uniqueness

Uniqueness Score: -1.00%

Function 011B32E1 Relevance: 18.1, APIs: 12, Instructions: 112
synchronizationthreadinjectionCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E011B32E1(void* __ebx, intOrPtr* __ecx, signed char _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				signed char _v24;
				intOrPtr _v28;
				char _v32;
				void* __edi;
				void* _t31;
				void* _t37;
				void* _t38;
				void* _t45;
				signed char _t56;
				intOrPtr* _t58;
				intOrPtr* _t63;
				intOrPtr* _t67;

				_t58 = __ecx;
				_t67 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x2c)) != 0) {
					_t31 = E011B1E69(__ecx);
					asm("int3");
					_push(0);
					_t63 = _t58;
					if( *((intOrPtr*)(_t63 + 0x28)) != 0) {
						L012EA066();
						_t31 =  *((intOrPtr*)( *((intOrPtr*)( *_t63 + 4))))(1, _t67);
					}
					return _t31;
				} else {
					E012EE6E0(0,  &_v32, 0, 0x1c);
					_v32 = E011B730A();
					_v28 = _t67;
					_v16 = CreateEventW(0, 1, 0, 0);
					_t37 = CreateEventW(0, 1, 0, 0);
					_t56 = _a4;
					_v12 = _t37;
					_v24 = _t56;
					if(_v16 == 0) {
						L12:
						if(_t37 != 0) {
							CloseHandle(_t37);
							goto L14;
						}
						goto L15;
					} else {
						if(_t37 == 0) {
							CloseHandle(_v16);
							_t37 = _v12;
							goto L12;
						} else {
							_t10 = _t67 + 0x30; // 0x30
							_t45 = E013035A1(_t58, _a12, _a8, 0x11b38c8,  &_v32, _t56 | 0x00000004, _t10);
							 *(_t67 + 0x2c) = _t45;
							if(_t45 != 0) {
								ResumeThread(_t45);
								WaitForSingleObject(_v16, 0xffffffff);
								CloseHandle(_v16);
								if((_t56 & 0x00000004) != 0) {
									SuspendThread( *(_t67 + 0x2c));
								}
								if(_v8 == 0) {
									SetEvent(_v12);
									_t38 = 1;
								} else {
									WaitForSingleObject( *(_t67 + 0x2c), 0xffffffff);
									CloseHandle( *(_t67 + 0x2c));
									 *(_t67 + 0x2c) = 0;
									goto L5;
								}
							} else {
								CloseHandle(_v16);
								L5:
								CloseHandle(_v12);
								L14:
								L15:
								_t38 = 0;
							}
						}
					}
					return _t38;
				}
			}

0x011b32e1
0x011b32e9
0x011b32f1
0x011b33f1
0x011b33f6
0x011b33f7
0x011b33f8
0x011b33fe
0x011b340a
0x011b3411
0x011b3413
0x011b3415
0x011b32f7
0x011b32fe
0x011b3310
0x011b3313
0x011b3321
0x011b3324
0x011b332a
0x011b332d
0x011b3330
0x011b3336
0x011b33db
0x011b33dd
0x011b33e0
0x00000000
0x011b33e0
0x00000000
0x011b333c
0x011b333e
0x011b33d2
0x011b33d8
0x00000000
0x011b3344
0x011b3344
0x011b335d
0x011b3365
0x011b336a
0x011b337b
0x011b3386
0x011b338f
0x011b3398
0x011b339d
0x011b339d
0x011b33a6
0x011b33c4
0x011b33cc
0x011b33a8
0x011b33ad
0x011b33b6
0x011b33bc
0x00000000
0x011b33bc
0x011b336c
0x011b336f
0x011b3375
0x011b33e0
0x011b33e0
0x011b33e6
0x011b33e6
0x011b33e6
0x011b336a
0x011b333e
0x011b33ee
0x011b33ee

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,?,011439A6,Function_000038A0,?,00000000,00000000,00000000,00000000), ref: 011B3316
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,011439A6,Function_000038A0,?,00000000,00000000,00000000,00000000), ref: 011B3324
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,011439A6,Function_000038A0,?,00000000,00000000,00000000), ref: 011B336F
ResumeThread.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,011439A6,Function_000038A0,?,00000000,00000000,00000000), ref: 011B337B
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,?,?,?,?,011439A6,Function_000038A0,?,00000000,00000000), ref: 011B3386
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,011439A6,Function_000038A0,?,00000000,00000000,00000000), ref: 011B338F
SuspendThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,011439A6,Function_000038A0,?,00000000,00000000,00000000), ref: 011B339D
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,011439A6,Function_000038A0,?,00000000,00000000), ref: 011B33AD
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,011439A6,Function_000038A0,?,00000000,00000000,00000000), ref: 011B33B6
SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,011439A6,Function_000038A0,?,00000000,00000000,00000000), ref: 011B33C4
CloseHandle.KERNEL32(00000000,?,?,011439A6,Function_000038A0,?,00000000,00000000,00000000,00000000), ref: 011B33D2
CloseHandle.KERNEL32(00000000,?,?,011439A6,Function_000038A0,?,00000000,00000000,00000000,00000000), ref: 011B33E0

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: CloseHandle$Event$CreateObjectSingleThreadWait$ResumeSuspend
String ID:
API String ID: 3826824246-0
Opcode ID: f8d3143623d86db7a7748a841679ad407ab4dfb1e5daf1243e7dea0ff50ad756
Instruction ID: 05ea3c8d004a0719ad7bc8fa6b80a3f0607d37118f75a2105833be3b2b2145e6
Opcode Fuzzy Hash: f8d3143623d86db7a7748a841679ad407ab4dfb1e5daf1243e7dea0ff50ad756
Instruction Fuzzy Hash: 09317C31914204BFDB29AFA9EC89A9FBBB8FF48712F104139F521A2264DB319551CB61

Uniqueness

Uniqueness Score: -1.00%

Function 01308CEA Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E01308CEA(signed int _a4, void* _a8, unsigned int _a12) {
				signed int _v5;
				char _v6;
				void* _v12;
				unsigned int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void* _v32;
				long _v36;
				void* _v40;
				long _v44;
				signed int* _t143;
				signed int _t145;
				intOrPtr _t149;
				signed int _t153;
				signed int _t155;
				signed char _t157;
				unsigned int _t158;
				intOrPtr _t162;
				void* _t163;
				signed int _t164;
				signed int _t167;
				long _t168;
				intOrPtr _t175;
				signed int _t176;
				intOrPtr _t178;
				signed int _t180;
				signed int _t184;
				char _t191;
				char* _t192;
				char _t199;
				char* _t200;
				signed char _t211;
				signed int _t213;
				long _t215;
				signed int _t216;
				char _t218;
				signed char _t222;
				signed int _t223;
				unsigned int _t224;
				intOrPtr _t225;
				unsigned int _t229;
				signed int _t231;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				signed int _t235;
				signed char _t236;
				signed int _t237;
				signed int _t239;
				signed int _t240;
				signed int _t241;
				signed int _t242;
				signed int _t246;
				void* _t248;
				void* _t249;

				_t213 = _a4;
				if(_t213 != 0xfffffffe) {
					__eflags = _t213;
					if(_t213 < 0) {
						L58:
						_t143 = E012F9204();
						 *_t143 =  *_t143 & 0x00000000;
						__eflags =  *_t143;
						 *((intOrPtr*)(E012F9217())) = 9;
						L59:
						_t145 = E012F9CEA();
						goto L60;
					}
					__eflags = _t213 -  *0x13ad2c0; // 0x40
					if(__eflags >= 0) {
						goto L58;
					}
					_v24 = 1;
					_t239 = _t213 >> 6;
					_t235 = (_t213 & 0x0000003f) * 0x30;
					_v20 = _t239;
					_t149 =  *((intOrPtr*)(0x13ad0c0 + _t239 * 4));
					_v28 = _t235;
					_t222 =  *((intOrPtr*)(_t235 + _t149 + 0x28));
					_v5 = _t222;
					__eflags = _t222 & 0x00000001;
					if((_t222 & 0x00000001) == 0) {
						goto L58;
					}
					_t223 = _a12;
					__eflags = _t223 - 0x7fffffff;
					if(_t223 <= 0x7fffffff) {
						__eflags = _t223;
						if(_t223 == 0) {
							L57:
							return 0;
						}
						__eflags = _v5 & 0x00000002;
						if((_v5 & 0x00000002) != 0) {
							goto L57;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							goto L6;
						}
						_t153 =  *((intOrPtr*)(_t235 + _t149 + 0x29));
						_v5 = _t153;
						_v32 =  *((intOrPtr*)(_t235 + _t149 + 0x18));
						_t246 = 0;
						_t155 = _t153 - 1;
						__eflags = _t155;
						if(_t155 == 0) {
							_t236 = _v24;
							_t157 =  !_t223;
							__eflags = _t236 & _t157;
							if((_t236 & _t157) != 0) {
								_t158 = 4;
								_t224 = _t223 >> 1;
								_v16 = _t158;
								__eflags = _t224 - _t158;
								if(_t224 >= _t158) {
									_t158 = _t224;
									_v16 = _t224;
								}
								_t246 = E0130B125(_t224, _t158);
								E0130B4D5(0);
								E0130B4D5(0);
								_t249 = _t248 + 0xc;
								_v12 = _t246;
								__eflags = _t246;
								if(_t246 != 0) {
									_t162 = E0130A71D(_t213, 0, 0, _v24);
									_t225 =  *((intOrPtr*)(0x13ad0c0 + _t239 * 4));
									_t248 = _t249 + 0x10;
									_t240 = _v28;
									 *((intOrPtr*)(_t240 + _t225 + 0x20)) = _t162;
									_t163 = _t246;
									 *(_t240 + _t225 + 0x24) = _t236;
									_t235 = _t240;
									_t223 = _v16;
									L21:
									_t241 = 0;
									_v40 = _t163;
									_t215 =  *((intOrPtr*)(0x13ad0c0 + _v20 * 4));
									_v36 = _t215;
									__eflags =  *(_t235 + _t215 + 0x28) & 0x00000048;
									_t216 = _a4;
									if(( *(_t235 + _t215 + 0x28) & 0x00000048) != 0) {
										_t218 =  *((intOrPtr*)(_t235 + _v36 + 0x2a));
										_v6 = _t218;
										__eflags = _t218 - 0xa;
										_t216 = _a4;
										if(_t218 != 0xa) {
											__eflags = _t223;
											if(_t223 != 0) {
												_t241 = _v24;
												 *_t163 = _v6;
												_t216 = _a4;
												_t232 = _t223 - 1;
												__eflags = _v5;
												_v12 = _t163 + 1;
												_v16 = _t232;
												 *((char*)(_t235 +  *((intOrPtr*)(0x13ad0c0 + _v20 * 4)) + 0x2a)) = 0xa;
												if(_v5 != 0) {
													_t191 =  *((intOrPtr*)(_t235 +  *((intOrPtr*)(0x13ad0c0 + _v20 * 4)) + 0x2b));
													_v6 = _t191;
													__eflags = _t191 - 0xa;
													if(_t191 != 0xa) {
														__eflags = _t232;
														if(_t232 != 0) {
															_t192 = _v12;
															_t241 = 2;
															 *_t192 = _v6;
															_t216 = _a4;
															_t233 = _t232 - 1;
															_v12 = _t192 + 1;
															_v16 = _t233;
															 *((char*)(_t235 +  *((intOrPtr*)(0x13ad0c0 + _v20 * 4)) + 0x2b)) = 0xa;
															__eflags = _v5 - _v24;
															if(_v5 == _v24) {
																_t199 =  *((intOrPtr*)(_t235 +  *((intOrPtr*)(0x13ad0c0 + _v20 * 4)) + 0x2c));
																_v6 = _t199;
																__eflags = _t199 - 0xa;
																if(_t199 != 0xa) {
																	__eflags = _t233;
																	if(_t233 != 0) {
																		_t200 = _v12;
																		_t241 = 3;
																		 *_t200 = _v6;
																		_t216 = _a4;
																		_t234 = _t233 - 1;
																		__eflags = _t234;
																		_v12 = _t200 + 1;
																		_v16 = _t234;
																		 *((char*)(_t235 +  *((intOrPtr*)(0x13ad0c0 + _v20 * 4)) + 0x2c)) = 0xa;
																	}
																}
															}
														}
													}
												}
											}
										}
									}
									_t164 = E01315046(_t216);
									__eflags = _t164;
									if(_t164 == 0) {
										L41:
										_v24 = 0;
										L42:
										_t167 = ReadFile(_v32, _v12, _v16,  &_v36, 0);
										__eflags = _t167;
										if(_t167 == 0) {
											L53:
											_t168 = GetLastError();
											_t241 = 5;
											__eflags = _t168 - _t241;
											if(_t168 != _t241) {
												__eflags = _t168 - 0x6d;
												if(_t168 != 0x6d) {
													L37:
													E012F91E1(_t168);
													goto L38;
												}
												_t242 = 0;
												goto L39;
											}
											 *((intOrPtr*)(E012F9217())) = 9;
											 *(E012F9204()) = _t241;
											goto L38;
										}
										_t229 = _a12;
										__eflags = _v36 - _t229;
										if(_v36 > _t229) {
											goto L53;
										}
										_t242 = _t241 + _v36;
										__eflags = _t242;
										L45:
										_t237 = _v28;
										_t175 =  *((intOrPtr*)(0x13ad0c0 + _v20 * 4));
										__eflags =  *(_t237 + _t175 + 0x28) & 0x00000080;
										if(( *(_t237 + _t175 + 0x28) & 0x00000080) != 0) {
											__eflags = _v5 - 2;
											if(_v5 == 2) {
												__eflags = _v24;
												_push(_t242 >> 1);
												_push(_v40);
												_push(_t216);
												if(_v24 == 0) {
													_t176 = E01308844();
												} else {
													_t176 = E01308B54();
												}
											} else {
												_t230 = _t229 >> 1;
												__eflags = _t229 >> 1;
												_t176 = E01308A04(_t229 >> 1, _t229 >> 1, _t216, _v12, _t242, _a8, _t230);
											}
											_t242 = _t176;
										}
										goto L39;
									}
									_t231 = _v28;
									_t178 =  *((intOrPtr*)(0x13ad0c0 + _v20 * 4));
									__eflags =  *(_t231 + _t178 + 0x28) & 0x00000080;
									if(( *(_t231 + _t178 + 0x28) & 0x00000080) == 0) {
										goto L41;
									}
									_t112 =  &_v32; // 0xa
									_t180 = GetConsoleMode( *_t112,  &_v44);
									__eflags = _t180;
									if(_t180 == 0) {
										goto L41;
									}
									__eflags = _v5 - 2;
									if(_v5 != 2) {
										goto L42;
									}
									_t184 = ReadConsoleW(_v32, _v12, _v16 >> 1,  &_v36, 0);
									__eflags = _t184;
									if(_t184 != 0) {
										_t229 = _a12;
										_t242 = _t241 + _v36 * 2;
										goto L45;
									}
									_t168 = GetLastError();
									goto L37;
								} else {
									 *((intOrPtr*)(E012F9217())) = 0xc;
									 *(E012F9204()) = 8;
									L38:
									_t242 = _t241 | 0xffffffff;
									__eflags = _t242;
									L39:
									E0130B4D5(_t246);
									return _t242;
								}
							}
							L15:
							 *(E012F9204()) =  *_t206 & _t246;
							 *((intOrPtr*)(E012F9217())) = 0x16;
							E012F9CEA();
							goto L38;
						}
						__eflags = _t155 != 1;
						if(_t155 != 1) {
							L13:
							_t163 = _a8;
							_v16 = _t223;
							_v12 = _t163;
							goto L21;
						}
						_t211 =  !_t223;
						__eflags = _t211 & 0x00000001;
						if((_t211 & 0x00000001) == 0) {
							goto L15;
						}
						goto L13;
					}
					L6:
					 *(E012F9204()) =  *_t151 & 0x00000000;
					 *((intOrPtr*)(E012F9217())) = 0x16;
					goto L59;
				} else {
					 *(E012F9204()) =  *_t212 & 0x00000000;
					_t145 = E012F9217();
					 *_t145 = 9;
					L60:
					return _t145 | 0xffffffff;
				}
			}

0x01308cf3
0x01308cfa
0x01308d14
0x01308d16
0x0130907e
0x0130907e
0x01309083
0x01309083
0x0130908b
0x01309091
0x01309091
0x00000000
0x01309091
0x01308d1c
0x01308d22
0x00000000
0x00000000
0x01308d2a
0x01308d36
0x01308d39
0x01308d3c
0x01308d3f
0x01308d46
0x01308d49
0x01308d4d
0x01308d50
0x01308d53
0x00000000
0x00000000
0x01308d59
0x01308d5c
0x01308d62
0x01308d7c
0x01308d7e
0x0130907a
0x00000000
0x0130907a
0x01308d84
0x01308d88
0x00000000
0x00000000
0x01308d8e
0x01308d92
0x00000000
0x00000000
0x01308d99
0x01308d9d
0x01308da0
0x01308da3
0x01308da8
0x01308da8
0x01308dab
0x01308dc8
0x01308dcd
0x01308dcf
0x01308dd1
0x01308df1
0x01308df2
0x01308df4
0x01308df7
0x01308df9
0x01308dfb
0x01308dfd
0x01308dfd
0x01308e08
0x01308e0a
0x01308e11
0x01308e16
0x01308e19
0x01308e1c
0x01308e1e
0x01308e43
0x01308e48
0x01308e4f
0x01308e52
0x01308e55
0x01308e59
0x01308e5b
0x01308e5f
0x01308e61
0x01308e64
0x01308e67
0x01308e69
0x01308e6c
0x01308e73
0x01308e76
0x01308e7b
0x01308e7e
0x01308e87
0x01308e8b
0x01308e8e
0x01308e91
0x01308e94
0x01308e9a
0x01308e9c
0x01308ea5
0x01308ea8
0x01308eab
0x01308eae
0x01308eaf
0x01308eb3
0x01308eb9
0x01308ec3
0x01308ec8
0x01308ed8
0x01308edc
0x01308edf
0x01308ee1
0x01308ee3
0x01308ee5
0x01308ee7
0x01308eef
0x01308ef0
0x01308ef3
0x01308ef6
0x01308ef7
0x01308efd
0x01308f07
0x01308f0f
0x01308f12
0x01308f1e
0x01308f22
0x01308f25
0x01308f27
0x01308f29
0x01308f2b
0x01308f2d
0x01308f35
0x01308f36
0x01308f39
0x01308f3c
0x01308f3c
0x01308f3d
0x01308f43
0x01308f4d
0x01308f4d
0x01308f2b
0x01308f27
0x01308f12
0x01308ee5
0x01308ee1
0x01308ec8
0x01308e9c
0x01308e94
0x01308f53
0x01308f59
0x01308f5b
0x01308fce
0x01308fce
0x01308fd2
0x01308fe2
0x01308fe8
0x01308fea
0x01309046
0x01309046
0x0130904e
0x0130904f
0x01309051
0x0130906a
0x0130906d
0x01308faa
0x01308fab
0x00000000
0x01308fb0
0x01309073
0x00000000
0x01309073
0x01309058
0x01309063
0x00000000
0x01309063
0x01308fec
0x01308fef
0x01308ff2
0x00000000
0x00000000
0x01308ff4
0x01308ff4
0x01308ff7
0x01308ffa
0x01308ffd
0x01309004
0x01309009
0x0130900b
0x0130900f
0x0130902a
0x0130902e
0x0130902f
0x01309032
0x01309033
0x0130903f
0x01309035
0x01309035
0x01309035
0x01309011
0x01309011
0x01309011
0x0130901c
0x01309021
0x01309024
0x01309024
0x00000000
0x01309009
0x01308f60
0x01308f63
0x01308f6a
0x01308f6f
0x00000000
0x00000000
0x01308f75
0x01308f78
0x01308f7e
0x01308f80
0x00000000
0x00000000
0x01308f82
0x01308f86
0x00000000
0x00000000
0x01308f9a
0x01308fa0
0x01308fa2
0x01308fc6
0x01308fc9
0x00000000
0x01308fc9
0x01308fa4
0x00000000
0x01308e20
0x01308e25
0x01308e30
0x01308fb1
0x01308fb1
0x01308fb1
0x01308fb4
0x01308fb5
0x00000000
0x01308fbd
0x01308e1e
0x01308dd3
0x01308dd8
0x01308ddf
0x01308de5
0x00000000
0x01308de5
0x01308dad
0x01308db0
0x01308dba
0x01308dba
0x01308dbd
0x01308dc0
0x00000000
0x01308dc0
0x01308db4
0x01308db6
0x01308db8
0x00000000
0x00000000
0x00000000
0x01308db8
0x01308d64
0x01308d69
0x01308d71
0x00000000
0x01308cfc
0x01308d01
0x01308d04
0x01308d09
0x01309096
0x00000000
0x01309096

Strings

, xrefs: 01308F75

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3907804496
Opcode ID: 356853b50122610c08d679be84047ff082b1e8ea33261eb617468816e4f2a176
Instruction ID: c04cf31f3cf397423cfcad0d2a856360d8874d75c40d351252814f19463d656f
Opcode Fuzzy Hash: 356853b50122610c08d679be84047ff082b1e8ea33261eb617468816e4f2a176
Instruction Fuzzy Hash: D1C1D374E0424AAFDF12DFACD860BADBBF9AF19318F044198E654A73D2D7309941CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0130A039 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMON

Download Yara Rule

C-Code - Quality: 41%

			E0130A039(void* __ecx, intOrPtr* _a4, signed int* _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v5;
				char _v6;
				void* _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v36;
				signed int _v44;
				void _v48;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t114;
				signed int _t123;
				signed char _t124;
				signed int _t134;
				intOrPtr _t164;
				intOrPtr _t180;
				signed int* _t190;
				signed int _t192;
				char _t197;
				signed int _t203;
				signed int _t206;
				signed int _t215;
				signed int _t217;
				signed int _t219;
				signed int _t225;
				signed int _t227;
				signed int _t234;
				signed int _t235;
				signed int _t237;
				signed int _t239;
				signed char _t242;
				intOrPtr _t245;
				void* _t248;
				void* _t252;
				void* _t262;
				signed int _t263;
				signed int _t266;
				signed int _t269;
				signed int _t270;
				void* _t272;
				void* _t274;
				void* _t275;
				void* _t277;
				void* _t278;
				void* _t280;
				void* _t284;

				_t262 = E01309D84(__ecx,  &_v72, _a16, _a20, _a24);
				_t192 = 6;
				memcpy( &_v48, _t262, _t192 << 2);
				_t274 = _t272 + 0x1c;
				_t248 = _t262 + _t192 + _t192;
				_t263 = _t262 | 0xffffffff;
				if(_v36 != _t263) {
					_t114 = E01305FDC(_t248, _t263, __eflags);
					_t190 = _a8;
					 *_t190 = _t114;
					__eflags = _t114 - _t263;
					if(_t114 != _t263) {
						_v20 = _v20 & 0x00000000;
						_v24 = 0xc;
						_t275 = _t274 - 0x18;
						 *_a4 = 1;
						_push(6);
						_v16 =  !(_a16 >> 7) & 1;
						_push( &_v24);
						_push(_a12);
						memcpy(_t275,  &_v48, 1 << 2);
						_t197 = 0;
						_t252 = E01309CEF();
						_t277 = _t275 + 0x2c;
						_v12 = _t252;
						__eflags = _t252 - 0xffffffff;
						if(_t252 != 0xffffffff) {
							L11:
							_t123 = GetFileType(_t252);
							__eflags = _t123;
							if(_t123 != 0) {
								__eflags = _t123 - 2;
								if(_t123 != 2) {
									__eflags = _t123 - 3;
									_t124 = _v48;
									if(_t123 == 3) {
										_t124 = _t124 | 0x00000008;
										__eflags = _t124;
									}
								} else {
									_t124 = _v48 | 0x00000040;
								}
								_v5 = _t124;
								E01305F25(_t197,  *_t190, _t252);
								_t242 = _v5 | 0x00000001;
								_v5 = _t242;
								_v48 = _t242;
								 *( *((intOrPtr*)(0x13ad0c0 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) = _t242;
								_t203 =  *_t190;
								_t205 = (_t203 & 0x0000003f) * 0x30;
								__eflags = _a16 & 0x00000002;
								 *((char*)( *((intOrPtr*)(0x13ad0c0 + (_t203 >> 6) * 4)) + 0x29 + (_t203 & 0x0000003f) * 0x30)) = 0;
								if((_a16 & 0x00000002) == 0) {
									L20:
									_v6 = 0;
									_push( &_v6);
									_push(_a16);
									_t278 = _t277 - 0x18;
									_t206 = 6;
									_push( *_t190);
									memcpy(_t278,  &_v48, _t206 << 2);
									_t134 = E01309AA2(_t190,  &_v48 + _t206 + _t206,  &_v48);
									_t280 = _t278 + 0x30;
									__eflags = _t134;
									if(__eflags == 0) {
										 *((char*)( *((intOrPtr*)(0x13ad0c0 + ( *_t190 >> 6) * 4)) + 0x29 + ( *_t190 & 0x0000003f) * 0x30)) = _v6;
										 *( *((intOrPtr*)(0x13ad0c0 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x13ad0c0 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30) ^ (_a16 >> 0x00000010 ^  *( *((intOrPtr*)(0x13ad0c0 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30)) & 0x00000001;
										__eflags = _v5 & 0x00000048;
										if((_v5 & 0x00000048) == 0) {
											__eflags = _a16 & 0x00000008;
											if((_a16 & 0x00000008) != 0) {
												_t225 =  *_t190;
												_t227 = (_t225 & 0x0000003f) * 0x30;
												_t164 =  *((intOrPtr*)(0x13ad0c0 + (_t225 >> 6) * 4));
												_t87 = _t164 + _t227 + 0x28;
												 *_t87 =  *(_t164 + _t227 + 0x28) | 0x00000020;
												__eflags =  *_t87;
											}
										}
										_t266 = _v44;
										__eflags = (_t266 & 0xc0000000) - 0xc0000000;
										if((_t266 & 0xc0000000) != 0xc0000000) {
											L31:
											__eflags = 0;
											return 0;
										} else {
											__eflags = _a16 & 0x00000001;
											if((_a16 & 0x00000001) == 0) {
												goto L31;
											}
											CloseHandle(_v12);
											_v44 = _t266 & 0x7fffffff;
											_t215 = 6;
											_push( &_v24);
											_push(_a12);
											memcpy(_t280 - 0x18,  &_v48, _t215 << 2);
											_t245 = E01309CEF();
											__eflags = _t245 - 0xffffffff;
											if(_t245 != 0xffffffff) {
												_t217 =  *_t190;
												_t219 = (_t217 & 0x0000003f) * 0x30;
												__eflags = _t219;
												 *((intOrPtr*)( *((intOrPtr*)(0x13ad0c0 + (_t217 >> 6) * 4)) + _t219 + 0x18)) = _t245;
												goto L31;
											}
											E012F91E1(GetLastError());
											 *( *((intOrPtr*)(0x13ad0c0 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x13ad0c0 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) & 0x000000fe;
											E013060EE( *_t190);
											L10:
											goto L2;
										}
									}
									_t269 = _t134;
									goto L22;
								} else {
									_t269 = E01309F00(_t205,  *_t190);
									__eflags = _t269;
									if(__eflags != 0) {
										L22:
										E0130A48B(__eflags,  *_t190);
										return _t269;
									}
									goto L20;
								}
							}
							_t270 = GetLastError();
							E012F91E1(_t270);
							 *( *((intOrPtr*)(0x13ad0c0 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x13ad0c0 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) & 0x000000fe;
							CloseHandle(_t252);
							__eflags = _t270;
							if(_t270 == 0) {
								 *((intOrPtr*)(E012F9217())) = 0xd;
							}
							goto L2;
						}
						_t234 = _v44;
						__eflags = (_t234 & 0xc0000000) - 0xc0000000;
						if((_t234 & 0xc0000000) != 0xc0000000) {
							L9:
							_t235 =  *_t190;
							_t237 = (_t235 & 0x0000003f) * 0x30;
							_t180 =  *((intOrPtr*)(0x13ad0c0 + (_t235 >> 6) * 4));
							_t33 = _t180 + _t237 + 0x28;
							 *_t33 =  *(_t180 + _t237 + 0x28) & 0x000000fe;
							__eflags =  *_t33;
							E012F91E1(GetLastError());
							goto L10;
						}
						__eflags = _a16 & 0x00000001;
						if((_a16 & 0x00000001) == 0) {
							goto L9;
						}
						_t284 = _t277 - 0x18;
						_v44 = _t234 & 0x7fffffff;
						_t239 = 6;
						_push( &_v24);
						_push(_a12);
						memcpy(_t284,  &_v48, _t239 << 2);
						_t197 = 0;
						_t252 = E01309CEF();
						_t277 = _t284 + 0x2c;
						_v12 = _t252;
						__eflags = _t252 - 0xffffffff;
						if(_t252 != 0xffffffff) {
							goto L11;
						}
						goto L9;
					} else {
						 *(E012F9204()) =  *_t186 & 0x00000000;
						 *_t190 = _t263;
						 *((intOrPtr*)(E012F9217())) = 0x18;
						goto L2;
					}
				} else {
					 *(E012F9204()) =  *_t188 & 0x00000000;
					 *_a8 = _t263;
					L2:
					return  *((intOrPtr*)(E012F9217()));
				}
			}

0x0130a05c
0x0130a060
0x0130a061
0x0130a061
0x0130a061
0x0130a063
0x0130a069
0x0130a084
0x0130a089
0x0130a08c
0x0130a08e
0x0130a090
0x0130a0af
0x0130a0b6
0x0130a0bd
0x0130a0c0
0x0130a0cc
0x0130a0cf
0x0130a0d7
0x0130a0d8
0x0130a0db
0x0130a0db
0x0130a0e2
0x0130a0e4
0x0130a0e7
0x0130a0ef
0x0130a0f2
0x0130a15f
0x0130a160
0x0130a166
0x0130a168
0x0130a1b1
0x0130a1b4
0x0130a1bd
0x0130a1c0
0x0130a1c3
0x0130a1c5
0x0130a1c5
0x0130a1c5
0x0130a1b6
0x0130a1b9
0x0130a1b9
0x0130a1ca
0x0130a1cd
0x0130a1d9
0x0130a1de
0x0130a1ea
0x0130a1f4
0x0130a1f8
0x0130a202
0x0130a205
0x0130a210
0x0130a215
0x0130a225
0x0130a228
0x0130a22c
0x0130a22d
0x0130a233
0x0130a238
0x0130a23b
0x0130a23d
0x0130a23f
0x0130a244
0x0130a247
0x0130a249
0x0130a273
0x0130a297
0x0130a29b
0x0130a29f
0x0130a2a1
0x0130a2a5
0x0130a2a7
0x0130a2b1
0x0130a2b4
0x0130a2bb
0x0130a2bb
0x0130a2bb
0x0130a2bb
0x0130a2a5
0x0130a2c0
0x0130a2cc
0x0130a2ce
0x0130a359
0x0130a359
0x00000000
0x0130a2d4
0x0130a2d4
0x0130a2d8
0x00000000
0x00000000
0x0130a2dd
0x0130a2ef
0x0130a2f7
0x0130a2fa
0x0130a2fb
0x0130a2fe
0x0130a305
0x0130a30a
0x0130a30d
0x0130a341
0x0130a34b
0x0130a34b
0x0130a355
0x00000000
0x0130a355
0x0130a316
0x0130a32f
0x0130a336
0x0130a159
0x00000000
0x0130a159
0x0130a2ce
0x0130a24b
0x00000000
0x0130a217
0x0130a21e
0x0130a221
0x0130a223
0x0130a24d
0x0130a24f
0x00000000
0x0130a255
0x00000000
0x0130a223
0x0130a215
0x0130a170
0x0130a173
0x0130a18e
0x0130a193
0x0130a199
0x0130a19b
0x0130a1a6
0x0130a1a6
0x00000000
0x0130a19b
0x0130a0f4
0x0130a0fb
0x0130a0fd
0x0130a134
0x0130a134
0x0130a13e
0x0130a141
0x0130a148
0x0130a148
0x0130a148
0x0130a154
0x00000000
0x0130a154
0x0130a0ff
0x0130a103
0x00000000
0x00000000
0x0130a105
0x0130a114
0x0130a119
0x0130a11c
0x0130a11d
0x0130a120
0x0130a120
0x0130a127
0x0130a129
0x0130a12c
0x0130a12f
0x0130a132
0x00000000
0x00000000
0x00000000
0x0130a092
0x0130a097
0x0130a09a
0x0130a0a1
0x00000000
0x0130a0a1
0x0130a06b
0x0130a070
0x0130a076
0x0130a078
0x00000000
0x0130a07d

APIs

Part of subcall function 01309CEF: CreateFileW.KERNEL32(00000000,00000000,?,0130A0E2,?,?,00000000,?,0130A0E2,00000000,0000000C), ref: 01309D0C

GetLastError.KERNEL32 ref: 0130A14D
__dosmaperr.LIBCMT ref: 0130A154
GetFileType.KERNEL32(00000000), ref: 0130A160
GetLastError.KERNEL32 ref: 0130A16A
__dosmaperr.LIBCMT ref: 0130A173
CloseHandle.KERNEL32(00000000), ref: 0130A193
CloseHandle.KERNEL32(00008301), ref: 0130A2DD
GetLastError.KERNEL32 ref: 0130A30F
__dosmaperr.LIBCMT ref: 0130A316

Strings

H, xrefs: 0130A29B

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: f4fdf9d298b4bf64cb3523104f5cad5849b7c2f681df5c915193d935d8538c4e
Instruction ID: 8957848b30bc6c12bd58a419b606a6193c9b73bb23de75fa5b79023c8bb05efc
Opcode Fuzzy Hash: f4fdf9d298b4bf64cb3523104f5cad5849b7c2f681df5c915193d935d8538c4e
Instruction Fuzzy Hash: 06A13732A142098FDF2AEF7CE8657AE7BE4AB06328F14016DE811DB3D1D7358856CB51

Uniqueness

Uniqueness Score: -1.00%

Function 012204FD Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E012204FD(void* __ebx, void* __edx) {
				void* _t43;
				signed int _t48;
				signed int _t67;
				void* _t74;
				void* _t75;
				signed int* _t82;
				void* _t84;
				unsigned int _t85;
				void* _t87;
				void* _t88;
				signed int _t92;
				signed int _t95;
				void* _t96;

				_t84 = __edx;
				_push(0x48);
				E012EA0A3();
				_t87 =  *(_t96 + 8);
				if(_t87 != 0) {
					if(GetObjectW(_t87, 0x18, _t96 - 0x54) == 0 ||  *((intOrPtr*)(_t96 - 0x40)) == 0) {
						goto L1;
					} else {
						_t93 =  *(_t96 - 0x4c);
						 *(_t96 - 0x10) =  *(_t96 - 0x10) & 0x00000000;
						 *(_t96 - 0x1c) =  *(_t96 - 0x50);
						 *(_t96 - 0x18) =  *(_t96 - 0x4c);
						_t74 = E01220458(__ebx, _t87, _t93, _t96 - 0x1c, _t96 - 0x10);
						 *(_t96 - 0x14) = _t74;
						_t48 = E01304A7B(_t84, _t93);
						 *(_t96 - 0x18) = _t48;
						if(_t74 != 0) {
							_t95 =  *(_t96 - 0x50) * _t48;
							if( *((short*)(_t96 - 0x42)) != 0x20) {
								E011B84FA(_t96 - 0x3c);
								 *(_t96 - 4) =  *(_t96 - 4) & 0x00000000;
								E011B8E5C(_t96 - 0x3c, CreateCompatibleDC(0));
								_t75 = SelectObject( *(_t96 - 0x38), _t87);
								if(_t75 != 0) {
									E011B84FA(_t96 - 0x2c);
									 *(_t96 - 4) = 1;
									E011B8E5C(_t96 - 0x2c, CreateCompatibleDC(0));
									_t88 = SelectObject( *(_t96 - 0x28),  *(_t96 - 0x14));
									BitBlt( *(_t96 - 0x28), 0, 0,  *(_t96 - 0x50),  *(_t96 - 0x18),  *(_t96 - 0x38), 0, 0, 0xcc0020);
									if(_t88 != 0) {
										SelectObject( *(_t96 - 0x28), _t88);
									}
									SelectObject( *(_t96 - 0x38), _t75);
									_t85 =  *(_t96 + 0xc);
									_t82 =  *(_t96 - 0x10);
									if(_t85 != 0xffffffff) {
										_t92 = (_t85 >> 0x00000008 & 0x000000ff | (_t85 & 0x000000ff) << 0x00000008) << 0x00000008 | _t85 >> 0x00000010 & 0x000000ff;
										if(_t95 != 0) {
											do {
												_t67 =  *_t82;
												if(_t67 == _t92) {
													 *_t82 =  *_t82 & 0x00000000;
												} else {
													 *_t82 = _t67 | 0xff000000;
												}
												_t82 =  &(_t82[1]);
												_t95 = _t95 - 1;
											} while (_t95 != 0);
										}
									} else {
										if(_t95 != 0) {
											do {
												 *_t82 =  *_t82 | 0xff000000;
												_t82 =  &(_t82[1]);
												_t95 = _t95 - 1;
											} while (_t95 != 0);
										}
									}
									E011B865B(_t96 - 0x2c);
								}
								E011B865B(_t96 - 0x3c);
								_t74 =  *(_t96 - 0x14);
							} else {
								E012EE160( *(_t96 - 0x10),  *((intOrPtr*)(_t96 - 0x40)), _t95 << 2);
							}
						}
						_t43 = _t74;
					}
				} else {
					L1:
					_t43 = 0;
				}
				E012EA06C();
				return _t43;
			}

0x012204fd
0x012204fd
0x01220504
0x01220509
0x0122050e
0x01220526
0x00000000
0x0122052e
0x01220531
0x01220534
0x01220538
0x01220542
0x0122054b
0x0122054e
0x01220551
0x01220556
0x0122055c
0x01220565
0x0122056d
0x0122058b
0x01220590
0x012205a0
0x012205af
0x012205b3
0x012205bc
0x012205c3
0x012205d1
0x012205e7
0x012205fb
0x01220603
0x01220609
0x01220609
0x01220613
0x01220619
0x0122061c
0x01220622
0x01220651
0x01220655
0x01220657
0x01220657
0x0122065b
0x01220666
0x0122065d
0x01220662
0x01220662
0x01220669
0x0122066c
0x0122066c
0x01220657
0x01220624
0x01220626
0x01220628
0x01220628
0x0122062e
0x01220631
0x01220631
0x01220636
0x01220626
0x01220674
0x01220674
0x0122067c
0x01220681
0x0122056f
0x0122057b
0x01220580
0x0122056d
0x01220684
0x01220684
0x01220510
0x01220510
0x01220510
0x01220510
0x01220686
0x0122068b

APIs

__EH_prolog3.LIBCMT ref: 01220504
GetObjectW.GDI32(?,00000018,?,00000048,011F1C43,?,000000FF), ref: 0122051E

Strings

, xrefs: 01220568

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: H_prolog3Object
String ID:
API String ID: 133200376-3916222277
Opcode ID: f53da0bfa14a762af9d5fcd7a717aa96229f0596702378eb418e0cdd657bea10
Instruction ID: 485886cef7087120fae73254cb64d1cc27aed5dc60ac7f7ff51aa5b0ef6340de
Opcode Fuzzy Hash: f53da0bfa14a762af9d5fcd7a717aa96229f0596702378eb418e0cdd657bea10
Instruction Fuzzy Hash: F141A172D1012AEFEB21EFA4DC84AFEBB79FF58304F204128F611A6164DB759905CB64

Uniqueness

Uniqueness Score: -1.00%

Function 011D7796 Relevance: 15.4, APIs: 10, Instructions: 368
windowCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E011D7796(signed int __ecx, void* __fp0, intOrPtr _a4, signed int _a8) {
				struct tagRECT* _v0;
				signed int _v4;
				signed int _v12;
				struct tagRECT _v28;
				struct tagRECT _v44;
				long _v52;
				char _v60;
				struct tagRECT _v76;
				long _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				struct HBRUSH__* _v104;
				char _v108;
				char _v116;
				long _v152;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t129;
				signed int _t131;
				void* _t138;
				void* _t142;
				void* _t148;
				struct HBRUSH__* _t157;
				void* _t166;
				void* _t172;
				signed int _t176;
				intOrPtr* _t179;
				signed int _t180;
				intOrPtr _t188;
				void* _t191;
				signed int _t193;
				void* _t195;
				int _t198;
				void* _t199;
				signed int _t201;
				signed int _t202;
				intOrPtr _t208;
				void* _t214;
				signed int _t218;
				long _t240;
				void* _t259;
				long _t261;
				signed int _t263;
				long _t268;
				signed int _t276;
				signed int _t277;
				long _t280;
				long _t283;
				intOrPtr* _t288;
				long _t289;
				signed int _t297;
				signed int _t299;
				void* _t307;

				_t307 = __fp0;
				_t223 = __ecx;
				_t276 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x10)) == 0) {
					_t214 = E011C947E(__ecx, __ecx + 0x14,  *((intOrPtr*)(__ecx + 0x18)), 0xc);
					_t263 =  *(_t276 + 0x18);
					_t223 = 0xfffffff4 + _t263 * 0xc + _t214 + 8;
					while(1) {
						_t263 = _t263 - 1;
						if(_t263 < 0) {
							goto L4;
						}
						 *_t223 =  *(_t276 + 0x10);
						 *(_t276 + 0x10) = _t223;
						_t223 = _t223 - 0xc;
						__eflags = _t223;
					}
				}
				L4:
				_t129 =  *(_t276 + 0x10);
				if(_t129 == 0) {
					E011B1E69(_t223);
					asm("int3");
					_t297 = _t299;
					_t131 =  *0x139eff4; // 0xdde28b47
					_v28.bottom = _t131 ^ _t297;
					_t218 = _v4;
					_push(_t276);
					_t277 = _t223;
					_v88 = _t218;
					_v84 = _t277;
					_v92 = _v0;
					__eflags =  *(_t277 + 0x800);
					if( *(_t277 + 0x800) == 0) {
						_push(0);
						E011D7FCD(_t223, _t259);
					}
					_v100 = E011B96ED(_t218,  *(_t277 + 0x800), 0);
					RealizePalette( *(_t218 + 4));
					E01220330(_t218, 0, _t277,  &_v116);
					_t138 = 0xfffffff8;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t261 = _v28.right + _t138 - _v116;
					_v28.right = _t261;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t268 = _v80;
					_v44.left = _t261;
					_t280 =  *(_t268 + 0x7b0);
					__eflags = _t280 - 0xffffffff;
					if(_t280 != 0xffffffff) {
						L12:
						InflateRect( &_v28, 0xfffffffe, 0xfffffffe);
						_t142 = E011C5322();
						E011BDF7C( &_v28,  *((intOrPtr*)(E011C5322() + 0x24)),  *((intOrPtr*)(_t142 + 0x24)));
						InflateRect( &_v28, 0xffffffff, 0xffffffff);
						_t148 = E011C5322();
						E011BDF7C( &_v28,  *((intOrPtr*)(E011C5322() + 0x30)),  *((intOrPtr*)(_t148 + 0x30)));
						InflateRect( &_v28, 0xffffffff, 0xffffffff);
						__eflags = _t280 - 0xffffffff;
						if(_t280 != 0xffffffff) {
							__eflags = _a8 & 0x00000004;
							if((_a8 & 0x00000004) == 0) {
								__eflags =  *((intOrPtr*)(E011C5322() + 0x1ac)) - 8;
								if(__eflags == 0) {
									_t280 = GetNearestPaletteIndex( *( *((intOrPtr*)(_t268 + 0x800)) + 4), _t280) & 0x0000ffff | 0x01000000;
									__eflags = _t280;
								}
								_push(_t280);
								E011B8463( &_v108, _t268, __eflags);
								FillRect( *(_t218 + 4),  &_v28, _v104);
								_v108 = 0x13320c4;
								E011681B0(_t218,  &_v108, _t268, _t280);
							}
						}
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						InflateRect( &_v76, 0xfffffffe, 0xfffffffe);
						__eflags =  *0x13a9048;
						if( *0x13a9048 == 0) {
							L19:
							_t157 = E011C5322() + 0x98;
							__eflags = _t157;
							if(_t157 != 0) {
								_t157 =  *(_t157 + 4);
							}
							FillRect( *(_t218 + 4),  &_v44, _t157);
							_v96 = _v96 & 0x00000000;
							_v92 = _v92 & 0x00000000;
							__eflags = _a8 >> 0x00000002 & 0x00000001;
							E0121FFBC(_a8 >> 0x00000002 & 0x00000001, _t307, _t218, 0xd,  &_v44, _a8 >> 0x00000002 & 0x00000001,  &_v96);
							_t166 = E011C5322();
							E011BDF7C( &_v44,  *((intOrPtr*)(E011C5322() + 0x34)),  *((intOrPtr*)(_t166 + 0x30)));
							InflateRect( &_v44, 0xffffffff, 0xffffffff);
							_t172 = E011C5322();
							E011BDF7C( &_v44,  *((intOrPtr*)(E011C5322() + 0x24)),  *((intOrPtr*)(_t172 + 0x20)));
						} else {
							_t179 = E011C5385();
							_t283 = _v80;
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							L012EA066();
							_t180 =  *((intOrPtr*)( *((intOrPtr*)( *_t179 + 0x1c8))))(_v84, _a8 & 0x00000004,  *((intOrPtr*)(_t283 + 0xac)),  *((intOrPtr*)(_t283 + 0xb4)));
							_t218 = _v84;
							__eflags = _t180;
							if(_t180 == 0) {
								goto L19;
							}
						}
						_t176 = _v100;
						__eflags = _t176;
						if(_t176 != 0) {
							E011B96ED(_t218, _t176, 0);
						}
						__eflags = _v12 ^ _t297;
						return E012E980C(_v12 ^ _t297);
					} else {
						_t188 =  *((intOrPtr*)(_t268 + 0x7f8));
						_t280 =  *(_t268 + 0x7b4);
						_v92 = _t280;
						__eflags =  *(_t188 - 0xc);
						if( *(_t188 - 0xc) == 0) {
							goto L12;
						} else {
							_t191 = _v28.bottom - _v28.top + _v28.left;
							_v28.right = _t191;
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							_t268 = _v80;
							_v60 = _t191;
							_v52 = _t261;
							_t288 =  *((intOrPtr*)( *_t268 + 0x18c));
							L012EA066();
							_t240 = _t268;
							_t193 =  *_t288(_t218);
							_v88 = _t193;
							__eflags = _t193;
							if(_t193 == 0) {
								E011B1E69(_t240);
								asm("int3");
								_push(_t297);
								_push(_t240);
								_push(_t240);
								__eflags =  *0x13a9048;
								_push(_t218);
								_push(_t288);
								_t289 = _t240;
								_push(_t268);
								_v152 = _t289;
								if( *0x13a9048 == 0) {
									L28:
									_t195 = E011C5322();
									E011BDF7C(_v0,  *((intOrPtr*)(E011C5322() + 0x30)),  *((intOrPtr*)(_t195 + 0x24)));
									_t198 = InflateRect(_v0, 0xffffffff, 0xffffffff);
									__eflags =  *(_t289 + 0x80);
									if( *(_t289 + 0x80) == 0) {
										L30:
										_t199 = E011C5322();
										_t198 = E011BDF7C(_v0,  *((intOrPtr*)(E011C5322() + 0x20)),  *((intOrPtr*)(_t199 + 0x34)));
									} else {
										__eflags =  *(_t289 + 0xb4);
										if( *(_t289 + 0xb4) != 0) {
											goto L30;
										}
									}
								} else {
									_t201 = E011C5385();
									_v28.bottom = _t201;
									_t202 = E011B082E(_t289);
									asm("sbb eax, eax");
									asm("movsd");
									asm("movsd");
									asm("movsd");
									asm("movsd");
									L012EA066();
									_t198 =  *((intOrPtr*)( *_t201 + 0x1cc))(_v4,  ~_t202 + 1, 0, 1);
									__eflags = _t198;
									if(_t198 == 0) {
										_t289 = _v28.right;
										goto L28;
									}
								}
								return _t198;
							} else {
								E011B9783(_t218, 1);
								L012EA066();
								 *((intOrPtr*)( *_t218 + 0x30))( *((intOrPtr*)(E011C5322() + 0x28)));
								_t208 =  *((intOrPtr*)(_t268 + 0x7f8));
								L012EA066();
								 *((intOrPtr*)( *_t218 + 0x68))(_t208,  *((intOrPtr*)(_t208 - 0xc)),  &_v60, 0x8025);
								L012EA066();
								 *((intOrPtr*)( *((intOrPtr*)( *_t218 + 0x28))))(_v88);
								_t280 = _v92;
								goto L12;
							}
						}
					}
				} else {
					 *(_t276 + 0x10) =  *_t129;
					 *((intOrPtr*)(_t129 + 4)) = _a4;
					 *_t129 = _a8;
					 *((intOrPtr*)(_t276 + 0xc)) =  *((intOrPtr*)(_t276 + 0xc)) + 1;
					return _t129;
				}
			}

0x011d7796
0x011d7796
0x011d779a
0x011d77a0
0x011d77ab
0x011d77b0
0x011d77bc
0x011d77cb
0x011d77cb
0x011d77ce
0x00000000
0x00000000
0x011d77c3
0x011d77c5
0x011d77c8
0x011d77c8
0x011d77c8
0x011d77cb
0x011d77d0
0x011d77d0
0x011d77d5
0x011d77ef
0x011d77f4
0x011d77f6
0x011d77fb
0x011d7802
0x011d7809
0x011d780c
0x011d780d
0x011d780f
0x011d7815
0x011d7818
0x011d781b
0x011d7821
0x011d7823
0x011d7824
0x011d7824
0x011d783a
0x011d783d
0x011d7847
0x011d7856
0x011d785a
0x011d785b
0x011d785c
0x011d785d
0x011d7866
0x011d7868
0x011d786b
0x011d786c
0x011d786d
0x011d786e
0x011d786f
0x011d7872
0x011d7875
0x011d787b
0x011d787e
0x011d7932
0x011d793a
0x011d7940
0x011d7956
0x011d7963
0x011d7969
0x011d797f
0x011d798c
0x011d7992
0x011d7995
0x011d7997
0x011d799b
0x011d79a2
0x011d79a9
0x011d79be
0x011d79be
0x011d79be
0x011d79c4
0x011d79c8
0x011d79d7
0x011d79e0
0x011d79e7
0x011d79e7
0x011d799b
0x011d79f2
0x011d79fb
0x011d79fc
0x011d79fd
0x011d79fe
0x011d7a04
0x011d7a0b
0x011d7a57
0x011d7a5c
0x011d7a5c
0x011d7a61
0x011d7a63
0x011d7a63
0x011d7a6e
0x011d7a74
0x011d7a7b
0x011d7a86
0x011d7a91
0x011d7a96
0x011d7aac
0x011d7ab9
0x011d7abf
0x011d7ad5
0x011d7a0d
0x011d7a0d
0x011d7a12
0x011d7a37
0x011d7a38
0x011d7a39
0x011d7a3a
0x011d7a43
0x011d7a4a
0x011d7a4c
0x011d7a4f
0x011d7a51
0x00000000
0x00000000
0x011d7a51
0x011d7ada
0x011d7add
0x011d7adf
0x011d7ae6
0x011d7ae6
0x011d7af0
0x011d7afb
0x011d7884
0x011d7884
0x011d788a
0x011d7890
0x011d7893
0x011d7897
0x00000000
0x011d789d
0x011d78a8
0x011d78ab
0x011d78af
0x011d78b0
0x011d78b1
0x011d78b2
0x011d78b3
0x011d78b6
0x011d78b9
0x011d78be
0x011d78c6
0x011d78cb
0x011d78cd
0x011d78cf
0x011d78d2
0x011d78d4
0x011d7afe
0x011d7b03
0x011d7b04
0x011d7b07
0x011d7b08
0x011d7b09
0x011d7b10
0x011d7b11
0x011d7b12
0x011d7b14
0x011d7b15
0x011d7b18
0x011d7b5f
0x011d7b5f
0x011d7b75
0x011d7b81
0x011d7b87
0x011d7b8e
0x011d7b99
0x011d7b99
0x011d7baf
0x011d7b90
0x011d7b90
0x011d7b97
0x00000000
0x00000000
0x011d7b97
0x011d7b1a
0x011d7b1a
0x011d7b25
0x011d7b2a
0x011d7b3a
0x011d7b46
0x011d7b47
0x011d7b48
0x011d7b49
0x011d7b4a
0x011d7b52
0x011d7b58
0x011d7b5a
0x011d7b5c
0x00000000
0x011d7b5c
0x011d7b5a
0x011d7bba
0x011d78da
0x011d78de
0x011d78f0
0x011d78f7
0x011d78fa
0x011d7912
0x011d7919
0x011d7926
0x011d792d
0x011d792f
0x00000000
0x011d792f
0x011d78d4
0x011d7897
0x011d77d7
0x011d77d9
0x011d77df
0x011d77e5
0x011d77e7
0x011d77ec
0x011d77ec

APIs

RealizePalette.GDI32(00000007), ref: 011D783D
InflateRect.USER32(?,000000FE,000000FE), ref: 011D793A
InflateRect.USER32(?,000000FF,000000FF), ref: 011D7963
InflateRect.USER32(?,000000FF,000000FF), ref: 011D798C
GetNearestPaletteIndex.GDI32(00000007,?), ref: 011D79B5
FillRect.USER32 ref: 011D79D7
InflateRect.USER32(?,000000FE,000000FE), ref: 011D79FE
FillRect.USER32 ref: 011D7A6E
InflateRect.USER32(?,000000FF,000000FF), ref: 011D7AB9
InflateRect.USER32(?,000000FF,000000FF), ref: 011D7B81

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: Rect$Inflate$FillPalette$IndexNearestRealize
String ID:
API String ID: 3736734007-0
Opcode ID: 39f7bdddf236bf9709e061cad359798c2fc169eb38a239f100111f9a985b5211
Instruction ID: 7b1916cf2eb0b5af77193ef6e21137c7462e986989f1f5173c61c15414f50411
Opcode Fuzzy Hash: 39f7bdddf236bf9709e061cad359798c2fc169eb38a239f100111f9a985b5211
Instruction Fuzzy Hash: 42D1D471900619AFCF19EFA4CC44ADEBBBAFF08324F104669F815AB291DB71AD04CB50

Uniqueness

Uniqueness Score: -1.00%

Function 011F0F3A Relevance: 15.2, APIs: 10, Instructions: 202
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E011F0F3A() {
				void* _t86;
				void* _t90;
				int _t92;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				long _t97;
				void* _t103;
				signed int _t106;
				int _t110;
				signed int _t113;
				int _t114;
				int _t115;
				signed int _t117;
				signed int _t118;
				int _t122;
				int _t124;
				int _t125;
				void* _t126;
				void* _t128;
				void* _t129;
				int _t130;
				signed int _t131;
				int _t132;
				int _t134;
				void** _t135;
				int _t137;
				int _t139;
				int _t141;
				void* _t142;
				int _t143;
				void* _t144;

				_push(0xa8);
				E012EA0D7();
				_t135 =  *(_t144 + 8);
				_t131 =  *(_t144 + 0xc);
				 *(_t144 - 0x84) = _t131;
				if( *_t135 != 0) {
					if(GetObjectW( *_t135, 0x18, _t144 - 0xb4) != 0) {
						_t118 =  *(_t144 - 0xb0);
						 *(_t144 - 0x68) =  *(_t144 - 0xac);
						asm("cdq");
						_t113 = _t118 / _t131;
						 *(_t144 - 0x8c) = _t118;
						_t86 = 0x20;
						 *(_t144 - 0x7c) = _t113;
						if( *((intOrPtr*)(_t144 - 0xa2)) != _t86) {
							E011B84FA(_t144 - 0x9c);
							_t132 = 0;
							 *((intOrPtr*)(_t144 - 4)) = 0;
							E011B8E5C(_t144 - 0x9c, CreateCompatibleDC(0));
							if( *_t135 == 0) {
								_t90 = 0;
								 *(_t144 - 0x70) = 0;
							} else {
								_t90 = SelectObject( *(_t144 - 0x98),  *_t135);
								 *(_t144 - 0x70) = _t90;
							}
							if(_t90 != 0) {
								if(_t113 > 0) {
									_t94 =  *(_t144 - 0x84);
									_t122 = _t132;
									_t128 =  *(_t144 - 0x68);
									 *(_t144 - 0x74) = _t122;
									do {
										 *(_t144 - 0x8c) = _t132;
										if(_t128 > 0) {
											_t54 = _t122 - 1; // -1
											_t137 = _t54 + _t94;
											asm("cdq");
											_t95 = _t94 - _t128;
											 *(_t144 - 0x80) = _t137;
											_t128 =  *(_t144 - 0x68);
											_t96 = _t95 >> 1;
											 *(_t144 - 0x88) = _t96;
											do {
												 *(_t144 - 0x6c) = _t137;
												_t114 = _t122;
												if(_t96 > 0) {
													 *(_t144 - 0x78) = _t96;
													do {
														_t97 = GetPixel( *(_t144 - 0x98), _t114, _t132);
														SetPixel( *(_t144 - 0x98), _t114, _t132, GetPixel( *(_t144 - 0x98),  *(_t144 - 0x6c), _t132));
														_t139 =  *(_t144 - 0x6c);
														SetPixel( *(_t144 - 0x98), _t139, _t132, _t97);
														_t114 = _t114 + 1;
														_t66 = _t144 - 0x78;
														 *_t66 =  *(_t144 - 0x78) - 1;
														 *(_t144 - 0x6c) = _t139 - 1;
													} while ( *_t66 != 0);
													_t122 =  *(_t144 - 0x74);
													_t96 =  *(_t144 - 0x88);
													_t128 =  *(_t144 - 0x68);
													_t137 =  *(_t144 - 0x80);
												}
												_t132 = _t132 + 1;
											} while (_t132 < _t128);
											_t113 =  *(_t144 - 0x7c);
											_t132 = 0;
											_t94 =  *(_t144 - 0x84);
										}
										_t122 = _t122 + _t94;
										_t113 = _t113 - 1;
										 *(_t144 - 0x74) = _t122;
										 *(_t144 - 0x7c) = _t113;
									} while (_t113 != 0);
									_t90 =  *(_t144 - 0x70);
								}
								SelectObject( *(_t144 - 0x98), _t90);
								_t132 = 1;
							}
							E011B865B(_t144 - 0x9c);
							_t92 = _t132;
						} else {
							if(GetObjectW( *_t135, 0x54, _t144 - 0x64) == 0) {
								goto L3;
							} else {
								_t103 = 0x20;
								if( *((intOrPtr*)(_t144 - 0x52)) != _t103) {
									goto L3;
								} else {
									_t141 =  *(_t144 - 0x50);
									 *(_t144 - 0x74) = _t141;
									if(_t141 == 0) {
										goto L3;
									} else {
										if(_t113 > 0) {
											_t129 =  *(_t144 - 0x68);
											_t106 = _t131 << 2;
											_t124 = _t141 - 4 + _t106;
											 *(_t144 - 0x78) = _t124;
											do {
												if(_t129 > 0) {
													asm("cdq");
													_t130 = _t141;
													_t142 =  *(_t144 - 0x68);
													 *(_t144 - 0x6c) = _t131 - _t129 >> 1;
													_t110 = _t124;
													_t125 =  *(_t144 - 0x6c);
													 *(_t144 - 0x80) = _t110;
													 *(_t144 - 0x70) = _t142;
													do {
														 *(_t144 - 0x88) = _t130;
														_t115 = _t110;
														if(_t125 > 0) {
															_t143 = _t125;
															_t134 = _t130;
															do {
																_t126 =  *_t134;
																 *_t134 =  *_t115;
																_t134 = _t134 + 4;
																 *_t115 = _t126;
																_t115 = _t115 - 4;
																_t143 = _t143 - 1;
															} while (_t143 != 0);
															_t110 =  *(_t144 - 0x80);
															_t125 =  *(_t144 - 0x6c);
															_t142 =  *(_t144 - 0x70);
														}
														_t131 =  *(_t144 - 0x84);
														_t117 =  *(_t144 - 0x8c) << 2;
														_t110 = _t110 + _t117;
														_t130 = _t130 + _t117;
														_t142 = _t142 - 1;
														 *(_t144 - 0x80) = _t110;
														 *(_t144 - 0x70) = _t142;
													} while (_t142 != 0);
													_t113 =  *(_t144 - 0x7c);
													_t141 =  *(_t144 - 0x74);
													_t124 =  *(_t144 - 0x78);
													_t129 =  *(_t144 - 0x68);
													_t106 = _t131 << 2;
												}
												_t141 = _t141 + _t106;
												_t124 = _t124 + _t106;
												_t113 = _t113 - 1;
												 *(_t144 - 0x74) = _t141;
												 *(_t144 - 0x78) = _t124;
												 *(_t144 - 0x7c) = _t113;
											} while (_t113 != 0);
										}
										goto L1;
										L39:
									}
								}
							}
						}
					} else {
						L3:
						_t92 = 0;
					}
				} else {
					L1:
					_t92 = 1;
				}
				E012EA081();
				return _t92;
				goto L39;
			}

0x011f0f3a
0x011f0f44
0x011f0f49
0x011f0f4c
0x011f0f4f
0x011f0f58
0x011f0f75
0x011f0f84
0x011f0f8a
0x011f0f8f
0x011f0f94
0x011f0f96
0x011f0f9c
0x011f0f9d
0x011f0fa7
0x011f1080
0x011f1085
0x011f1088
0x011f1098
0x011f109f
0x011f10b4
0x011f10b6
0x011f10a1
0x011f10a9
0x011f10af
0x011f10af
0x011f10bb
0x011f10c3
0x011f10c9
0x011f10cf
0x011f10d1
0x011f10d4
0x011f10d7
0x011f10d7
0x011f10df
0x011f10e5
0x011f10e8
0x011f10ea
0x011f10eb
0x011f10ed
0x011f10f0
0x011f10f3
0x011f10f5
0x011f10fb
0x011f10fb
0x011f10fe
0x011f1102
0x011f1104
0x011f1107
0x011f110f
0x011f1130
0x011f1137
0x011f1142
0x011f1148
0x011f114a
0x011f114a
0x011f114e
0x011f114e
0x011f1153
0x011f1156
0x011f115c
0x011f115f
0x011f115f
0x011f1162
0x011f1163
0x011f1167
0x011f116a
0x011f116c
0x011f116c
0x011f1172
0x011f1174
0x011f1177
0x011f117a
0x011f117a
0x011f1183
0x011f1183
0x011f118d
0x011f1195
0x011f1195
0x011f119c
0x011f11a1
0x011f0fad
0x011f0fbd
0x00000000
0x011f0fbf
0x011f0fc1
0x011f0fc6
0x00000000
0x011f0fc8
0x011f0fc8
0x011f0fcb
0x011f0fd0
0x00000000
0x011f0fd2
0x011f0fd4
0x011f0fd6
0x011f0fde
0x011f0fe1
0x011f0fe3
0x011f0fe6
0x011f0fe8
0x011f0fec
0x011f0fef
0x011f0ff1
0x011f0ff6
0x011f0ff9
0x011f0ffb
0x011f0ffe
0x011f1001
0x011f1004
0x011f1004
0x011f100a
0x011f100e
0x011f1010
0x011f1012
0x011f1014
0x011f1014
0x011f1018
0x011f101a
0x011f101d
0x011f101f
0x011f1022
0x011f1022
0x011f1027
0x011f102a
0x011f102d
0x011f102d
0x011f1036
0x011f103c
0x011f103f
0x011f1041
0x011f1043
0x011f1046
0x011f1049
0x011f1049
0x011f104e
0x011f1053
0x011f1056
0x011f1059
0x011f105c
0x011f105c
0x011f105f
0x011f1061
0x011f1063
0x011f1066
0x011f1069
0x011f106c
0x011f106c
0x011f1075
0x00000000
0x00000000
0x011f0fd4
0x011f0fd0
0x011f0fc6
0x011f0fbd
0x011f0f77
0x011f0f77
0x011f0f77
0x011f0f77
0x011f0f5a
0x011f0f5a
0x011f0f5c
0x011f0f5c
0x011f11a3
0x011f11a8
0x00000000

APIs

__EH_prolog3_GS.LIBCMT ref: 011F0F44
GetObjectW.GDI32(?,00000018,?,000000A8,011F1552,?,00000010,00000038,011F04A2,?,?,00000000,00000008,011BD066,?), ref: 011F0F6D

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: H_prolog3_Object
String ID:
API String ID: 2214263146-0
Opcode ID: e643500bb5c5a76f21048b9b52cf3f640e5ca0353772a8d8db405ff51378186a
Instruction ID: 895e0bbac0b5d246273e0062d4b6d2f6eb2a886b377490165410c54ecab55333
Opcode Fuzzy Hash: e643500bb5c5a76f21048b9b52cf3f640e5ca0353772a8d8db405ff51378186a
Instruction Fuzzy Hash: 70811771E00229DBDB24CFA9C884AADBBB6FF98304F24816DEA59E7301DB315945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 011B1858 Relevance: 15.1, APIs: 10, Instructions: 91
windowCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 90%

			E011B1858(void* __eflags, struct HMENU__* _a4, struct HMENU__* _a8, signed int _a12) {
				struct HMENU__* _v4;
				signed int _v8;
				int _v12;
				intOrPtr _v16;
				void* _v20;
				intOrPtr _t24;
				int _t29;
				struct HMENU__* _t32;
				struct HMENU__* _t35;
				int _t38;
				int _t40;
				int _t43;

				_push(4);
				E012EA0A3();
				_t24 = E011A6FE4(__eflags, 0xc);
				_v16 = _t24;
				_t35 = 0;
				_v4 = 0;
				if(_t24 != 0) {
					_t35 = E011B15A5(_t24);
				}
				_v8 = _v8 | 0xffffffff;
				 *((intOrPtr*)(_t35 + 8)) = _a4;
				_v20 = _t35;
				E012EE83A( &_v20, 0x138acc0);
				asm("int3");
				_push(_t35);
				_push(_t35);
				_v20 = GetMenuItemCount(_v4);
				_t29 = GetMenuItemCount(_v8);
				_t43 = _t29 - 1;
				if(_t43 >= 0) {
					do {
						_t29 = GetSubMenu(_a4, _t43);
						_t32 = _t29;
						if(_t32 != 0) {
							if(_a12 == 0) {
								_t38 = 0;
								__eflags = _v8;
								if(_v8 > 0) {
									while(1) {
										_t29 = GetSubMenu(_a8, _t38);
										__eflags = _t29 - _t32;
										if(_t29 == _t32) {
											break;
										}
										_t38 = _t38 + 1;
										__eflags = _t38 - _v8;
										if(_t38 < _v8) {
											continue;
										} else {
										}
										goto L16;
									}
									_t29 = RemoveMenu(_a4, _t43, 0x400);
								}
							} else {
								_t29 = GetMenuItemCount(_t32);
								_t40 = 0;
								_v12 = _t29;
								if(_t29 > 0) {
									while(1) {
										_t29 = GetSubMenu(_t32, _t40);
										if(_t29 == _a12) {
											break;
										}
										_t40 = _t40 + 1;
										if(_t40 < _v12) {
											continue;
										} else {
										}
										goto L16;
									}
									_t29 = RemoveMenu(_t32, _t40, 0x400);
									_a12 = _a12 & 0x00000000;
								}
							}
						}
						L16:
						_t43 = _t43 - 1;
					} while (_t43 >= 0);
				}
				return _t29;
			}

0x011b1858
0x011b185f
0x011b1866
0x011b186c
0x011b186f
0x011b1871
0x011b1876
0x011b187f
0x011b187f
0x011b1884
0x011b1888
0x011b1894
0x011b1897
0x011b189c
0x011b18a0
0x011b18a1
0x011b18af
0x011b18b2
0x011b18ba
0x011b18bd
0x011b18c5
0x011b18c9
0x011b18cf
0x011b18d3
0x011b18d9
0x011b1913
0x011b1915
0x011b1918
0x011b191a
0x011b191e
0x011b1924
0x011b1926
0x00000000
0x00000000
0x011b1928
0x011b1929
0x011b192c
0x00000000
0x00000000
0x011b192e
0x00000000
0x011b192c
0x011b1939
0x011b1939
0x011b18db
0x011b18dc
0x011b18e2
0x011b18e4
0x011b18e9
0x011b18eb
0x011b18ed
0x011b18f6
0x00000000
0x00000000
0x011b18f8
0x011b18fc
0x00000000
0x00000000
0x011b18fe
0x00000000
0x011b18fc
0x011b1907
0x011b190d
0x011b190d
0x011b18e9
0x011b18d9
0x011b193f
0x011b193f
0x011b193f
0x011b1945
0x011b194a

APIs

__EH_prolog3.LIBCMT ref: 011B185F
__CxxThrowException@8.LIBVCRUNTIME ref: 011B1897
GetMenuItemCount.USER32 ref: 011B18A6
GetMenuItemCount.USER32 ref: 011B18B2
GetSubMenu.USER32 ref: 011B18C9
GetMenuItemCount.USER32 ref: 011B18DC
GetSubMenu.USER32 ref: 011B18ED
RemoveMenu.USER32(00000000,00000000,00000400,?,?,?,8007000E,0138ACC0,00000004,011447AC), ref: 011B1907

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: Menu$CountItem$Exception@8H_prolog3RemoveThrow
String ID:
API String ID: 642076194-0
Opcode ID: 7d151fb3d09fdd063b75d3f34606a16e39a712a95f1518ce558ffbf19cb089ce
Instruction ID: 88d7655cd6f77305c951edf70ba9617686085a5d03dd043f87a257a203cbc2ca
Opcode Fuzzy Hash: 7d151fb3d09fdd063b75d3f34606a16e39a712a95f1518ce558ffbf19cb089ce
Instruction Fuzzy Hash: 8A318E71900249FFDB39AFA9FC99AAE3FB9FB40360F124539F505A6150EB709A40CB51

Uniqueness

Uniqueness Score: -1.00%

Function 011D459F Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 128
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 72%

			E011D459F(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, intOrPtr* _a4, signed int* _a8, signed int _a12) {
				struct HINSTANCE__* _v8;
				intOrPtr* _v32;
				void* __ebp;
				intOrPtr* _t26;
				signed short _t31;
				struct HRSRC__* _t43;
				void* _t44;
				void* _t46;
				intOrPtr* _t52;
				signed int _t58;
				signed int* _t63;
				signed int _t65;
				void* _t70;
				void* _t74;

				_push(__ecx);
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_push(0x11d46db);
				_t55 = 0x13a901c;
				_t70 = E011BEDA5(0x13a901c, __esi);
				if(_t70 == 0) {
					E011B1E69(0x13a901c);
					L15:
					E011B1E83(_t55);
					asm("int3");
					_push(_t55);
					_t26 = E011BEA3D(0xc);
					_v32 = _t26;
					__eflags = _t26;
					if(_t26 == 0) {
						__eflags = 0;
						return 0;
					}
					 *(_t26 + 4) =  *(_t26 + 4) & 0x00000000;
					 *_t26 = 0x1335af0;
					 *((short*)(_t26 + 8)) = 0;
					return _t26;
				}
				_t52 = _a4;
				if( *(_t70 + 8) != 0) {
					_t63 = _a8;
				} else {
					_t31 = GetModuleHandleW(L"comctl32.dll");
					_v8 = _t31;
					if(_t31 == 0) {
						L9:
						_t63 = _a8;
					} else {
						__imp__GetUserDefaultUILanguage();
						_t65 = _a12;
						_t55 = 0x3ff;
						if((_t31 & 0x000003ff) != 0x11) {
							L6:
							asm("sbb edi, edi");
							_t43 = FindResourceW(_v8, ( ~_t65 & 0x0000000e) + 0x3ee, 5);
							if(_t43 == 0) {
								goto L9;
							} else {
								goto L7;
							}
						} else {
							_t46 = E011D471B(_t52, _t65, _t70, L"MS UI Gothic");
							_pop(_t55);
							if(_t46 == 0) {
								goto L6;
							} else {
								asm("sbb eax, eax");
								_t43 = FindResourceExW(_v8, 5, ( ~_t65 & 0x0000000e) + 0x3ee, 0xfc11);
								if(_t43 != 0) {
									L7:
									_t44 = LoadResource(_v8, _t43);
									_t63 = _a8;
									_t84 = _t44;
									if(_t44 != 0) {
										E011BD187(_t84, _t44, _t52, _t63);
										_t74 = _t74 + 0xc;
									}
								} else {
									goto L6;
								}
							}
						}
					}
					_t55 = GlobalAlloc(0x40, E011B2297(_t52, _t55, _t63, _t70, _t84,  *((intOrPtr*)( *_t52 - 0xc)) + 1, 2));
					 *((intOrPtr*)(_t70 + 4)) = _t55;
					if(_t55 == 0) {
						goto L15;
					} else {
						E011BB364(_t55,  *((intOrPtr*)( *_t52 - 0xc)) + 1,  *_t52);
						 *(_t70 + 8) =  *_t63;
					}
				}
				E01144900(_t52,  *((intOrPtr*)(_t70 + 4)));
				_t58 =  *(_t70 + 8) & 0x0000ffff;
				 *_t63 = _t58;
				return 0 | _t58 != 0x0000ffff;
			}

0x011d45a2
0x011d45a3
0x011d45a4
0x011d45a5
0x011d45a6
0x011d45ab
0x011d45b5
0x011d45b9
0x011d46d0
0x011d46d5
0x011d46d5
0x011d46da
0x011d46de
0x011d46e1
0x011d46e6
0x011d46e9
0x011d46eb
0x011d46ff
0x00000000
0x011d46ff
0x011d46ed
0x011d46f3
0x011d46f9
0x00000000
0x011d46f9
0x011d45c4
0x011d45c7
0x011d46a6
0x011d45cd
0x011d45d2
0x011d45d8
0x011d45dd
0x011d4667
0x011d4667
0x011d45e3
0x011d45e3
0x011d45e9
0x011d45ec
0x011d45f8
0x011d462c
0x011d4630
0x011d463f
0x011d4647
0x00000000
0x00000000
0x00000000
0x00000000
0x011d45fa
0x011d45ff
0x011d4604
0x011d4607
0x00000000
0x011d4609
0x011d4612
0x011d4622
0x011d462a
0x011d4649
0x011d464d
0x011d4653
0x011d4656
0x011d4658
0x011d465d
0x011d4662
0x011d4662
0x00000000
0x00000000
0x00000000
0x011d462a
0x011d4607
0x011d45f8
0x011d4683
0x011d4685
0x011d468a
0x00000000
0x011d468c
0x011d4695
0x011d46a0
0x011d46a0
0x011d468a
0x011d46ae
0x011d46b3
0x011d46bc
0x011d46cd

APIs

Part of subcall function 011BEDA5: __EH_prolog3_catch.LIBCMT ref: 011BEDAC

GetModuleHandleW.KERNEL32(comctl32.dll,011D46DB,00000000,00000000,00000000,?,?,011C2F86,00000000,00000000,011C1BAC,00000000,0000001C,011C2D83,00000000,011C1BAC), ref: 011D45D2
GetUserDefaultUILanguage.KERNEL32(?,?,011C2F86,00000000,00000000,011C1BAC,00000000,0000001C,011C2D83,00000000,011C1BAC), ref: 011D45E3
FindResourceExW.KERNEL32(?,00000005,?,0000FC11,?,?,011C2F86,00000000,00000000,011C1BAC,00000000,0000001C,011C2D83,00000000,011C1BAC), ref: 011D4622
FindResourceW.KERNEL32(?,?,00000005,?,?,011C2F86,00000000,00000000,011C1BAC,00000000,0000001C,011C2D83,00000000,011C1BAC), ref: 011D463F
LoadResource.KERNEL32(?,00000000,?,?,011C2F86,00000000,00000000,011C1BAC,00000000,0000001C,011C2D83,00000000,011C1BAC), ref: 011D464D

Part of subcall function 011D471B: _wcslen.LIBCMT ref: 011D4749
Part of subcall function 011D471B: GetDC.USER32(00000000), ref: 011D4771
Part of subcall function 011D471B: EnumFontFamiliesExW.GDI32(00000000,?,011D4705,?,00000000,?,?,?,?,?,?,00000000), ref: 011D478C
Part of subcall function 011D471B: ReleaseDC.USER32 ref: 011D4794

GlobalAlloc.KERNEL32(00000040,00000000,?,?,011C2F86,00000000,00000000,011C1BAC,00000000,0000001C,011C2D83,00000000,011C1BAC), ref: 011D467D

Strings

comctl32.dll, xrefs: 011D45CD
MS UI Gothic, xrefs: 011D45FA

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: Resource$Find$AllocDefaultEnumFamiliesFontGlobalH_prolog3_catchHandleLanguageLoadModuleReleaseUser_wcslen
String ID: MS UI Gothic$comctl32.dll
API String ID: 2994302752-3248924666
Opcode ID: 467220da4d0aa284f9d135bb9cc7229b5e9fb3f79f65bde61b9f3c5b4299398a
Instruction ID: bc698c7fd56ed80205f5ca718c87d8f4444fec777bfcf35e4e03546b16fb5c4f
Opcode Fuzzy Hash: 467220da4d0aa284f9d135bb9cc7229b5e9fb3f79f65bde61b9f3c5b4299398a
Instruction Fuzzy Hash: 4A41F771600606EFEB28AF69DC86E7A77ADEF40714F158128F906CBA80EB70D940C721

Uniqueness

Uniqueness Score: -1.00%

Function 011BD720 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 115
librarystringloaderCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E011BD720(void* __ebx, void* __edi, void* __esi, struct HWND__* _a4, WCHAR* _a8) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v24;
				signed int _v28;
				char _v32;
				intOrPtr* _v36;
				short _v520;
				signed int* _v524;
				signed int* _v528;
				signed int _v540;
				signed int* _v564;
				void* __ebp;
				signed int _t19;
				signed int _t22;
				signed int* _t24;
				void* _t46;
				signed int* _t47;
				void* _t48;
				void* _t49;
				struct HWND__* _t58;
				intOrPtr* _t59;
				WCHAR* _t64;
				struct HINSTANCE__* _t65;
				signed int _t66;
				signed int _t68;

				_t46 = __ebx;
				_t19 =  *0x139eff4; // 0xdde28b47
				_v8 = _t19 ^ _t66;
				_t64 = _a8;
				_t58 = _a4;
				if(_t58 == 0 || _t64 == 0) {
					E011B1E69(_t49);
					asm("int3");
					_push(_t66);
					_t67 = _t68;
					_t22 =  *0x139eff4; // 0xdde28b47
					_v540 = _t22 ^ _t68;
					_t24 = _v524;
					_push(_t46);
					_t47 = _v528;
					_push(_t64);
					_push(L"comctl32.dll");
					_v564 = _t24;
					 *_t47 =  *_t47 & 0x00000000;
					 *_t24 =  *_t24 & 0x00000000;
					_t65 = E011AFE0C();
					if(_t65 != 0) {
						_push(_t58);
						_t59 = GetProcAddress(_t65, "DllGetVersion");
						if(_t59 != 0) {
							E012EE6E0(_t59,  &_v32, 0, 0x14);
							_v32 = 0x14;
							_push( &_v32);
							L012EA066();
							if( *_t59() >= 0) {
								 *_t47 = _v28;
								 *_v36 = _v24;
							}
						}
						FreeLibrary(_t65);
					} else {
						E011BB96A();
					}
					return E012E980C(_v12 ^ _t67);
				} else {
					_t48 = E013004F8(_t64);
					 *_t68 = 0x200;
					_push(0);
					_push( &_v520);
					E012EE6E0(_t58);
					if(_t48 > 0x100 || GetWindowTextW(_t58,  &_v520, 0x100) != _t48 || lstrcmpW( &_v520, _t64) != 0) {
						SetWindowTextW(_t58, _t64);
					}
					return E012E980C(_v8 ^ _t66);
				}
			}

0x011bd720
0x011bd729
0x011bd730
0x011bd735
0x011bd739
0x011bd73e
0x011bd7ad
0x011bd7b2
0x011bd7b3
0x011bd7b4
0x011bd7b9
0x011bd7c0
0x011bd7c3
0x011bd7c6
0x011bd7c7
0x011bd7ca
0x011bd7cb
0x011bd7d0
0x011bd7d3
0x011bd7d6
0x011bd7de
0x011bd7e2
0x011bd7eb
0x011bd7f8
0x011bd7fc
0x011bd806
0x011bd80e
0x011bd81a
0x011bd81b
0x011bd826
0x011bd82e
0x011bd833
0x011bd833
0x011bd826
0x011bd83d
0x011bd7e4
0x011bd7e4
0x011bd7e4
0x011bd855
0x011bd744
0x011bd74a
0x011bd74c
0x011bd759
0x011bd75b
0x011bd75c
0x011bd76b
0x011bd794
0x011bd794
0x011bd7aa
0x011bd7aa

APIs

_wcslen.LIBCMT ref: 011BD745
GetWindowTextW.USER32 ref: 011BD776
lstrcmpW.KERNEL32(?,011B2D17), ref: 011BD788
SetWindowTextW.USER32(00000000,011B2D17), ref: 011BD794
GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 011BD7F2
FreeLibrary.KERNEL32(00000000), ref: 011BD83D

Strings

comctl32.dll, xrefs: 011BD7CB
DllGetVersion, xrefs: 011BD7EC

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: TextWindow$AddressFreeLibraryProc_wcslenlstrcmp
String ID: DllGetVersion$comctl32.dll
API String ID: 3894640525-3857068685
Opcode ID: 0d9ff941274ff0d544c3f372a6ddc9f66968ccb2f9262bbad81c1e3f3b0c5bb9
Instruction ID: 186b6476ce04b1fd45e18c4df247ec6807c840d901b765cf35032498c5aaddd2
Opcode Fuzzy Hash: 0d9ff941274ff0d544c3f372a6ddc9f66968ccb2f9262bbad81c1e3f3b0c5bb9
Instruction Fuzzy Hash: 7D311A75900219ABCF28FFA8DCC4BEEB7BCEF84715F410029FA0997240DB3499008BA5

Uniqueness

Uniqueness Score: -1.00%

Function 011BD482 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E011BD482(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, signed int _a4) {
				signed int _v8;
				char _v72;
				void _v100;
				intOrPtr _v104;
				signed int _t11;
				void* _t13;
				struct HDC__* _t18;
				char* _t23;
				signed int _t29;
				intOrPtr _t32;
				struct HDC__* _t33;
				signed short _t35;
				signed int _t36;

				_t11 =  *0x139eff4; // 0xdde28b47
				_v8 = _t11 ^ _t36;
				_t35 = 0xa;
				_t32 = __ecx;
				_t23 = L"System";
				_v104 = __ecx;
				_t13 = GetStockObject(0x11);
				if(_t13 != 0) {
					L2:
					if(GetObjectW(_t13, 0x5c,  &_v100) != 0) {
						_t23 =  &_v72;
						_t18 = GetDC(0);
						_t29 = _v100;
						_t33 = _t18;
						if(_t29 < 0) {
							_v100 =  ~_t29;
						}
						_t35 = MulDiv(_v100, 0x48, GetDeviceCaps(_t33, 0x5a)) & 0x0000ffff;
						ReleaseDC(0, _t33);
						_t32 = _v104;
					}
					L6:
					_t15 = _a4;
					if(_a4 == 0) {
						_t15 = _t35 & 0x0000ffff;
					}
					E011BD334(_t32, _t23, _t15);
					return E012E980C(_v8 ^ _t36);
				}
				_t13 = GetStockObject(0xd);
				if(_t13 == 0) {
					goto L6;
				}
				goto L2;
			}

0x011bd488
0x011bd48f
0x011bd497
0x011bd498
0x011bd49a
0x011bd4a1
0x011bd4a4
0x011bd4ac
0x011bd4ba
0x011bd4c9
0x011bd4cd
0x011bd4d0
0x011bd4d6
0x011bd4d9
0x011bd4dd
0x011bd4e1
0x011bd4e1
0x011bd4fc
0x011bd4ff
0x011bd505
0x011bd505
0x011bd508
0x011bd508
0x011bd50e
0x011bd510
0x011bd510
0x011bd517
0x011bd52c
0x011bd52c
0x011bd4b0
0x011bd4b8
0x00000000
0x00000000
0x00000000

APIs

GetStockObject.GDI32(00000011), ref: 011BD4A4
GetStockObject.GDI32(0000000D), ref: 011BD4B0
GetObjectW.GDI32(00000000,0000005C,?,?,?,00000000), ref: 011BD4C1
GetDC.USER32(00000000), ref: 011BD4D0
GetDeviceCaps.GDI32(00000000,0000005A), ref: 011BD4E7
MulDiv.KERNEL32(?,00000048,00000000), ref: 011BD4F3
ReleaseDC.USER32 ref: 011BD4FF

Strings

System, xrefs: 011BD49A, 011BD514

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: Object$Stock$CapsDeviceRelease
String ID: System
API String ID: 46613423-3470857405
Opcode ID: ed41e9343df37ade1f67bdd5e113dc802f538b7fbd37f411d57bffb4a8a31cef
Instruction ID: 85b1c9d722729f5ca875c2b38ced432b7d854ed8097adb1930665de04a0257ee
Opcode Fuzzy Hash: ed41e9343df37ade1f67bdd5e113dc802f538b7fbd37f411d57bffb4a8a31cef
Instruction Fuzzy Hash: 3C114571640319ABEF28AEA5EC4ABFE7B79FB45705F10002DFA0597284DB609801C751

Uniqueness

Uniqueness Score: -1.00%

Function 011F0560 Relevance: 13.7, APIs: 9, Instructions: 195
fileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E011F0560(void* __ecx, void* __fp0) {
				void* _t48;
				void* _t49;
				void* _t52;
				signed int _t54;
				signed char _t58;
				signed short _t59;
				long _t69;
				void* _t71;
				void* _t72;
				signed int _t74;
				void* _t91;
				signed int _t99;
				void* _t106;
				struct _SECURITY_ATTRIBUTES* _t107;
				void* _t113;
				WCHAR* _t115;
				WCHAR* _t116;
				void** _t117;
				intOrPtr* _t118;
				intOrPtr* _t119;
				void* _t121;
				void* _t126;

				_t126 = __fp0;
				_push(0xa38);
				E012EA0D7();
				_t91 = __ecx;
				_t115 =  *(_t121 + 8);
				_t107 = 0;
				if( *((intOrPtr*)(__ecx + 0x28)) == 0) {
					__eflags = _t115;
					if(_t115 == 0) {
						E011B1E69(__ecx);
					}
					E011BD6C7(_t91 + 0x8c);
					_t48 = E01144970(__eflags, _t115);
					 *(_t121 - 4) = _t107;
					_t49 = E01176CC0(_t48, _t121 - 0xa2c, "\\", _t107);
					__eflags = _t49 - 0xffffffff;
					if(_t49 == 0xffffffff) {
						_t71 = E01176CC0(_t49, _t121 - 0xa2c, 0x1339c50, _t107);
						__eflags = _t71 - 0xffffffff;
						if(_t71 == 0xffffffff) {
							_t104 = _t121 - 0xa2c;
							_t72 = E01176CC0(_t71, _t121 - 0xa2c, 0x13313b4, _t107);
							__eflags = _t72 - 0xffffffff;
							if(_t72 == 0xffffffff) {
								_t74 = GetModuleFileNameW(_t107, _t121 - 0x820, 0x104);
								__eflags = _t74;
								if(_t74 != 0) {
									E01303B36(_t121 - 0x820, _t121 - 0x18, 3, _t121 - 0x618, 0x100, _t107, _t107, _t107, _t107);
									_t107 = 0;
									__eflags = 0;
									E01303B36(_t115, 0, 0, 0, 0, _t121 - 0x418, 0x100, _t121 - 0x218, 0x100);
									_push(_t121 - 0x218);
									_push(_t121 - 0x418);
									E013038F8(_t104, _t121 - 0xa28, 0x104, _t121 - 0x18, _t121 - 0x618);
									E01144900(_t121 - 0xa2c, _t121 - 0xa28);
								}
							}
						}
					}
					__eflags =  *(_t121 + 0xc);
					if( *(_t121 + 0xc) <= 0) {
						L13:
						_t116 =  *(_t121 - 0xa2c);
						asm("sbb edi, edi");
						_t52 = LoadImageW( *(E011B72B6(_t116) + 8), _t116, 0, 0, 0, ( ~( *(_t91 + 0x34)) & 0x00001000) + 0x2010);
						_t117 = _t91 + 0x8c;
						 *_t117 = _t52;
						__eflags = _t52;
						if(_t52 == 0) {
							L12:
							E01144240( *(_t121 - 0xa2c) - 0x10);
							goto L1;
						}
						__eflags = GetObjectW(_t52, 0x18, _t121 - 0xa44);
						if(__eflags != 0) {
							 *(_t91 + 0x18) = 1;
							E01167F70(_t91 + 0x98, __eflags, _t121 - 0xa2c);
							_t58 = GetFileAttributesW( *(_t121 - 0xa2c));
							__eflags = _t58 & 0x00000001;
							if((_t58 & 0x00000001) != 0) {
								 *(_t91 + 0x24) = 1;
							}
							_t59 =  *((intOrPtr*)(_t121 - 0xa32));
							_t99 = _t59 & 0x0000ffff;
							 *(_t91 + 8) = _t99;
							_t106 = 0x20;
							__eflags = _t99 - 8;
							if(_t99 > 8) {
								__eflags = _t99 - _t106;
								if(_t99 < _t106) {
									E011F0B31(_t106, _t126, _t117, 0, 0xffffffff, 0xffffffff);
									_t59 =  *((intOrPtr*)(_t121 - 0xa32));
									_t106 = 0x20;
								}
							}
							__eflags = _t59 - _t106;
							if(_t59 >= _t106) {
								E011F16D0(_t91, 0, _t117,  *_t117,  *((intOrPtr*)(_t91 + 0x3c)));
							}
							E011F24B0(_t91);
							_t118 = _t91 + 0x90;
							E011BD6C7(_t118);
							 *_t118 = 0;
							_t119 = _t91 + 0x94;
							E011BD6C7(_t119);
							 *_t119 = 0;
							E01144240( &(( *(_t121 - 0xa2c))[0xfffffffffffffff8]));
							_t54 = 1;
							__eflags = 1;
							L24:
							E012EA081();
							return _t54;
						}
						DeleteObject( *_t117);
						 *_t117 = 0;
						goto L12;
					}
					_t113 = CreateFileW(_t115, 0x80000000, 1, _t107, 3, _t107, _t107);
					__eflags = _t113 - 0xffffffff;
					if(_t113 == 0xffffffff) {
						goto L13;
					}
					_t69 = GetFileSize(_t113, 0);
					CloseHandle(_t113);
					__eflags = _t69 -  *(_t121 + 0xc);
					if(_t69 <=  *(_t121 + 0xc)) {
						goto L13;
					}
					goto L12;
				}
				L1:
				_t54 = 0;
				goto L24;
			}

0x011f0560
0x011f0560
0x011f056a
0x011f056f
0x011f0571
0x011f0574
0x011f0579
0x011f0582
0x011f0584
0x011f0586
0x011f0586
0x011f0592
0x011f059e
0x011f05af
0x011f05b2
0x011f05b7
0x011f05ba
0x011f05cc
0x011f05d1
0x011f05d4
0x011f05e0
0x011f05e6
0x011f05eb
0x011f05ee
0x011f0601
0x011f0607
0x011f0609
0x011f062d
0x011f0641
0x011f0641
0x011f0649
0x011f0657
0x011f065e
0x011f0676
0x011f068b
0x011f068b
0x011f0609
0x011f05ee
0x011f05d4
0x011f0690
0x011f0694
0x011f06da
0x011f06dd
0x011f06e5
0x011f0703
0x011f0709
0x011f070f
0x011f0711
0x011f0713
0x011f06c7
0x011f06d0
0x00000000
0x011f06d0
0x011f0725
0x011f0727
0x011f073b
0x011f0749
0x011f0754
0x011f075a
0x011f075c
0x011f075e
0x011f075e
0x011f0765
0x011f076c
0x011f076f
0x011f0774
0x011f0775
0x011f0778
0x011f077a
0x011f077c
0x011f0784
0x011f0789
0x011f0792
0x011f0792
0x011f077c
0x011f0793
0x011f0796
0x011f079d
0x011f079d
0x011f07a4
0x011f07a9
0x011f07b0
0x011f07b5
0x011f07b7
0x011f07be
0x011f07cc
0x011f07ce
0x011f07d5
0x011f07d5
0x011f07d6
0x011f07d6
0x011f07db
0x011f07db
0x011f072b
0x011f0731
0x00000000
0x011f0731
0x011f06a9
0x011f06ab
0x011f06ae
0x00000000
0x00000000
0x011f06b3
0x011f06bc
0x011f06c2
0x011f06c5
0x00000000
0x00000000
0x00000000
0x011f06c5
0x011f057b
0x011f057b
0x00000000

APIs

__EH_prolog3_GS.LIBCMT ref: 011F056A
GetModuleFileNameW.KERNEL32(00000000,?,00000104,013313B4,00000000,01339C50,00000000,0132FFF0,00000000,?,?,00000A38,011F1539,?,00000000,00000038), ref: 011F0601
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,0132FFF0,00000000,?,?,00000A38,011F1539,?,00000000,00000038), ref: 011F06A3
GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,00000008), ref: 011F06B3
CloseHandle.KERNEL32(00000000,?,?,00000000,00000008), ref: 011F06BC

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: File$CloseCreateH_prolog3_HandleModuleNameSize
String ID:
API String ID: 2198494350-0
Opcode ID: 033f840abe31cc842367fb496ce01d9c6a5453b7221ea6b8f44584c3ef612285
Instruction ID: 7d0f8cd0749f7fb42b4fed3fab0b82a50bfa337fee1cf9a6add18b51feb6f460
Opcode Fuzzy Hash: 033f840abe31cc842367fb496ce01d9c6a5453b7221ea6b8f44584c3ef612285
Instruction Fuzzy Hash: 23610772900515AADB38AF24CC88FEF777CEF99724F1001ACF645A7181DB309A85CB61

Uniqueness

Uniqueness Score: -1.00%

Function 011C5C39 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 185
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 88%

			E011C5C39(void* __ebx, intOrPtr* _a4, signed short* _a8, intOrPtr _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				signed int _v20;
				intOrPtr _v24;
				void* __esi;
				void* __ebp;
				struct HICON__* _t47;
				struct HICON__* _t48;
				void* _t51;
				void* _t53;
				void* _t54;
				signed int _t57;
				signed int _t58;
				signed int _t62;
				void* _t63;
				signed int _t64;
				signed int _t65;
				void* _t66;
				void* _t68;
				intOrPtr* _t70;
				void* _t73;
				signed int _t75;
				void* _t77;
				void* _t78;
				intOrPtr _t83;
				void* _t84;
				intOrPtr* _t86;
				signed short* _t88;
				signed int* _t89;
				signed short* _t94;
				signed int _t97;
				intOrPtr _t99;
				void* _t102;

				_t94 = _a8;
				if(_t94 == 0) {
					L38:
					E011B1E69(_t70);
					asm("int3");
					_push(_t70);
					_push(_t70);
					_push(_t85);
					_t86 = _t70;
					if( *0x13a8d24 != 0) {
						L41:
						L012EA066();
						_t47 =  *((intOrPtr*)( *_t86 + 0xc))(0xe145, 0, 0,  &_v16, _t94);
					} else {
						_t48 = LoadCursorW(0, 0x7f8b);
						 *0x13a8d24 = _t48;
						if(_t48 != 0) {
							goto L41;
						} else {
							_t47 = LoadCursorW( *(E011B72B6(_t94) + 0xc), 0x7901);
							 *0x13a8d24 = _t47;
							if(_t47 != 0) {
								goto L41;
							}
						}
					}
					return _t47;
				} else {
					_t70 = _a12;
					if(_t70 == 0) {
						goto L38;
					} else {
						_t51 = 0x25;
						_t73 = 0;
						_v8 = 0x31;
						_t68 = 0;
						_t88 = _t94;
						_t83 = 0x39;
						_v24 = _t83;
						_v12 = 0x41;
						_v16 = 0x5a;
						if( *_t94 != 0) {
							_t99 = _a12;
							do {
								if( *_t88 != _t51) {
									L17:
									_t68 = _t68 + 1;
									_push(2);
								} else {
									_t64 = _t88[1] & 0x0000ffff;
									if(_t64 < _v8 || _t64 > _t83) {
										if(_t64 < _v12 || _t64 > _v16) {
											goto L17;
										} else {
											if(_t64 <= _t83) {
												goto L11;
											} else {
												_t65 = _t64 - 0x38;
											}
											goto L12;
										}
									} else {
										L11:
										_t65 = _t64 - 0x31;
										L12:
										if(_t65 < _a16) {
											if( *((intOrPtr*)(_t99 + _t65 * 4)) != 0) {
												_t66 = E013004F8( *((intOrPtr*)(_t99 + _t65 * 4)));
												_t68 = _t68 + _t66;
												_t73 = 0;
												_t83 = 0x39;
											}
										} else {
											_t68 = _t68 + 1;
										}
										_push(4);
									}
								}
								_pop(_t63);
								_t88 = _t88 + _t63;
								_t51 = 0x25;
							} while ( *_t88 != _t73);
							_t94 = _a8;
						}
						_t89 = E011444A0(_a4, _t68);
						_t84 = 0;
						while( *_t94 != _t84) {
							_t75 =  *_t94 & 0x0000ffff;
							_t53 = 0x25;
							if(_t75 != _t53) {
								L34:
								 *_t89 = _t75;
								_t89 =  &(_t89[0]);
								_t68 = _t68 - 1;
								_push(2);
							} else {
								_t57 = _t94[1] & 0x0000ffff;
								if(_t57 < _v8 || _t57 > _v24) {
									if(_t57 < _v12 || _t57 > _v16) {
										goto L34;
									} else {
										goto L26;
									}
								} else {
									L26:
									_t77 = 0x39;
									if(_t57 <= _t77) {
										_t78 = 0x31;
										_t58 = _t57 - _t78;
									} else {
										_t58 = _t57 - 0x38;
									}
									_v20 = _t58;
									if(_t58 < _a16) {
										_t79 = _a12;
										if( *((intOrPtr*)(_a12 + _t58 * 4)) != 0) {
											_t97 = E013004F8( *((intOrPtr*)(_t79 + _t58 * 4)));
											_t35 = _t68 + 1; // 0x1
											E011BB364(_t89, _t35,  *((intOrPtr*)(_a12 + _v20 * 4)));
											_t68 = _t68 - _t97;
											_t89 = _t89 + _t97 * 2;
											_t94 = _a8;
											_t102 = _t102 + 0x10;
											_t84 = 0;
										}
									} else {
										_t62 = 0x3f;
										 *_t89 = _t62;
										_t89 =  &(_t89[0]);
										_t68 = _t68 - 1;
									}
									_push(4);
								}
							}
							_pop(_t54);
							_t94 = _t94 + _t54;
							_a8 = _t94;
						}
						return E01167EE0(_a4, _t89 -  *_a4 >> 1);
					}
				}
			}

0x011c5c41
0x011c5c47
0x011c5daa
0x011c5daa
0x011c5daf
0x011c5db3
0x011c5db4
0x011c5dbc
0x011c5dbd
0x011c5dbf
0x011c5df4
0x011c5e07
0x011c5e0e
0x011c5dc1
0x011c5dc8
0x011c5dce
0x011c5dd5
0x00000000
0x011c5dd7
0x011c5de5
0x011c5deb
0x011c5df2
0x00000000
0x00000000
0x011c5df2
0x011c5dd5
0x011c5e16
0x011c5c4d
0x011c5c4d
0x011c5c52
0x00000000
0x011c5c58
0x011c5c5a
0x011c5c5b
0x011c5c5d
0x011c5c64
0x011c5c66
0x011c5c6a
0x011c5c6b
0x011c5c6e
0x011c5c75
0x011c5c7f
0x011c5c81
0x011c5c84
0x011c5c87
0x011c5cd3
0x011c5cd3
0x011c5cd4
0x011c5c89
0x011c5c89
0x011c5c91
0x011c5c9c
0x00000000
0x011c5ca4
0x011c5ca7
0x00000000
0x011c5ca9
0x011c5ca9
0x011c5ca9
0x00000000
0x011c5ca7
0x011c5cae
0x011c5cae
0x011c5cae
0x011c5cb1
0x011c5cb4
0x011c5cbd
0x011c5cc2
0x011c5cca
0x011c5ccc
0x011c5cce
0x011c5cce
0x011c5cb6
0x011c5cb6
0x011c5cb6
0x011c5ccf
0x011c5ccf
0x011c5c91
0x011c5cd6
0x011c5cd7
0x011c5cdb
0x011c5cdc
0x011c5ce1
0x011c5ce1
0x011c5ced
0x011c5cef
0x011c5d89
0x011c5cf6
0x011c5cfb
0x011c5cff
0x011c5d7a
0x011c5d7a
0x011c5d7d
0x011c5d80
0x011c5d81
0x011c5d01
0x011c5d01
0x011c5d09
0x011c5d15
0x00000000
0x00000000
0x00000000
0x00000000
0x011c5d1d
0x011c5d1d
0x011c5d1f
0x011c5d23
0x011c5d2c
0x011c5d2d
0x011c5d25
0x011c5d25
0x011c5d25
0x011c5d2f
0x011c5d35
0x011c5d43
0x011c5d4a
0x011c5d57
0x011c5d5f
0x011c5d64
0x011c5d69
0x011c5d6b
0x011c5d6e
0x011c5d71
0x011c5d74
0x011c5d74
0x011c5d37
0x011c5d39
0x011c5d3a
0x011c5d3d
0x011c5d40
0x011c5d40
0x011c5d76
0x011c5d76
0x011c5d09
0x011c5d83
0x011c5d84
0x011c5d86
0x011c5d86
0x011c5da7
0x011c5da7
0x011c5c52

APIs

_wcslen.LIBCMT ref: 011C5CC2
_wcslen.LIBCMT ref: 011C5D4F
LoadCursorW.USER32(00000000,00007F8B), ref: 011C5DC8
LoadCursorW.USER32(?,00007901), ref: 011C5DE5

Strings

Z, xrefs: 011C5C75
A, xrefs: 011C5C6E
1, xrefs: 011C5C5D

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: CursorLoad_wcslen
String ID: 1$A$Z
API String ID: 3485656099-2117984505
Opcode ID: 4f5cbbfffb804055bb3a6003f1d500bf1ec49b066a37a4cd28f679afdc92995f
Instruction ID: c9cbe962969df61cb0f736d43908633b3d48bd71467b163e13d702335be0b211
Opcode Fuzzy Hash: 4f5cbbfffb804055bb3a6003f1d500bf1ec49b066a37a4cd28f679afdc92995f
Instruction Fuzzy Hash: FE510531B0030AABDB6CAF68D8057BE77BAEB50B50F50855EE9019B184E7B07982C755

Uniqueness

Uniqueness Score: -1.00%

Function 011C08B3 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 50
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E011C08B3(intOrPtr _a4, int _a8, short* _a12, int _a16, short* _a20, int _a24) {
				_Unknown_base(*)()* _t13;
				struct HINSTANCE__* _t18;
				_Unknown_base(*)()* _t19;
				_Unknown_base(*)()* _t22;

				_t13 =  *0x13a8c88; // 0x0
				if(_t13 != 0) {
					__imp__DecodePointer(_t13);
					_t22 = _t13;
					L4:
					if(_t22 == 0) {
						L6:
						return CompareStringW(E011C11A6(_a4), _a8, _a12, _a16, _a20, _a24);
					}
					L012EA066();
					return  *_t22(_a4, _a8, _a12, _a16, _a20, _a24, 0, 0, 0);
				}
				_t18 = GetModuleHandleW(L"kernel32.dll");
				if(_t18 == 0) {
					goto L6;
				}
				_t19 = GetProcAddress(_t18, "CompareStringEx");
				_t22 = _t19;
				__imp__EncodePointer(_t22);
				 *0x13a8c88 = _t19;
				goto L4;
			}

0x011c08b6
0x011c08be
0x011c08ec
0x011c08f2
0x011c08f4
0x011c08f6
0x011c091a
0x00000000
0x011c0933
0x011c0911
0x00000000
0x011c0916
0x011c08c5
0x011c08cd
0x00000000
0x00000000
0x011c08d5
0x011c08db
0x011c08de
0x011c08e4
0x00000000

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?,011A9B8B,0132FFB4,00000001,?,000000FF,?,000000FF,?,?,011A73AB,000FC000,00000010,00000040), ref: 011C08C5
GetProcAddress.KERNEL32(00000000,CompareStringEx), ref: 011C08D5
EncodePointer.KERNEL32(00000000,?,011A9B8B,0132FFB4,00000001,?,000000FF,?,000000FF,?,?,011A73AB,000FC000,00000010,00000040,011A75AB), ref: 011C08DE
DecodePointer.KERNEL32(00000000,00000000,?,011A9B8B,0132FFB4,00000001,?,000000FF,?,000000FF,?,?,011A73AB,000FC000,00000010,00000040), ref: 011C08EC
CompareStringW.KERNEL32(00000000,?,00000000,?,?,?,?,011A9B8B,0132FFB4,00000001,?,000000FF,?,000000FF,?,?), ref: 011C0933

Strings

CompareStringEx, xrefs: 011C08CF
kernel32.dll, xrefs: 011C08C0

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: Pointer$AddressCompareDecodeEncodeHandleModuleProcString
String ID: CompareStringEx$kernel32.dll
API String ID: 866791306-948622644
Opcode ID: 4145448eaf5b7449156c2af75d325ebc17af5854aa9d4a2760857178d006a131
Instruction ID: f056d120f4ae1f6942ace48ecf7760706744e2288b712326bc326198b548da10
Opcode Fuzzy Hash: 4145448eaf5b7449156c2af75d325ebc17af5854aa9d4a2760857178d006a131
Instruction Fuzzy Hash: 5501D33654021AFFDF262FA5DC09DAF7FADEB18B51B044428FA0592224DB318961DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 011F1793 Relevance: 12.2, APIs: 8, Instructions: 183
windowCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E011F1793(void* __ecx) {
				void* _t58;
				void* _t59;
				void* _t61;
				void* _t62;
				void* _t63;
				void* _t64;
				void* _t68;
				struct HBITMAP__* _t75;
				void* _t77;
				void* _t80;
				void* _t85;
				void* _t86;
				void* _t88;
				void* _t90;
				void* _t93;
				void** _t94;
				void** _t95;
				void* _t97;
				void* _t105;
				void* _t109;
				void* _t110;
				void* _t111;
				void* _t112;

				_push(0x18);
				E012EA0A3();
				_t111 = __ecx;
				_t110 = 0;
				if( *((intOrPtr*)(__ecx + 0x8c)) != 0) {
					__eflags =  *0x13a94f8 - _t110; // 0x0
					if(__eflags != 0) {
						EnterCriticalSection(0x13a953c);
					}
					_t93 =  *(_t112 + 0x14);
					__eflags = _t93;
					if(_t93 == 0) {
						L8:
						__eflags =  *((intOrPtr*)(_t111 + 8)) - 0x20;
						if( *((intOrPtr*)(_t111 + 8)) < 0x20) {
							__eflags =  *((intOrPtr*)(_t111 + 0x94)) - _t110;
							if( *((intOrPtr*)(_t111 + 0x94)) == _t110) {
								_t88 = E011C5385();
								__eflags =  *((intOrPtr*)(_t88 + 0x54)) - _t110;
								if( *((intOrPtr*)(_t88 + 0x54)) != _t110) {
									_t90 = E011F04B0(E011C5322());
									__eflags = _t90;
									if(_t90 == 0) {
										E011F2623(_t111, 1);
									}
								}
							}
						}
						L13:
						_t97 =  *(_t111 + 0x90);
						 *(_t111 + 0x20) = _t110;
						__eflags = _t97;
						if(_t97 == 0) {
							L17:
							_t93 = _t110;
							L18:
							_t109 =  *(_t111 + 0x8c);
							 *(_t111 + 0x2c) = _t93;
							__eflags = _t109;
							if(_t109 != 0) {
								L20:
								_t58 = _t111 + 0x44;
								__eflags = _t58;
								if(_t58 != 0) {
									_t59 =  *(_t58 + 4);
								} else {
									_t59 = _t110;
								}
								__eflags = _t59;
								if(_t59 != 0) {
									goto L19;
								} else {
									_t61 = _t111 + 0x9c;
									__eflags = _t61;
									if(_t61 != 0) {
										_t18 = _t61 + 4; // 0x11ed423
										_t62 =  *_t18;
									} else {
										_t62 = _t110;
									}
									__eflags = _t62;
									if(_t62 != 0) {
										goto L19;
									} else {
										__eflags =  *(_t111 + 0xa4) - _t110;
										if( *(_t111 + 0xa4) != _t110) {
											goto L19;
										}
										__eflags = _t93;
										if(_t93 == 0) {
											L31:
											_t97 = _t109;
											L32:
											_t63 = SelectObject( *0x13a9524, _t97);
											_t94 =  *(_t112 + 8);
											_t94[2] = _t63;
											__eflags = _t63;
											if(_t63 != 0) {
												__eflags =  *((intOrPtr*)(_t111 + 0x40)) - _t110;
												if( *((intOrPtr*)(_t111 + 0x40)) == _t110) {
													L39:
													_t64 =  *(_t112 + 0xc);
													__eflags = _t64;
													if(_t64 <= 0) {
														L42:
														_t95 = _t111 + 0x64;
														 *_t95 =  *(_t111 + 0x54);
														_t95[1] =  *(_t111 + 0x58);
														L43:
														__eflags =  *((intOrPtr*)(_t111 + 8)) - 0x20;
														if( *((intOrPtr*)(_t111 + 8)) != 0x20) {
															 *(_t112 - 0x10) =  *(_t111 + 0xa8);
														} else {
															 *(_t112 - 0x10) =  *(_t112 - 0x10) | 0xffffffff;
														}
														_t68 = E011C1813(_t95,  *(_t111 + 0x54),  *(_t111 + 0x58));
														__eflags = _t68;
														if(_t68 != 0) {
															L48:
															_push(_t110);
															E011B85AB(_t112 - 0x24, _t109);
															 *(_t112 - 4) = _t110;
															 *(_t111 + 0x20) = E011C1813(_t95,  *(_t111 + 0x54),  *(_t111 + 0x58));
															E011B8E5C(_t111 + 0x44, CreateCompatibleDC(_t110));
															_t75 = CreateCompatibleBitmap( *(_t112 - 0x20),  *(_t111 + 0x54) + 2,  *(_t111 + 0x58) + 2);
															_t93 = _t111 + 0x9c;
															_t97 = _t93;
															E011B8E9D(_t97, _t109, _t110, _t75);
															__eflags = _t93;
															if(_t93 != 0) {
																_t53 = _t93 + 4; // 0x11ed423
																_t110 =  *_t53;
															}
															_t77 = E011B9645( *((intOrPtr*)(_t111 + 0x48)), _t110);
															 *(_t111 + 0xa4) = _t77;
															__eflags = _t77;
															if(_t77 == 0) {
																goto L19;
															} else {
																E011B8705(_t112 - 0x24, _t109);
																goto L52;
															}
														} else {
															__eflags =  *(_t112 - 0x10) - 0xffffffff;
															if( *(_t112 - 0x10) == 0xffffffff) {
																L52:
																_t80 = 1;
																__eflags = 1;
																L53:
																E012EA06C();
																return _t80;
															}
															goto L48;
														}
													}
													_t105 =  *(_t112 + 0x10);
													__eflags = _t105;
													if(_t105 <= 0) {
														goto L42;
													}
													_t95 = _t111 + 0x64;
													 *_t95 = _t64;
													_t95[1] = _t105;
													goto L43;
												}
												_t85 = CreateBitmap( *(_t111 + 0x54) + 2,  *(_t111 + 0x58) + 2, 1, 1, _t110);
												 *_t94 = _t85;
												_t86 = SelectObject( *0x13a9528, _t85);
												_t94[1] = _t86;
												__eflags =  *_t94 - _t110;
												if( *_t94 == _t110) {
													L38:
													E011BD6C7(_t94);
													goto L33;
												}
												__eflags = _t86;
												if(_t86 != 0) {
													goto L39;
												}
												goto L38;
											}
											L33:
											__eflags =  *0x13a94f8 - _t110; // 0x0
											if(__eflags != 0) {
												LeaveCriticalSection(0x13a953c);
											}
											goto L1;
										}
										__eflags =  *((intOrPtr*)(_t111 + 8)) - 0x20;
										if( *((intOrPtr*)(_t111 + 8)) < 0x20) {
											goto L32;
										}
										goto L31;
									}
								}
							}
							L19:
							E011B1E69(_t97);
							goto L20;
						}
						__eflags =  *((intOrPtr*)(_t111 + 8)) - 4;
						if( *((intOrPtr*)(_t111 + 8)) <= 4) {
							L16:
							__eflags =  *((intOrPtr*)(_t111 + 8)) - _t110;
							if( *((intOrPtr*)(_t111 + 8)) != _t110) {
								goto L18;
							}
							goto L17;
						}
						__eflags =  *((intOrPtr*)(_t111 + 0x38)) - _t110;
						if( *((intOrPtr*)(_t111 + 0x38)) == _t110) {
							goto L17;
						}
						goto L16;
					}
					__eflags =  *((intOrPtr*)(_t111 + 8)) - 0x20;
					if( *((intOrPtr*)(_t111 + 8)) >= 0x20) {
						goto L13;
					} else {
						__eflags =  *(_t111 + 0x90) - _t110;
						if( *(_t111 + 0x90) == _t110) {
							E011F2623(_t111, _t110);
						}
						goto L8;
					}
				}
				L1:
				_t80 = 0;
				goto L53;
			}

0x011f1793
0x011f179a
0x011f179f
0x011f17a1
0x011f17a9
0x011f17b2
0x011f17b8
0x011f17bf
0x011f17bf
0x011f17c5
0x011f17c8
0x011f17ca
0x011f17e2
0x011f17e2
0x011f17e6
0x011f17e8
0x011f17ee
0x011f17f0
0x011f17f5
0x011f17f8
0x011f1801
0x011f1806
0x011f1808
0x011f180e
0x011f180e
0x011f1808
0x011f17f8
0x011f17ee
0x011f1813
0x011f1813
0x011f1819
0x011f181c
0x011f181e
0x011f1830
0x011f1830
0x011f1832
0x011f1832
0x011f1838
0x011f183b
0x011f183d
0x011f1844
0x011f1844
0x011f1847
0x011f1849
0x011f184f
0x011f184b
0x011f184b
0x011f184b
0x011f1852
0x011f1854
0x00000000
0x011f1856
0x011f1856
0x011f185c
0x011f185e
0x011f1864
0x011f1864
0x011f1860
0x011f1860
0x011f1860
0x011f1867
0x011f1869
0x00000000
0x011f186b
0x011f186b
0x011f1871
0x00000000
0x00000000
0x011f1873
0x011f1875
0x011f187d
0x011f187d
0x011f187f
0x011f1886
0x011f188c
0x011f188f
0x011f1892
0x011f1894
0x011f18b2
0x011f18b5
0x011f18f2
0x011f18f2
0x011f18f5
0x011f18f7
0x011f190a
0x011f190d
0x011f1910
0x011f1915
0x011f1918
0x011f1918
0x011f191c
0x011f192a
0x011f191e
0x011f191e
0x011f191e
0x011f1935
0x011f193a
0x011f193c
0x011f1944
0x011f1944
0x011f1948
0x011f1952
0x011f195e
0x011f196b
0x011f1981
0x011f1987
0x011f198e
0x011f1990
0x011f1995
0x011f1997
0x011f1999
0x011f1999
0x011f1999
0x011f19a0
0x011f19a5
0x011f19ab
0x011f19ad
0x00000000
0x011f19b3
0x011f19b6
0x00000000
0x011f19b6
0x011f193e
0x011f193e
0x011f1942
0x011f19bb
0x011f19bd
0x011f19bd
0x011f19be
0x011f19be
0x011f19c3
0x011f19c3
0x00000000
0x011f1942
0x011f193c
0x011f18f9
0x011f18fc
0x011f18fe
0x00000000
0x00000000
0x011f1900
0x011f1903
0x011f1905
0x00000000
0x011f1905
0x011f18ca
0x011f18d7
0x011f18d9
0x011f18df
0x011f18e2
0x011f18e4
0x011f18ea
0x011f18eb
0x00000000
0x011f18eb
0x011f18e6
0x011f18e8
0x00000000
0x00000000
0x00000000
0x011f18e8
0x011f1896
0x011f1896
0x011f189c
0x011f18a7
0x011f18a7
0x00000000
0x011f189c
0x011f1877
0x011f187b
0x00000000
0x00000000
0x00000000
0x011f187b
0x011f1869
0x011f1854
0x011f183f
0x011f183f
0x00000000
0x011f183f
0x011f1820
0x011f1824
0x011f182b
0x011f182b
0x011f182e
0x00000000
0x00000000
0x00000000
0x011f182e
0x011f1826
0x011f1829
0x00000000
0x00000000
0x00000000
0x011f1829
0x011f17cc
0x011f17d0
0x00000000
0x011f17d2
0x011f17d2
0x011f17d8
0x011f17dd
0x011f17dd
0x00000000
0x011f17d8
0x011f17d0
0x011f17ab
0x011f17ab
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 011F179A
EnterCriticalSection.KERNEL32(013A953C,00000018,0121FF8A,?,?,00000007,00000000,?,00000000,?,?,?,?,00000000,?,?), ref: 011F17BF
SelectObject.GDI32(?,00000018), ref: 011F1886
LeaveCriticalSection.KERNEL32(013A953C,?,?,00000018,0121FF8A,?,?,00000007,00000000,?,00000000,?,?,?,?,00000000), ref: 011F18A7
CreateBitmap.GDI32(0000000E,0000000D,00000001,00000001,00000000), ref: 011F18CA
SelectObject.GDI32(00000000), ref: 011F18D9
CreateCompatibleDC.GDI32(00000000), ref: 011F1961
CreateCompatibleBitmap.GDI32(?,0000000E,0000000D), ref: 011F1981

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: Create$BitmapCompatibleCriticalObjectSectionSelect$EnterH_prolog3Leave
String ID:
API String ID: 4255533662-0
Opcode ID: ff51492c583d900225a4c6299f66ed8e7f48fafe18f4e8babce90e46ec7e21fa
Instruction ID: b6ced8ca2699d14e7f75ac59caba8578d01fc3d8ad4b77d741f11e81e95a3206
Opcode Fuzzy Hash: ff51492c583d900225a4c6299f66ed8e7f48fafe18f4e8babce90e46ec7e21fa
Instruction Fuzzy Hash: 3D617E31600B02EFDB3DDF69CA80AA6B7F5FF54718F14892DDA9A96251E770E440CB11

Uniqueness

Uniqueness Score: -1.00%

Function 011BEF72 Relevance: 12.1, APIs: 8, Instructions: 101
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 74%

			E011BEF72(long __ecx) {
				int _t36;
				long* _t38;
				long _t39;
				void* _t40;
				long _t48;
				signed int _t49;
				int _t50;
				void* _t54;
				void* _t56;
				void* _t58;
				struct _CRITICAL_SECTION* _t59;
				void* _t61;
				long* _t62;
				void* _t63;

				_t51 = __ecx;
				_push(0x10);
				_t36 = 0x1320317;
				E012EA10E();
				_t62 = __ecx;
				 *(_t63 - 0x18) = __ecx;
				_t59 = __ecx + 0x1c;
				 *(_t63 - 0x14) = _t59;
				EnterCriticalSection(_t59);
				_t49 =  *(_t63 + 8);
				if(_t49 <= 0 || _t49 >= _t62[3]) {
					LeaveCriticalSection(_t59);
				} else {
					_t36 = TlsGetValue( *_t62);
					if(0x1320317 == 0) {
						_t50 = 0;
						 *(_t63 - 4) = 0;
						_t61 = E011BEA3D(0x10);
						__eflags = _t61;
						if(_t61 == 0) {
							_t61 = 0;
						} else {
							 *_t61 = 0x1333fc4;
						}
						_t9 = _t63 - 4;
						 *_t9 =  *(_t63 - 4) | 0xffffffff;
						__eflags =  *_t9;
						 *(_t61 + 8) = _t50;
						 *(_t61 + 0xc) = _t50;
						_t38 = E011BEE9E( &(_t62[5]), _t61);
						_t51 = _t62[5];
						 *_t38 = _t62[5];
						_t62[5] = _t61;
						_t62 =  *(_t63 - 0x18);
						goto L10;
					} else {
						if(_t49 >=  *0x0132031F &&  *(_t63 + 0xc) != 0) {
							_t50 = 0;
							L10:
							_t71 =  *(_t61 + 0xc) - _t50;
							if( *(_t61 + 0xc) != _t50) {
								_t39 = E011B2297(_t50, _t51, _t61, _t62, __eflags, _t62[3], 4);
								_t54 = 2;
								_t40 = LocalReAlloc( *(_t61 + 0xc), _t39, ??);
							} else {
								_t48 = E011B2297(_t50, _t51, _t61, _t62, _t71, _t62[3], 4);
								_pop(_t54);
								_t40 = LocalAlloc(_t50, _t48);
							}
							_t58 = _t40;
							if(_t58 == 0) {
								LeaveCriticalSection( *(_t63 - 0x14));
								E011B1E83(_t54);
							}
							 *(_t61 + 0xc) = _t58;
							E012EE6E0(_t61, _t58 +  *(_t61 + 8) * 4, _t50, _t62[3] -  *(_t61 + 8) << 2);
							 *(_t61 + 8) = _t62[3];
							_t36 = TlsSetValue( *_t62, _t61);
							_t49 =  *(_t63 + 8);
						}
					}
					_t56 =  *(_t61 + 0xc);
					if(_t56 != 0 && _t49 <  *(_t61 + 8)) {
						_t36 =  *(_t63 + 0xc);
						 *(_t56 + _t49 * 4) = _t36;
					}
					LeaveCriticalSection( *(_t63 - 0x14));
				}
				E012EA06C();
				return _t36;
			}

0x011bef72
0x011bef72
0x011bef74
0x011bef79
0x011bef7e
0x011bef80
0x011bef83
0x011bef87
0x011bef8a
0x011bef90
0x011bef95
0x011bf0a6
0x011befa4
0x011befa6
0x011befb0
0x011befc9
0x011befcd
0x011befd5
0x011befd7
0x011befd9
0x011befe3
0x011befdb
0x011befdb
0x011befdb
0x011befe5
0x011befe5
0x011befe5
0x011befed
0x011beff0
0x011beff3
0x011beff8
0x011beffb
0x011beffd
0x011bf000
0x00000000
0x011befb2
0x011befb5
0x011befc5
0x011bf003
0x011bf003
0x011bf006
0x011bf025
0x011bf02b
0x011bf030
0x011bf008
0x011bf00d
0x011bf013
0x011bf016
0x011bf016
0x011bf036
0x011bf03a
0x011bf03f
0x011bf045
0x011bf045
0x011bf04d
0x011bf05e
0x011bf069
0x011bf06f
0x011bf075
0x011bf075
0x011befb5
0x011bf078
0x011bf07d
0x011bf084
0x011bf087
0x011bf087
0x011bf0a6
0x011bf0a6
0x011bf0ac
0x011bf0b1

APIs

__EH_prolog3_catch.LIBCMT ref: 011BEF79
EnterCriticalSection.KERNEL32(?,00000010,011BEE7A,?,00000000,?,00000004,011B72C5,011AAD96,011B0DA3,?,011B2DC7,00000004,011B3AD3,00000120,0115D911), ref: 011BEF8A
TlsGetValue.KERNEL32(?,?,00000000,?,00000004,011B72C5,011AAD96,011B0DA3,?,011B2DC7,00000004,011B3AD3,00000120,0115D911,00000000,013FDC00), ref: 011BEFA6
LocalAlloc.KERNEL32(00000000,00000000,00000000,00000010,?,?,00000000,?,00000004,011B72C5,011AAD96,011B0DA3,?,011B2DC7,00000004,011B3AD3), ref: 011BF016
LocalReAlloc.KERNEL32(?,00000000,00000002,00000000,00000010,?,?,00000000,?,00000004,011B72C5,011AAD96,011B0DA3,?,011B2DC7,00000004), ref: 011BF030
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,011B72C5,011AAD96,011B0DA3,?,011B2DC7,00000004,011B3AD3,00000120,0115D911,00000000), ref: 011BF03F
TlsSetValue.KERNEL32(?,00000000), ref: 011BF06F
LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,011B72C5,011AAD96,011B0DA3,?,011B2DC7,00000004,011B3AD3,00000120,0115D911,00000000,013FDC00), ref: 011BF0A6

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: CriticalSection$AllocLeaveLocalValue$EnterH_prolog3_catch
String ID:
API String ID: 2715462074-0
Opcode ID: 0850c464f8221c2c6cf9f11229017282f4c70f0677ffa4575b835f5b814c1739
Instruction ID: 4e0bd996cbc988e0b79b788f23de6d1d30166f5e167935cc1417836aa9ae2779
Opcode Fuzzy Hash: 0850c464f8221c2c6cf9f11229017282f4c70f0677ffa4575b835f5b814c1739
Instruction Fuzzy Hash: 47318670500707EFDB39AF24C8C5AAAFBB6FF44314B20862DE516976A0CB31A915CF91

Uniqueness

Uniqueness Score: -1.00%

Function 011E6107 Relevance: 12.1, APIs: 8, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E011E6107(void* __ecx) {
				int _t14;
				int _t17;
				void _t19;
				void* _t24;
				void* _t27;
				void* _t28;
				void* _t29;
				void* _t30;

				_t27 = __ecx;
				 *((intOrPtr*)(__ecx + 0xc)) = 1;
				 *((intOrPtr*)(_t27 + 0x114)) = GetSystemMetrics(0x31);
				_t14 = GetSystemMetrics(0x32);
				_t3 = _t27 + 0x16c; // 0x13a938c
				_t28 = _t3;
				 *(_t27 + 0x118) = _t14;
				SetRectEmpty(_t28);
				if(EnumDisplayMonitors(0, 0, 0x11e5f9b, _t28) == 0) {
					SystemParametersInfoW(0x30, 0, _t28, 0);
				}
				_t17 = 0;
				_t5 = _t27 + 0x190; // 0x13a93b0
				_t29 = _t5;
				_t6 = _t27 + 0x194; // 0x13a93b4
				_t24 = _t6;
				 *0x13a920c = 0;
				 *_t29 = 0;
				 *_t24 = 0;
				if( *((intOrPtr*)(_t27 + 0x180)) == 0) {
					SystemParametersInfoW(0x1002, 0, _t29, 0);
					_t17 = 0;
					if( *_t29 != 0) {
						SystemParametersInfoW(0x1012, 0, _t24, 0);
						_t17 = 0;
					}
				}
				_t8 = _t27 + 0x1a4; // 0x13a93c4
				_t30 = _t8;
				 *(_t27 + 0x1c8) = _t17;
				 *((intOrPtr*)(_t27 + 0x1a8)) = 1;
				SystemParametersInfoW(0x100a, _t17, _t30, _t17);
				_t19 =  *_t30;
				 *((intOrPtr*)(_t27 + 0xc)) = 0;
				 *(_t27 + 0x1a0) = _t19;
				return _t19;
			}

0x011e610a
0x011e610e
0x011e611d
0x011e6123
0x011e6129
0x011e6129
0x011e612f
0x011e6136
0x011e614e
0x011e6155
0x011e6155
0x011e615b
0x011e615d
0x011e615d
0x011e6163
0x011e6163
0x011e6169
0x011e616e
0x011e6170
0x011e6178
0x011e6182
0x011e6188
0x011e618c
0x011e6196
0x011e619c
0x011e619c
0x011e618c
0x011e619f
0x011e619f
0x011e61a5
0x011e61b2
0x011e61bc
0x011e61c2
0x011e61c6
0x011e61c9
0x011e61d2

APIs

GetSystemMetrics.USER32 ref: 011E6115
GetSystemMetrics.USER32 ref: 011E6123
SetRectEmpty.USER32(013A938C), ref: 011E6136
EnumDisplayMonitors.USER32(00000000,00000000,011E5F9B,013A938C), ref: 011E6146
SystemParametersInfoW.USER32(00000030,00000000,013A938C,00000000), ref: 011E6155
SystemParametersInfoW.USER32(00001002,00000000,013A93B0,00000000), ref: 011E6182
SystemParametersInfoW.USER32(00001012,00000000,013A93B4,00000000), ref: 011E6196
SystemParametersInfoW.USER32(0000100A,00000000,013A93C4,00000000), ref: 011E61BC

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: System$InfoParameters$Metrics$DisplayEmptyEnumMonitorsRect
String ID:
API String ID: 2614369430-0
Opcode ID: 74746a705b041f66aceca575f9156ec1b455d123048212d5c0ca6c4f3b0552f4
Instruction ID: 83d62ea9880bdf7360264b12e13a21dfdaf2ea9225c1a312f9a94af9dff9dfd8
Opcode Fuzzy Hash: 74746a705b041f66aceca575f9156ec1b455d123048212d5c0ca6c4f3b0552f4
Instruction Fuzzy Hash: 4E2156B0201616BFF3259FB58889BE3BBECFF08345F104129FA58C6141E7B0A850CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0125C7E8 Relevance: 10.8, APIs: 7, Instructions: 291
windowCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E0125C7E8(void* __ebx, void* __ecx, void* __edi, void* __esi, signed int _a4, intOrPtr _a8) {
				int _v0;
				intOrPtr _v4;
				signed int _v12;
				struct tagRECT _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				int _v52;
				void* __ebp;
				void* _t83;
				signed int _t84;
				signed int _t88;
				signed int _t94;
				signed int _t96;
				intOrPtr* _t98;
				signed int _t104;
				signed int _t105;
				signed int _t118;
				signed int _t121;
				int _t123;
				signed int _t124;
				void* _t126;
				signed int _t128;
				signed int _t131;
				signed int _t132;
				signed int _t133;
				signed int _t134;
				signed int _t137;
				signed int _t138;
				signed int _t141;
				void* _t144;
				int _t153;
				signed int _t183;
				signed int _t184;
				signed int _t186;
				int _t188;
				void* _t192;
				signed int _t194;
				signed int _t195;
				signed int _t199;
				signed int _t200;
				signed int _t203;
				signed int _t206;
				signed int _t207;
				intOrPtr _t212;

				_t144 = __ebx;
				_t192 = __ecx;
				_push(__edi);
				if( *((intOrPtr*)(__ecx + 4)) != 0) {
					_t83 = L011A7024( *((intOrPtr*)(__ecx + 4)));
					 *(_t192 + 4) =  *(_t192 + 4) & 0x00000000;
				}
				_t212 = _a8;
				_t186 = _a4;
				if(_t212 == 0) {
					L5:
					 *(_t192 + 8) = _t186;
					return _t83;
				} else {
					_t84 = _t186;
					_t183 = 4;
					_t184 = _t84 * _t183 >> 0x20;
					_push( ~(_t212 > 0) | _t84 * _t183);
					_t153 = E011A701B( ~(_t212 > 0) | _t84 * _t183, _t212);
					 *(_t192 + 4) = _t153;
					if(_t153 == 0) {
						E011B1E69(_t153);
						asm("int3");
						_t206 = _t207;
						_t88 =  *0x139eff4; // 0xdde28b47
						_v28.right = _t88 ^ _t206;
						_push(_t144);
						_push(_t192);
						_push(_t186);
						_t188 = _t153;
						_v48 = _v4;
						_v52 = _t188;
						_t194 = E011BCE42(0x139e794, E011AB22F(_t153, _t184, GetParent( *(_t188 + 0x20))));
						_v44 = _t194;
						__eflags = _t194;
						if(_t194 == 0) {
							L8:
							_t156 = _t188;
							_t94 = E011AB4A1(_t188);
						} else {
							_t94 =  *(_t194 + 0x134);
							__eflags = _t94;
							if(_t94 == 0) {
								goto L8;
							}
						}
						SendMessageW( *(_t94 + 0x20), 0x362, 0xe001, 0);
						__eflags = _t194;
						if(_t194 != 0) {
							_t137 = _t194;
							_t203 = 0;
							_v32 = _t137;
							while(1) {
								_t138 =  *(_t137 + 0x158);
								__eflags = _t138;
								if(_t138 == 0) {
									break;
								}
								_t141 = E011BCE42(0x139e628,  *((intOrPtr*)(_t138 + 0x6c)));
								_t156 = _v32;
								_t203 = _t141;
								_t137 = E01226A30(_v32, _t184);
								_v32 = _t137;
								__eflags = _t137;
								if(_t137 != 0) {
									continue;
								}
								break;
							}
							_v32 = _t203;
							__eflags = _t203;
							if(_t203 != 0) {
								L012EA066();
								_t156 = _v32;
								 *((intOrPtr*)( *((intOrPtr*)( *_t203 + 0x360))))();
							}
						}
						_t195 = _v0;
						__eflags = _t195;
						if(__eflags != 0) {
							E0125E55B(_t188, _t184, __eflags, 1);
							E0128FF73(_t188);
							_t156 = 1;
							__eflags =  *(_t188 + 0xd80);
							if( *(_t188 + 0xd80) == 0) {
								__eflags =  *(_t188 + 0xd70);
								if( *(_t188 + 0xd70) != 0) {
									_t118 =  *0x13aabb4; // 0x0
									__eflags = _t118;
									if(_t118 != 0) {
										 *(_t118 + 0x58) = _t195;
									}
								} else {
									_t121 = E011BCE42(0x139e794, E011AB22F(_t156, _t184, GetParent( *(_t188 + 0x20))));
									_v36 = _t121;
									_pop(_t156);
									__eflags = _t121;
									if(_t121 == 0) {
										L26:
										E011FB9BB(_t184, _t195);
										_t123 = _v36;
										__eflags = _t123;
										if(_t123 != 0) {
											_t156 = _t123;
											_t124 = E01228AF2(_t123, _t195);
											__eflags = _t124;
											if(_t124 == 0) {
												_t156 =  *0x13ab010;
												__eflags =  *0x13ab010;
												if(__eflags == 0) {
													L30:
													__eflags = 0x1ef - _t195 - 0xf000;
													asm("sbb esi, esi");
													_t126 = E011AB4A1(_t188);
													_t156 = _t195 + 0x112;
													PostMessageW( *(_t126 + 0x20), _t195 + 0x112, _v0, 0);
													_t200 = _v36;
													_t53 = _t200 + 0x116c; // 0xf9820ee8
													_t128 =  *_t53;
													_v36 = _t128;
													__eflags = _t128;
													if(_t128 == 0) {
														goto L19;
													} else {
														E0126D417(_t128, _t184, 0);
														_t156 = _v36;
														 *(_t200 + 0x116c) = 0;
														_t195 = _v0;
														E0126CFEC(_v36, _t188, _t195, _t195);
													}
												} else {
													_t131 = E0125B0F8(_t156, __eflags, _t195);
													__eflags = _t131;
													if(_t131 == 0) {
														goto L30;
													}
												}
											}
										}
									} else {
										_t132 = E011BCE42(0x139eab4,  *((intOrPtr*)(_t121 + 0x158)));
										_v32 = _t132;
										_pop(_t156);
										__eflags = _t132;
										if(_t132 == 0) {
											goto L26;
										} else {
											L012EA066();
											_t156 = _v32;
											_t133 =  *((intOrPtr*)( *((intOrPtr*)( *_t132 + 0xfc))))(_t188, _v40);
											_t195 = _v0;
											__eflags = _t133;
											if(_t133 == 0) {
												goto L26;
											}
										}
									}
								}
							} else {
								_t134 = _v36;
								__eflags = _t134;
								if(_t134 != 0) {
									L012EA066();
									_t156 = _v36;
									 *((intOrPtr*)( *((intOrPtr*)( *_t134 + 0x200))))(_t195);
									L19:
									_t195 = _v0;
								}
							}
						}
						_t96 = _v40;
						__eflags = _t96;
						if(_t96 != 0) {
							_t156 = _t188;
							 *0x139e92c = E011FC600(0, _t188, _t96);
						} else {
							 *0x139e92c =  *0x139e92c | 0xffffffff;
						}
						__eflags =  *(_t188 + 0xd78);
						if( *(_t188 + 0xd78) != 0) {
							_t104 = E011BCE42(0x139e794, E011AB22F(_t156, _t184, GetParent( *(_t188 + 0x20))));
							__eflags = _t104;
							if(_t104 != 0) {
								_t105 =  *(_t104 + 0x158);
								_v40 = _t105;
								__eflags = _t105;
								if(_t105 != 0) {
									__eflags =  *(_t105 + 0x6c);
									if( *(_t105 + 0x6c) != 0) {
										 *(_t105 + 0x20) = _t195;
										L012EA066();
										 *((intOrPtr*)( *_t105 + 0xc0))(E01234C6F(E01234CA7(), _v0, 0));
										_t199 = _v40;
										_v28.left = 0;
										_v28.top = 0;
										_v28.right = 0;
										_v28.bottom = 0;
										E0127EC2B(_t199,  &_v28);
										InvalidateRect( *( *((intOrPtr*)(_t199 + 0x6c)) + 0x20),  &_v28, 1);
										UpdateWindow( *( *((intOrPtr*)(_t199 + 0x6c)) + 0x20));
									}
								}
							}
						}
						_t98 = E011E590A(_t184, _t188);
						E0125E55B(_v44, _t184, __eflags, 0);
						L012EA066();
						 *((intOrPtr*)( *((intOrPtr*)( *_t98 + 0x60))))();
						__eflags = _v12 ^ _t206;
						return E012E980C(_v12 ^ _t206);
					} else {
						_t83 = E012EE6E0(_t186, _t153, 0, _t186 << 2);
						goto L5;
					}
				}
			}

0x0125c7e8
0x0125c7ec
0x0125c7ee
0x0125c7f3
0x0125c7f8
0x0125c7fd
0x0125c801
0x0125c802
0x0125c806
0x0125c809
0x0125c83c
0x0125c83c
0x0125c842
0x0125c80b
0x0125c80d
0x0125c811
0x0125c812
0x0125c81b
0x0125c822
0x0125c824
0x0125c829
0x0125c845
0x0125c84a
0x0125c84c
0x0125c851
0x0125c858
0x0125c85e
0x0125c85f
0x0125c860
0x0125c861
0x0125c863
0x0125c866
0x0125c883
0x0125c885
0x0125c88a
0x0125c88c
0x0125c898
0x0125c898
0x0125c89a
0x0125c88e
0x0125c88e
0x0125c894
0x0125c896
0x00000000
0x00000000
0x0125c896
0x0125c8af
0x0125c8b5
0x0125c8b7
0x0125c8b9
0x0125c8bb
0x0125c8bd
0x0125c8c0
0x0125c8c0
0x0125c8c6
0x0125c8c8
0x00000000
0x00000000
0x0125c8d2
0x0125c8d9
0x0125c8dc
0x0125c8de
0x0125c8e3
0x0125c8e6
0x0125c8e8
0x00000000
0x00000000
0x00000000
0x0125c8e8
0x0125c8ea
0x0125c8ed
0x0125c8ef
0x0125c8fb
0x0125c900
0x0125c903
0x0125c903
0x0125c8ef
0x0125c905
0x0125c908
0x0125c90a
0x0125c910
0x0125c917
0x0125c91c
0x0125c91d
0x0125c923
0x0125c95b
0x0125c961
0x0125ca58
0x0125ca5d
0x0125ca5f
0x0125ca65
0x0125ca65
0x0125c967
0x0125c97c
0x0125c981
0x0125c985
0x0125c986
0x0125c988
0x0125c9c2
0x0125c9c3
0x0125c9c8
0x0125c9cb
0x0125c9cd
0x0125c9d4
0x0125c9d6
0x0125c9db
0x0125c9dd
0x0125c9e3
0x0125c9e9
0x0125c9eb
0x0125c9fb
0x0125ca06
0x0125ca0a
0x0125ca0c
0x0125ca15
0x0125ca1f
0x0125ca25
0x0125ca28
0x0125ca28
0x0125ca2e
0x0125ca31
0x0125ca33
0x00000000
0x0125ca39
0x0125ca3c
0x0125ca41
0x0125ca44
0x0125ca4a
0x0125ca4e
0x0125ca4e
0x0125c9ed
0x0125c9ee
0x0125c9f3
0x0125c9f5
0x00000000
0x00000000
0x0125c9f5
0x0125c9eb
0x0125c9dd
0x0125c98a
0x0125c995
0x0125c99a
0x0125c99e
0x0125c99f
0x0125c9a1
0x00000000
0x0125c9a3
0x0125c9b1
0x0125c9b6
0x0125c9b9
0x0125c9bb
0x0125c9be
0x0125c9c0
0x00000000
0x00000000
0x0125c9c0
0x0125c9a1
0x0125c988
0x0125c925
0x0125c925
0x0125c928
0x0125c92a
0x0125c937
0x0125c93c
0x0125c93f
0x0125c941
0x0125c941
0x0125c941
0x0125c92a
0x0125c923
0x0125c944
0x0125c947
0x0125c949
0x0125ca6e
0x0125ca75
0x0125c94f
0x0125c94f
0x0125c94f
0x0125ca7a
0x0125ca80
0x0125ca9b
0x0125caa2
0x0125caa4
0x0125caa6
0x0125caac
0x0125caaf
0x0125cab1
0x0125cab3
0x0125cab6
0x0125cabc
0x0125cad4
0x0125cadc
0x0125cae2
0x0125caeb
0x0125caee
0x0125caf1
0x0125caf4
0x0125caf7
0x0125cb08
0x0125cb14
0x0125cb14
0x0125cab6
0x0125cab1
0x0125caa4
0x0125cb1b
0x0125cb27
0x0125cb33
0x0125cb3a
0x0125cb41
0x0125cb4c
0x0125c82b
0x0125c834
0x00000000
0x0125c839
0x0125c829

APIs

Part of subcall function 011B1E69: __CxxThrowException@8.LIBVCRUNTIME ref: 011B1E7D

GetParent.USER32(00000000), ref: 0125C86C
SendMessageW.USER32(?,00000362,0000E001,00000000), ref: 0125C8AF
GetParent.USER32(00000000), ref: 0125C96A
PostMessageW.USER32(?,?,?,00000000), ref: 0125CA1F
GetParent.USER32(00000000), ref: 0125CA89
InvalidateRect.USER32(00000000,011D784C,00000001,011D784C,?,?,?,01220392,?,011D784C,?), ref: 0125CB08
UpdateWindow.USER32(00000000), ref: 0125CB14

Part of subcall function 0125E55B: GetParent.USER32(00000000), ref: 0125E56B

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: Parent$Message$Exception@8InvalidatePostRectSendThrowUpdateWindow
String ID:
API String ID: 2756063873-0
Opcode ID: bbd6eda1b740ad293ddb113f023e917d72e7642b351d6b9f64f46a0ff0ee1f9f
Instruction ID: f87eab32b10ee38578de0f36cccaca15e89d33d2c06a239f0c715d7036920309
Opcode Fuzzy Hash: bbd6eda1b740ad293ddb113f023e917d72e7642b351d6b9f64f46a0ff0ee1f9f
Instruction Fuzzy Hash: 96A17671A107179FDF59EF69C884ABE7BB9FF58714F04406DEA05A7250EB30A910CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01222B9F Relevance: 10.8, APIs: 7, Instructions: 253
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E01222B9F(intOrPtr __ecx, void* __edx, signed long long __fp0) {
				void* _t93;
				struct HDC__* _t98;
				struct HBITMAP__* _t102;
				intOrPtr _t104;
				void* _t107;
				struct HDC__* _t111;
				signed int _t114;
				signed int* _t123;
				void* _t127;
				unsigned int _t128;
				signed int _t129;
				signed int _t135;
				signed int _t137;
				signed int _t141;
				signed char _t143;
				intOrPtr _t157;
				signed char _t158;
				signed int _t170;
				signed int* _t171;
				signed int _t175;
				signed int _t177;
				signed int _t178;
				signed int _t180;
				void* _t191;
				signed int _t193;
				signed char _t195;
				int _t197;
				int _t199;
				void* _t200;
				signed long long* _t201;
				signed long long _t206;

				_t206 = __fp0;
				_t191 = __edx;
				_push(0x5c);
				E012EA0A3();
				_t157 = __ecx;
				 *((intOrPtr*)(_t200 - 0x40)) = __ecx;
				if( *((intOrPtr*)(_t200 + 0x14)) -  *(_t200 + 0xc) <= 0 ||  *((intOrPtr*)(_t200 + 0x10)) -  *(_t200 + 8) <= 0) {
					L41:
					_t93 = 1;
				} else {
					if( *((intOrPtr*)(E011C5322() + 0x1ac)) > 8) {
						_t199 =  *((intOrPtr*)(_t200 + 0x10)) -  *(_t200 + 8);
						_t197 =  *((intOrPtr*)(_t200 + 0x14)) -  *(_t200 + 0xc);
						E011B84FA(_t200 - 0x34);
						 *(_t200 - 4) =  *(_t200 - 4) & 0x00000000;
						_t98 =  *(_t157 + 4);
						if(_t98 != 0) {
							_t98 =  *(_t98 + 4);
						}
						if(E011B8E5C(_t200 - 0x34, CreateCompatibleDC(_t98)) != 0) {
							 *(_t200 - 0x18) =  *(_t200 - 0x18) & 0x00000000;
							 *((intOrPtr*)(_t200 - 0x1c)) = 0x1331fa4;
							 *(_t200 - 4) = 1;
							_t102 = CreateCompatibleBitmap( *( *(_t157 + 4) + 4), _t199, _t197);
							_t164 = _t200 - 0x1c;
							if(E011B8E9D(_t200 - 0x1c, _t191, _t197, _t102) != 0) {
								_t104 = E011B9645( *(_t200 - 0x30),  *(_t200 - 0x18));
								 *((intOrPtr*)(_t200 - 0x44)) = _t104;
								if(_t104 == 0) {
									E011B1E69(_t164);
								}
								 *(_t200 - 0x50) = _t199;
								 *(_t200 - 0x4c) = _t197;
								_t107 = E01220458(_t157, _t197, _t199, _t200 - 0x50, _t200 - 0x10);
								 *(_t200 - 0x48) = _t107;
								if(_t107 == 0 ||  *(_t200 - 0x10) == 0) {
									goto L9;
								} else {
									SelectObject( *(_t200 - 0x30), _t107);
									_t111 =  *(_t157 + 4);
									if(_t111 != 0) {
										_t111 =  *(_t111 + 4);
									}
									BitBlt( *(_t200 - 0x30), 0, 0, _t199, _t197, _t111,  *(_t200 + 8),  *(_t200 + 0xc), 0xcc0020);
									_t158 =  *(_t200 + 0x1c);
									if(_t158 != 0xffffffff) {
										_t158 = _t158 >> 0x00000010 & 0x000000ff | (_t158 >> 0x00000008 & 0x000000ff | (_t158 & 0x000000ff) << 0x00000008) << 0x00000008;
									}
									if( *(_t200 + 0x20) == 0xffffffff) {
										 *(_t200 + 0x20) =  *(E011C5322() + 0x24);
									}
									_t114 = _t197 * _t199;
									 *(_t200 - 0x14) = _t114;
									if(_t114 > 0) {
										_t123 =  *(_t200 - 0x10);
										_t170 =  *(_t200 - 0x14);
										do {
											_t192 =  *_t123;
											if( *_t123 != _t158) {
												_t127 = E01223EC5(_t170, _t206, _t192, _t200 - 0x60, _t200 - 0x68, _t200 - 0x58);
												asm("fldz");
												_t201 = _t201 - 0x18;
												_t201[2] = _t206;
												_t201[1] =  *(_t200 - 0x58);
												_t206 =  *(_t200 - 0x60);
												 *_t201 = _t206;
												_t128 = E01222EA5(_t127);
												 *(_t200 - 0x38) = _t128;
												if( *((intOrPtr*)(_t200 + 0x18)) != 0xffffffff) {
													asm("fild dword [ebp+0x18]");
													_t201 = _t201 - 0x18;
													 *(_t200 - 0x3c) = _t206;
													_t206 =  *(_t200 - 0x3c) *  *0x13341f0;
													asm("fst qword [esp+0x10]");
													asm("fst qword [esp+0x8]");
													 *_t201 = _t206;
													_push(_t128);
													_t129 = E01223BB2(_t170);
													_t171 =  *(_t200 - 0x10);
													 *_t171 = _t129 | 0xff000000;
													_t123 = _t171;
												} else {
													_t193 = _t128 & 0x000000ff;
													_t175 = ( *(_t200 + 0x20) >> 0x00000010 & 0x000000ff) - _t193;
													if(_t175 < 0) {
														_t175 = _t175 + 1;
													}
													_t177 = (_t175 >> 1) + _t193;
													 *(_t200 - 0x24) = _t177;
													if(_t177 > 0xff) {
														 *(_t200 - 0x24) = 0xff;
													}
													_t195 =  *(_t200 + 0x20);
													_t178 = _t128 >> 0x00000008 & 0x000000ff;
													_t135 = (_t195 >> 0x00000008 & 0x000000ff) - _t178;
													if(_t135 < 0) {
														_t135 = _t135 + 1;
													}
													_t137 = (_t135 >> 1) + _t178;
													 *(_t200 - 0x20) = _t137;
													if(_t137 > 0xff) {
														 *(_t200 - 0x20) = 0xff;
													}
													_t180 =  *(_t200 - 0x38) >> 0x00000010 & 0x000000ff;
													_t141 = (_t195 & 0x000000ff) - _t180;
													if(_t141 < 0) {
														_t141 = _t141 + 1;
													}
													_t143 = (_t141 >> 1) + _t180;
													if(_t143 > 0xff) {
														_t143 = 0xff;
													}
													_t123 =  *(_t200 - 0x10);
													 *_t123 = ((_t143 & 0x000000ff | 0xffffff00) << 0x00000008 |  *(_t200 - 0x20) & 0x000000ff) << 0x00000008 |  *(_t200 - 0x24) & 0x000000ff;
												}
												_t170 =  *(_t200 - 0x14);
											}
											_t123 =  &(_t123[1]);
											_t170 = _t170 - 1;
											 *(_t200 - 0x10) = _t123;
											 *(_t200 - 0x14) = _t170;
										} while (_t170 != 0);
									}
									BitBlt( *( *((intOrPtr*)( *((intOrPtr*)(_t200 - 0x40)) + 4)) + 4),  *(_t200 + 8),  *(_t200 + 0xc), _t199, _t197,  *(_t200 - 0x30), 0, 0, 0xcc0020);
									E011B9645( *(_t200 - 0x30),  *((intOrPtr*)( *((intOrPtr*)(_t200 - 0x44)) + 4)));
									DeleteObject( *(_t200 - 0x48));
									 *((intOrPtr*)(_t200 - 0x1c)) = 0x1331fa4;
									E011681B0(_t158, _t200 - 0x1c, _t197, _t199);
									E011B865B(_t200 - 0x34);
									goto L41;
								}
							} else {
								L9:
								 *((intOrPtr*)(_t200 - 0x1c)) = 0x1331fa4;
								E011681B0(_t157, _t200 - 0x1c, _t197, _t199);
								goto L7;
							}
						} else {
							L7:
							E011B865B(_t200 - 0x34);
							_t93 = 0;
						}
					} else {
						E011EFDD7( *(_t157 + 4), _t200 + 8);
						goto L41;
					}
				}
				E012EA06C();
				return _t93;
			}

0x01222b9f
0x01222b9f
0x01222b9f
0x01222ba6
0x01222bab
0x01222bad
0x01222bb8
0x01222e9a
0x01222e9c
0x01222bcc
0x01222bd8
0x01222bf4
0x01222bf7
0x01222bfa
0x01222bff
0x01222c03
0x01222c08
0x01222c0a
0x01222c0a
0x01222c1f
0x01222c30
0x01222c34
0x01222c40
0x01222c47
0x01222c4e
0x01222c58
0x01222c71
0x01222c76
0x01222c7b
0x01222c7d
0x01222c7d
0x01222c85
0x01222c8c
0x01222c90
0x01222c95
0x01222c9a
0x00000000
0x01222ca3
0x01222ca7
0x01222cad
0x01222cb2
0x01222cb4
0x01222cb4
0x01222ccc
0x01222cd2
0x01222cd8
0x01222cf3
0x01222cf3
0x01222cf9
0x01222d03
0x01222d03
0x01222d08
0x01222d0b
0x01222d10
0x01222d16
0x01222d19
0x01222d1c
0x01222d1c
0x01222d20
0x01222d33
0x01222d38
0x01222d3a
0x01222d3d
0x01222d44
0x01222d48
0x01222d4b
0x01222d4e
0x01222d57
0x01222d5a
0x01222e05
0x01222e08
0x01222e0b
0x01222e11
0x01222e17
0x01222e1b
0x01222e1f
0x01222e22
0x01222e23
0x01222e28
0x01222e30
0x01222e32
0x01222d60
0x01222d66
0x01222d6c
0x01222d72
0x01222d74
0x01222d74
0x01222d79
0x01222d80
0x01222d85
0x01222d87
0x01222d87
0x01222d8a
0x01222d90
0x01222d9b
0x01222da1
0x01222da3
0x01222da3
0x01222da8
0x01222daf
0x01222db4
0x01222db6
0x01222db6
0x01222dbf
0x01222dc5
0x01222dcb
0x01222dcd
0x01222dcd
0x01222dd2
0x01222ddb
0x01222ddd
0x01222ddd
0x01222dfe
0x01222e01
0x01222e01
0x01222e34
0x01222e34
0x01222e37
0x01222e3a
0x01222e3d
0x01222e40
0x01222e40
0x01222d1c
0x01222e66
0x01222e75
0x01222e7d
0x01222e86
0x01222e8d
0x01222e95
0x00000000
0x01222e95
0x01222c5a
0x01222c5a
0x01222c5d
0x01222c64
0x00000000
0x01222c64
0x01222c21
0x01222c21
0x01222c24
0x01222c29
0x01222c29
0x01222bda
0x01222be1
0x00000000
0x01222be1
0x01222bd8
0x01222e9d
0x01222ea2

APIs

__EH_prolog3.LIBCMT ref: 01222BA6
CreateCompatibleDC.GDI32(00000007), ref: 01222C0E

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: CompatibleCreateH_prolog3
String ID:
API String ID: 1380196318-0
Opcode ID: b37ca4e5e0c821c998a758811fb47e7e36ec0c56706c7987583aff34bd07b26c
Instruction ID: e0de88ca05e80717df161319fb41944670265f4842794f8035b4d59d7483684b
Opcode Fuzzy Hash: b37ca4e5e0c821c998a758811fb47e7e36ec0c56706c7987583aff34bd07b26c
Instruction Fuzzy Hash: A9917931A1022AEBDB18DFA8CD84AEE7BB4FF58305F004129F505EB291DB35E904DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0130909F Relevance: 10.7, APIs: 7, Instructions: 152
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 73%

			E0130909F(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				signed char _v15;
				char _v16;
				void _v24;
				short _v28;
				char _v31;
				void _v32;
				long _v36;
				intOrPtr _v40;
				void* _v44;
				signed int _v48;
				signed char* _v52;
				long _v56;
				int _v60;
				signed int _t78;
				signed int _t80;
				int _t86;
				void* _t94;
				long _t97;
				void _t105;
				void* _t112;
				signed int _t116;
				signed int _t118;
				signed char _t123;
				signed char _t128;
				intOrPtr _t129;
				signed int _t131;
				signed char* _t133;
				intOrPtr* _t135;
				signed int _t136;
				void* _t137;

				_t78 =  *0x139eff4; // 0xdde28b47
				_v8 = _t78 ^ _t136;
				_t80 = _a8;
				_t118 = _t80 >> 6;
				_t116 = (_t80 & 0x0000003f) * 0x30;
				_t133 = _a12;
				_v52 = _t133;
				_v48 = _t118;
				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x13ad0c0 + _t118 * 4)) + _t116 + 0x18));
				_v40 = _a16 + _t133;
				_t86 = GetConsoleCP();
				_t135 = _a4;
				_v60 = _t86;
				 *_t135 = 0;
				 *((intOrPtr*)(_t135 + 4)) = 0;
				 *((intOrPtr*)(_t135 + 8)) = 0;
				while(_t133 < _v40) {
					_v28 = 0;
					_v31 =  *_t133;
					_t129 =  *((intOrPtr*)(0x13ad0c0 + _v48 * 4));
					_t123 =  *(_t129 + _t116 + 0x2d);
					if((_t123 & 0x00000004) == 0) {
						if(( *(E0130AA41(_t116, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
							_push(1);
							_push(_t133);
							goto L8;
						} else {
							if(_t133 >= _v40) {
								_t131 = _v48;
								 *((char*)( *((intOrPtr*)(0x13ad0c0 + _t131 * 4)) + _t116 + 0x2e)) =  *_t133;
								 *( *((intOrPtr*)(0x13ad0c0 + _t131 * 4)) + _t116 + 0x2d) =  *( *((intOrPtr*)(0x13ad0c0 + _t131 * 4)) + _t116 + 0x2d) | 0x00000004;
								 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
							} else {
								_t112 = E0130B64A( &_v28, _t133, 2);
								_t137 = _t137 + 0xc;
								if(_t112 != 0xffffffff) {
									_t133 =  &(_t133[1]);
									goto L9;
								}
							}
						}
					} else {
						_t128 = _t123 & 0x000000fb;
						_v16 =  *((intOrPtr*)(_t129 + _t116 + 0x2e));
						_push(2);
						_v15 = _t128;
						 *(_t129 + _t116 + 0x2d) = _t128;
						_push( &_v16);
						L8:
						_push( &_v28);
						_t94 = E0130B64A();
						_t137 = _t137 + 0xc;
						if(_t94 != 0xffffffff) {
							L9:
							_t133 =  &(_t133[1]);
							_t97 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
							_v56 = _t97;
							if(_t97 != 0) {
								if(WriteFile(_v44,  &_v24, _t97,  &_v36, 0) == 0) {
									L19:
									 *_t135 = GetLastError();
								} else {
									 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 8)) - _v52 + _t133;
									if(_v36 >= _v56) {
										if(_v31 != 0xa) {
											goto L16;
										} else {
											_t105 = 0xd;
											_v32 = _t105;
											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
												goto L19;
											} else {
												if(_v36 >= 1) {
													 *((intOrPtr*)(_t135 + 8)) =  *((intOrPtr*)(_t135 + 8)) + 1;
													 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
													goto L16;
												}
											}
										}
									}
								}
							}
						}
					}
					goto L20;
					L16:
				}
				L20:
				return E012E980C(_v8 ^ _t136);
			}

0x013090a7
0x013090ae
0x013090b1
0x013090b9
0x013090bd
0x013090c9
0x013090cc
0x013090cf
0x013090d6
0x013090de
0x013090e1
0x013090e7
0x013090ed
0x013090f2
0x013090f4
0x013090f7
0x013090fc
0x01309106
0x0130910d
0x01309110
0x01309117
0x0130911e
0x0130914a
0x01309170
0x01309172
0x00000000
0x0130914c
0x0130914f
0x01309216
0x01309222
0x0130922d
0x01309232
0x01309155
0x0130915c
0x01309161
0x01309167
0x0130916d
0x00000000
0x0130916d
0x01309167
0x0130914f
0x01309120
0x01309124
0x01309127
0x0130912d
0x0130912f
0x01309132
0x01309136
0x01309173
0x01309176
0x01309177
0x0130917c
0x01309182
0x01309188
0x01309197
0x0130919d
0x013091a3
0x013091a8
0x013091c4
0x01309237
0x0130923d
0x013091c6
0x013091ce
0x013091d7
0x013091dd
0x00000000
0x013091df
0x013091e1
0x013091e4
0x013091fd
0x00000000
0x013091ff
0x01309203
0x01309205
0x01309208
0x00000000
0x01309208
0x01309203
0x013091fd
0x013091dd
0x013091d7
0x013091c4
0x013091a8
0x01309182
0x00000000
0x0130920b
0x0130920b
0x0130923f
0x01309251

APIs

GetConsoleCP.KERNEL32(00004000,00004000,?,?,?,?,?,?,?,01309814,00000014,00004000,00004000,00004000,00004000), ref: 013090E1
__fassign.LIBCMT ref: 0130915C
__fassign.LIBCMT ref: 01309177
WideCharToMultiByte.KERNEL32(?,00000000,00004000,00000001,00004000,00000005,00000000,00000000), ref: 0130919D
WriteFile.KERNEL32(?,00004000,00000000,01309814,00000000,?,?,?,?,?,?,?,?,?,01309814,00000014), ref: 013091BC
WriteFile.KERNEL32(?,00000014,00000001,01309814,00000000,?,?,?,?,?,?,?,?,?,01309814,00000014), ref: 013091F5

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 91c9efb5020693ea5affa4eed1d2df8fa119842a42543a2bb7ea1ba984b2e22f
Instruction ID: 9f25167e79b5ebb9283850e6cffc4c58842f00db7f11b1c81fd8d36e06f3e2f8
Opcode Fuzzy Hash: 91c9efb5020693ea5affa4eed1d2df8fa119842a42543a2bb7ea1ba984b2e22f
Instruction Fuzzy Hash: C851E470E002499FDB25CFA8D895BEEBBFCEF19318F14411AE555E7282E7309941CB64

Uniqueness

Uniqueness Score: -1.00%

Function 011EFC18 Relevance: 10.6, APIs: 7, Instructions: 150
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E011EFC18(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr _a4) {
				int _v8;
				int _v12;
				int _v16;
				int _v20;
				intOrPtr _v24;
				char _v28;
				signed int _t43;
				int _t44;
				void* _t48;
				intOrPtr _t49;
				void* _t53;
				void* _t54;
				int _t55;
				void* _t69;
				signed int _t71;
				void* _t75;
				void* _t81;
				intOrPtr _t85;
				intOrPtr _t88;
				void* _t91;
				intOrPtr _t92;
				void* _t93;

				_t81 = __edx;
				_t75 = __ecx;
				_push(__esi);
				_t88 = _a4;
				_t69 = __ecx;
				_push(__edi);
				if( *((intOrPtr*)(__ecx + 0x40)) != 0) {
					SelectObject( *0x13a9528,  *(_t88 + 4));
					E011BD6C7(_t88);
				}
				_t43 = SelectObject( *0x13a9524,  *(_t88 + 8));
				 *((intOrPtr*)(_t69 + 0x64)) = 0;
				 *((intOrPtr*)(_t69 + 0x68)) = 0;
				_v20 = 0;
				_v16 = 0;
				_v12 = 0;
				_v8 = 0;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				if( *((intOrPtr*)(_t69 + 8)) != 0x20) {
					_t14 = _t69 + 0xa8; // 0x0
					_t44 =  *_t14;
				} else {
					_t44 = _t43 | 0xffffffff;
				}
				if( *((intOrPtr*)(_t69 + 0x20)) != 0 || _t44 != 0xffffffff) {
					_t16 = _t69 + 0xa4; // 0x0
					_t45 =  *_t16;
					if( *_t16 == 0) {
						E011B1E69(_t75);
						asm("int3");
						_push(0xc);
						E012EA0A3();
						_t91 = _t75;
						_t85 = _a4;
						if(_t85 < 0 || _t85 >=  *((intOrPtr*)(_t91 + 4))) {
							_t48 = 0;
						} else {
							_t49 =  *((intOrPtr*)(_t91 + 8));
							_t71 = 0 | _t49 != 0x00000020;
							if(_t49 == 8) {
								_t72 = _t71 | 0x00000008;
							} else {
								if(_t49 == 0x10) {
									_t72 = _t71 | 0x00000010;
								} else {
									if(_t49 == 0x18) {
										_t72 = _t71 | 0x00000018;
									} else {
										if(_t49 == 0x20) {
											_t72 = _t71 | 0x00000020;
										} else {
											_t72 = _t71 | 0x00000004;
										}
									}
								}
							}
							E011A812C( &_v28);
							_t77 =  &_v28;
							_v8 = 0;
							E011A8647( &_v28,  *((intOrPtr*)(_t91 + 0x54)),  *((intOrPtr*)(_t91 + 0x58)), _t72, 0, 0);
							_t53 = CopyImage( *(_t91 + 0x8c), 0, 0, 0, 0x2000);
							_t92 =  *((intOrPtr*)(_t91 + 0xa8));
							_v20 = _t53;
							if(_t92 == 0xffffffff) {
								_t92 =  *((intOrPtr*)(E011C5322() + 0x1c));
								_t53 = _v20;
							}
							_t54 = E011B9185(_t77, _t81, _t85, _t92, _t53);
							if(_t54 != 0) {
								_t55 =  *((intOrPtr*)(_t54 + 4));
							} else {
								_t55 = 0;
							}
							_push(_t92);
							_push(_t55);
							_push(_v24);
							E011C56A1(_t77, _t85);
							E011BD6C7( &_v20);
							_push(0);
							_push(_t85);
							_push(_v24);
							_t93 = E011C575C(_t77);
							E011A8180(0,  &_v28, _t85, _t93);
							_t48 = _t93;
						}
						E012EA06C();
						return _t48;
					} else {
						_t18 = _t69 + 0x48; // 0x0
						E011B9645( *_t18,  *((intOrPtr*)(_t45 + 4)));
						_t19 = _t69 + 0x9c; // 0x13aa84c
						 *((intOrPtr*)(_t69 + 0xa4)) = 0;
						DeleteObject(E011B9069(_t19, _t81));
						_t21 = _t69 + 0x44; // 0x13aa7f4
						_t44 = DeleteDC(E011B902D(_t21, _t81));
						goto L9;
					}
				} else {
					L9:
					 *((intOrPtr*)(_t69 + 0x2c)) = 0;
					if( *0x13a94f8 != 0) {
						LeaveCriticalSection(0x13a953c);
					}
					return _t44;
				}
			}

0x011efc18
0x011efc18
0x011efc1f
0x011efc20
0x011efc23
0x011efc25
0x011efc2b
0x011efc36
0x011efc3d
0x011efc3d
0x011efc4b
0x011efc58
0x011efc5b
0x011efc5e
0x011efc61
0x011efc64
0x011efc67
0x011efc6d
0x011efc6e
0x011efc6f
0x011efc70
0x011efc71
0x011efc78
0x011efc78
0x011efc73
0x011efc73
0x011efc73
0x011efc83
0x011efc8a
0x011efc8a
0x011efc92
0x011efce6
0x011efceb
0x011efcec
0x011efcf3
0x011efcf8
0x011efcfa
0x011efcff
0x011efdcd
0x011efd0e
0x011efd0e
0x011efd16
0x011efd1c
0x011efd41
0x011efd1e
0x011efd21
0x011efd3c
0x011efd23
0x011efd26
0x011efd37
0x011efd28
0x011efd2b
0x011efd32
0x011efd2d
0x011efd2d
0x011efd2d
0x011efd2b
0x011efd26
0x011efd21
0x011efd47
0x011efd4e
0x011efd57
0x011efd5d
0x011efd72
0x011efd78
0x011efd7e
0x011efd84
0x011efd8b
0x011efd8e
0x011efd8e
0x011efd92
0x011efd99
0x011efd9f
0x011efd9b
0x011efd9b
0x011efd9b
0x011efda2
0x011efda3
0x011efda4
0x011efda7
0x011efdb0
0x011efdb5
0x011efdb6
0x011efdb7
0x011efdc2
0x011efdc4
0x011efdc9
0x011efdc9
0x011efdcf
0x011efdd4
0x011efc94
0x011efc97
0x011efc9a
0x011efc9f
0x011efca5
0x011efcb1
0x011efcb7
0x011efcc0
0x00000000
0x011efcc0
0x011efcc6
0x011efcc6
0x011efcc6
0x011efcd3
0x011efcda
0x011efcda
0x011efce3
0x011efce3

APIs

__EH_prolog3.LIBCMT ref: 011EFCF3
CopyImage.USER32(?,00000000,00000000,00000000,00002000), ref: 011EFD72
SelectObject.GDI32(00000007,00000000), ref: 011EFC36

Part of subcall function 011BD6C7: DeleteObject.GDI32(?), ref: 011BD6D9

Part of subcall function 011B1E69: __CxxThrowException@8.LIBVCRUNTIME ref: 011B1E7D

SelectObject.GDI32(00000000,00000000), ref: 011EFC4B
DeleteObject.GDI32(00000000), ref: 011EFCB1
DeleteDC.GDI32(00000000), ref: 011EFCC0
LeaveCriticalSection.KERNEL32(013A953C), ref: 011EFCDA

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: Object$Delete$Select$CopyCriticalException@8H_prolog3ImageLeaveSectionThrow
String ID:
API String ID: 12896057-0
Opcode ID: 57aa2575e88676adeb463f11ef2e50d39cdd024dcce9f18a39a1147fce0b2a42
Instruction ID: 8bf5a4a1534b1e8b0ab6404f9b10a04255ac80754bc658b9d87f9e1d6cfe72d8
Opcode Fuzzy Hash: 57aa2575e88676adeb463f11ef2e50d39cdd024dcce9f18a39a1147fce0b2a42
Instruction Fuzzy Hash: 9C51C471900606DFDB29AFE8C8C89AEBFF9FF05314F144429EE249B151C771A842CB51

Uniqueness

Uniqueness Score: -1.00%

Function 011DCE07 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E011DCE07(intOrPtr __ecx, void* __eflags) {
				intOrPtr _t89;
				signed int _t95;
				signed int _t96;
				struct tagRECT* _t98;
				intOrPtr _t99;
				intOrPtr _t116;
				struct tagRECT* _t117;
				intOrPtr* _t118;
				struct tagRECT* _t119;
				void* _t121;
				void* _t122;

				_t122 = __eflags;
				_push(8);
				E012EA0A3();
				_t116 = __ecx;
				 *((intOrPtr*)(_t121 - 0x10)) = __ecx;
				E011A91EB(__ecx);
				 *(_t121 - 4) =  *(_t121 - 4) & 0x00000000;
				 *((intOrPtr*)(__ecx)) = 0x1337c84;
				E0121F22F(__ecx + 0x80);
				 *(_t121 - 4) = 1;
				E01232562(_t116 + 0x120, _t122);
				 *(_t121 - 4) = 2;
				E0123310F(_t116 + 0x1d8);
				_t118 = _t116 + 0x278;
				 *(_t121 - 4) = 3;
				 *((intOrPtr*)(_t121 - 0x14)) = _t118;
				E011A91EB(_t118);
				 *_t118 = 0x1331d88;
				 *(_t121 - 4) = 4;
				E01143CD0(_t116 + 0x310, E011B2411());
				 *(_t121 - 4) = 5;
				E01143CD0(_t116 + 0x314, E011B2411());
				 *((intOrPtr*)(_t116 + 0x320)) = 0x1331f94;
				 *((intOrPtr*)(_t116 + 0x324)) = 0;
				_t98 = _t116 + 0x328;
				_t98->left = 0;
				_t117 = _t116 + 0x368;
				_t98->top = 0;
				_t98->right = 0;
				_t98->bottom = 0;
				_t119 =  *((intOrPtr*)(_t121 - 0x10)) + 0x378;
				_t117->left = 0;
				_t117->top = 0;
				_t117->right = 0;
				_t117->bottom = 0;
				_t119->left = 0;
				_t119->top = 0;
				_t119->right = 0;
				_t119->bottom = 0;
				E011DCDE1( *((intOrPtr*)(_t121 - 0x10)) + 0x3a0, 0xa);
				E011DCDE1( *((intOrPtr*)(_t121 - 0x10)) + 0x3bc, 0xa);
				_t89 =  *((intOrPtr*)(_t121 - 0x10));
				 *((intOrPtr*)(_t89 + 0x400)) = 0;
				 *((intOrPtr*)(_t89 + 0x3fc)) = 0x13320c4;
				 *(_t89 + 0x338) =  *(_t89 + 0x338) | 0xffffffff;
				 *(_t121 - 4) = 0xa;
				 *((intOrPtr*)(_t89 + 0x31c)) = 0;
				 *((intOrPtr*)(_t89 + 0x344)) = 0;
				 *((intOrPtr*)(_t89 + 0x348)) = 0;
				 *((intOrPtr*)(_t89 + 0x2f8)) = 1;
				 *((intOrPtr*)(_t89 + 0x2fc)) = 0;
				 *((intOrPtr*)(_t89 + 0x33c)) = 3;
				 *((intOrPtr*)(_t89 + 0x304)) = 0;
				 *((intOrPtr*)(_t89 + 0x308)) = 0;
				SetRectEmpty(_t98);
				_t99 =  *((intOrPtr*)(_t121 - 0x10));
				 *(_t99 + 0x358) =  *(_t99 + 0x358) & 0x00000000;
				SetRectEmpty(_t117);
				SetRectEmpty(_t119);
				 *((intOrPtr*)(_t99 + 0x300)) = 1;
				 *((intOrPtr*)(_t99 + 0x354)) = 0;
				 *((intOrPtr*)(_t99 + 0x350)) = 0;
				 *((intOrPtr*)(_t99 + 0x35c)) = 0;
				 *((intOrPtr*)(_t99 + 0x360)) = 0;
				 *((intOrPtr*)(_t99 + 0x364)) = 0;
				 *((intOrPtr*)(_t99 + 0x3d8)) = 0;
				 *((intOrPtr*)(_t99 + 0x390)) = 0;
				 *((intOrPtr*)(_t99 + 0x340)) = 0;
				 *((intOrPtr*)(_t99 + 0x388)) = 0;
				 *((intOrPtr*)(_t99 + 0x38c)) = 0;
				E01144900(_t99 + 0x310, L"True");
				E01144900(_t99 + 0x314, L"False");
				_t95 = 0x2c;
				 *(_t99 + 0x318) = _t95;
				 *((intOrPtr*)(_t99 + 0x394)) = 0;
				_t96 = _t95 | 0xffffffff;
				 *((intOrPtr*)(_t99 + 0x398)) = 1;
				 *(_t99 + 0x3e0) = _t96;
				 *(_t99 + 0x3e4) = _t96;
				 *(_t99 + 0x3e8) = _t96;
				 *(_t99 + 0x3ec) = _t96;
				 *(_t99 + 0x3f0) = _t96;
				 *(_t99 + 0x3f4) = _t96;
				 *(_t99 + 0x3f8) = _t96;
				 *((intOrPtr*)(_t99 + 0x39c)) = 1;
				 *((intOrPtr*)(_t99 + 0x30c)) = 0;
				 *((intOrPtr*)(_t99 + 0x404)) = 0;
				 *((char*)(_t99 + 0x24)) = 1;
				E012EA06C();
				return _t99;
			}

0x011dce07
0x011dce07
0x011dce0e
0x011dce13
0x011dce15
0x011dce18
0x011dce1d
0x011dce27
0x011dce2d
0x011dce38
0x011dce3c
0x011dce47
0x011dce4b
0x011dce50
0x011dce56
0x011dce5c
0x011dce5f
0x011dce64
0x011dce6a
0x011dce7a
0x011dce7f
0x011dce8f
0x011dce96
0x011dcea0
0x011dcea9
0x011dceaf
0x011dceb1
0x011dceb7
0x011dceba
0x011dcebd
0x011dcec0
0x011dcec6
0x011dcec8
0x011dcecb
0x011dcece
0x011dced1
0x011dced3
0x011dced6
0x011dced9
0x011dcee4
0x011dcef4
0x011dcef9
0x011dcefe
0x011dcf04
0x011dcf0e
0x011dcf16
0x011dcf1a
0x011dcf20
0x011dcf26
0x011dcf2c
0x011dcf36
0x011dcf3c
0x011dcf46
0x011dcf4c
0x011dcf52
0x011dcf58
0x011dcf5b
0x011dcf63
0x011dcf6a
0x011dcf72
0x011dcf87
0x011dcf8d
0x011dcf93
0x011dcf99
0x011dcf9f
0x011dcfa5
0x011dcfab
0x011dcfb1
0x011dcfb7
0x011dcfbd
0x011dcfc3
0x011dcfd3
0x011dcfda
0x011dcfdd
0x011dcfe5
0x011dcfeb
0x011dcfee
0x011dcff4
0x011dcffa
0x011dd000
0x011dd006
0x011dd00c
0x011dd012
0x011dd018
0x011dd020
0x011dd026
0x011dd02c
0x011dd032
0x011dd035
0x011dd03a

APIs

__EH_prolog3.LIBCMT ref: 011DCE0E

Part of subcall function 0121F22F: __EH_prolog3.LIBCMT ref: 0121F236

Part of subcall function 0123310F: SetRectEmpty.USER32(?), ref: 0123314A

SetRectEmpty.USER32(?), ref: 011DCF52
SetRectEmpty.USER32 ref: 011DCF63
SetRectEmpty.USER32(?), ref: 011DCF6A

Strings

True, xrefs: 011DCF7C
False, xrefs: 011DCFC8

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: EmptyRect$H_prolog3
String ID: False$True
API String ID: 3752103406-1895882422
Opcode ID: 5e3a468e5d0d7c44d997e1d2c9e44a6148128f77fbbabbcc93b060913f43a417
Instruction ID: 88a364ce7c34fe4f2ceef3dfcc5670a56b9b952e7283a3ab84977fbad690c061
Opcode Fuzzy Hash: 5e3a468e5d0d7c44d997e1d2c9e44a6148128f77fbbabbcc93b060913f43a417
Instruction Fuzzy Hash: CB51D4B09153169FCB0ADF28D4947A8BBE8BF18704F1881BEE81D9B296DB741244CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0130D6CE Relevance: 10.6, APIs: 7, Instructions: 80
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E0130D6CE(char* _a4, short* _a8) {
				int _v8;
				void* __ecx;
				void* __esi;
				short* _t10;
				short* _t14;
				int _t15;
				short* _t16;
				void* _t26;
				int _t27;
				void* _t29;
				short* _t35;
				short* _t39;
				short* _t40;

				_push(_t29);
				if(_a4 != 0) {
					_t39 = _a8;
					__eflags = _t39;
					if(__eflags != 0) {
						_push(_t26);
						E0130CBE6(_t29, _t39, __eflags);
						asm("sbb ebx, ebx");
						_t35 = 0;
						_t27 = _t26 + 1;
						 *_t39 = 0;
						_t10 = MultiByteToWideChar(_t27, 0, _a4, 0xffffffff, 0, 0);
						_v8 = _t10;
						__eflags = _t10;
						if(_t10 != 0) {
							_t40 = E0130B125(_t29, _t10 + _t10);
							__eflags = _t40;
							if(_t40 != 0) {
								_t15 = MultiByteToWideChar(_t27, 0, _a4, 0xffffffff, _t40, _v8);
								__eflags = _t15;
								if(_t15 != 0) {
									_t16 = _t40;
									_t40 = 0;
									_t35 = 1;
									__eflags = 1;
									 *_a8 = _t16;
								} else {
									E012F91E1(GetLastError());
								}
							}
							E0130B4D5(_t40);
							_t14 = _t35;
						} else {
							E012F91E1(GetLastError());
							_t14 = 0;
						}
					} else {
						 *((intOrPtr*)(E012F9217())) = 0x16;
						E012F9CEA();
						_t14 = 0;
					}
					return _t14;
				}
				 *((intOrPtr*)(E012F9217())) = 0x16;
				E012F9CEA();
				return 0;
			}

0x0130d6d3
0x0130d6d8
0x0130d6f2
0x0130d6f5
0x0130d6f7
0x0130d710
0x0130d712
0x0130d719
0x0130d71b
0x0130d724
0x0130d725
0x0130d729
0x0130d72f
0x0130d732
0x0130d734
0x0130d74e
0x0130d751
0x0130d753
0x0130d760
0x0130d766
0x0130d768
0x0130d77c
0x0130d77e
0x0130d782
0x0130d782
0x0130d783
0x0130d76a
0x0130d771
0x0130d776
0x0130d768
0x0130d786
0x0130d78b
0x0130d736
0x0130d73d
0x0130d742
0x0130d742
0x0130d6f9
0x0130d6fe
0x0130d704
0x0130d709
0x0130d709
0x00000000
0x0130d790
0x0130d6df
0x0130d6e5
0x00000000

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f8ee032209b3d47cbb3488472df521132246a24fe1aaceb85624ff322a4fa3f
Instruction ID: 88f6706a827c655c2440739897e3d5990db9793bdd37ab050176335b54628025
Opcode Fuzzy Hash: 9f8ee032209b3d47cbb3488472df521132246a24fe1aaceb85624ff322a4fa3f
Instruction Fuzzy Hash: 9B11BB715142596FEB227FF98C58E6B7BDCDB95778F100628F915D7180DA3088408770

Uniqueness

Uniqueness Score: -1.00%

Function 01312EB5 Relevance: 10.6, APIs: 7, Instructions: 65
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E01312EB5(intOrPtr _a4) {
				void* _t18;

				_t45 = _a4;
				if(_a4 != 0) {
					E01312BFC(_t45, 7);
					E01312BFC(_t45 + 0x1c, 7);
					E01312BFC(_t45 + 0x38, 0xc);
					E01312BFC(_t45 + 0x68, 0xc);
					E01312BFC(_t45 + 0x98, 2);
					E0130B4D5( *((intOrPtr*)(_t45 + 0xa0)));
					E0130B4D5( *((intOrPtr*)(_t45 + 0xa4)));
					E0130B4D5( *((intOrPtr*)(_t45 + 0xa8)));
					E01312BFC(_t45 + 0xb4, 7);
					E01312BFC(_t45 + 0xd0, 7);
					E01312BFC(_t45 + 0xec, 0xc);
					E01312BFC(_t45 + 0x11c, 0xc);
					E01312BFC(_t45 + 0x14c, 2);
					E0130B4D5( *((intOrPtr*)(_t45 + 0x154)));
					E0130B4D5( *((intOrPtr*)(_t45 + 0x158)));
					E0130B4D5( *((intOrPtr*)(_t45 + 0x15c)));
					return E0130B4D5( *((intOrPtr*)(_t45 + 0x160)));
				}
				return _t18;
			}

0x01312ebb
0x01312ec0
0x01312ec9
0x01312ed4
0x01312edf
0x01312eea
0x01312ef8
0x01312f03
0x01312f0e
0x01312f19
0x01312f27
0x01312f35
0x01312f46
0x01312f54
0x01312f62
0x01312f6d
0x01312f78
0x01312f83
0x00000000
0x01312f93
0x01312f98

APIs

Part of subcall function 01312BFC: _free.LIBCMT ref: 01312C25

_free.LIBCMT ref: 01312F03

Part of subcall function 0130B4D5: RtlFreeHeap.NTDLL(00000000,00000000,?,01312C2A,?,00000000,?,00000000,?,01312ECE,?,00000007,?,?,0131334A,?), ref: 0130B4EB
Part of subcall function 0130B4D5: GetLastError.KERNEL32(?,?,01312C2A,?,00000000,?,00000000,?,01312ECE,?,00000007,?,?,0131334A,?,?), ref: 0130B4FD

_free.LIBCMT ref: 01312F0E
_free.LIBCMT ref: 01312F19
_free.LIBCMT ref: 01312F6D
_free.LIBCMT ref: 01312F78
_free.LIBCMT ref: 01312F83
_free.LIBCMT ref: 01312F8E

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c380c80edf6b1788f909ab77aa2059d32dc94e5abbe3249c4250cff1d7eb0521
Instruction ID: d387bc18d6e3967335325196194b4ca74ba6d5fb7b0b62caf20f81cf9cacd6fa
Opcode Fuzzy Hash: c380c80edf6b1788f909ab77aa2059d32dc94e5abbe3249c4250cff1d7eb0521
Instruction Fuzzy Hash: 0D118E31940B05AAD621FFF8CC05FCBFBDCAF20704F418814B29AA6094DA74B6499790

Uniqueness

Uniqueness Score: -1.00%

Function 011F07DE Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E011F07DE(intOrPtr __ecx, void* __edx, void* __fp0, WCHAR* _a4, struct HINSTANCE__* _a8) {
				void* _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t8;
				void* _t9;
				struct HRSRC__* _t15;
				void* _t19;
				void* _t21;
				struct HINSTANCE__* _t24;
				void* _t26;
				void* _t31;

				_t31 = __fp0;
				_t19 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t24 = _a8;
				_v12 = __ecx;
				if(_t24 == 0) {
					_t24 =  *(E011B72B6(_t24) + 0xc);
				}
				_t8 = FindResourceW(_t24, _a4, "PNG");
				_t15 = _t8;
				if(_t15 != 0) {
					_t8 = LoadResource(_t24, _t15);
					_t21 = _t8;
					if(_t21 != 0) {
						_t9 = LockResource(_t21);
						_v8 = _t9;
						if(_t9 != 0) {
							_push(SizeofResource(_t24, _t15));
							_push(_v8);
							_t26 = E011F0855(_t15, _v12, _t19, _t21, _t24, _t31);
						} else {
							_t26 = 0;
						}
						FreeResource(_t21);
						_t8 = _t26;
					}
				}
				return _t8;
			}

0x011f07de
0x011f07de
0x011f07e1
0x011f07e2
0x011f07e5
0x011f07e8
0x011f07ed
0x011f07f4
0x011f07f4
0x011f0800
0x011f0806
0x011f080a
0x011f080f
0x011f0815
0x011f0819
0x011f081c
0x011f0822
0x011f0827
0x011f0838
0x011f0839
0x011f0841
0x011f0829
0x011f0829
0x011f0829
0x011f0844
0x011f084a
0x011f084a
0x011f084c
0x011f0852

APIs

FindResourceW.KERNEL32(?,?,PNG,?,?,01339C3C,01339C3C,?,011F15F0,?,00000000,?), ref: 011F0800
LoadResource.KERNEL32(?,00000000,?,?,01339C3C,01339C3C,?,011F15F0,?,00000000,?), ref: 011F080F
LockResource.KERNEL32(00000000,?,01339C3C,01339C3C,?,011F15F0,?,00000000,?), ref: 011F081C
SizeofResource.KERNEL32(?,00000000,?,01339C3C,01339C3C,?,011F15F0,?,00000000,?), ref: 011F082F

Part of subcall function 011F0855: GlobalAlloc.KERNEL32(00000002,?,00000000,?,?,?,011F0841,00000000,00000000,?,01339C3C,01339C3C,?,011F15F0,?,00000000), ref: 011F0862

FreeResource.KERNEL32(00000000,00000000,00000000,?,01339C3C,01339C3C,?,011F15F0,?,00000000,?), ref: 011F0844

Strings

PNG, xrefs: 011F07F7

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: Resource$AllocFindFreeGlobalLoadLockSizeof
String ID: PNG
API String ID: 169377235-364855578
Opcode ID: 19813a4da3d048777f8d56eed6253380b74da9de90dae5e577e2b38f62de6eb5
Instruction ID: 49278803cd1641fad79c6e3bea51e5439823c864fa44f04865f2226cb548a281
Opcode Fuzzy Hash: 19813a4da3d048777f8d56eed6253380b74da9de90dae5e577e2b38f62de6eb5
Instruction Fuzzy Hash: 3F01713A900615AB97266F949C45CBEBB6DDB4D265F01416DFE05A3202EB309D0087E1

Uniqueness

Uniqueness Score: -1.00%

Function 0130F104 Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 69%

			E0130F104(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
				signed int _v8;
				int _v12;
				void* _v24;
				signed int _t49;
				signed int _t54;
				int _t58;
				signed int _t60;
				short* _t62;
				signed int _t66;
				short* _t70;
				int _t71;
				int _t78;
				short* _t81;
				signed int _t87;
				signed int _t90;
				void* _t95;
				void* _t96;
				int _t98;
				short* _t101;
				int _t103;
				signed int _t106;
				short* _t107;
				void* _t110;

				_push(__ecx);
				_push(__ecx);
				_t49 =  *0x139eff4; // 0xdde28b47
				_v8 = _t49 ^ _t106;
				_push(__esi);
				_t103 = _a20;
				if(_t103 > 0) {
					_t78 = E0130B4B9(_a16, _t103);
					_t110 = _t78 - _t103;
					_t4 = _t78 + 1; // 0x1
					_t103 = _t4;
					if(_t110 >= 0) {
						_t103 = _t78;
					}
				}
				_t98 = _a32;
				if(_t98 == 0) {
					_t98 =  *( *_a4 + 8);
					_a32 = _t98;
				}
				_t54 = MultiByteToWideChar(_t98, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t103, 0, 0);
				_v12 = _t54;
				if(_t54 == 0) {
					L38:
					return E012E980C(_v8 ^ _t106);
				} else {
					_t95 = _t54 + _t54;
					_t85 = _t95 + 8;
					asm("sbb eax, eax");
					if((_t95 + 0x00000008 & _t54) == 0) {
						_t81 = 0;
						__eflags = 0;
						L14:
						if(_t81 == 0) {
							L36:
							_t105 = 0;
							L37:
							E012EBCAE(_t81);
							goto L38;
						}
						_t58 = MultiByteToWideChar(_t98, 1, _a16, _t103, _t81, _v12);
						_t121 = _t58;
						if(_t58 == 0) {
							goto L36;
						}
						_t100 = _v12;
						_t60 = E0130D129(_t85, _t103, _t121, _a8, _a12, _t81, _v12, 0, 0, 0, 0, 0);
						_t105 = _t60;
						if(_t105 == 0) {
							goto L36;
						}
						if((_a12 & 0x00000400) == 0) {
							_t96 = _t105 + _t105;
							_t87 = _t96 + 8;
							__eflags = _t96 - _t87;
							asm("sbb eax, eax");
							__eflags = _t87 & _t60;
							if((_t87 & _t60) == 0) {
								_t101 = 0;
								__eflags = 0;
								L30:
								__eflags = _t101;
								if(__eflags == 0) {
									L35:
									E012EBCAE(_t101);
									goto L36;
								}
								_t62 = E0130D129(_t87, _t105, __eflags, _a8, _a12, _t81, _v12, _t101, _t105, 0, 0, 0);
								__eflags = _t62;
								if(_t62 == 0) {
									goto L35;
								}
								_push(0);
								_push(0);
								__eflags = _a28;
								if(_a28 != 0) {
									_push(_a28);
									_push(_a24);
								} else {
									_push(0);
									_push(0);
								}
								_t105 = WideCharToMultiByte(_a32, 0, _t101, _t105, ??, ??, ??, ??);
								__eflags = _t105;
								if(_t105 != 0) {
									E012EBCAE(_t101);
									goto L37;
								} else {
									goto L35;
								}
							}
							_t90 = _t96 + 8;
							__eflags = _t96 - _t90;
							asm("sbb eax, eax");
							_t66 = _t60 & _t90;
							_t87 = _t96 + 8;
							__eflags = _t66 - 0x400;
							if(_t66 > 0x400) {
								__eflags = _t96 - _t87;
								asm("sbb eax, eax");
								_t101 = E0130B125(_t87, _t66 & _t87);
								_pop(_t87);
								__eflags = _t101;
								if(_t101 == 0) {
									goto L35;
								}
								 *_t101 = 0xdddd;
								L28:
								_t101 =  &(_t101[4]);
								goto L30;
							}
							__eflags = _t96 - _t87;
							asm("sbb eax, eax");
							E012EA400();
							_t101 = _t107;
							__eflags = _t101;
							if(_t101 == 0) {
								goto L35;
							}
							 *_t101 = 0xcccc;
							goto L28;
						}
						_t70 = _a28;
						if(_t70 == 0) {
							goto L37;
						}
						_t125 = _t105 - _t70;
						if(_t105 > _t70) {
							goto L36;
						}
						_t71 = E0130D129(0, _t105, _t125, _a8, _a12, _t81, _t100, _a24, _t70, 0, 0, 0);
						_t105 = _t71;
						if(_t71 != 0) {
							goto L37;
						}
						goto L36;
					}
					asm("sbb eax, eax");
					_t72 = _t54 & _t95 + 0x00000008;
					_t85 = _t95 + 8;
					if((_t54 & _t95 + 0x00000008) > 0x400) {
						__eflags = _t95 - _t85;
						asm("sbb eax, eax");
						_t81 = E0130B125(_t85, _t72 & _t85);
						_pop(_t85);
						__eflags = _t81;
						if(__eflags == 0) {
							goto L36;
						}
						 *_t81 = 0xdddd;
						L12:
						_t81 =  &(_t81[4]);
						goto L14;
					}
					asm("sbb eax, eax");
					E012EA400();
					_t81 = _t107;
					if(_t81 == 0) {
						goto L36;
					}
					 *_t81 = 0xcccc;
					goto L12;
				}
			}

0x0130f109
0x0130f10a
0x0130f10b
0x0130f112
0x0130f116
0x0130f117
0x0130f11d
0x0130f123
0x0130f129
0x0130f12c
0x0130f12c
0x0130f12f
0x0130f131
0x0130f131
0x0130f12f
0x0130f133
0x0130f138
0x0130f13f
0x0130f142
0x0130f142
0x0130f15e
0x0130f164
0x0130f169
0x0130f2fc
0x0130f30f
0x0130f16f
0x0130f16f
0x0130f172
0x0130f177
0x0130f17b
0x0130f1cf
0x0130f1cf
0x0130f1d1
0x0130f1d3
0x0130f2f1
0x0130f2f1
0x0130f2f3
0x0130f2f4
0x00000000
0x0130f2fa
0x0130f1e4
0x0130f1ea
0x0130f1ec
0x00000000
0x00000000
0x0130f1f2
0x0130f204
0x0130f209
0x0130f20d
0x00000000
0x00000000
0x0130f21a
0x0130f254
0x0130f257
0x0130f25a
0x0130f25c
0x0130f25e
0x0130f260
0x0130f2ac
0x0130f2ac
0x0130f2ae
0x0130f2ae
0x0130f2b0
0x0130f2ea
0x0130f2eb
0x00000000
0x0130f2f0
0x0130f2c4
0x0130f2c9
0x0130f2cb
0x00000000
0x00000000
0x0130f2cf
0x0130f2d0
0x0130f2d1
0x0130f2d4
0x0130f310
0x0130f313
0x0130f2d6
0x0130f2d6
0x0130f2d7
0x0130f2d7
0x0130f2e4
0x0130f2e6
0x0130f2e8
0x0130f319
0x00000000
0x00000000
0x00000000
0x00000000
0x0130f2e8
0x0130f262
0x0130f265
0x0130f267
0x0130f269
0x0130f26b
0x0130f26e
0x0130f273
0x0130f28e
0x0130f290
0x0130f29a
0x0130f29c
0x0130f29d
0x0130f29f
0x00000000
0x00000000
0x0130f2a1
0x0130f2a7
0x0130f2a7
0x00000000
0x0130f2a7
0x0130f275
0x0130f277
0x0130f27b
0x0130f280
0x0130f282
0x0130f284
0x00000000
0x00000000
0x0130f286
0x00000000
0x0130f286
0x0130f21c
0x0130f221
0x00000000
0x00000000
0x0130f227
0x0130f229
0x00000000
0x00000000
0x0130f240
0x0130f245
0x0130f249
0x00000000
0x00000000
0x00000000
0x0130f24f
0x0130f182
0x0130f184
0x0130f186
0x0130f18e
0x0130f1ad
0x0130f1af
0x0130f1b9
0x0130f1bb
0x0130f1bc
0x0130f1be
0x00000000
0x00000000
0x0130f1c4
0x0130f1ca
0x0130f1ca
0x00000000
0x0130f1ca
0x0130f192
0x0130f196
0x0130f19b
0x0130f19f
0x00000000
0x00000000
0x0130f1a5
0x00000000
0x0130f1a5

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,00000005,012F83B4,012F83B4,?,?,?,0130F355,00000001,00000001,DBE85006), ref: 0130F15E
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0130F355,00000001,00000001,DBE85006,?,?,?), ref: 0130F1E4
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,DBE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0130F2DE
__freea.LIBCMT ref: 0130F2EB

Part of subcall function 0130B125: RtlAllocateHeap.NTDLL(00000000,8007000E,?,?,011A700E,8007000E,00000000,?,?,011B186B,0000000C,00000004,011447AC,8007000E), ref: 0130B157

__freea.LIBCMT ref: 0130F2F4
__freea.LIBCMT ref: 0130F319

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 2f26be1455a94090675b9ef88fcf6876e0e9a9daa0eae96d1aa1331ec4572bdf
Instruction ID: 0227a315f4484af021bd4bdcb89979310080385eee567b4c8f34349648448a56
Opcode Fuzzy Hash: 2f26be1455a94090675b9ef88fcf6876e0e9a9daa0eae96d1aa1331ec4572bdf
Instruction Fuzzy Hash: 3A51F376610216AFEB3A8E68DC61EBA7BEDEF54658F250228FD04E6180DB34DC548690

Uniqueness

Uniqueness Score: -1.00%

Function 011EED2A Relevance: 9.1, APIs: 6, Instructions: 78
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E011EED2A(void* __ecx, signed int _a4, intOrPtr _a8, intOrPtr _a12) {
				long _t25;
				int _t29;
				struct HDC__* _t40;
				void* _t42;

				_t42 = __ecx;
				PatBlt( *0x13a9528, 0, 0,  *((intOrPtr*)(__ecx + 0x54)) + 2,  *((intOrPtr*)(__ecx + 0x58)) + 2, 0xff0062);
				if( *((intOrPtr*)(__ecx + 8)) == 0x20) {
					L2:
					_t25 =  *(E011C5322() + 0x1c);
				} else {
					_t25 =  *(__ecx + 0xa8);
					if(_t25 == 0xffffffff) {
						goto L2;
					}
				}
				SetBkColor( *0x13a9524, _t25);
				_t29 = BitBlt( *0x13a9528, 0, 0,  *(_t42 + 0x54),  *(_t42 + 0x58),  *0x13a9524,  *(_t42 + 0x54) * _a4, 0, 0xcc0020);
				if(_a8 != 0) {
					SetBkColor( *0x13a9524,  *(E011C5322() + 0x24));
					_t29 = BitBlt( *0x13a9528, 0, 0,  *(_t42 + 0x54),  *(_t42 + 0x58),  *0x13a9524,  *(_t42 + 0x54) * _a4, 0, 0xee0086);
					if(_a12 != 0) {
						_t40 =  *0x13a9528; // 0x0
						return BitBlt(_t40, 1, 1,  *(_t42 + 0x54) + 1,  *(_t42 + 0x58) + 1, _t40, 0, 0, 0x8800c6);
					}
				}
				return _t29;
			}

0x011eed2f
0x011eed4e
0x011eed58
0x011eed65
0x011eed6a
0x011eed5a
0x011eed5a
0x011eed63
0x00000000
0x00000000
0x011eed63
0x011eed74
0x011eed9c
0x011eeda5
0x011eedb5
0x011eeddd
0x011eede6
0x011eede8
0x00000000
0x011eee05
0x011eede6
0x011eee0e

APIs

PatBlt.GDI32(00000000,00000000,0000000E,0000000D,00FF0062,?), ref: 011EED4E
SetBkColor.GDI32(?), ref: 011EED74
BitBlt.GDI32(00000000,00000000,00000010,0000000F,?,00000000,00CC0020,?,011EF617), ref: 011EED9C
SetBkColor.GDI32(?), ref: 011EEDB5
BitBlt.GDI32(00000000,00000000,00000010,0000000F,?,00000000,00EE0086,?,011EF617), ref: 011EEDDD
BitBlt.GDI32(00000000,00000001,00000001,00000011,00000010,00000000,00000000,00000000,008800C6), ref: 011EEE05

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: Color
String ID:
API String ID: 2811717613-0
Opcode ID: 705f1d39be88ea9f65505a12cf99ea9821f2475b809365eff47829efa5f3961f
Instruction ID: df654bcaef2c8b45d319873b06940f641a37cd42f571d26a28fb7e4debd4273c
Opcode Fuzzy Hash: 705f1d39be88ea9f65505a12cf99ea9821f2475b809365eff47829efa5f3961f
Instruction Fuzzy Hash: 7C213E32100640FFD7399F99DD4AEA77FBEFB89B14B40442CF6419A164C7B1A850DB20

Uniqueness

Uniqueness Score: -1.00%

Function 011B6D03 Relevance: 9.1, APIs: 6, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E011B6D03(struct HWND__* _a4, struct HWND__** _a8) {
				struct HWND__* _t7;
				void* _t13;
				struct HWND__* _t14;
				struct HWND__** _t15;
				struct HWND__* _t16;
				struct HWND__* _t17;

				_t14 = _a4;
				_t17 = _t14;
				if(_t14 != 0) {
					L4:
					if((GetWindowLongW(_t17, 0xfffffff0) & 0x40000000) == 0) {
						L7:
						_t16 = _t17;
						_t7 = _t17;
						if(_t17 == 0) {
							L9:
							if(_t14 == 0 && _t17 != 0) {
								_t17 = GetLastActivePopup(_t17);
							}
							_t15 = _a8;
							if(_t15 != 0) {
								if(_t16 == 0 || IsWindowEnabled(_t16) == 0 || _t16 == _t17) {
									 *_t15 =  *_t15 & 0x00000000;
								} else {
									 *_t15 = _t16;
									EnableWindow(_t16, 0);
								}
							}
							return _t17;
						} else {
							goto L8;
						}
						do {
							L8:
							_t16 = _t7;
							_t7 = GetParent(_t7);
						} while (_t7 != 0);
						goto L9;
					}
					_t17 = GetParent(_t17);
					L6:
					if(_t17 != 0) {
						goto L4;
					}
					goto L7;
				}
				_t13 = E011B6CF7();
				if(_t13 != 0) {
					L3:
					_t17 =  *(_t13 + 0x20);
					goto L6;
				}
				_t13 = E01168AF0();
				if(_t13 == 0) {
					goto L7;
				}
				goto L3;
			}

0x011b6d07
0x011b6d0b
0x011b6d10
0x011b6d29
0x011b6d37
0x011b6d46
0x011b6d46
0x011b6d48
0x011b6d4c
0x011b6d5b
0x011b6d5d
0x011b6d6a
0x011b6d6a
0x011b6d6c
0x011b6d71
0x011b6d75
0x011b6d93
0x011b6d86
0x011b6d89
0x011b6d8b
0x011b6d8b
0x011b6d75
0x011b6d9c
0x00000000
0x00000000
0x00000000
0x011b6d4e
0x011b6d4e
0x011b6d4f
0x011b6d51
0x011b6d57
0x00000000
0x011b6d4e
0x011b6d40
0x011b6d42
0x011b6d44
0x00000000
0x00000000
0x00000000
0x011b6d44
0x011b6d12
0x011b6d19
0x011b6d24
0x011b6d24
0x00000000
0x011b6d24
0x011b6d1b
0x011b6d22
0x00000000
0x00000000
0x00000000

APIs

GetWindowLongW.USER32(?,000000F0), ref: 011B6D2C
GetParent.USER32(?), ref: 011B6D3A
GetParent.USER32(?), ref: 011B6D51
GetLastActivePopup.USER32(?), ref: 011B6D64
IsWindowEnabled.USER32(?), ref: 011B6D78
EnableWindow.USER32(?,00000000), ref: 011B6D8B

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: 1a3065c8ad92a01432eae1fa8f3ed4dd64d7b371e80a51979f34959d3046b6d2
Instruction ID: c7ed966d782ec5054e4138035591f746e609292910bca7544b1a70c2f9094321
Opcode Fuzzy Hash: 1a3065c8ad92a01432eae1fa8f3ed4dd64d7b371e80a51979f34959d3046b6d2
Instruction Fuzzy Hash: 2211A93260132157E73A2E5DD9C47EE7A9CAF75B61F050138EE45DB284DB60DC81C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0130BB14 Relevance: 9.0, APIs: 6, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 75%

			E0130BB14(void* __ebx, void* __ecx, void* __edx) {
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				void* _t3;
				void* _t4;
				intOrPtr _t9;
				void* _t11;
				void* _t20;
				void* _t21;
				void* _t23;
				void* _t25;
				void* _t27;
				void* _t29;
				void* _t31;
				void* _t32;
				long _t36;
				long _t37;
				void* _t40;

				_t29 = __edx;
				_t23 = __ecx;
				_t20 = __ebx;
				_t36 = GetLastError();
				_t2 =  *0x139f2c0; // 0x6
				_t42 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L2:
					_t3 = E0130A9E4(_t23, 1, 0x364);
					_t31 = _t3;
					_pop(_t25);
					if(_t31 != 0) {
						_t4 = E0130CE17(_t25, _t36, __eflags,  *0x139f2c0, _t31);
						__eflags = _t4;
						if(_t4 != 0) {
							E0130B986(_t25, _t31, 0x13ad0bc);
							E0130B4D5(0);
							_t40 = _t40 + 0xc;
							__eflags = _t31;
							if(_t31 == 0) {
								goto L9;
							} else {
								goto L8;
							}
						} else {
							_push(_t31);
							goto L4;
						}
					} else {
						_push(_t3);
						L4:
						E0130B4D5();
						_pop(_t25);
						L9:
						SetLastError(_t36);
						E0130B0E2(_t20, _t29, _t31, _t36);
						asm("int3");
						_push(_t20);
						_push(_t36);
						_push(_t31);
						_t37 = GetLastError();
						_t21 = 0;
						_t9 =  *0x139f2c0; // 0x6
						_t45 = _t9 - 0xffffffff;
						if(_t9 == 0xffffffff) {
							L12:
							_t32 = E0130A9E4(_t25, 1, 0x364);
							_pop(_t27);
							if(_t32 != 0) {
								_t11 = E0130CE17(_t27, _t37, __eflags,  *0x139f2c0, _t32);
								__eflags = _t11;
								if(_t11 != 0) {
									E0130B986(_t27, _t32, 0x13ad0bc);
									E0130B4D5(_t21);
									__eflags = _t32;
									if(_t32 != 0) {
										goto L19;
									} else {
										goto L18;
									}
								} else {
									_push(_t32);
									goto L14;
								}
							} else {
								_push(_t21);
								L14:
								E0130B4D5();
								L18:
								SetLastError(_t37);
							}
						} else {
							_t32 = E0130CDC1(_t25, _t37, _t45, _t9);
							if(_t32 != 0) {
								L19:
								SetLastError(_t37);
								_t21 = _t32;
							} else {
								goto L12;
							}
						}
						return _t21;
					}
				} else {
					_t31 = E0130CDC1(_t23, _t36, _t42, _t2);
					if(_t31 != 0) {
						L8:
						SetLastError(_t36);
						return _t31;
					} else {
						goto L2;
					}
				}
			}

0x0130bb14
0x0130bb14
0x0130bb14
0x0130bb1e
0x0130bb20
0x0130bb25
0x0130bb28
0x0130bb36
0x0130bb3d
0x0130bb42
0x0130bb45
0x0130bb48
0x0130bb5a
0x0130bb5f
0x0130bb61
0x0130bb6c
0x0130bb73
0x0130bb78
0x0130bb7b
0x0130bb7d
0x00000000
0x00000000
0x00000000
0x00000000
0x0130bb63
0x0130bb63
0x00000000
0x0130bb63
0x0130bb4a
0x0130bb4a
0x0130bb4b
0x0130bb4b
0x0130bb50
0x0130bb8b
0x0130bb8c
0x0130bb92
0x0130bb97
0x0130bb9a
0x0130bb9b
0x0130bb9c
0x0130bba3
0x0130bba5
0x0130bba7
0x0130bbac
0x0130bbaf
0x0130bbbd
0x0130bbc9
0x0130bbcc
0x0130bbcf
0x0130bbe1
0x0130bbe6
0x0130bbe8
0x0130bbf3
0x0130bbf9
0x0130bc01
0x0130bc03
0x00000000
0x00000000
0x00000000
0x00000000
0x0130bbea
0x0130bbea
0x00000000
0x0130bbea
0x0130bbd1
0x0130bbd1
0x0130bbd2
0x0130bbd2
0x0130bc05
0x0130bc06
0x0130bc06
0x0130bbb1
0x0130bbb7
0x0130bbbb
0x0130bc0e
0x0130bc0f
0x0130bc15
0x00000000
0x00000000
0x00000000
0x0130bbbb
0x0130bc1c
0x0130bc1c
0x0130bb2a
0x0130bb30
0x0130bb34
0x0130bb7f
0x0130bb80
0x0130bb8a
0x00000000
0x00000000
0x00000000
0x0130bb34

APIs

GetLastError.KERNEL32(?,?,013092F7,00004000,00004000,01141D61,?,013097DB,00004000,00004000,?,00004000), ref: 0130BB18
_free.LIBCMT ref: 0130BB4B
_free.LIBCMT ref: 0130BB73
SetLastError.KERNEL32(00000000,00004000,?,00004000), ref: 0130BB80
SetLastError.KERNEL32(00000000,00004000,?,00004000), ref: 0130BB8C
_abort.LIBCMT ref: 0130BB92

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 8f1d80510d19b2e547e3ece8535cbb18e579416f1c3d9d803bd825228cb7ec19
Instruction ID: 9faecbcb70d96c1aee2bc9c5467dd622711058ef8b8477467af392b678c55d11
Opcode Fuzzy Hash: 8f1d80510d19b2e547e3ece8535cbb18e579416f1c3d9d803bd825228cb7ec19
Instruction Fuzzy Hash: ABF0A93D544A0167D633767C6C75F1AAADD9BD1BFDF110128F515D21CCEE6188028221

Uniqueness

Uniqueness Score: -1.00%

Function 011EE9D2 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 225
windowCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E011EE9D2(void* __ebx, unsigned int __ecx, void* __edi, void* __esi, signed int _a4) {
				signed int _v8;
				char _v1032;
				signed int _v1036;
				signed int _v1040;
				signed int _v1044;
				signed int _v1048;
				signed int _v1052;
				signed int _v1056;
				intOrPtr _v1060;
				signed int _v1064;
				unsigned int _v1068;
				char _v1072;
				intOrPtr _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1096;
				intOrPtr _v1104;
				char _v1112;
				void* _v1124;
				void* __ebp;
				signed int _t106;
				signed int _t108;
				void* _t109;
				signed int _t112;
				signed int _t124;
				signed int _t131;
				intOrPtr _t135;
				signed int _t136;
				signed int _t147;
				unsigned int _t148;
				signed int _t154;
				signed int _t161;
				signed int _t166;
				unsigned int _t168;
				signed int _t174;
				signed int _t175;
				unsigned int _t177;
				signed int _t178;
				signed int _t179;
				signed int _t183;
				signed int _t184;
				unsigned int* _t185;
				signed int _t186;
				signed int _t187;

				_t106 =  *0x139eff4; // 0xdde28b47
				_v8 = _t106 ^ _t186;
				_t181 = _a4;
				_t177 = __ecx;
				_v1036 = _a4;
				_v1068 = __ecx;
				_t108 = E011EFEDE(_a4);
				_t147 = 0;
				_v1048 = _t108;
				_v1040 = 0;
				_v1064 = 0x22009;
				_t174 = 0x20;
				_v1052 = _t174;
				if((_t108 & 0x00020000) != 0) {
					_v1064 = _t108;
					_v1052 = _t108 >> 0x00000008 & 0x000000ff;
				}
				_t190 = _t108 & 0x00040000;
				if((_t108 & 0x00040000) != 0) {
					_v1052 = _t174;
					_v1040 = 1;
					_v1064 = 0x26200a;
				}
				_t109 = E011EFE6E(_t181);
				if(E011EE8ED(_t174, _t190, E011EFF00(_v1036), _t109, _v1052, _t147, _t147, _v1040) != 0) {
					_t154 = _v1048;
					_t183 = _t147;
					_v1040 = _t183;
					_v1056 = _t183;
					__eflags = _t154 & 0x00010000;
					if((_t154 & 0x00010000) == 0) {
						L19:
						_t112 = _v1064;
						__eflags = _t112 - _t154;
						if(_t112 != _t154) {
							E011ECDB6( &_v1088,  *(_t177 + 0xc),  *((intOrPtr*)(_t177 + 0x10)),  *((intOrPtr*)(_t177 + 0x14)), _t112,  *((intOrPtr*)(_t177 + 8)));
							E011ECFB7( &_v1072,  &_v1088);
							E011EFB60( &_v1072, _v1036, _t147, _t147);
							_push(_v1072);
							L012EC262();
							_push(_v1084);
							L012EC220();
							while(1) {
								L34:
								__eflags = _t183;
								if(_t183 == 0) {
									break;
								}
								_t183 =  *_t183;
								L012F9FB5(_t183);
							}
							goto L36;
						}
						_v1080 =  *(_t177 + 0xc);
						_v1076 =  *((intOrPtr*)(_t177 + 0x10));
						_push( &_v1112);
						_push(_t154);
						_push(1);
						_v1088 = _t147;
						_push( &_v1088);
						_t124 = _v1036;
						_v1084 = _t147;
						_push( *((intOrPtr*)(_t124 + 4)));
						L012EC256();
						_t161 = _t124;
						__eflags = _t161;
						if(_t161 == 0) {
							_t161 = _t147;
						} else {
							 *(_v1036 + 8) = _t161;
						}
						__eflags = _t161;
						if(_t161 == 0) {
							_v1044 = _t147;
							_v1068 =  *(_t177 + 0xc) * _v1052 + 7 >> 3;
							_v1056 =  *((intOrPtr*)(_t177 + 8));
							_t130 = _v1096;
							_v1048 = _v1096;
							__eflags =  *((intOrPtr*)(_t177 + 0x10)) - _t147;
							if( *((intOrPtr*)(_t177 + 0x10)) <= _t147) {
								L30:
								_t178 = _v1036;
								_t131 =  &_v1112;
								_push(_t131);
								_push( *((intOrPtr*)(_t178 + 4)));
								L012EC25C();
								__eflags = _t131;
								if(_t131 != 0) {
									 *(_t178 + 8) = _t131;
								}
								goto L34;
							}
							_t148 = _v1068;
							_t184 = _v1056;
							do {
								E011B1E31(_t161, _t184, _t148, _t130, _t148);
								_t187 = _t187 + 0x10;
								_t130 = _v1048 + _v1104;
								_t184 = _t184 +  *((intOrPtr*)(_t177 + 0x14));
								_t161 = _v1044 + 1;
								_v1048 = _v1048 + _v1104;
								_v1044 = _t161;
								__eflags = _t161 -  *((intOrPtr*)(_t177 + 0x10));
							} while (_t161 <  *((intOrPtr*)(_t177 + 0x10)));
							_t183 = _v1040;
							_t147 = 0;
							__eflags = 0;
							goto L30;
						} else {
							L25:
							_t147 = 0x8007000e;
							goto L34;
						}
					}
					_t135 = E011EFEB8(_v1036);
					_v1060 = _t135;
					__eflags = _t135 - 0x400;
					if(__eflags > 0) {
						L10:
						_t136 = E011EDEEF( &_v1056, __eflags, _t135);
						_t183 = _v1056;
						_v1040 = _t183;
						L11:
						_v1044 = _t136;
						__eflags = _t136;
						if(_t136 == 0) {
							goto L25;
						}
						E011EFE94(_t136, _v1036, _t136, _v1060);
						_t175 = _v1044;
						_t166 =  *(_t175 + 4);
						__eflags = _t166;
						if(_t166 == 0) {
							L22:
							_t147 = 0x80004005;
							goto L34;
						}
						__eflags = _t166 - 0x100;
						if(_t166 > 0x100) {
							goto L22;
						}
						__eflags = _t166;
						if(_t166 == 0) {
							L18:
							E011F1A57(_t177, _t147,  *(_t175 + 4),  &_v1032);
							_t154 = _v1048;
							goto L19;
						}
						_t185 = _t175 + 8;
						_t179 = _t147;
						do {
							_t168 =  *_t185;
							_t185 =  &(_t185[1]);
							 *((char*)(_t186 + _t179 * 4 - 0x402)) = _t168 >> 0x10;
							 *((char*)(_t186 + _t179 * 4 - 0x403)) = _t168 >> 8;
							 *(_t186 + _t179 * 4 - 0x404) = _t168;
							 *(_t186 + _t179 * 4 - 0x401) = _t147;
							_t179 = _t179 + 1;
							__eflags = _t179 -  *(_t175 + 4);
						} while (_t179 <  *(_t175 + 4));
						_t183 = _v1040;
						_t177 = _v1068;
						goto L18;
					}
					_push(_t135);
					__eflags = E011F291F(__eflags);
					_t135 = _v1060;
					if(__eflags == 0) {
						goto L10;
					}
					E012EA400();
					_t136 = _t187;
					goto L11;
				} else {
					L36:
					return E012E980C(_v8 ^ _t186);
				}
			}

0x011ee9db
0x011ee9e2
0x011ee9e7
0x011ee9eb
0x011ee9ed
0x011ee9f5
0x011ee9fb
0x011eea02
0x011eea04
0x011eea0a
0x011eea10
0x011eea1a
0x011eea1b
0x011eea26
0x011eea2a
0x011eea36
0x011eea36
0x011eea3c
0x011eea41
0x011eea48
0x011eea4e
0x011eea58
0x011eea58
0x011eea60
0x011eea8b
0x011eea97
0x011eea9d
0x011eea9f
0x011eeaa5
0x011eeaab
0x011eeab1
0x011eeb9c
0x011eeb9c
0x011eeba2
0x011eeba4
0x011eecc0
0x011eecd2
0x011eece5
0x011eecea
0x011eecf0
0x011eecf5
0x011eecfb
0x011eed0b
0x011eed0b
0x011eed0b
0x011eed0d
0x00000000
0x00000000
0x011eed03
0x011eed05
0x011eed0a
0x00000000
0x011eed0f
0x011eebad
0x011eebb6
0x011eebc2
0x011eebc3
0x011eebc4
0x011eebcc
0x011eebd2
0x011eebd3
0x011eebd9
0x011eebdf
0x011eebe2
0x011eebe7
0x011eebe9
0x011eebeb
0x011eec02
0x011eebed
0x011eebf3
0x011eebf3
0x011eec04
0x011eec06
0x011eec1c
0x011eec28
0x011eec31
0x011eec37
0x011eec3d
0x011eec43
0x011eec46
0x011eec8f
0x011eec8f
0x011eec95
0x011eec9b
0x011eec9c
0x011eec9f
0x011eeca4
0x011eeca6
0x011eeca8
0x011eeca8
0x00000000
0x011eeca6
0x011eec48
0x011eec4e
0x011eec54
0x011eec58
0x011eec63
0x011eec66
0x011eec72
0x011eec75
0x011eec76
0x011eec7c
0x011eec82
0x011eec82
0x011eec87
0x011eec8d
0x011eec8d
0x00000000
0x011eec08
0x011eec08
0x011eec08
0x00000000
0x011eec08
0x011eec06
0x011eeabd
0x011eeac2
0x011eeac8
0x011eeacd
0x011eeae9
0x011eeaf0
0x011eeaf5
0x011eeafb
0x011eeb01
0x011eeb01
0x011eeb07
0x011eeb09
0x00000000
0x00000000
0x011eeb1c
0x011eeb21
0x011eeb27
0x011eeb2a
0x011eeb2c
0x011eebf8
0x011eebf8
0x00000000
0x011eebf8
0x011eeb32
0x011eeb38
0x00000000
0x00000000
0x011eeb3e
0x011eeb40
0x011eeb84
0x011eeb91
0x011eeb96
0x00000000
0x011eeb96
0x011eeb42
0x011eeb45
0x011eeb47
0x011eeb47
0x011eeb4e
0x011eeb51
0x011eeb5d
0x011eeb64
0x011eeb6b
0x011eeb72
0x011eeb73
0x011eeb73
0x011eeb78
0x011eeb7e
0x00000000
0x011eeb7e
0x011eeacf
0x011eead5
0x011eead7
0x011eeade
0x00000000
0x00000000
0x011eeae0
0x011eeae5
0x00000000
0x011eea8d
0x011eed11
0x011eed27
0x011eed27

APIs

Part of subcall function 011EFEDE: GdipGetImagePixelFormat.GDIPLUS(?,013A953C,00000000,00000000,?,011EEA00,?,00000000,013A953C), ref: 011EFEEC

GdipBitmapLockBits.GDIPLUS(00000007,?,00000001,?,?,00000000,00000000,?,00000000,00000000,?,?,00000000,013A953C), ref: 011EEBE2

Part of subcall function 011EFEB8: GdipGetImagePaletteSize.GDIPLUS(00000007,00000000,00000000,?,?,011EEAC2,00000000,00000000,?,00000000,00000000,?,?,00000000), ref: 011EFECA

GdipBitmapUnlockBits.GDIPLUS(00000007,?,00000007,?,00000001,?,?,00000000,00000000,?,00000000,00000000,?,?,00000000,013A953C), ref: 011EEC9F

Part of subcall function 011ECDB6: GdipCreateBitmapFromScan0.GDIPLUS(00000000,?,?,00000000,00000000,013A953C,00000000,?,?,011EECC5,?,?,?,00022009,?,00000000), ref: 011ECDDD

Part of subcall function 011ECFB7: GdipGetImageGraphicsContext.GDIPLUS(?,013A953C,00000000,?,?,011EECD7,?,?,?,?,00022009,?,00000000,00000000,?,00000000), ref: 011ECFD1

Part of subcall function 011EFB60: GdipDrawImageI.GDIPLUS(?,00000000,?,?,00000000,?,011EECEA,?,00000000,00000000,?,?,?,?,00022009,?), ref: 011EFB7D

GdipDeleteGraphics.GDIPLUS(?,?,00000000,00000000,?,?,?,?,00022009,?,00000000,00000000,?,00000000,00000000,?), ref: 011EECF0
GdipDisposeImage.GDIPLUS(?,?,?,00000000,00000000,?,?,?,?,00022009,?,00000000,00000000,?,00000000,00000000), ref: 011EECFB

Strings

&, xrefs: 011EEA43

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: Gdip$Image$Bitmap$BitsGraphics$ContextCreateDeleteDisposeDrawFormatFromLockPalettePixelScan0SizeUnlock
String ID: &
API String ID: 1598553542-3042966939
Opcode ID: 5ffb68d62c6b58b82b9eced0ea29407f25d67630f9058153c65933285a9cb878
Instruction ID: 849a64bf393c4e25031b9589bd7029d7bbb95dd8d5b7a2710a207053c79dd1c5
Opcode Fuzzy Hash: 5ffb68d62c6b58b82b9eced0ea29407f25d67630f9058153c65933285a9cb878
Instruction Fuzzy Hash: 559140F1A015299BDF28CF54CC94AA9B7B5BB48304F4441E9EA09A7201D730AEC5CF59

Uniqueness

Uniqueness Score: -1.00%

Function 011F0930 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E011F0930(void* __ecx, void* __edx, void* __fp0) {
				int _t56;
				void* _t57;
				int _t58;
				void* _t59;
				int _t61;
				void* _t62;
				signed int _t63;
				void* _t77;
				void* _t80;
				int _t87;
				signed int _t93;
				void* _t104;
				void* _t105;
				void* _t110;
				int* _t111;
				void* _t113;
				void* _t115;

				_t115 = __fp0;
				_t104 = __edx;
				_push(0x28);
				E012EA0A3();
				_t105 = __ecx;
				_t87 = 0;
				if( *((intOrPtr*)(__ecx + 0x28)) == 0) {
					__eflags =  *(_t113 + 8);
					if( *(_t113 + 8) == 0) {
						goto L1;
					}
					asm("sbb esi, esi");
					_t110 =  !( ~( *(_t113 + 8) & 0xffff0000)) &  *(_t113 + 8);
					 *(_t113 - 0x14) = _t110;
					__eflags =  *(_t113 + 0x10);
					if( *(_t113 + 0x10) != 0) {
						__eflags = _t110;
						if(_t110 == 0) {
							L5:
							 *(_t113 - 0x18) = _t87;
							 *((intOrPtr*)(_t113 - 0x1c)) = 0x1339c3c;
							 *(_t113 - 4) = _t87;
							_t57 = E011F07DE(_t113 - 0x1c, _t104, _t115,  *(_t113 + 8),  *(_t113 + 0xc));
							__eflags = _t57;
							if(_t57 == 0) {
								__eflags =  *(_t113 + 0xc);
								if( *(_t113 + 0xc) == 0) {
									 *(_t113 + 0xc) =  *(E011B72B6(_t110) + 0xc);
								}
								_t58 = 0x2000;
								__eflags =  *((intOrPtr*)(_t105 + 0x34)) - _t87;
								if( *((intOrPtr*)(_t105 + 0x34)) != _t87) {
									_t77 = E011C5322();
									__eflags =  *((intOrPtr*)(_t77 + 0x184)) - _t87;
									_t58 = 0x3000;
									if( *((intOrPtr*)(_t77 + 0x184)) != _t87) {
										_t58 = 0x2000;
									}
								}
								_t59 = LoadImageW( *(_t113 + 0xc),  *(_t113 + 8), _t87, _t87, _t87, _t58);
							} else {
								_t59 = E011B9069(_t113 - 0x1c, _t104);
							}
							 *(_t113 - 0x10) = _t59;
							__eflags = _t59;
							if(_t59 == 0) {
								L35:
								 *((intOrPtr*)(_t113 - 0x1c)) = 0x1331fa4;
								E011681B0(_t87, _t113 - 0x1c, _t105, _t110);
								_t56 = _t87;
								L36:
								E012EA06C();
								return _t56;
							} else {
								_t61 = GetObjectW(_t59, 0x18, _t113 - 0x34);
								__eflags = _t61;
								if(_t61 != 0) {
									__eflags =  *(_t113 - 0x22) - 0x20;
									if( *(_t113 - 0x22) < 0x20) {
										__eflags =  *(_t113 - 0x22) - 8;
										if( *(_t113 - 0x22) <= 8) {
											L23:
											_t62 = E011C5322();
											__eflags =  *((intOrPtr*)(_t62 + 0x184)) - _t87;
											if( *((intOrPtr*)(_t62 + 0x184)) == _t87) {
												L25:
												_t93 =  *(_t113 - 0x22) & 0x0000ffff;
												_t63 =  *(_t105 + 8);
												__eflags = _t63 - _t93;
												if(_t63 <= _t93) {
													_t63 = _t93;
												}
												__eflags =  *(_t113 + 0x10);
												 *(_t105 + 8) = _t63;
												if( *(_t113 + 0x10) == 0) {
													 *(_t105 + 0x8c) =  *(_t113 - 0x10);
												} else {
													__eflags = _t110;
													if(__eflags != 0) {
														 *((intOrPtr*)(E011ED1D2(_t87, _t104, _t105, __eflags,  *(_t113 - 0x14)))) =  *((intOrPtr*)(_t105 + 4));
														_t110 =  *(_t113 - 0x14);
													}
													E011EDB29(_t105, _t115,  *(_t113 - 0x10), _t87);
													__eflags = _t110;
													if(_t110 != 0) {
														E011D763A(_t105 + 0xc0, _t110);
														E011D763A(_t105 + 0xdc,  *(_t113 + 0xc));
													}
													DeleteObject( *(_t113 - 0x10));
												}
												E011F24B0(_t105);
												_t111 = _t105 + 0x90;
												E011BD6C7(_t111);
												 *_t111 = _t87;
												_t110 = _t105 + 0x94;
												E011BD6C7(_t110);
												 *_t110 = _t87;
												_t87 = 1;
												__eflags = 1;
												goto L35;
											}
											L24:
											E011F0B31(_t104, _t115, _t113 - 0x10, _t87, 0xffffffff, 0xffffffff);
											goto L25;
										}
										__eflags =  *((intOrPtr*)(_t105 + 0x34)) - _t87;
										if( *((intOrPtr*)(_t105 + 0x34)) != _t87) {
											goto L24;
										}
										goto L23;
									}
									E011F16D0(_t87, _t105, _t110,  *(_t113 - 0x10),  *((intOrPtr*)(_t105 + 0x3c)));
									goto L25;
								}
								DeleteObject( *(_t113 - 0x10));
								goto L35;
							}
						}
						_t80 = E011EFDF4(__ecx + 0xc0, _t110, 0);
						__eflags = _t80;
						if(_t80 == 0) {
							goto L5;
						}
						_t56 = 1;
						goto L36;
					}
					E011BD6C7(__ecx + 0x8c);
					E01251820(__ecx + 0xc0);
					E01251820(_t105 + 0xdc);
					E011F1A12(_t105 + 0xf8, _t105);
					goto L5;
				}
				L1:
				_t56 = 0;
				goto L36;
			}

0x011f0930
0x011f0930
0x011f0930
0x011f0937
0x011f093c
0x011f093e
0x011f0943
0x011f094c
0x011f094f
0x00000000
0x00000000
0x011f095c
0x011f0960
0x011f0963
0x011f0966
0x011f0969
0x011f09c1
0x011f09c3
0x011f0998
0x011f0998
0x011f099b
0x011f09a8
0x011f09ae
0x011f09b3
0x011f09b5
0x011f09de
0x011f09e2
0x011f09ec
0x011f09ec
0x011f09ef
0x011f09f4
0x011f09f7
0x011f09f9
0x011f09fe
0x011f0a04
0x011f0a09
0x011f0a0b
0x011f0a0b
0x011f0a09
0x011f0a1a
0x011f09b7
0x011f09ba
0x011f09ba
0x011f0a20
0x011f0a23
0x011f0a25
0x011f0b18
0x011f0b1b
0x011f0b22
0x011f0b27
0x011f0b29
0x011f0b29
0x011f0b2e
0x011f0a2b
0x011f0a32
0x011f0a38
0x011f0a3a
0x011f0a4a
0x011f0a4f
0x011f0a5e
0x011f0a63
0x011f0a6a
0x011f0a6a
0x011f0a6f
0x011f0a75
0x011f0a85
0x011f0a85
0x011f0a89
0x011f0a8c
0x011f0a8e
0x011f0a90
0x011f0a90
0x011f0a92
0x011f0a96
0x011f0a99
0x011f0aec
0x011f0a9b
0x011f0a9b
0x011f0a9d
0x011f0ab0
0x011f0ab2
0x011f0ab2
0x011f0abb
0x011f0ac0
0x011f0ac2
0x011f0acb
0x011f0ad9
0x011f0ad9
0x011f0ae1
0x011f0ae1
0x011f0af4
0x011f0af9
0x011f0b00
0x011f0b05
0x011f0b07
0x011f0b0e
0x011f0b13
0x011f0b17
0x011f0b17
0x00000000
0x011f0b17
0x011f0a77
0x011f0a80
0x00000000
0x011f0a80
0x011f0a65
0x011f0a68
0x00000000
0x00000000
0x00000000
0x011f0a68
0x011f0a57
0x00000000
0x011f0a57
0x011f0a3f
0x00000000
0x011f0a3f
0x011f0a25
0x011f09cd
0x011f09d2
0x011f09d4
0x00000000
0x00000000
0x011f09d8
0x00000000
0x011f09d8
0x011f0972
0x011f097d
0x011f0988
0x011f0993
0x00000000
0x011f0993
0x011f0945
0x011f0945
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 011F0937

Strings

, xrefs: 011F0A4A

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-3916222277
Opcode ID: 8c7046da229f1f311f126a92b9665353a9a796e9f3152ba765020bcd4f479d84
Instruction ID: d94efb322f823a791da5f57098788ba5bd3759b450c05c206ea0a51c9288f02a
Opcode Fuzzy Hash: 8c7046da229f1f311f126a92b9665353a9a796e9f3152ba765020bcd4f479d84
Instruction Fuzzy Hash: 40319575D0061BDFEF189FA4C884AFEBB76BF18308F04852DFA4566142E7749954CB90

Uniqueness

Uniqueness Score: -1.00%

Function 012F97C2 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E012F97C2(void* __ebx, void* __edi, intOrPtr _a4) {
				void* __esi;
				void* _t4;

				_t21 = __edi;
				_t10 = __ebx;
				if(_a4 != 0) {
					_t23 = E012ED807(_a4, 0x2e);
					if(_t3 == 0 || E012FF8D6(__ebx, __edi, _t23, _t23, L".exe") != 0 && E012FF8D6(__ebx, __edi, _t23, _t23, L".cmd") != 0 && E012FF8D6(_t10, _t21, _t23, _t23, L".bat") != 0 && E012FF8D6(_t10, _t21, _t23, _t23, L".com") != 0) {
						_t4 = 0;
					} else {
						_t4 = 1;
					}
					return _t4;
				} else {
					return 0;
				}
			}

0x012f97c2
0x012f97c2
0x012f97cb
0x012f97dc
0x012f97e2
0x012f9828
0x012f982c
0x012f982c
0x012f982c
0x012f9830
0x012f97cd
0x012f97d0
0x012f97d0

APIs

_wcsrchr.LIBVCRUNTIME ref: 012F97D7

Strings

.bat, xrefs: 012F9806
.cmd, xrefs: 012F97F5
.com, xrefs: 012F9817
.exe, xrefs: 012F97E4

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: _wcsrchr
String ID: .bat$.cmd$.com$.exe
API String ID: 1752292252-4019086052
Opcode ID: 9571636f897eb77db2d8d88a533e613e20751fe933e38d4a337918e495cc5bc2
Instruction ID: 9598e706734f748f6b994e7fb79fd519446178a003a29acbaeb6125795d4df86
Opcode Fuzzy Hash: 9571636f897eb77db2d8d88a533e613e20751fe933e38d4a337918e495cc5bc2
Instruction Fuzzy Hash: 5BF0682B56972B65EF252029BC02FBB9B8DCF12578F10007EFB0855981DE41D48141D4

Uniqueness

Uniqueness Score: -1.00%

Function 011C00FB Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E011C00FB(void* __eflags) {
				WCHAR* _t20;
				signed char _t25;
				void* _t26;
				struct HWND__** _t38;
				void* _t39;

				_push(4);
				E012EA0A3();
				E01143CD0(_t39 - 0x10, E011B2411());
				 *(_t39 - 4) =  *(_t39 - 4) & 0x00000000;
				_t20 = E011444A0(_t39 - 0x10, 0x400);
				E011447D0(_t39 - 0x10, 0x400);
				_t38 =  *(_t39 + 8);
				GetClassNameW( *_t38, _t20, 0x400);
				E01167EE0(_t39 - 0x10, 0xffffffff);
				if(E011678E0(_t39 - 0x10, L"ComboBox") == 0 || E011678E0(_t39 - 0x10, L"ComboBoxEx32") == 0) {
					_t25 = GetWindowLongW( *_t38, 0xfffffff0);
					if(_t38[0xd] > 0 && (_t25 & 0x00000001) == 0) {
						_t38[0xd] = _t38[0xd] & 0x00000000;
					}
				}
				_t26 = E01144240( *((intOrPtr*)(_t39 - 0x10)) - 0x10);
				E012EA06C();
				return _t26;
			}

0x011c00fb
0x011c0102
0x011c0110
0x011c0115
0x011c0122
0x011c012d
0x011c0134
0x011c0139
0x011c0144
0x011c0158
0x011c016f
0x011c0179
0x011c017f
0x011c017f
0x011c0179
0x011c0189
0x011c018e
0x011c0193

APIs

__EH_prolog3.LIBCMT ref: 011C0102
GetClassNameW.USER32 ref: 011C0139

Part of subcall function 011678E0: __CrtIsValidPointer.LIBCMTD ref: 011678F2

GetWindowLongW.USER32(?,000000F0), ref: 011C016F

Strings

ComboBox, xrefs: 011C0149
ComboBoxEx32, xrefs: 011C015A

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: ClassH_prolog3LongNamePointerValidWindow
String ID: ComboBox$ComboBoxEx32
API String ID: 14650570-1907415764
Opcode ID: d17a218fe1a5bae4a41b6cbe7bba1682681c22451c21c25f41cd47cede65aa36
Instruction ID: be29fdde29e2a0952dd87716c7eba09ae953d419a6930923fc50fa2ee3401b7f
Opcode Fuzzy Hash: d17a218fe1a5bae4a41b6cbe7bba1682681c22451c21c25f41cd47cede65aa36
Instruction Fuzzy Hash: AC01AD758201229BCB28EB54CC54BBEB378BF70B68F240A2CE421A24D0DF30AA05CB14

Uniqueness

Uniqueness Score: -1.00%

Function 011C716E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 45
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E011C716E(void** __ecx, short* _a4) {
				long _t6;
				struct HINSTANCE__* _t7;
				intOrPtr* _t15;

				_t13 = __ecx;
				_t11 =  *((intOrPtr*)(__ecx + 8));
				if( *((intOrPtr*)(__ecx + 8)) == 0) {
					if( *0x13a8fe8 != 0) {
						_t15 =  *0x13a8fe4; // 0x0
					} else {
						_t7 = GetModuleHandleW(L"Advapi32.dll");
						if(_t7 == 0) {
							_t15 =  *0x13a8fe4; // 0x0
						} else {
							_t15 = GetProcAddress(_t7, "RegDeleteKeyExW");
							 *0x13a8fe4 = _t15;
						}
						 *0x13a8fe8 = 1;
					}
					if(_t15 == 0) {
						_t6 = RegDeleteKeyW( *_t13, _a4);
					} else {
						L012EA066();
						_t6 =  *_t15( *_t13, _a4, _t13[1], 0);
					}
					return _t6;
				}
				return E011B674A(_t11,  *((intOrPtr*)(__ecx)), _a4);
			}

0x011c7172
0x011c7174
0x011c7179
0x011c718f
0x011c71c5
0x011c7191
0x011c7196
0x011c719e
0x011c71b6
0x011c71a0
0x011c71ac
0x011c71ae
0x011c71ae
0x011c71bc
0x011c71bc
0x011c71cd
0x011c71e9
0x011c71cf
0x011c71db
0x011c71e0
0x011c71e0
0x00000000
0x011c71ef
0x00000000

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,00000000,?,?,011D4855,?,?,?,?,00000000,?,?), ref: 011C7196
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 011C71A6

Part of subcall function 011B674A: GetModuleHandleW.KERNEL32(Advapi32.dll,?,00000000,?,?,011C7185,?,?,?,?,011D4855,?,?,?,?,00000000), ref: 011B675D
Part of subcall function 011B674A: GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 011B676D

Strings

Advapi32.dll, xrefs: 011C7191
RegDeleteKeyExW, xrefs: 011C71A0

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegDeleteKeyExW
API String ID: 1646373207-2191092095
Opcode ID: 457e54a08a72af366e63468aa86b06e1199acc2a89a28b4a271c6e4637077f17
Instruction ID: 050c2e1747bee7a0235dc2f103defbdd19c4b86da7dcd0b4e036eebd8af90495
Opcode Fuzzy Hash: 457e54a08a72af366e63468aa86b06e1199acc2a89a28b4a271c6e4637077f17
Instruction Fuzzy Hash: 2301A739604111ABDB395F65E808FA87F6FAFA8B52F05406EFA0553298C7B15860CF91

Uniqueness

Uniqueness Score: -1.00%

Function 01306D7C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,01306D71,0130B124,?,01306D11,0130B124,013990E0,0000000C,01306E24,0130B124,00000002), ref: 01306D9C
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 01306DAF
FreeLibrary.KERNEL32(00000000,?,?,?,01306D71,0130B124,?,01306D11,0130B124,013990E0,0000000C,01306E24,0130B124,00000002,00000000), ref: 01306DD2

Strings

mscoree.dll, xrefs: 01306D95
CorExitProcess, xrefs: 01306DA7

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: f5131384162699988d3aa2727eaa764cefccf2bfa039c35daf1f586a858cd2bf
Instruction ID: f9755634901753d8778a919cb07dc302067501fe67f68b7721d881304c73ac7b
Opcode Fuzzy Hash: f5131384162699988d3aa2727eaa764cefccf2bfa039c35daf1f586a858cd2bf
Instruction Fuzzy Hash: B6F0C870A00219FBDB35AF95D81AB9DBFFCEF04716F00406DF905A2284CB304980CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01308373 Relevance: 7.6, APIs: 5, Instructions: 129
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 83%

			E01308373(signed int* __ecx, signed int __edx) {
				signed int _v8;
				intOrPtr* _v12;
				signed int _v16;
				signed int _t28;
				signed int _t29;
				intOrPtr _t33;
				signed int _t37;
				signed int _t38;
				signed int _t40;
				void* _t50;
				signed int _t56;
				intOrPtr* _t57;
				signed int _t68;
				signed int _t71;
				signed int _t72;
				signed int _t74;
				signed int _t75;
				signed int _t78;
				signed int _t80;
				signed int* _t81;
				signed int _t85;
				void* _t86;

				_t72 = __edx;
				_v12 = __ecx;
				_t28 =  *__ecx;
				_t81 =  *_t28;
				if(_t81 != 0) {
					_t29 =  *0x139eff4; // 0xdde28b47
					_t56 =  *_t81 ^ _t29;
					_t78 = _t81[1] ^ _t29;
					_t83 = _t81[2] ^ _t29;
					asm("ror edi, cl");
					asm("ror esi, cl");
					asm("ror ebx, cl");
					if(_t78 != _t83) {
						L14:
						 *_t78 = E0130AFB9( *((intOrPtr*)( *((intOrPtr*)(_v12 + 4)))));
						_t33 = E012E9C91(_t56);
						_t57 = _v12;
						 *((intOrPtr*)( *((intOrPtr*)( *_t57)))) = _t33;
						_t24 = _t78 + 4; // 0x4
						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 4)) = E012E9C91(_t24);
						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 8)) = E012E9C91(_t83);
						_t37 = 0;
						L15:
						return _t37;
					}
					_t38 = 0x200;
					_t85 = _t83 - _t56 >> 2;
					if(_t85 <= 0x200) {
						_t38 = _t85;
					}
					_t80 = _t38 + _t85;
					if(_t80 == 0) {
						_t80 = 0x20;
					}
					if(_t80 < _t85) {
						L9:
						_push(4);
						_t80 = _t85 + 4;
						_push(_t80);
						_v8 = E01304C2F(_t56);
						_t40 = E0130B4D5(0);
						_t68 = _v8;
						_t86 = _t86 + 0x10;
						if(_t68 != 0) {
							goto L11;
						}
						_t37 = _t40 | 0xffffffff;
						goto L15;
					} else {
						_push(4);
						_push(_t80);
						_v8 = E01304C2F(_t56);
						E0130B4D5(0);
						_t68 = _v8;
						_t86 = _t86 + 0x10;
						if(_t68 != 0) {
							L11:
							_t56 = _t68;
							_v8 = _t68 + _t85 * 4;
							_t83 = _t68 + _t80 * 4;
							_t78 = _v8;
							_push(0x20);
							asm("ror eax, cl");
							_t71 = _t78;
							_v16 = 0 ^  *0x139eff4;
							asm("sbb edx, edx");
							_t74 =  !_t72 & _t68 + _t80 * 0x00000004 - _t78 + 0x00000003 >> 0x00000002;
							_v8 = _t74;
							if(_t74 == 0) {
								goto L14;
							}
							_t75 = _v16;
							_t50 = 0;
							do {
								_t50 = _t50 + 1;
								 *_t71 = _t75;
								_t71 = _t71 + 4;
							} while (_t50 != _v8);
							goto L14;
						}
						goto L9;
					}
				}
				return _t28 | 0xffffffff;
			}

0x01308373
0x0130837d
0x01308381
0x01308383
0x01308387
0x01308391
0x013083a2
0x013083a7
0x013083a9
0x013083ab
0x013083ad
0x013083af
0x013083b3
0x0130846d
0x0130847b
0x0130847d
0x01308482
0x01308489
0x0130848b
0x01308499
0x013084a8
0x013084ab
0x013084ad
0x00000000
0x013084ae
0x013083bb
0x013083c0
0x013083c5
0x013083c7
0x013083c7
0x013083c9
0x013083ce
0x013083d2
0x013083d2
0x013083d5
0x013083f4
0x013083f4
0x013083f6
0x013083f9
0x01308402
0x01308405
0x0130840a
0x0130840d
0x01308412
0x00000000
0x00000000
0x01308414
0x00000000
0x013083d7
0x013083d7
0x013083d9
0x013083e2
0x013083e5
0x013083ea
0x013083ed
0x013083f2
0x0130841c
0x0130841f
0x01308421
0x01308424
0x0130842c
0x01308432
0x01308439
0x0130843b
0x01308443
0x01308452
0x01308456
0x01308458
0x0130845b
0x00000000
0x00000000
0x0130845d
0x01308460
0x01308462
0x01308462
0x01308463
0x01308465
0x01308468
0x00000000
0x01308462
0x00000000
0x013083f2
0x013083d5
0x00000000

APIs

_free.LIBCMT ref: 013083E5
_free.LIBCMT ref: 01308405

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: b04dd94e5982d72a7df2b437be2673a3fa2609f21b08a391089ee637a8fac5d2
Instruction ID: 8389472e759dcb1b8684781d42a9420ba4e1616f54994afe276052331c8557ae
Opcode Fuzzy Hash: b04dd94e5982d72a7df2b437be2673a3fa2609f21b08a391089ee637a8fac5d2
Instruction Fuzzy Hash: B741D136E002149FCB26DF7CC890A5AB7F5EF88318F1645ADD515EB381DB31A901CB81

Uniqueness

Uniqueness Score: -1.00%

Function 011F0855 Relevance: 7.6, APIs: 5, Instructions: 79
memoryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E011F0855(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __fp0, signed int _a4, struct HINSTANCE__* _a8, void* _a12) {
				signed int _v8;
				void* _v20;
				void* _v24;
				int _v28;
				char _v32;
				signed short _v38;
				void _v56;
				void* _t67;
				void* _t68;
				void* _t69;
				intOrPtr* _t71;
				void* _t74;
				void* _t75;
				int _t78;
				void* _t79;
				int _t80;
				void* _t81;
				int _t83;
				void* _t84;
				signed int _t85;
				void* _t99;
				void* _t102;
				int _t112;
				void* _t118;
				void* _t120;
				signed int _t124;
				void* _t135;
				void* _t137;
				void* _t139;
				void* _t141;
				void* _t144;
				void* _t149;
				int* _t150;
				void* _t159;

				_t159 = __fp0;
				_t135 = __edx;
				_push(__ecx);
				_push(__esi);
				_push(__edi);
				_t137 = __ecx;
				_t141 = GlobalAlloc(2, _a8);
				if(_t141 != 0) {
					_v8 = _v8 & 0x00000000;
					E012EE160(GlobalLock(_t141), _a4, _a8);
					_t67 =  &_v8;
					__imp__CreateStreamOnHGlobal(_t141, 1, _t67);
					__eflags = _t67;
					if(_t67 != 0) {
						goto L1;
					} else {
						_push(__ebx);
						__eflags =  *0x13a94f8 - _t67;
						if( *0x13a94f8 != _t67) {
							EnterCriticalSection(0x13a953c);
						}
						_t69 =  *0x13a9530; // 0x0
						__eflags = _t69;
						if(__eflags != 0) {
							L10:
							E011F04DE(0x13a953c, _t69, _t137, __eflags, _v8);
							_t71 = _v8;
							L012EA066();
							 *((intOrPtr*)( *((intOrPtr*)( *_t71 + 8))))(_t71);
							_t118 =  *0x13a9530; // 0x0
							_t74 = E011B8E9D(_t137, _t135, _t137, E011EEF6E(_t118));
							__eflags =  *0x13a94f8;
							_t144 = _t74;
							if( *0x13a94f8 != 0) {
								LeaveCriticalSection(0x13a953c);
							}
							_t68 = _t144;
							goto L13;
						} else {
							_t75 = E011A6FE4(__eflags, 0x34);
							_pop(_t120);
							__eflags = _t75;
							if(_t75 == 0) {
								_t69 = 0;
								__eflags = 0;
							} else {
								_t120 = _t75;
								_t69 = E011ECDF4(_t120);
							}
							 *0x13a9530 = _t69;
							__eflags = _t69;
							if(__eflags == 0) {
								E011B1E69(_t120);
								asm("int3");
								_push(0x28);
								E012EA0A3();
								_t139 = _t120;
								_t112 = 0;
								__eflags =  *(_t139 + 0x28);
								if( *(_t139 + 0x28) == 0) {
									__eflags = _a4;
									if(_a4 == 0) {
										goto L16;
									} else {
										asm("sbb esi, esi");
										_t149 =  !( ~(_a4 & 0xffff0000)) & _a4;
										_v24 = _t149;
										__eflags = _a12;
										if(_a12 != 0) {
											__eflags = _t149;
											if(_t149 == 0) {
												goto L20;
											} else {
												_t102 = E011EFDF4(_t139 + 0xc0, _t149, 0);
												__eflags = _t102;
												if(_t102 == 0) {
													goto L20;
												} else {
													_t78 = 1;
												}
											}
										} else {
											E011BD6C7(_t139 + 0x8c);
											E01251820(_t139 + 0xc0);
											E01251820(_t139 + 0xdc);
											E011F1A12(_t139 + 0xf8, _t139);
											L20:
											_v28 = _t112;
											_v32 = 0x1339c3c;
											_v8 = _t112;
											_t79 = E011F07DE( &_v32, _t135, _t159, _a4, _a8);
											__eflags = _t79;
											if(_t79 == 0) {
												__eflags = _a8;
												if(_a8 == 0) {
													_a8 =  *((intOrPtr*)(E011B72B6(_t149) + 0xc));
												}
												_t80 = 0x2000;
												__eflags =  *((intOrPtr*)(_t139 + 0x34)) - _t112;
												if( *((intOrPtr*)(_t139 + 0x34)) != _t112) {
													_t99 = E011C5322();
													__eflags =  *((intOrPtr*)(_t99 + 0x184)) - _t112;
													_t80 = 0x3000;
													if( *((intOrPtr*)(_t99 + 0x184)) != _t112) {
														_t80 = 0x2000;
													}
												}
												_t81 = LoadImageW(_a8, _a4, _t112, _t112, _t112, _t80);
											} else {
												_t81 = E011B9069( &_v32, _t135);
											}
											_v20 = _t81;
											__eflags = _t81;
											if(_t81 != 0) {
												_t83 = GetObjectW(_t81, 0x18,  &_v56);
												__eflags = _t83;
												if(_t83 != 0) {
													__eflags = _v38 - 0x20;
													if(_v38 < 0x20) {
														__eflags = _v38 - 8;
														if(_v38 <= 8) {
															L38:
															_t84 = E011C5322();
															__eflags =  *((intOrPtr*)(_t84 + 0x184)) - _t112;
															if( *((intOrPtr*)(_t84 + 0x184)) != _t112) {
																goto L39;
															}
														} else {
															__eflags =  *((intOrPtr*)(_t139 + 0x34)) - _t112;
															if( *((intOrPtr*)(_t139 + 0x34)) != _t112) {
																L39:
																E011F0B31(_t135, _t159,  &_v20, _t112, 0xffffffff, 0xffffffff);
															} else {
																goto L38;
															}
														}
													} else {
														E011F16D0(_t112, _t139, _t149, _v20,  *((intOrPtr*)(_t139 + 0x3c)));
													}
													_t124 = _v38 & 0x0000ffff;
													_t85 =  *(_t139 + 8);
													__eflags = _t85 - _t124;
													if(_t85 <= _t124) {
														_t85 = _t124;
													}
													__eflags = _a12;
													 *(_t139 + 8) = _t85;
													if(_a12 == 0) {
														 *((intOrPtr*)(_t139 + 0x8c)) = _v20;
													} else {
														__eflags = _t149;
														if(__eflags != 0) {
															 *((intOrPtr*)(E011ED1D2(_t112, _t135, _t139, __eflags, _v24))) =  *((intOrPtr*)(_t139 + 4));
															_t149 = _v24;
														}
														E011EDB29(_t139, _t159, _v20, _t112);
														__eflags = _t149;
														if(_t149 != 0) {
															E011D763A(_t139 + 0xc0, _t149);
															E011D763A(_t139 + 0xdc, _a8);
														}
														DeleteObject(_v20);
													}
													E011F24B0(_t139);
													_t150 = _t139 + 0x90;
													E011BD6C7(_t150);
													 *_t150 = _t112;
													_t149 = _t139 + 0x94;
													E011BD6C7(_t149);
													 *_t149 = _t112;
													_t112 = 1;
													__eflags = 1;
												} else {
													DeleteObject(_v20);
												}
											}
											_v32 = 0x1331fa4;
											E011681B0(_t112,  &_v32, _t139, _t149);
											_t78 = _t112;
										}
									}
								} else {
									L16:
									_t78 = 0;
								}
								E012EA06C();
								return _t78;
							} else {
								goto L10;
							}
						}
					}
				} else {
					L1:
					_t68 = 0;
					L13:
					return _t68;
				}
			}

0x011f0855
0x011f0855
0x011f0858
0x011f0859
0x011f085a
0x011f085e
0x011f0868
0x011f086c
0x011f0875
0x011f0887
0x011f088f
0x011f0896
0x011f089c
0x011f089e
0x00000000
0x011f08a0
0x011f08a0
0x011f08a6
0x011f08ac
0x011f08af
0x011f08af
0x011f08b5
0x011f08ba
0x011f08bc
0x011f08de
0x011f08e3
0x011f08e8
0x011f08f3
0x011f08f8
0x011f08fa
0x011f0908
0x011f090d
0x011f0914
0x011f0916
0x011f0919
0x011f0919
0x011f091f
0x00000000
0x011f08be
0x011f08c0
0x011f08c5
0x011f08c6
0x011f08c8
0x011f08d3
0x011f08d3
0x011f08ca
0x011f08ca
0x011f08cc
0x011f08cc
0x011f08d5
0x011f08da
0x011f08dc
0x011f092a
0x011f092f
0x011f0930
0x011f0937
0x011f093c
0x011f093e
0x011f0940
0x011f0943
0x011f094c
0x011f094f
0x00000000
0x011f0951
0x011f095c
0x011f0960
0x011f0963
0x011f0966
0x011f0969
0x011f09c1
0x011f09c3
0x00000000
0x011f09c5
0x011f09cd
0x011f09d2
0x011f09d4
0x00000000
0x011f09d6
0x011f09d8
0x011f09d8
0x011f09d4
0x011f096b
0x011f0972
0x011f097d
0x011f0988
0x011f0993
0x011f0998
0x011f0998
0x011f099b
0x011f09a8
0x011f09ae
0x011f09b3
0x011f09b5
0x011f09de
0x011f09e2
0x011f09ec
0x011f09ec
0x011f09ef
0x011f09f4
0x011f09f7
0x011f09f9
0x011f09fe
0x011f0a04
0x011f0a09
0x011f0a0b
0x011f0a0b
0x011f0a09
0x011f0a1a
0x011f09b7
0x011f09ba
0x011f09ba
0x011f0a20
0x011f0a23
0x011f0a25
0x011f0a32
0x011f0a38
0x011f0a3a
0x011f0a4a
0x011f0a4f
0x011f0a5e
0x011f0a63
0x011f0a6a
0x011f0a6a
0x011f0a6f
0x011f0a75
0x00000000
0x00000000
0x011f0a65
0x011f0a65
0x011f0a68
0x011f0a77
0x011f0a80
0x00000000
0x00000000
0x00000000
0x011f0a68
0x011f0a51
0x011f0a57
0x011f0a57
0x011f0a85
0x011f0a89
0x011f0a8c
0x011f0a8e
0x011f0a90
0x011f0a90
0x011f0a92
0x011f0a96
0x011f0a99
0x011f0aec
0x011f0a9b
0x011f0a9b
0x011f0a9d
0x011f0ab0
0x011f0ab2
0x011f0ab2
0x011f0abb
0x011f0ac0
0x011f0ac2
0x011f0acb
0x011f0ad9
0x011f0ad9
0x011f0ae1
0x011f0ae1
0x011f0af4
0x011f0af9
0x011f0b00
0x011f0b05
0x011f0b07
0x011f0b0e
0x011f0b13
0x011f0b17
0x011f0b17
0x011f0a3c
0x011f0a3f
0x011f0a3f
0x011f0a3a
0x011f0b1b
0x011f0b22
0x011f0b27
0x011f0b27
0x011f0969
0x011f0945
0x011f0945
0x011f0945
0x011f0945
0x011f0b29
0x011f0b2e
0x00000000
0x00000000
0x00000000
0x011f08dc
0x011f08bc
0x011f086e
0x011f086e
0x011f086e
0x011f0922
0x011f0927
0x011f0927

APIs

GlobalAlloc.KERNEL32(00000002,?,00000000,?,?,?,011F0841,00000000,00000000,?,01339C3C,01339C3C,?,011F15F0,?,00000000), ref: 011F0862
GlobalLock.KERNEL32 ref: 011F087A
CreateStreamOnHGlobal.OLE32(00000000,00000001,00000000), ref: 011F0896
EnterCriticalSection.KERNEL32(013A953C,00000000), ref: 011F08AF
LeaveCriticalSection.KERNEL32(013A953C,00000000), ref: 011F0919

Part of subcall function 011B1E69: __CxxThrowException@8.LIBVCRUNTIME ref: 011B1E7D

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: Global$CriticalSection$AllocCreateEnterException@8LeaveLockStreamThrow
String ID:
API String ID: 1527564800-0
Opcode ID: 02aac77d1e1c8d06d5aa90048a2861e79003ef327096323b5407000226b2edfb
Instruction ID: 481ac8851a1a2333f69f39ff418e5b573fc1c90349ff5c0407117c74860857b7
Opcode Fuzzy Hash: 02aac77d1e1c8d06d5aa90048a2861e79003ef327096323b5407000226b2edfb
Instruction Fuzzy Hash: F021A475A00216EBDB39AB74DC59B6E77AEBB1C715F00002DFA05E7245EB71D900C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0128FF73 Relevance: 7.6, APIs: 5, Instructions: 64
threadCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E0128FF73(signed int __edi) {
				void* _t8;
				intOrPtr _t9;
				signed int _t19;
				int _t23;
				intOrPtr _t24;
				void* _t25;
				intOrPtr* _t26;

				_push(0);
				_t8 = 0x1329341;
				E012EA0A3();
				if( *0x139e788 != 0) {
					if( *0x139ead0 != 0xfffffffe) {
						_t9 =  *((intOrPtr*)(_t25 + 8));
						 *0x139ead0 = _t9;
						_t8 =  ~(_t9 + 1);
						asm("sbb eax, eax");
						 *0x13ab670 =  *0x13ab670 & _t8;
						__eflags =  *0x13ab670;
					} else {
						_t24 =  *((intOrPtr*)(_t25 + 8));
						_t23 = __edi | 0xffffffff;
						if(_t24 != _t23) {
							_t19 =  *0x13ac8fc; // 0x0
							_t20 =  *((intOrPtr*)( *[fs:0x2c] + _t19 * 4));
							if( *0x13ab6b8 >  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x2c] + _t19 * 4)) + 4))) {
								E012E9B8D(0x13ab6b8);
								_pop(_t20);
								_t32 =  *0x13ab6b8 - _t23;
								if( *0x13ab6b8 == _t23) {
									 *(_t25 - 4) = 0;
									E011685C0(0x13ab698, _t32);
									E012E9F01(_t32, 0x132d0fb);
									 *(_t25 - 4) = _t23;
									 *_t26 = 0x13ab6b8;
									E012E9B4E(_t24);
									_pop(_t20);
								}
							}
							EnterCriticalSection(0x13ab6a0);
							if( *0x13ab670 != 0) {
								E011B1E69(_t20);
							}
							_t8 = E01303515(_t20, 0x1290070, 0, 0);
							 *0x13ab670 = _t8;
							if(_t8 == 0 || _t8 == _t23) {
								 *0x13ab670 = 0;
							} else {
								_t8 = SetThreadPriority(_t8, _t23);
								 *0x139ead0 = _t24;
							}
							LeaveCriticalSection(0x13ab6a0);
						}
					}
				}
				E012EA06C();
				return _t8;
			}

0x0128ff73
0x0128ff75
0x0128ff7a
0x0128ff86
0x0128ff93
0x01290057
0x0129005a
0x01290060
0x01290062
0x01290064
0x01290064
0x0128ff99
0x0128ff99
0x0128ff9c
0x0128ffa1
0x0128ffaf
0x0128ffb5
0x0128ffc3
0x0128ffca
0x0128ffcf
0x0128ffd0
0x0128ffd6
0x0128ffdd
0x0128ffe0
0x0128ffea
0x0128ffef
0x0128fff2
0x0128fff9
0x0128fffe
0x0128fffe
0x0128ffd6
0x01290004
0x01290011
0x01290013
0x01290013
0x0129001f
0x01290027
0x0129002e
0x01290044
0x01290034
0x01290036
0x0129003c
0x0129003c
0x0129004f
0x0129004f
0x0128ffa1
0x0128ff93
0x0129006a
0x0129006f

APIs

__EH_prolog3.LIBCMT ref: 0128FF7A
__Init_thread_footer.LIBCMT ref: 0128FFF9
EnterCriticalSection.KERNEL32(013AB6A0,00000000,0125C91C,00000001,00000001,?,?,?,01220392,?,011D784C,?), ref: 01290004
SetThreadPriority.KERNEL32(00000000,?,?,?,?,?,?,01220392,?,011D784C,?), ref: 01290036
LeaveCriticalSection.KERNEL32(013AB6A0,?,?,?,?,?,01220392,?,011D784C,?), ref: 0129004F

Part of subcall function 012E9F01: __onexit.LIBCMT ref: 012E9F07

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: CriticalSection$EnterH_prolog3Init_thread_footerLeavePriorityThread__onexit
String ID:
API String ID: 3710264076-0
Opcode ID: 6034abe03ae73ffb3fbd51fbf50f0192966a1a79d7072c7ee4747140b834f574
Instruction ID: 6b0497412e129d23d8d7022951941f3fc5916edd4aeab986fd0fc34545b5c9e2
Opcode Fuzzy Hash: 6034abe03ae73ffb3fbd51fbf50f0192966a1a79d7072c7ee4747140b834f574
Instruction Fuzzy Hash: 4621903156021ADFDF30FFACD489A28BBADFB51728F94062DE20187298DB759881CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0130BB98 Relevance: 7.6, APIs: 5, Instructions: 53
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 82%

			E0130BB98(void* __ecx) {
				void* __esi;
				intOrPtr _t2;
				void* _t4;
				void* _t10;
				void* _t11;
				void* _t13;
				void* _t15;
				long _t16;

				_t11 = __ecx;
				_t16 = GetLastError();
				_t10 = 0;
				_t2 =  *0x139f2c0; // 0x6
				_t19 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L2:
					_t15 = E0130A9E4(_t11, 1, 0x364);
					_pop(_t13);
					if(_t15 != 0) {
						_t4 = E0130CE17(_t13, _t16, __eflags,  *0x139f2c0, _t15);
						__eflags = _t4;
						if(_t4 != 0) {
							E0130B986(_t13, _t15, 0x13ad0bc);
							E0130B4D5(_t10);
							__eflags = _t15;
							if(_t15 != 0) {
								goto L9;
							} else {
								goto L8;
							}
						} else {
							_push(_t15);
							goto L4;
						}
					} else {
						_push(_t10);
						L4:
						E0130B4D5();
						L8:
						SetLastError(_t16);
					}
				} else {
					_t15 = E0130CDC1(_t11, _t16, _t19, _t2);
					if(_t15 != 0) {
						L9:
						SetLastError(_t16);
						_t10 = _t15;
					} else {
						goto L2;
					}
				}
				return _t10;
			}

0x0130bb98
0x0130bba3
0x0130bba5
0x0130bba7
0x0130bbac
0x0130bbaf
0x0130bbbd
0x0130bbc9
0x0130bbcc
0x0130bbcf
0x0130bbe1
0x0130bbe6
0x0130bbe8
0x0130bbf3
0x0130bbf9
0x0130bc01
0x0130bc03
0x00000000
0x00000000
0x00000000
0x00000000
0x0130bbea
0x0130bbea
0x00000000
0x0130bbea
0x0130bbd1
0x0130bbd1
0x0130bbd2
0x0130bbd2
0x0130bc05
0x0130bc06
0x0130bc06
0x0130bbb1
0x0130bbb7
0x0130bbbb
0x0130bc0e
0x0130bc0f
0x0130bc15
0x00000000
0x00000000
0x00000000
0x0130bbbb
0x0130bc1c

APIs

GetLastError.KERNEL32(?,?,?,012F921C,0130AA36,?,?,011A2CDD,00000008,00000804), ref: 0130BB9D
_free.LIBCMT ref: 0130BBD2
_free.LIBCMT ref: 0130BBF9
SetLastError.KERNEL32(00000000), ref: 0130BC06
SetLastError.KERNEL32(00000000), ref: 0130BC0F

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: ff243cbfa3efac0734abb85c809f385a24aacfb746ec7fc761cc8d9e1409d7ed
Instruction ID: 96af438ccbbaf77ff5a1f6ee6dc970a48905161d78bc18c7ba5a693bddbdd0a1
Opcode Fuzzy Hash: ff243cbfa3efac0734abb85c809f385a24aacfb746ec7fc761cc8d9e1409d7ed
Instruction Fuzzy Hash: FE01D63E14060227D633B96C5CA5D2A95DD9BD17FDB120539F905E21CDEE7588014220

Uniqueness

Uniqueness Score: -1.00%

Function 01312977 Relevance: 7.5, APIs: 5, Instructions: 40
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E01312977(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t21 = _a4;
				if(_t21 != 0) {
					_t23 =  *_t21 -  *0x139f148; // 0x139f140
					if(_t23 != 0) {
						E0130B4D5(_t7);
					}
					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x139f14c; // 0x13acce8
					if(_t24 != 0) {
						E0130B4D5(_t8);
					}
					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x139f150; // 0x13acce8
					if(_t25 != 0) {
						E0130B4D5(_t9);
					}
					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x139f178; // 0x139f144
					if(_t26 != 0) {
						E0130B4D5(_t10);
					}
					_t6 =  *((intOrPtr*)(_t21 + 0x34));
					_t27 = _t6 -  *0x139f17c; // 0x13accec
					if(_t27 != 0) {
						return E0130B4D5(_t6);
					}
				}
				return _t6;
			}

0x0131297d
0x01312982
0x01312986
0x0131298c
0x0131298f
0x01312994
0x01312998
0x0131299e
0x013129a1
0x013129a6
0x013129aa
0x013129b0
0x013129b3
0x013129b8
0x013129bc
0x013129c2
0x013129c5
0x013129ca
0x013129cb
0x013129ce
0x013129d4
0x00000000
0x013129dc
0x013129d4
0x013129df

APIs

_free.LIBCMT ref: 0131298F

Part of subcall function 0130B4D5: RtlFreeHeap.NTDLL(00000000,00000000,?,01312C2A,?,00000000,?,00000000,?,01312ECE,?,00000007,?,?,0131334A,?), ref: 0130B4EB
Part of subcall function 0130B4D5: GetLastError.KERNEL32(?,?,01312C2A,?,00000000,?,00000000,?,01312ECE,?,00000007,?,?,0131334A,?,?), ref: 0130B4FD

_free.LIBCMT ref: 013129A1
_free.LIBCMT ref: 013129B3
_free.LIBCMT ref: 013129C5
_free.LIBCMT ref: 013129D7

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e72393b49def57926fd9bec35bc8e953c3b3110747442133aaee2f386467ceee
Instruction ID: 4974c97842ec8883d0575105e9a9bfd8a6fe59f113efa86b4084532393f347ce
Opcode Fuzzy Hash: e72393b49def57926fd9bec35bc8e953c3b3110747442133aaee2f386467ceee
Instruction Fuzzy Hash: 7DF096724002006BD738DE6CF485C1BBBEEAB517B4B764805F148E7948CB31F8908BA0

Uniqueness

Uniqueness Score: -1.00%

Function 011B674A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E011B674A(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8) {
				struct HINSTANCE__* _t7;
				intOrPtr* _t13;
				intOrPtr* _t14;

				_t14 = __ecx;
				if( *__ecx == 0) {
					if( *((intOrPtr*)(__ecx + 4)) == 0) {
						L6:
						return 1;
					}
					return RegDeleteKeyW();
				}
				_t7 = GetModuleHandleW(L"Advapi32.dll");
				if(_t7 == 0) {
					goto L6;
				}
				_t13 = GetProcAddress(_t7, "RegDeleteKeyTransactedW");
				if(_t13 == 0) {
					goto L6;
				}
				L012EA066();
				return  *_t13(_a4, _a8, 0, 0,  *_t14, 0);
			}

0x011b674f
0x011b6756
0x011b6792
0x011b679e
0x00000000
0x011b67a0
0x011b6798
0x011b6798
0x011b675d
0x011b6765
0x00000000
0x00000000
0x011b6773
0x011b6777
0x00000000
0x00000000
0x011b6786
0x00000000

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,?,00000000,?,?,011C7185,?,?,?,?,011D4855,?,?,?,?,00000000), ref: 011B675D
GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 011B676D

Strings

Advapi32.dll, xrefs: 011B6758
RegDeleteKeyTransactedW, xrefs: 011B6767

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegDeleteKeyTransactedW
API String ID: 1646373207-2168864297
Opcode ID: 37e9054d96ba038d77d65b4f13b49ecc857c4d22fe7f122a42e90932e2ec24b8
Instruction ID: c99692c858e9a4b6f046fa91e7be29bc645164a7eb4e6af77d034d10804174cb
Opcode Fuzzy Hash: 37e9054d96ba038d77d65b4f13b49ecc857c4d22fe7f122a42e90932e2ec24b8
Instruction Fuzzy Hash: 9CF0B437204609BFEB342E99ACC48B77BDDEF906AA714803EF24582140DA318C11C760

Uniqueness

Uniqueness Score: -1.00%

Function 011B626B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,?,?,?,011C794A,?,00000000,00000000,?,?,?,?,?,?,011D47F9), ref: 011B627C
GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 011B628C

Strings

Advapi32.dll, xrefs: 011B6277
RegOpenKeyTransactedW, xrefs: 011B6286

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegOpenKeyTransactedW
API String ID: 1646373207-3913318428
Opcode ID: 15c8de427b6d7f79fb8968d8e9e60e3187b01b911a205b64066e1a64f04080d9
Instruction ID: b086e310b1a4436c736c83687138ed8265fac5caad62f6414e2b4b74823ece3d
Opcode Fuzzy Hash: 15c8de427b6d7f79fb8968d8e9e60e3187b01b911a205b64066e1a64f04080d9
Instruction Fuzzy Hash: EFF0B436240205ABFB362E99DC09BFA3FA9EBD4762F04807DFB01A1158D771C465DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0130BD47 Relevance: 6.3, APIs: 4, Instructions: 305
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 75%

			E0130BD47(void* __edx, signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				char _v40;
				intOrPtr _v48;
				char _v52;
				void* __ebx;
				void* __edi;
				void* _t86;
				signed int _t92;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				void* _t101;
				void* _t102;
				void* _t104;
				void* _t107;
				void* _t109;
				void* _t111;
				void* _t115;
				char* _t116;
				void* _t119;
				signed int _t121;
				signed int _t128;
				signed int* _t129;
				signed int _t136;
				signed int _t137;
				char _t138;
				signed int _t139;
				signed int _t142;
				signed int _t146;
				signed int _t151;
				char _t156;
				char _t157;
				void* _t161;
				unsigned int _t162;
				signed int _t164;
				signed int _t166;
				signed int _t170;
				void* _t171;
				signed int* _t172;
				signed int _t174;
				signed int _t181;
				signed int _t182;
				signed int _t183;
				signed int _t184;
				signed int _t185;
				signed int _t186;
				signed int _t187;

				_t171 = __edx;
				_t181 = _a24;
				if(_t181 < 0) {
					_t181 = 0;
				}
				_t184 = _a8;
				 *_t184 = 0;
				E012F6BB6(0,  &_v52, _t171, _a36);
				_t5 = _t181 + 0xb; // 0xb
				if(_a12 > _t5) {
					_t172 = _a4;
					_t142 = _t172[1];
					_v36 =  *_t172;
					__eflags = (_t142 >> 0x00000014 & 0x000007ff) - 0x7ff;
					if((_t142 >> 0x00000014 & 0x000007ff) != 0x7ff) {
						L11:
						__eflags = _t142 & 0x80000000;
						if((_t142 & 0x80000000) != 0) {
							 *_t184 = 0x2d;
							_t184 = _t184 + 1;
							__eflags = _t184;
						}
						__eflags = _a28;
						_v16 = 0x3ff;
						_t136 = ((0 | _a28 == 0x00000000) - 0x00000001 & 0xffffffe0) + 0x27;
						__eflags = _t172[1] & 0x7ff00000;
						_v32 = _t136;
						_t86 = 0x30;
						if((_t172[1] & 0x7ff00000) != 0) {
							 *_t184 = 0x31;
							_t185 = _t184 + 1;
							__eflags = _t185;
						} else {
							 *_t184 = _t86;
							_t185 = _t184 + 1;
							_t164 =  *_t172 | _t172[1] & 0x000fffff;
							__eflags = _t164;
							if(_t164 != 0) {
								_v16 = 0x3fe;
							} else {
								_v16 = _v16 & _t164;
							}
						}
						_t146 = _t185;
						_t186 = _t185 + 1;
						_v28 = _t146;
						__eflags = _t181;
						if(_t181 != 0) {
							_t30 = _v48 + 0x88; // 0xc75ff10
							 *_t146 =  *((intOrPtr*)( *((intOrPtr*)( *_t30))));
						} else {
							 *_t146 = 0;
						}
						_t92 = _t172[1] & 0x000fffff;
						__eflags = _t92;
						_v20 = _t92;
						if(_t92 > 0) {
							L23:
							_t33 =  &_v8;
							 *_t33 = _v8 & 0x00000000;
							__eflags =  *_t33;
							_t147 = 0xf0000;
							_t93 = 0x30;
							_v12 = _t93;
							_v20 = 0xf0000;
							do {
								__eflags = _t181;
								if(_t181 <= 0) {
									break;
								}
								_t119 = E013196B0( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
								_t161 = 0x30;
								_t121 = _t119 + _t161 & 0x0000ffff;
								__eflags = _t121 - 0x39;
								if(_t121 > 0x39) {
									_t121 = _t121 + _t136;
									__eflags = _t121;
								}
								_t162 = _v20;
								_t172 = _a4;
								 *_t186 = _t121;
								_t186 = _t186 + 1;
								_v8 = (_t162 << 0x00000020 | _v8) >> 4;
								_t147 = _t162 >> 4;
								_t93 = _v12 - 4;
								_t181 = _t181 - 1;
								_v20 = _t162 >> 4;
								_v12 = _t93;
								__eflags = _t93;
							} while (_t93 >= 0);
							__eflags = _t93;
							if(_t93 < 0) {
								goto L39;
							}
							_t115 = E013196B0( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
							__eflags = _t115 - 8;
							if(_t115 <= 8) {
								goto L39;
							}
							_t54 = _t186 - 1; // 0xff8bc35f
							_t116 = _t54;
							_t138 = 0x30;
							while(1) {
								_t156 =  *_t116;
								__eflags = _t156 - 0x66;
								if(_t156 == 0x66) {
									goto L33;
								}
								__eflags = _t156 - 0x46;
								if(_t156 != 0x46) {
									_t139 = _v32;
									__eflags = _t116 - _v28;
									if(_t116 == _v28) {
										_t57 = _t116 - 1;
										 *_t57 =  *(_t116 - 1) + 1;
										__eflags =  *_t57;
									} else {
										_t157 =  *_t116;
										__eflags = _t157 - 0x39;
										if(_t157 != 0x39) {
											 *_t116 = _t157 + 1;
										} else {
											 *_t116 = _t139 + 0x3a;
										}
									}
									goto L39;
								}
								L33:
								 *_t116 = _t138;
								_t116 = _t116 - 1;
							}
						} else {
							__eflags =  *_t172;
							if( *_t172 <= 0) {
								L39:
								__eflags = _t181;
								if(_t181 > 0) {
									_push(_t181);
									_t111 = 0x30;
									_push(_t111);
									_push(_t186);
									E012EE6E0(_t181);
									_t186 = _t186 + _t181;
									__eflags = _t186;
								}
								_t94 = _v28;
								__eflags =  *_t94;
								if( *_t94 == 0) {
									_t186 = _t94;
								}
								__eflags = _a28;
								 *_t186 = ((_t94 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
								_t174 = _a4[1];
								_t100 = E013196B0( *_a4, 0x34, _t174);
								_t137 = 0;
								_t151 = (_t100 & 0x000007ff) - _v16;
								__eflags = _t151;
								asm("sbb ebx, ebx");
								if(__eflags < 0) {
									L47:
									 *(_t186 + 1) = 0x2d;
									_t187 = _t186 + 2;
									__eflags = _t187;
									_t151 =  ~_t151;
									asm("adc ebx, 0x0");
									_t137 =  ~_t137;
									goto L48;
								} else {
									if(__eflags > 0) {
										L46:
										 *(_t186 + 1) = 0x2b;
										_t187 = _t186 + 2;
										L48:
										_t182 = _t187;
										_t101 = 0x30;
										 *_t187 = _t101;
										__eflags = _t137;
										if(__eflags < 0) {
											L56:
											__eflags = _t187 - _t182;
											if(_t187 != _t182) {
												L60:
												_push(0);
												_push(0xa);
												_push(_t137);
												_push(_t151);
												_t102 = E013196D0();
												_v32 = _t174;
												 *_t187 = _t102 + 0x30;
												_t187 = _t187 + 1;
												__eflags = _t187;
												L61:
												_t104 = 0x30;
												_t183 = 0;
												__eflags = 0;
												 *_t187 = _t151 + _t104;
												 *(_t187 + 1) = 0;
												goto L62;
											}
											__eflags = _t137;
											if(__eflags < 0) {
												goto L61;
											}
											if(__eflags > 0) {
												goto L60;
											}
											__eflags = _t151 - 0xa;
											if(_t151 < 0xa) {
												goto L61;
											}
											goto L60;
										}
										if(__eflags > 0) {
											L51:
											_push(0);
											_push(0x3e8);
											_push(_t137);
											_push(_t151);
											_t107 = E013196D0();
											_v32 = _t174;
											 *_t187 = _t107 + 0x30;
											_t187 = _t187 + 1;
											__eflags = _t187 - _t182;
											if(_t187 != _t182) {
												L55:
												_push(0);
												_push(0x64);
												_push(_t137);
												_push(_t151);
												_t109 = E013196D0();
												_v32 = _t174;
												 *_t187 = _t109 + 0x30;
												_t187 = _t187 + 1;
												__eflags = _t187;
												goto L56;
											}
											L52:
											__eflags = _t137;
											if(__eflags < 0) {
												goto L56;
											}
											if(__eflags > 0) {
												goto L55;
											}
											__eflags = _t151 - 0x64;
											if(_t151 < 0x64) {
												goto L56;
											}
											goto L55;
										}
										__eflags = _t151 - 0x3e8;
										if(_t151 < 0x3e8) {
											goto L52;
										}
										goto L51;
									}
									__eflags = _t151;
									if(_t151 < 0) {
										goto L47;
									}
									goto L46;
								}
							}
							goto L23;
						}
					}
					__eflags = 0;
					if(0 != 0) {
						goto L11;
					} else {
						_t183 = E0130C04A(0, _t142, 0, _t172, _t184, _a12, _a16, _a20, _t181, 0, _a32, 0);
						__eflags = _t183;
						if(_t183 == 0) {
							_t128 = E01319870(_t184, 0x65);
							_pop(_t166);
							__eflags = _t128;
							if(_t128 != 0) {
								__eflags = _a28;
								_t170 = ((_t166 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
								__eflags = _t170;
								 *_t128 = _t170;
								 *((char*)(_t128 + 3)) = 0;
							}
							_t183 = 0;
						} else {
							 *_t184 = 0;
						}
						goto L62;
					}
				} else {
					_t129 = E012F9217();
					_t183 = 0x22;
					 *_t129 = _t183;
					E012F9CEA();
					L62:
					if(_v40 != 0) {
						 *(_v52 + 0x350) =  *(_v52 + 0x350) & 0xfffffffd;
					}
					return _t183;
				}
			}

0x0130bd47
0x0130bd52
0x0130bd59
0x0130bd5b
0x0130bd5b
0x0130bd5d
0x0130bd66
0x0130bd68
0x0130bd6d
0x0130bd73
0x0130bd89
0x0130bd8e
0x0130bd91
0x0130bd9e
0x0130bda3
0x0130bdf7
0x0130bdff
0x0130be01
0x0130be03
0x0130be06
0x0130be06
0x0130be06
0x0130be0c
0x0130be14
0x0130be27
0x0130be2a
0x0130be2c
0x0130be2f
0x0130be30
0x0130be51
0x0130be54
0x0130be54
0x0130be32
0x0130be32
0x0130be34
0x0130be3f
0x0130be3f
0x0130be41
0x0130be48
0x0130be43
0x0130be43
0x0130be43
0x0130be41
0x0130be55
0x0130be57
0x0130be58
0x0130be5b
0x0130be5d
0x0130be67
0x0130be71
0x0130be5f
0x0130be5f
0x0130be5f
0x0130be76
0x0130be76
0x0130be7b
0x0130be7e
0x0130be89
0x0130be89
0x0130be89
0x0130be89
0x0130be8d
0x0130be94
0x0130be95
0x0130be98
0x0130be9b
0x0130be9b
0x0130be9d
0x00000000
0x00000000
0x0130beb5
0x0130bebc
0x0130bec0
0x0130bec3
0x0130bec6
0x0130bec8
0x0130bec8
0x0130bec8
0x0130beca
0x0130becd
0x0130bed0
0x0130bed2
0x0130beda
0x0130bee0
0x0130bee3
0x0130bee6
0x0130bee7
0x0130beea
0x0130beed
0x0130beed
0x0130bef2
0x0130bef5
0x00000000
0x00000000
0x0130bf0d
0x0130bf12
0x0130bf16
0x00000000
0x00000000
0x0130bf1a
0x0130bf1a
0x0130bf1d
0x0130bf1e
0x0130bf1e
0x0130bf20
0x0130bf23
0x00000000
0x00000000
0x0130bf25
0x0130bf28
0x0130bf2f
0x0130bf32
0x0130bf35
0x0130bf4b
0x0130bf4b
0x0130bf4b
0x0130bf37
0x0130bf37
0x0130bf39
0x0130bf3c
0x0130bf47
0x0130bf3e
0x0130bf41
0x0130bf41
0x0130bf3c
0x00000000
0x0130bf35
0x0130bf2a
0x0130bf2a
0x0130bf2c
0x0130bf2c
0x0130be80
0x0130be80
0x0130be83
0x0130bf4e
0x0130bf4e
0x0130bf50
0x0130bf52
0x0130bf55
0x0130bf56
0x0130bf57
0x0130bf58
0x0130bf60
0x0130bf60
0x0130bf60
0x0130bf62
0x0130bf65
0x0130bf68
0x0130bf6a
0x0130bf6a
0x0130bf6c
0x0130bf7e
0x0130bf82
0x0130bf85
0x0130bf8c
0x0130bf94
0x0130bf94
0x0130bf97
0x0130bf99
0x0130bfaa
0x0130bfaa
0x0130bfae
0x0130bfae
0x0130bfb1
0x0130bfb3
0x0130bfb6
0x00000000
0x0130bf9b
0x0130bf9b
0x0130bfa1
0x0130bfa1
0x0130bfa5
0x0130bfb8
0x0130bfb8
0x0130bfbc
0x0130bfbd
0x0130bfbf
0x0130bfc1
0x0130c002
0x0130c002
0x0130c004
0x0130c011
0x0130c011
0x0130c013
0x0130c015
0x0130c016
0x0130c017
0x0130c01e
0x0130c021
0x0130c023
0x0130c023
0x0130c024
0x0130c026
0x0130c029
0x0130c029
0x0130c02b
0x0130c02d
0x00000000
0x0130c02d
0x0130c006
0x0130c008
0x00000000
0x00000000
0x0130c00a
0x00000000
0x00000000
0x0130c00c
0x0130c00f
0x00000000
0x00000000
0x00000000
0x0130c00f
0x0130bfc8
0x0130bfce
0x0130bfce
0x0130bfd0
0x0130bfd1
0x0130bfd2
0x0130bfd3
0x0130bfda
0x0130bfdd
0x0130bfdf
0x0130bfe0
0x0130bfe2
0x0130bfef
0x0130bfef
0x0130bff1
0x0130bff3
0x0130bff4
0x0130bff5
0x0130bffc
0x0130bfff
0x0130c001
0x0130c001
0x00000000
0x0130c001
0x0130bfe4
0x0130bfe4
0x0130bfe6
0x00000000
0x00000000
0x0130bfe8
0x00000000
0x00000000
0x0130bfea
0x0130bfed
0x00000000
0x00000000
0x00000000
0x0130bfed
0x0130bfca
0x0130bfcc
0x00000000
0x00000000
0x00000000
0x0130bfcc
0x0130bf9d
0x0130bf9f
0x00000000
0x00000000
0x00000000
0x0130bf9f
0x0130bf99
0x00000000
0x0130be83
0x0130be7e
0x0130bda5
0x0130bda7
0x00000000
0x0130bda9
0x0130bdbf
0x0130bdc4
0x0130bdc6
0x0130bdd2
0x0130bdd8
0x0130bdd9
0x0130bddb
0x0130bddd
0x0130bde8
0x0130bde8
0x0130bdeb
0x0130bded
0x0130bded
0x0130bdf0
0x0130bdc8
0x0130bdc8
0x0130bdc8
0x00000000
0x0130bdc6
0x0130bd75
0x0130bd75
0x0130bd7c
0x0130bd7d
0x0130bd7f
0x0130c031
0x0130c035
0x0130c03a
0x0130c03a
0x0130c049
0x0130c049

APIs

_strrchr.LIBCMT ref: 0130BDD2
__alldvrm.LIBCMT ref: 0130BFD3
__alldvrm.LIBCMT ref: 0130BFF5

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 1509091f8e0a0c6a76c62462d1f8abbfb0b6bb8dba6c1ec273412af2d6f9af34
Instruction ID: 134c7742e861a3740be1174b38cefbe9a3d78c9b85523527beab8112ca6e3541
Opcode Fuzzy Hash: 1509091f8e0a0c6a76c62462d1f8abbfb0b6bb8dba6c1ec273412af2d6f9af34
Instruction Fuzzy Hash: 21A1553AA042869FE727CF1CC8A17AEFFE5EF11358F1841ADE6859B2C5C2358845CB50

Uniqueness

Uniqueness Score: -1.00%

Function 011F1487 Relevance: 6.2, APIs: 4, Instructions: 185
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E011F1487(intOrPtr __ecx, void* __edx, intOrPtr _a8) {
				void* _v0;
				signed int _v4;
				signed int _v8;
				signed int _v12;
				void* _v16;
				WCHAR* _v20;
				struct HINSTANCE__* _v24;
				intOrPtr _v28;
				int _v32;
				char _v36;
				int _v40;
				int _v44;
				signed short _v50;
				void _v68;
				intOrPtr _v72;
				short _v74;
				signed int _v84;
				signed int _v88;
				void _v96;
				intOrPtr _t107;
				signed int _t116;
				intOrPtr* _t133;
				signed int _t150;
				intOrPtr _t152;
				intOrPtr _t155;
				intOrPtr* _t160;
				intOrPtr _t164;
				signed int _t165;
				signed short _t169;
				void* _t182;
				signed short _t183;
				intOrPtr* _t185;
				signed char* _t186;
				void* _t190;
				intOrPtr* _t191;
				intOrPtr* _t192;
				signed int _t194;
				int _t196;
				signed int _t203;
				signed long long _t214;

				_push(0x38);
				_t107 = 0x13225ec;
				E012EA0A3();
				_t152 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x28)) != 0) {
					L14:
					E012EA06C();
					return _t107;
				} else {
					_t214 =  *((long long*)(__ecx + 0xb8));
					asm("fld1");
					asm("fucom st1");
					asm("fnstsw ax");
					st1 = _t214;
					if(0x44 != 0) {
						st0 = _t214;
					} else {
						_t150 =  *(__ecx + 0xac);
						 *((intOrPtr*)(__ecx + 8)) = 0;
						 *((long long*)(__ecx + 0xb8)) = _t214;
						if(_t150 != 0xffffffff) {
							 *(__ecx + 0xac) =  *(__ecx + 0xac) | 0xffffffff;
							 *(__ecx + 0xa8) = _t150;
						}
						_v44 = 0;
						_v40 = 0;
						_v36 = 0;
						_v32 = 0;
						asm("movsd");
						 *((intOrPtr*)(_t152 + 0x54)) =  *((intOrPtr*)(_t152 + 0x5c));
						_t107 =  *((intOrPtr*)(_t152 + 0x60));
						asm("movsd");
						 *((intOrPtr*)(_t152 + 0x58)) = _t107;
						 *((intOrPtr*)(_t152 + 0x5c)) = 0;
						 *((intOrPtr*)(_t152 + 0x60)) = 0;
						asm("movsd");
						 *((intOrPtr*)(_t152 + 0x64)) = 0;
						 *((intOrPtr*)(_t152 + 0x68)) = 0;
						asm("movsd");
						_v44 = 0;
						_v40 = 0;
						_v36 = 0;
						_v32 = 0;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
					}
					_t190 = _t152 + 0x8c;
					if( *_t190 == 0) {
						L9:
						E011F24B0(_t152);
						if( *0x13a952c != 0) {
							_push( *((intOrPtr*)(_t152 + 0x54)));
							_push(_t190);
							E011F0F3A();
						}
						_t191 = _t152 + 0x90;
						E011BD6C7(_t191);
						 *_t191 = 0;
						_t192 = _t152 + 0x94;
						E011BD6C7(_t192);
						 *_t192 = 0;
						if( *((intOrPtr*)(_t152 + 0x30)) != 0) {
							E011EFF26(_t152, _t214,  *((intOrPtr*)(_t152 + 0xc)));
						}
						_t107 =  *((intOrPtr*)(E011C5322() + 0x20));
						 *((intOrPtr*)(_t152 + 0xb0)) = _t107;
						goto L14;
					} else {
						if( *((intOrPtr*)(_t152 + 0x18)) == 0) {
							if( *((intOrPtr*)(_t152 + 0xcc)) == 0) {
								goto L14;
							} else {
								E011BD6C7(_t190);
								_t185 =  *((intOrPtr*)(_t152 + 0xc4));
								_t160 =  *((intOrPtr*)(_t152 + 0xe0));
								if(_t185 == 0) {
									goto L9;
								} else {
									while(_t160 != 0) {
										_t183 =  *(_t185 + 8);
										_t185 =  *_t185;
										if(_t183 == 0) {
											break;
										} else {
											_v32 = _v32 & 0x00000000;
											_v28 =  *_t160;
											_v24 =  *((intOrPtr*)(_t160 + 8));
											_v36 = 0x1339c3c;
											_v4 = _v4 & 0x00000000;
											_v20 = _t183 & 0x0000ffff;
											if(E011F07DE( &_v36, _t183, _t214, _t183 & 0x0000ffff,  *((intOrPtr*)(_t160 + 8))) == 0) {
												L21:
												_t196 = 0x2000;
												if( *((intOrPtr*)(_t152 + 0x34)) != 0 && E011F04B0(E011C5322()) == 0) {
													_t196 = 0x3000;
												}
												_t190 = LoadImageW(_v24, _v20, 0, 0, 0, _t196);
												_v16 = _t190;
											} else {
												_t190 = E011B9069( &_v36, _t183);
												_v16 = _t190;
												if(_t190 == 0) {
													goto L21;
												}
											}
											GetObjectW(_t190, 0x18,  &_v68);
											_t169 = _v50;
											 *(_t152 + 8) = _t169 & 0x0000ffff;
											if(_t169 < 0x20) {
												if(_t169 <= 8 ||  *((intOrPtr*)(_t152 + 0x34)) == 0) {
													if( *((intOrPtr*)(E011C5322() + 0x184)) != 0) {
														goto L30;
													}
												} else {
													L30:
													E011F0B31(_t183, _t214,  &_v16, 0, 0xffffffff, 0xffffffff);
													_t190 = _v16;
												}
											} else {
												_push( *((intOrPtr*)(_t152 + 0x3c)));
												_push(_t190);
												L34();
											}
											E011EDB29(_t152, _t214, _t190, 0);
											DeleteObject(_t190);
											_v4 = _v4 | 0xffffffff;
											_v36 = 0x1331fa4;
											E011681B0(_t152,  &_v36, _t185, _t190);
											_t160 = _v28;
											if(_t185 != 0) {
												continue;
											} else {
												_t190 = _t152 + 0x8c;
												goto L9;
											}
										}
										goto L52;
									}
									E011B1E69(_t160);
									asm("int3");
									_t201 = _t203;
									_t116 =  *0x139eff4; // 0xdde28b47
									_v12 = _t116 ^ _t203;
									if(GetObjectW(_v0, 0x54,  &_v96) != 0) {
										if(_v74 != 0x20) {
											goto L35;
										} else {
											_t164 = _v72;
											if(_t164 == 0) {
												goto L35;
											} else {
												_push(_t152);
												_push(_t190);
												_t194 = _v84 * _v88;
												if(_a8 == 0) {
													L46:
													if(_t194 > 0) {
														_push(_t185);
														_t186 = _t164 + 1;
														do {
															_t165 = _t186[2] & 0x000000ff;
															_t186[1] = (_t186[1] & 0x000000ff) * _t165 / 0xff;
															 *_t186 = ( *_t186 & 0x000000ff) * _t165 / 0xff;
															_t186 =  &(_t186[4]);
															 *(_t186 - 5) = ( *(_t186 - 5) & 0x000000ff) * _t165 / 0xff;
															_t194 = _t194 - 1;
														} while (_t194 != 0);
													}
												} else {
													_t182 = 0;
													if(_t194 > 0) {
														_t133 = _t164 + 3;
														while(1) {
															_t155 =  *_t133;
															if( *((intOrPtr*)(_t133 - 1)) > _t155 ||  *((intOrPtr*)(_t133 - 2)) > _t155 ||  *((intOrPtr*)(_t133 - 3)) > _t155) {
																goto L46;
															}
															_t133 = _t133 + 4;
															_t182 = _t182 + 1;
															if(_t182 < _t194) {
																continue;
															} else {
															}
															goto L50;
														}
														goto L46;
													}
												}
												L50:
											}
										}
									} else {
										L35:
									}
									return E012E980C(_v8 ^ _t201);
								}
							}
						} else {
							E011F0560(_t152, _t214,  *((intOrPtr*)(_t152 + 0x98)), 0);
							goto L9;
						}
					}
				}
				L52:
			}

0x011f1487
0x011f1489
0x011f148e
0x011f1493
0x011f149a
0x011f158d
0x011f158d
0x011f1592
0x011f14a0
0x011f14a0
0x011f14a6
0x011f14a8
0x011f14aa
0x011f14ac
0x011f14b1
0x011f151a
0x011f14b3
0x011f14b3
0x011f14b9
0x011f14bc
0x011f14c5
0x011f14c7
0x011f14ce
0x011f14ce
0x011f14d4
0x011f14da
0x011f14e0
0x011f14e3
0x011f14e6
0x011f14ea
0x011f14ed
0x011f14f0
0x011f14f1
0x011f14f4
0x011f14f7
0x011f14fa
0x011f14fb
0x011f14fe
0x011f1501
0x011f1502
0x011f1508
0x011f150e
0x011f1511
0x011f1514
0x011f1515
0x011f1516
0x011f1517
0x011f1517
0x011f151c
0x011f1524
0x011f1539
0x011f153b
0x011f1547
0x011f1549
0x011f154c
0x011f154d
0x011f154d
0x011f1552
0x011f1559
0x011f1560
0x011f1562
0x011f1569
0x011f156e
0x011f1573
0x011f157a
0x011f157a
0x011f1584
0x011f1587
0x00000000
0x011f1526
0x011f1529
0x011f1599
0x00000000
0x011f159b
0x011f159c
0x011f15a1
0x011f15a7
0x011f15af
0x00000000
0x011f15b1
0x011f15b1
0x011f15b9
0x011f15bc
0x011f15c0
0x00000000
0x011f15c6
0x011f15cb
0x011f15cf
0x011f15d2
0x011f15d5
0x011f15dc
0x011f15e4
0x011f15f2
0x011f1605
0x011f1609
0x011f160e
0x011f1620
0x011f1620
0x011f1637
0x011f1639
0x011f15f4
0x011f15fc
0x011f15fe
0x011f1603
0x00000000
0x00000000
0x011f1603
0x011f1643
0x011f1649
0x011f1650
0x011f1657
0x011f1668
0x011f167c
0x00000000
0x00000000
0x011f167e
0x011f167e
0x011f1688
0x011f168d
0x011f168d
0x011f1659
0x011f1659
0x011f165c
0x011f165d
0x011f165d
0x011f1695
0x011f169b
0x011f16a1
0x011f16a8
0x011f16af
0x011f16b4
0x011f16b9
0x00000000
0x011f16bf
0x011f16bf
0x00000000
0x011f16bf
0x011f16b9
0x00000000
0x011f15c0
0x011f16ca
0x011f16cf
0x011f16d1
0x011f16d6
0x011f16dd
0x011f16f2
0x011f1700
0x00000000
0x011f1702
0x011f1702
0x011f1707
0x00000000
0x011f1709
0x011f1709
0x011f170a
0x011f170e
0x011f1716
0x011f173c
0x011f173e
0x011f1740
0x011f1741
0x011f1749
0x011f1749
0x011f175a
0x011f1767
0x011f1769
0x011f1775
0x011f1778
0x011f1778
0x011f177d
0x011f1718
0x011f1718
0x011f171c
0x011f171e
0x011f1721
0x011f1721
0x011f1726
0x00000000
0x00000000
0x011f1732
0x011f1735
0x011f1738
0x00000000
0x00000000
0x011f173a
0x00000000
0x011f1738
0x00000000
0x011f1721
0x011f171c
0x011f177e
0x011f1782
0x011f1707
0x011f16f4
0x011f16f4
0x011f16f4
0x011f1790
0x011f1790
0x011f15af
0x011f152b
0x011f1534
0x00000000
0x011f1534
0x011f1529
0x011f1524
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 011F148E
LoadImageW.USER32 ref: 011F1631
GetObjectW.GDI32(00000000,00000018,?), ref: 011F1643
DeleteObject.GDI32(00000000), ref: 011F169B

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: Object$DeleteH_prolog3ImageLoad
String ID:
API String ID: 91933946-0
Opcode ID: 4ef372bf9a1140e2f314464b0fc6bb215a4ef415d6fbaba78ec0e65445261e71
Instruction ID: c3afb79d83e1d889ac4ac93cb300d1c7a727405ccb5ba5dbbe9b698836983ff7
Opcode Fuzzy Hash: 4ef372bf9a1140e2f314464b0fc6bb215a4ef415d6fbaba78ec0e65445261e71
Instruction Fuzzy Hash: 7171A971800215DBCF1DEF68C8847EE7BB5BF09324F18416DEE196B296C7719944CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 012F93BD Relevance: 6.2, APIs: 4, Instructions: 172
pipeCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E012F93BD(void* __ebx, signed int __edx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, void* _a12, intOrPtr* _a16) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				void _v48;
				char _v64;
				void _v72;
				long _v76;
				intOrPtr _v80;
				char _v84;
				signed int _t53;
				intOrPtr _t66;
				int _t71;
				signed int _t83;
				signed int _t85;
				signed int _t87;
				intOrPtr _t101;
				signed int _t106;
				signed int _t111;
				signed int _t113;
				signed int _t120;
				void* _t123;
				intOrPtr* _t129;
				signed int _t130;
				intOrPtr _t140;

				_t120 = __edx;
				_t53 =  *0x139eff4; // 0xdde28b47
				_v8 = _t53 ^ _t130;
				_t129 = _a16;
				_t123 = _a12;
				_v80 = _a4;
				_v76 = _t123;
				_t106 = GetFileType(_t123) & 0xffff7fff;
				if(_t106 != 1) {
					__eflags = _t106 - 2;
					if(_t106 == 2) {
						L16:
						__eflags = _t106 - 2;
						 *((short*)(_t129 + 6)) = ((0 | _t106 != 0x00000002) - 0x00000001 & 0x00001000) + 0x1000;
						 *((short*)(_t129 + 8)) = 1;
						_t66 = _a8;
						 *((intOrPtr*)(_t129 + 0x10)) = _t66;
						 *_t129 = _t66;
						__eflags = _t106 - 2;
						if(_t106 != 2) {
							_t71 = PeekNamedPipe(_t123, 0, 0, 0,  &_v76, 0);
							__eflags = _t71;
							if(_t71 != 0) {
								 *((intOrPtr*)(_t129 + 0x14)) = _v76;
							}
						}
						__eflags = 1;
						L20:
						return E012E980C(_v8 ^ _t130);
					}
					__eflags = _t106 - 3;
					if(_t106 == 3) {
						goto L16;
					}
					__eflags = _t106;
					if(_t106 != 0) {
						L15:
						E012F91E1(GetLastError());
						L14:
						goto L20;
					}
					 *((intOrPtr*)(E012F9217())) = 9;
					goto L14;
				}
				 *((short*)(_t129 + 8)) = 1;
				_t76 = _v80;
				if(_v80 == 0) {
					L4:
					_t111 = 0xa;
					memset( &_v48, 0, _t111 << 2);
					if(E0130CE70(0, _t129, _t140, _v76, 0,  &_v48, 0x28) == 0) {
						goto L15;
					}
					 *((short*)(_t129 + 6)) = E012F96EF(0, _v16, _v80);
					_t83 = E012F9575(_v32, _v28, 0, 0);
					 *(_t129 + 0x20) = _t83;
					 *(_t129 + 0x24) = _t120;
					if((_t83 & _t120) == 0xffffffff) {
						goto L14;
					}
					_t24 = _t129 + 0x20; // 0x83cc758d
					_t85 = E012F9575(_v40, _v36,  *_t24, _t120);
					 *(_t129 + 0x18) = _t85;
					 *(_t129 + 0x1c) = _t120;
					if((_t85 & _t120) == 0xffffffff) {
						goto L14;
					}
					_t29 = _t129 + 0x24; // 0xcb830cc4
					_t30 = _t129 + 0x20; // 0x83cc758d
					_t87 = E012F9575(_v48, _v44,  *_t30,  *_t29);
					 *(_t129 + 0x28) = _t87;
					 *(_t129 + 0x2c) = _t120;
					_t144 = (_t87 & _t120) - 0xffffffff;
					if((_t87 & _t120) == 0xffffffff) {
						goto L14;
					}
					_t113 = 6;
					memset( &_v72, 0, _t113 << 2);
					if(E0130CE70(0, _t129, _t144, _v76, 1,  &_v72, 0x18) == 0) {
						goto L15;
					}
					_t39 = _t129 + 0x14; // 0x12f92ff
					E012F96BD( &_v64, _t39);
					goto L20;
				}
				_v84 = 0;
				if(E012F9755(_t76,  &_v84) == 0) {
					goto L14;
				}
				_t101 = _v84 - 1;
				_t140 = _t101;
				 *((intOrPtr*)(_t129 + 0x10)) = _t101;
				 *_t129 = _t101;
				goto L4;
			}

0x012f93bd
0x012f93c5
0x012f93cc
0x012f93d4
0x012f93d8
0x012f93dc
0x012f93df
0x012f93ec
0x012f93f5
0x012f94f0
0x012f94f3
0x012f951c
0x012f9523
0x012f952e
0x012f9535
0x012f9539
0x012f953c
0x012f953f
0x012f9541
0x012f9544
0x012f9551
0x012f9557
0x012f9559
0x012f955e
0x012f955e
0x012f9559
0x012f9563
0x012f9564
0x012f9574
0x012f9574
0x012f94f5
0x012f94f8
0x00000000
0x00000000
0x012f94fa
0x012f94fc
0x012f950d
0x012f9514
0x012f9509
0x00000000
0x012f9509
0x012f9503
0x00000000
0x012f9503
0x012f93fb
0x012f9401
0x012f9406
0x012f9428
0x012f942a
0x012f9432
0x012f9443
0x00000000
0x00000000
0x012f945a
0x012f9461
0x012f9466
0x012f946e
0x012f9474
0x00000000
0x00000000
0x012f947b
0x012f9484
0x012f9489
0x012f9491
0x012f9497
0x00000000
0x00000000
0x012f9499
0x012f949c
0x012f94a5
0x012f94aa
0x012f94b2
0x012f94b5
0x012f94b8
0x00000000
0x00000000
0x012f94bc
0x012f94c2
0x012f94d8
0x00000000
0x00000000
0x012f94da
0x012f94e2
0x00000000
0x012f94eb
0x012f940b
0x012f9419
0x00000000
0x00000000
0x012f9422
0x012f9422
0x012f9423
0x012f9426
0x00000000

APIs

GetFileType.KERNEL32(00000000,00000000,00000000,00000000), ref: 012F93E2

Part of subcall function 012F9755: __dosmaperr.LIBCMT ref: 012F9798

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,012F92EB), ref: 012F950D
__dosmaperr.LIBCMT ref: 012F9514
PeekNamedPipe.KERNEL32(00000000,00000000,00000000,00000000,?,00000000), ref: 012F9551

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: __dosmaperr$ErrorFileLastNamedPeekPipeType
String ID:
API String ID: 3955570002-0
Opcode ID: 2802f6c30d1c97e611b3870baa3e77619f4f9bd71fcab74f9ce013b0df76ee64
Instruction ID: 7eb0bc8d1d7ba636264bc4d118b2b87900b66b94ac7645d48df600bba277cd61
Opcode Fuzzy Hash: 2802f6c30d1c97e611b3870baa3e77619f4f9bd71fcab74f9ce013b0df76ee64
Instruction Fuzzy Hash: 52517B7291020AAFDF24DFA8DC45AAEFBF9EF48314F14493DF616D2160E73199858B50

Uniqueness

Uniqueness Score: -1.00%

Function 013150E1 Relevance: 6.2, APIs: 4, Instructions: 152
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E013150E1(signed int __edx, intOrPtr _a4, intOrPtr _a8, int _a12) {
				int _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t16;
				signed int _t17;
				int _t20;
				signed int _t21;
				int _t23;
				signed int _t25;
				int _t28;
				intOrPtr* _t30;
				int _t34;
				int _t35;
				void* _t36;
				intOrPtr* _t37;
				intOrPtr* _t38;
				int _t46;
				void* _t54;
				void* _t56;
				signed int _t58;
				int _t61;
				int _t63;
				void* _t64;
				void* _t65;
				void* _t66;

				_t58 = __edx;
				_t59 = _a4;
				_t61 = 0;
				_t16 = E0130A71D(_a4, 0, 0, 1);
				_v20 = _t16;
				_v16 = __edx;
				_t65 = _t64 + 0x10;
				if((_t16 & __edx) != 0xffffffff) {
					_t17 = E0130A71D(_t59, 0, 0, 2);
					_t66 = _t65 + 0x10;
					_t51 = _t17 & __edx;
					__eflags = (_t17 & __edx) - 0xffffffff;
					if((_t17 & __edx) == 0xffffffff) {
						goto L1;
					}
					_t46 = _a8 - _t17;
					__eflags = _t46;
					_t20 = _a12;
					asm("sbb eax, edx");
					_v8 = _t20;
					if(__eflags < 0) {
						L24:
						__eflags = _t20 - _t61;
						if(__eflags > 0) {
							L19:
							_t21 = E0130A71D(_t59, _v20, _v16, _t61);
							__eflags = (_t21 & _t58) - 0xffffffff;
							if((_t21 & _t58) != 0xffffffff) {
								_t23 = 0;
								__eflags = 0;
								L31:
								return _t23;
							}
							L20:
							_t23 =  *((intOrPtr*)(E012F9217()));
							goto L31;
						}
						if(__eflags < 0) {
							L27:
							_t25 = E0130A71D(_t59, _a8, _a12, _t61);
							_t66 = _t66 + 0x10;
							__eflags = (_t25 & _t58) - 0xffffffff;
							if((_t25 & _t58) == 0xffffffff) {
								goto L20;
							}
							_t28 = SetEndOfFile(E0130617F(_t59));
							__eflags = _t28;
							if(_t28 != 0) {
								goto L19;
							}
							 *((intOrPtr*)(E012F9217())) = 0xd;
							_t30 = E012F9204();
							 *_t30 = GetLastError();
							goto L20;
						}
						__eflags = _t46 - _t61;
						if(_t46 >= _t61) {
							goto L19;
						}
						goto L27;
					}
					if(__eflags > 0) {
						L6:
						_t63 = E0130A9E4(_t51, 0x1000, 1);
						_pop(_t54);
						__eflags = _t63;
						if(_t63 != 0) {
							_v12 = E01306EE0(_t54, _t59, 0x8000);
							_t34 = _v8;
							_pop(_t56);
							do {
								__eflags = _t34;
								if(__eflags < 0) {
									L13:
									_t35 = _t46;
									L14:
									_t36 = E0130971A(_t46, _t59, _t63, _t59, _t63, _t35);
									_t66 = _t66 + 0xc;
									__eflags = _t36 - 0xffffffff;
									if(_t36 == 0xffffffff) {
										_t37 = E012F9204();
										__eflags =  *_t37 - 5;
										if( *_t37 == 5) {
											 *((intOrPtr*)(E012F9217())) = 0xd;
										}
										L23:
										_t38 = E012F9217();
										E0130B4D5(_t63);
										_t23 =  *_t38;
										goto L31;
									}
									asm("cdq");
									_t46 = _t46 - _t36;
									_t34 = _v8;
									asm("sbb eax, edx");
									_v8 = _t34;
									__eflags = _t34;
									if(__eflags > 0) {
										L12:
										_t35 = 0x1000;
										goto L14;
									}
									if(__eflags < 0) {
										break;
									}
									goto L17;
								}
								if(__eflags > 0) {
									goto L12;
								}
								__eflags = _t46 - 0x1000;
								if(_t46 < 0x1000) {
									goto L13;
								}
								goto L12;
								L17:
								__eflags = _t46;
							} while (_t46 != 0);
							E01306EE0(_t56, _t59, _v12);
							E0130B4D5(_t63);
							_t66 = _t66 + 0xc;
							_t61 = 0;
							__eflags = 0;
							goto L19;
						}
						 *((intOrPtr*)(E012F9217())) = 0xc;
						goto L23;
					}
					__eflags = _t46;
					if(_t46 <= 0) {
						goto L24;
					}
					goto L6;
				}
				L1:
				return  *((intOrPtr*)(E012F9217()));
			}

0x013150e1
0x013150eb
0x013150ee
0x013150f5
0x013150fc
0x01315101
0x01315104
0x0131510a
0x0131511d
0x01315124
0x01315127
0x01315129
0x0131512c
0x00000000
0x00000000
0x01315132
0x01315132
0x01315134
0x01315137
0x01315139
0x0131513c
0x0131521a
0x0131521a
0x0131521c
0x013151d3
0x013151db
0x013151e5
0x013151e8
0x01315269
0x01315269
0x0131526b
0x00000000
0x0131526b
0x013151ea
0x013151ef
0x00000000
0x013151ef
0x0131521e
0x01315224
0x0131522c
0x01315233
0x01315236
0x01315239
0x00000000
0x00000000
0x01315243
0x01315249
0x0131524b
0x00000000
0x00000000
0x01315252
0x01315258
0x01315265
0x00000000
0x01315265
0x01315220
0x01315222
0x00000000
0x00000000
0x00000000
0x01315222
0x01315142
0x0131514c
0x01315158
0x0131515b
0x0131515c
0x0131515e
0x0131517c
0x0131517f
0x01315182
0x01315183
0x01315183
0x01315185
0x01315198
0x01315198
0x0131519a
0x0131519d
0x013151a2
0x013151a5
0x013151a8
0x013151f3
0x013151f8
0x013151fb
0x01315202
0x01315202
0x01315208
0x01315208
0x01315210
0x01315216
0x00000000
0x01315216
0x013151aa
0x013151ab
0x013151ad
0x013151b0
0x013151b2
0x013151b5
0x013151b7
0x01315191
0x01315191
0x00000000
0x01315191
0x013151b9
0x00000000
0x00000000
0x00000000
0x013151b9
0x01315187
0x00000000
0x00000000
0x01315189
0x0131518f
0x00000000
0x00000000
0x00000000
0x013151bb
0x013151bb
0x013151bb
0x013151c3
0x013151c9
0x013151ce
0x013151d1
0x013151d1
0x00000000
0x013151d1
0x01315165
0x00000000
0x01315165
0x01315144
0x01315146
0x00000000
0x00000000
0x00000000
0x01315146
0x0131510c
0x00000000

APIs

_free.LIBCMT ref: 01315210

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: af636abd0d83249784e4cae0014ec738dc9848fa5d59a8d97549bc3fef06233e
Instruction ID: fdc10797ec70a6322ec55b0975ff9f97ed8acecb250ca118a306992a597e8265
Opcode Fuzzy Hash: af636abd0d83249784e4cae0014ec738dc9848fa5d59a8d97549bc3fef06233e
Instruction Fuzzy Hash: EF412B326002026BEF2B6BBC8C44BBE7AE8EFD327CF140239F919971D5D67448918661

Uniqueness

Uniqueness Score: -1.00%

Function 011BD334 Relevance: 6.1, APIs: 4, Instructions: 126
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E011BD334(void** __ecx, intOrPtr _a4, short _a8) {
				void** _v8;
				intOrPtr _v12;
				short* _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void* _t52;
				void* _t53;
				intOrPtr _t55;
				signed int _t61;
				signed int _t73;
				void* _t78;
				intOrPtr _t84;
				short* _t89;
				signed int* _t95;
				signed int _t98;
				void* _t100;
				void** _t101;
				void* _t103;

				_v8 = __ecx;
				if(__ecx[1] != 0) {
					_t95 = GlobalLock( *__ecx);
					_t98 = _t95[0] & 0x0000ffff;
					_v24 = _t98;
					_v20 = E011BD319(_t95);
					_t78 = 2 + (0 | _t98 == 0x0000ffff) * 4;
					if(_t98 != 0xffff) {
						 *_t95 =  *_t95 | 0x00000040;
					} else {
						_t95[3] = _t95[3] | 0x00000040;
					}
					if(_a4 != 0) {
						_t52 = E013004F8(_a4);
						if(_t52 >= 0x20) {
							goto L21;
						}
						goto L8;
					} else {
						_t52 = 0;
						L8:
						_t55 = _t78 + (_t52 + 1) * 2;
						_v12 = _t55;
						if(_t55 < _t78) {
							L21:
							_t53 = 0;
							L24:
							return _t53;
						}
						_t89 = E011BD1CF(_t95);
						_v16 = _t89;
						if(_v20 == 0) {
							_t100 = 0;
						} else {
							_t87 = _t89 + _t78;
							if(_t89 + _t78 != 0) {
								_t73 = E013004F8(_t87);
								_t89 = _v16;
							} else {
								_t73 = 0;
							}
							_t22 = _t78 + 2; // 0x2
							_t100 = _t22 + _t73 * 2;
						}
						_t84 = _v12;
						_t26 = _t89 + 3; // 0x3
						_v20 = _t26 + _t100 & 0xfffffffc;
						_t92 = _t89 + 0x00000003 + _t84 & 0xfffffffc;
						_v28 = _t89 + 0x00000003 + _t84 & 0xfffffffc;
						if(_v24 != 0xffff) {
							_t61 = _t95[2] & 0x0000ffff;
						} else {
							_t61 = _t95[4] & 0x0000ffff;
						}
						_t101 = _v8;
						if(_t84 == _t100 || _t61 == 0) {
							L23:
							 *_v16 = _a8;
							E011BD590(_t84 - _t78, _v16 + _t78, _t84 - _t78, _a4, _t84 - _t78);
							_t101[1] = _t101[1] + _v28 - _v20;
							GlobalUnlock( *_t101);
							_t101[2] = _t101[2] & 0x00000000;
							_t53 = 1;
							goto L24;
						} else {
							_t86 = _v20;
							_t71 = _t101[1] - _v20 + _t95;
							if(_t101[1] - _v20 + _t95 <= _t101[1]) {
								E011BD590(_t86, _t92, _t71, _t86, _t71);
								_t84 = _v12;
								_t103 = _t103 + 0x10;
								goto L23;
							}
							goto L21;
						}
					}
				}
				return 0;
			}

0x011bd33c
0x011bd343
0x011bd357
0x011bd35a
0x011bd360
0x011bd36a
0x011bd379
0x011bd383
0x011bd38b
0x011bd385
0x011bd385
0x011bd385
0x011bd392
0x011bd39b
0x011bd3a4
0x00000000
0x00000000
0x00000000
0x011bd394
0x011bd394
0x011bd3aa
0x011bd3ad
0x011bd3b0
0x011bd3b5
0x011bd431
0x011bd431
0x011bd479
0x00000000
0x011bd47b
0x011bd3c1
0x011bd3c4
0x011bd3c7
0x011bd3e6
0x011bd3c9
0x011bd3c9
0x011bd3ce
0x011bd3d5
0x011bd3da
0x011bd3d0
0x011bd3d0
0x011bd3d0
0x011bd3de
0x011bd3e1
0x011bd3e1
0x011bd3e8
0x011bd3eb
0x011bd3f8
0x011bd3fb
0x011bd403
0x011bd40a
0x011bd412
0x011bd40c
0x011bd40c
0x011bd40c
0x011bd418
0x011bd41b
0x011bd444
0x011bd451
0x011bd459
0x011bd467
0x011bd46c
0x011bd472
0x011bd478
0x00000000
0x011bd422
0x011bd425
0x011bd42a
0x011bd42f
0x011bd439
0x011bd43e
0x011bd441
0x00000000
0x011bd441
0x00000000
0x011bd42f
0x011bd41b
0x011bd392
0x00000000

APIs

GlobalLock.KERNEL32 ref: 011BD351

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: GlobalLock
String ID:
API String ID: 2848605275-0
Opcode ID: 09696d456102f7e6cd228670f89bef198b5683cea3ca92b6d4d36f165de50b9a
Instruction ID: e2aaeaa6bb1070c1d4a64905dc7e6426a53202660750dce21e4011306b1e5b74
Opcode Fuzzy Hash: 09696d456102f7e6cd228670f89bef198b5683cea3ca92b6d4d36f165de50b9a
Instruction Fuzzy Hash: ED41D2719041169FDF2C9FACE8C56FEBBB4FF44318F108929E415E7551EB34AA448B90

Uniqueness

Uniqueness Score: -1.00%

Function 011AB9BE Relevance: 6.1, APIs: 4, Instructions: 112
windowCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E011AB9BE(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				struct tagRECT _v24;
				signed int _t32;
				long _t38;
				intOrPtr _t41;
				void* _t46;
				long _t47;
				int _t48;
				void* _t59;
				intOrPtr* _t78;
				void* _t80;
				struct HMENU__* _t84;
				signed int _t85;

				_t32 =  *0x139eff4; // 0xdde28b47
				_v8 = _t32 ^ _t85;
				_t78 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x58)) == 0) {
					L12:
					return E012E980C(_v8 ^ _t85);
				}
				_t80 = E011BCE42(0x132ee28, __ecx);
				_t59 = E011BCE42(0x1334740, _t78);
				if((E011B0661(_t78) & 0x40000000) != 0) {
					L8:
					if(_t59 != 0) {
						L11:
						goto L12;
					}
					L9:
					_t38 = E011BCE42(0x133456c, _t78);
					if(_t38 == 0) {
						_v24.left = _t38;
						_v24.top = _t38;
						_v24.right = _t38;
						_v24.bottom = _t38;
						GetClientRect( *(_t78 + 0x20),  &_v24);
						_t41 =  *((intOrPtr*)(_t78 + 0x58));
						 *((intOrPtr*)(_t41 + 8)) = _v24.right - _v24.left;
						 *((intOrPtr*)(_t41 + 0xc)) = _v24.bottom - _v24.top;
					}
					goto L11;
				}
				if(_t80 != 0 || _t59 != 0) {
					_v24.left = 0;
					_v24.top = 0;
					_v24.right = 0;
					_v24.bottom = 0;
					GetClientRect( *(_t78 + 0x20),  &_v24);
					E011B0858(_t78, 0x80, 0x80040000, 0);
					L012EA066();
					_t46 =  *((intOrPtr*)( *((intOrPtr*)( *_t78 + 0x6c))))();
					if(_t46 != 0) {
						_t84 =  *(_t46 + 4);
					} else {
						_t84 = 0;
					}
					_t47 = E011B02BE(_t78);
					_t48 = IsMenu(_t84);
					AdjustWindowRectEx( &_v24, E011B0661(_t78), _t48, _t47);
					E011B0C78(_t78, 0, 0, 0, _v24.right - _v24.left, _v24.bottom - _v24.top, 0x236);
					goto L8;
				} else {
					goto L9;
				}
			}

0x011ab9c4
0x011ab9cb
0x011ab9cf
0x011ab9d5
0x011abae6
0x011abaf4
0x011abaf4
0x011ab9ee
0x011ab9fa
0x011aba06
0x011abaa1
0x011abaa3
0x011abae4
0x00000000
0x011abae5
0x011abaa5
0x011abaab
0x011abab4
0x011abab6
0x011abab9
0x011ababc
0x011ababf
0x011abac9
0x011abad5
0x011abade
0x011abae1
0x011abae1
0x00000000
0x011abab4
0x011aba0e
0x011aba21
0x011aba24
0x011aba27
0x011aba2a
0x011aba2d
0x011aba40
0x011aba4c
0x011aba53
0x011aba57
0x011aba5d
0x011aba59
0x011aba59
0x011aba59
0x011aba62
0x011aba69
0x011aba7c
0x011aba9c
0x00000000
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 011B0661: GetWindowLongW.USER32(?,000000F0), ref: 011B066E

GetClientRect.USER32 ref: 011ABA2D
IsMenu.USER32 ref: 011ABA69
AdjustWindowRectEx.USER32(?,00000000,00000000), ref: 011ABA7C
GetClientRect.USER32 ref: 011ABAC9

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: Rect$ClientWindow$AdjustLongMenu
String ID:
API String ID: 3435883281-0
Opcode ID: 10cf3b22b4219590bd662fe414c76147ad8887b52a39f356f0776dd628a8da30
Instruction ID: c4373ce9ad40d3532f9656aab950edf39cee79a78b3c98a1e9b9106035d19a8c
Opcode Fuzzy Hash: 10cf3b22b4219590bd662fe414c76147ad8887b52a39f356f0776dd628a8da30
Instruction Fuzzy Hash: C8319575E0025AAFDB19EFA9C994DBFBFBDEF48604F10416AE805E7200DB749900CB95

Uniqueness

Uniqueness Score: -1.00%

Function 01313018 Relevance: 6.1, APIs: 4, Instructions: 110
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 81%

			E01313018(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
				signed int _v8;
				int _v12;
				char _v16;
				intOrPtr _v24;
				char _v28;
				void* _v40;
				signed int _t34;
				signed int _t40;
				int _t46;
				int _t53;
				void* _t55;
				int _t57;
				signed int _t63;
				int _t67;
				short* _t69;
				signed int _t70;
				short* _t71;

				_t34 =  *0x139eff4; // 0xdde28b47
				_v8 = _t34 ^ _t70;
				E012F6BB6(__ebx,  &_v28, __edx, _a4);
				_t57 = _a24;
				if(_t57 == 0) {
					_t53 =  *(_v24 + 8);
					_t57 = _t53;
					_a24 = _t53;
				}
				_t67 = 0;
				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
				_v12 = _t40;
				if(_t40 == 0) {
					L15:
					if(_v16 != 0) {
						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
					}
					return E012E980C(_v8 ^ _t70);
				}
				_t55 = _t40 + _t40;
				_t17 = _t55 + 8; // 0x1368ae0
				asm("sbb eax, eax");
				if((_t17 & _t40) == 0) {
					_t69 = 0;
					L11:
					if(_t69 != 0) {
						E012EE6E0(_t67, _t69, _t67, _t55);
						_t46 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t69, _v12);
						if(_t46 != 0) {
							_t67 = GetStringTypeW(_a8, _t69, _t46, _a20);
						}
					}
					L14:
					E012EBCAE(_t69);
					goto L15;
				}
				_t20 = _t55 + 8; // 0x1368ae0
				asm("sbb eax, eax");
				_t48 = _t40 & _t20;
				_t21 = _t55 + 8; // 0x1368ae0
				_t63 = _t21;
				if((_t40 & _t20) > 0x400) {
					asm("sbb eax, eax");
					_t69 = E0130B125(_t63, _t48 & _t63);
					if(_t69 == 0) {
						goto L14;
					}
					 *_t69 = 0xdddd;
					L9:
					_t69 =  &(_t69[4]);
					goto L11;
				}
				asm("sbb eax, eax");
				E012EA400();
				_t69 = _t71;
				if(_t69 == 0) {
					goto L14;
				}
				 *_t69 = 0xcccc;
				goto L9;
			}

0x01313020
0x01313027
0x01313033
0x01313038
0x0131303d
0x01313042
0x01313045
0x01313047
0x01313047
0x0131304c
0x01313065
0x0131306b
0x01313070
0x0131310f
0x01313113
0x01313118
0x01313118
0x01313134
0x01313134
0x01313076
0x01313079
0x0131307e
0x01313082
0x013130ce
0x013130d0
0x013130d2
0x013130d7
0x013130ee
0x013130f6
0x01313106
0x01313106
0x013130f6
0x01313108
0x01313109
0x00000000
0x0131310e
0x01313084
0x01313089
0x0131308b
0x0131308d
0x0131308d
0x01313095
0x013130b2
0x013130bc
0x013130c1
0x00000000
0x00000000
0x013130c3
0x013130c9
0x013130c9
0x00000000
0x013130c9
0x01313099
0x0131309d
0x013130a2
0x013130a6
0x00000000
0x00000000
0x013130a8
0x00000000

APIs

MultiByteToWideChar.KERNEL32(01368AD8,00000000,?,?,00000000,00000000,01304712,?,00000000,01368AD8,00000001,?,?,00000001,01304712,?), ref: 01313065
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 013130EE
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,012FE943,?), ref: 01313100
__freea.LIBCMT ref: 01313109

Part of subcall function 0130B125: RtlAllocateHeap.NTDLL(00000000,8007000E,?,?,011A700E,8007000E,00000000,?,?,011B186B,0000000C,00000004,011447AC,8007000E), ref: 0130B157

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 394952163bb9d6bf5c556283d85756025a3e70b446f6b9e271a01a5c9c437158
Instruction ID: cecd948ad9167ead21479b661c1b0779394ded6347d775040e006c7cb74f1879
Opcode Fuzzy Hash: 394952163bb9d6bf5c556283d85756025a3e70b446f6b9e271a01a5c9c437158
Instruction Fuzzy Hash: 6531CE32A1021AABEF29DF69CC45DBE7FA5EB50324F050268EC05D7194EB35C954CB90

Uniqueness

Uniqueness Score: -1.00%

Function 011B27FA Relevance: 6.1, APIs: 4, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E011B27FA(void* __ecx, void* __edx, struct tagRECT* _a4) {
				intOrPtr _t32;
				void* _t34;
				intOrPtr _t37;
				intOrPtr _t40;
				long _t41;
				signed int _t43;
				void* _t52;
				void* _t53;
				void* _t56;
				intOrPtr _t59;
				intOrPtr _t60;
				intOrPtr _t68;
				void* _t69;
				long _t70;
				long _t71;
				struct tagRECT* _t72;
				void* _t73;
				signed int _t75;
				void* _t77;

				_t69 = __edx;
				_t72 = _a4;
				_t53 = __ecx;
				SetRectEmpty(_t72);
				_t32 =  *((intOrPtr*)(_t53 + 4));
				if(_t32 == 0 ||  *(_t32 + 0x20) == 0) {
					return _t32;
				} else {
					GetClientRect( *(_t32 + 0x20), _t72);
					_t34 = E011BCE42(0x1334b98,  *((intOrPtr*)(_t53 + 4)));
					_t56 = _t73;
					if(_t34 == 0) {
						if(E011BCE42(0x1334b70,  *((intOrPtr*)(_t53 + 4))) == 0) {
							L12:
							_t70 = _t72->left;
							_t37 = _t72->right - _t70;
							_t59 =  *((intOrPtr*)(_t53 + 8));
							if(_t59 <= _t37) {
								_t59 = _t37;
							}
							_t71 = _t72->top;
							_t72->right = _t70 + _t59;
							_t60 =  *((intOrPtr*)(_t53 + 0xc));
							_t40 = _t72->bottom - _t71;
							if(_t60 <= _t40) {
								_t60 = _t40;
							}
							_t41 = _t71 + _t60;
							_t72->bottom = _t41;
							return _t41;
						}
						_t75 = E011AB62D( *((intOrPtr*)(_t53 + 4)), 1);
						_t43 = E011AB62D( *((intOrPtr*)(_t53 + 4)), 0);
						_t72->bottom = _t72->bottom + _t75;
						_t72->right = _t72->right + _t43;
						_push( ~_t75);
						_push( ~_t43);
						L11:
						OffsetRect(_t72, ??, ??);
						goto L12;
					}
					_t77 = E011BCE42(0x1334b30, E011AB22F(_t56, _t69, GetParent( *( *((intOrPtr*)(_t53 + 4)) + 0x20))));
					if(_t77 != 0) {
						_t52 = E011C5441(_t77);
						_t68 =  *((intOrPtr*)(_t77 + 0x4dc0));
						if(_t68 > 0) {
							_t72->top = _t72->top + _t68;
							if( *((intOrPtr*)(_t77 + 0xe0)) != 0) {
								_t72->bottom = _t72->bottom - _t68;
							}
						}
						_t72->left = _t72->left + _t52;
					}
					_push( ~(_t72->top));
					_push( ~(_t72->left));
					goto L11;
				}
			}

0x011b27fa
0x011b27ff
0x011b2802
0x011b2805
0x011b280b
0x011b2810
0x011b28ff
0x011b2820
0x011b2825
0x011b2833
0x011b2839
0x011b283c
0x011b28a3
0x011b28ce
0x011b28d1
0x011b28d3
0x011b28d5
0x011b28db
0x011b28dd
0x011b28dd
0x011b28e2
0x011b28e5
0x011b28eb
0x011b28ee
0x011b28f2
0x011b28f4
0x011b28f4
0x011b28f6
0x011b28f9
0x00000000
0x011b28f9
0x011b28b2
0x011b28b6
0x011b28bb
0x011b28c0
0x011b28c5
0x011b28c6
0x011b28c7
0x011b28c8
0x00000000
0x011b28c8
0x011b285b
0x011b2861
0x011b2865
0x011b286a
0x011b2872
0x011b2874
0x011b287e
0x011b2880
0x011b2880
0x011b287e
0x011b2883
0x011b2883
0x011b288e
0x011b288f
0x00000000
0x011b288f

APIs

SetRectEmpty.USER32(00000000), ref: 011B2805
GetClientRect.USER32 ref: 011B2825
GetParent.USER32(00000000), ref: 011B2844
OffsetRect.USER32(00000000,00000000,00000000), ref: 011B28C8

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: Rect$ClientEmptyOffsetParent
String ID:
API String ID: 3819956977-0
Opcode ID: 2a929484856fcf9e7e7653cfbe9499442a1da7401cebde806c9129f13a9716e8
Instruction ID: 6962643305c61000875f3c80ab9190bac8edea41e59236e41420d4d6b7b7b534
Opcode Fuzzy Hash: 2a929484856fcf9e7e7653cfbe9499442a1da7401cebde806c9129f13a9716e8
Instruction Fuzzy Hash: 98319475600612EFE71CDF69D894EA6FBA5FF44710B04822DE9098B644EB70F810CB90

Uniqueness

Uniqueness Score: -1.00%

Function 011D7FCD Relevance: 6.1, APIs: 4, Instructions: 76
windowCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E011D7FCD(void* __ecx, void* __edx) {
				intOrPtr* _t22;
				intOrPtr _t24;
				void* _t33;
				void* _t38;
				void* _t53;
				intOrPtr* _t54;
				LOGPALETTE* _t55;
				int _t56;
				void* _t60;

				_t53 = __edx;
				_push(0x18);
				E012EA0A3();
				_t38 = __ecx;
				_t54 =  *((intOrPtr*)(__ecx + 0x800));
				_t61 = _t54;
				if(_t54 != 0) {
					L012EA066();
					 *((intOrPtr*)( *((intOrPtr*)( *_t54 + 4))))(1);
				}
				_t22 = E011A6FE4(_t61, 8);
				 *((intOrPtr*)(_t60 - 0x10)) = _t22;
				if(_t22 == 0) {
					_t22 = 0;
					__eflags = 0;
				} else {
					 *(_t22 + 4) =  *(_t22 + 4) & 0x00000000;
					 *_t22 = 0x1336604;
				}
				_push(_t38);
				_t41 = _t60 - 0x24;
				 *((intOrPtr*)(_t38 + 0x800)) = _t22;
				E011B84A6(_t60 - 0x24, _t53);
				 *(_t60 - 4) =  *(_t60 - 4) & 0x00000000;
				_t24 =  *((intOrPtr*)(_t60 + 8));
				_t63 = _t24;
				if(_t24 != 0) {
					_t56 = E011D76F9(_t24);
					_push(8 + _t56 * 4);
					_t55 = E011A701B(8 + _t56 * 4, __eflags);
					_t16 =  &(_t55->palPalEntry); // 0x4
					GetPaletteEntries( *( *((intOrPtr*)(_t60 + 8)) + 4), 0, _t56, _t16);
					_t55->palNumEntries = _t56;
					_t55->palVersion = 0x300;
				} else {
					_push(0x408);
					_t55 = E011A701B(_t41, _t63);
					_t11 =  &(_t55->palPalEntry); // 0x4
					GetSystemPaletteEntries( *(_t60 - 0x20), 0, 0x100, _t11);
					_t55->palVersion = 0x1000300;
				}
				E011B8E9D( *((intOrPtr*)(_t38 + 0x800)), _t53, _t55, CreatePalette(_t55));
				L011A7024(_t55);
				_t33 = E011B860A(_t60 - 0x24, _t53);
				E012EA06C();
				return _t33;
			}

0x011d7fcd
0x011d7fcd
0x011d7fd4
0x011d7fd9
0x011d7fdb
0x011d7fe1
0x011d7fe3
0x011d7fee
0x011d7ff5
0x011d7ff5
0x011d7ff9
0x011d7ffe
0x011d8004
0x011d8012
0x011d8012
0x011d8006
0x011d8006
0x011d800a
0x011d800a
0x011d8014
0x011d8015
0x011d8018
0x011d801e
0x011d8023
0x011d8027
0x011d802a
0x011d802c
0x011d805f
0x011d8068
0x011d806f
0x011d8074
0x011d807e
0x011d8089
0x011d808d
0x011d802e
0x011d802e
0x011d8039
0x011d8040
0x011d804a
0x011d8050
0x011d8050
0x011d80a0
0x011d80a6
0x011d80af
0x011d80b4
0x011d80b9

APIs

__EH_prolog3.LIBCMT ref: 011D7FD4
GetSystemPaletteEntries.GDI32(?,00000000,00000100,00000004), ref: 011D804A
CreatePalette.GDI32(00000000), ref: 011D8097

Part of subcall function 011D76F9: GetObjectW.GDI32(00000007,00000002,00000000,?,?,011D805F,?,00000018,011D7829,00000000,?,?,00000000), ref: 011D7706

GetPaletteEntries.GDI32(00000007,00000000,00000000,00000004), ref: 011D807E

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: Palette$Entries$CreateH_prolog3ObjectSystem
String ID:
API String ID: 374951733-0
Opcode ID: 2f86ee576b7b64780c5af57f70a17f776eb1d225fb27ef9403780abfb5f34c9c
Instruction ID: 630de4ae8e4a335ae4a024e12cf7939f4e3e2c56679b819a8a4cea06f6be5c60
Opcode Fuzzy Hash: 2f86ee576b7b64780c5af57f70a17f776eb1d225fb27ef9403780abfb5f34c9c
Instruction Fuzzy Hash: 3621D3766002129BDB1DAF64C854BAE7BE8BF54714F048069E5099B2C0EF359905CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 011BFD98 Relevance: 6.1, APIs: 4, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E011BFD98(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __fp0) {
				signed int _v8;
				int _v12;
				int _v16;
				int _v20;
				int _v24;
				struct HWND__** _v28;
				struct HWND__* _v32;
				signed int _t22;
				struct HDWP__* _t25;
				struct HWND__** _t26;
				struct HWND__* _t27;
				signed int _t32;
				int _t37;
				struct HDWP__* _t40;
				void* _t48;
				void* _t50;
				intOrPtr* _t52;
				signed int _t54;
				void* _t58;

				_t58 = __fp0;
				_t48 = __edx;
				_t22 =  *0x139eff4; // 0xdde28b47
				_v8 = _t22 ^ _t54;
				_t50 = __ecx;
				if( *(__ecx + 0x1c) == 0) {
					L7:
					return E012E980C(_v8 ^ _t54);
				} else {
					_push(__ebx);
					_push(__esi);
					_t25 = BeginDeferWindowPos( *(__ecx + 0x1c));
					_t52 =  *((intOrPtr*)(_t50 + 0x14));
					_t40 = _t25;
					while(_t52 != 0) {
						_t26 =  *(_t52 + 8);
						_t52 =  *_t52;
						_v28 = _t26;
						_t27 =  *_t26;
						_v32 = _t27;
						__eflags = IsWindow(_t27);
						if(__eflags != 0) {
							_v24 = 0;
							_v20 = 0;
							_v16 = 0;
							_v12 = 0;
							_t32 = E011BFE47(_t40, _t50, _t48, _t50, _t52, __eflags, _t58, _v28,  &_v24);
							__eflags = (_t32 & 0x00000003) - 3;
							if((_t32 & 0x00000003) != 3) {
								_t37 = _v16 - _v24;
								__eflags = _t37;
								DeferWindowPos(_t40, _v32, 0, _v24, _v20, _t37, _v12 - _v20, _t32 | 0x00000314);
							}
						}
					}
					EndDeferWindowPos(_t40);
					goto L7;
				}
			}

0x011bfd98
0x011bfd98
0x011bfd9e
0x011bfda5
0x011bfda9
0x011bfdaf
0x011bfe38
0x011bfe46
0x011bfdb5
0x011bfdb5
0x011bfdb6
0x011bfdba
0x011bfdc0
0x011bfdc3
0x011bfe2b
0x011bfdc7
0x011bfdca
0x011bfdcc
0x011bfdcf
0x011bfdd2
0x011bfddb
0x011bfddd
0x011bfde3
0x011bfde6
0x011bfde9
0x011bfdec
0x011bfdf6
0x011bfe00
0x011bfe03
0x011bfe15
0x011bfe15
0x011bfe25
0x011bfe25
0x011bfe03
0x011bfddd
0x011bfe30
0x00000000
0x011bfe37

APIs

BeginDeferWindowPos.USER32 ref: 011BFDBA
IsWindow.USER32(?), ref: 011BFDD5
DeferWindowPos.USER32(00000000,?,00000000,?,?,?,?,00000000), ref: 011BFE25
EndDeferWindowPos.USER32(00000000), ref: 011BFE30

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: Window$Defer$Begin
String ID:
API String ID: 2880567340-0
Opcode ID: 74449b842322a9692de630749349f3a79a9a525b6b3883500f8b4277675d60c8
Instruction ID: 4923e3410bde44e4babf36f4e3d3780066eba8694640c2648f88019810f2c02a
Opcode Fuzzy Hash: 74449b842322a9692de630749349f3a79a9a525b6b3883500f8b4277675d60c8
Instruction Fuzzy Hash: DB211A71E0011AAFDB25DFA8DC85ABEBBF8EB08700F15456AE605E3251D734A941CB91

Uniqueness

Uniqueness Score: -1.00%

Function 011C2D0B Relevance: 6.1, APIs: 4, Instructions: 65
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 90%

			E011C2D0B(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t24;
				intOrPtr _t26;
				intOrPtr _t33;
				WCHAR* _t34;
				void* _t37;
				void* _t39;
				struct HRSRC__* _t41;
				void* _t42;
				WCHAR* _t43;
				intOrPtr _t46;

				_t39 = __edx;
				_t36 = __ecx;
				_push(__ecx);
				_t46 = _a4;
				_t33 = __ecx;
				_v8 = __ecx;
				if(( *(_t46 + 4) & 0x00000001) == 0) {
					_t41 = FindResourceW( *(_t46 + 8),  *(_t46 + 0xc), 5);
					__eflags = _t41;
					if(_t41 == 0) {
						E011B8E28(_t36, _t39);
					}
					_t42 = LoadResource( *(_t46 + 8), _t41);
					__eflags = _t42;
					if(_t42 == 0) {
						E011B8E28(_t36, _t39);
					}
					_t43 = LockResource(_t42);
					__eflags = _t43;
					if(_t43 == 0) {
						E011B8E28(_t36, _t39);
					}
				} else {
					_t43 =  *(_t46 + 0xc);
				}
				_t24 = E011B72B6(_t46);
				_t49 =  *((intOrPtr*)(_t24 + 0x3c));
				if( *((intOrPtr*)(_t24 + 0x3c)) != 0) {
					_t43 = E011C239F(_t33, _t43);
				}
				_push(_a8);
				_push(_t43);
				_t34 = E011C2F57(_t33, _t43, _t49);
				_t26 = _v8;
				_t37 =  *(_t26 + 0x88);
				if(_t37 != 0) {
					GlobalFree(_t37);
					_t26 = _v8;
					 *(_t26 + 0x88) =  *(_t26 + 0x88) & 0x00000000;
				}
				if(_t34 != 0) {
					_t43 = _t34;
					 *(_t26 + 0x88) = _t34;
				}
				 *(_t46 + 4) =  *(_t46 + 4) | 0x00000001;
				 *(_t46 + 0xc) = _t43;
				return _t26;
			}

0x011c2d0b
0x011c2d0b
0x011c2d0e
0x011c2d11
0x011c2d14
0x011c2d17
0x011c2d1e
0x011c2d33
0x011c2d35
0x011c2d37
0x011c2d39
0x011c2d39
0x011c2d48
0x011c2d4a
0x011c2d4c
0x011c2d4e
0x011c2d4e
0x011c2d5a
0x011c2d5c
0x011c2d5e
0x011c2d60
0x011c2d60
0x011c2d20
0x011c2d20
0x011c2d20
0x011c2d65
0x011c2d6a
0x011c2d6e
0x011c2d78
0x011c2d78
0x011c2d7a
0x011c2d7d
0x011c2d83
0x011c2d85
0x011c2d88
0x011c2d90
0x011c2d93
0x011c2d99
0x011c2d9c
0x011c2d9c
0x011c2da5
0x011c2da7
0x011c2da9
0x011c2da9
0x011c2daf
0x011c2db3
0x011c2dbc

APIs

FindResourceW.KERNEL32(?,00000000,00000005,?,?,00000000,00000000,?,011C1BAC,?,?,?,?,?), ref: 011C2D2D
LoadResource.KERNEL32(?,00000000,?,?,00000000,00000000,?,011C1BAC,?,?,?,?,?), ref: 011C2D42
LockResource.KERNEL32(00000000,?,?,00000000,00000000,?,011C1BAC,?,?,?,?,?), ref: 011C2D54
GlobalFree.KERNEL32 ref: 011C2D93

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: Resource$FindFreeGlobalLoadLock
String ID:
API String ID: 3898064442-0
Opcode ID: 5205620f2a6a6a123d19b7ff21d0d47efe2f33f59bdcfadcdb991f171d05fad4
Instruction ID: c4b9f729c48b44219a8ff47f354789d79672c4dd3e4c6b5759f5ec65b0b20a38
Opcode Fuzzy Hash: 5205620f2a6a6a123d19b7ff21d0d47efe2f33f59bdcfadcdb991f171d05fad4
Instruction Fuzzy Hash: 4211AF36100601AFD72AAF69C888F7ABBE9EFB4A25F15847CE94997250DB70D8009B10

Uniqueness

Uniqueness Score: -1.00%

Function 012F9575 Relevance: 6.1, APIs: 4, Instructions: 65
timeCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E012F9575(struct _FILETIME _a4, intOrPtr _a8, void* _a12, void* _a16) {
				signed int _v8;
				struct _SYSTEMTIME _v24;
				struct _SYSTEMTIME _v40;
				signed int _v44;
				signed int _t20;
				signed int _t46;
				signed int _t49;

				_t20 =  *0x139eff4; // 0xdde28b47
				_v8 = _t20 ^ _t49;
				if(_a4.dwLowDateTime != 0 || _a8 != 0) {
					if(FileTimeToSystemTime( &_a4,  &_v40) == 0 || SystemTimeToTzSpecificLocalTime(0,  &_v40,  &_v24) == 0) {
						E012F91E1(GetLastError());
						goto L8;
					} else {
						_v44 = _v44 | 0xffffffff;
						if((E012F961F( &_v24,  &(_v24.wMonth),  &(_v24.wDay),  &(_v24.wHour),  &(_v24.wMinute),  &(_v24.wSecond),  &_v44) & _t46) == 0xffffffff) {
							 *((intOrPtr*)(E012F9217())) = 0x84;
							L8:
						}
					}
				} else {
				}
				return E012E980C(_v8 ^ _t49);
			}

0x012f957d
0x012f9584
0x012f958b
0x012f95ab
0x012f9606
0x00000000
0x012f95c1
0x012f95c1
0x012f95f0
0x012f95f7
0x012f960c
0x012f960f
0x012f95f0
0x012f9593
0x012f9596
0x012f961e

APIs

FileTimeToSystemTime.KERNEL32(00000000,?,?,?,00000000,00000000,000000FF,?,?,00000000), ref: 012F95A3
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 012F95B7
GetLastError.KERNEL32 ref: 012F95FF
__dosmaperr.LIBCMT ref: 012F9606

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: Time$System$ErrorFileLastLocalSpecific__dosmaperr
String ID:
API String ID: 593088924-0
Opcode ID: 1b7fa584539e4f3f8eb0c2b2002111988d49d5c3e5239a75d67dbdf45e24b991
Instruction ID: 1443316a69b269d8f474623cc6a31b93abb5c410905ee1bb78428b8311d8bc36
Opcode Fuzzy Hash: 1b7fa584539e4f3f8eb0c2b2002111988d49d5c3e5239a75d67dbdf45e24b991
Instruction Fuzzy Hash: B821217291010DAFDF14EEA4D884BEEB7BCAF08324F10427AF616D7080DA34D684CB61

Uniqueness

Uniqueness Score: -1.00%

Function 011D471B Relevance: 6.1, APIs: 4, Instructions: 61
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 77%

			E011D471B(void* __ebx, void* __edi, void* __esi, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				struct tagLOGFONTW _v100;
				void* _v104;
				short* _v108;
				signed int _v120;
				short _v524;
				int _v528;
				void* _v540;
				struct _FILETIME _v548;
				intOrPtr _v640;
				intOrPtr _v644;
				char _v648;
				void* __ebp;
				signed int _t28;
				void* _t42;
				signed int _t44;
				short* _t49;
				intOrPtr* _t62;
				intOrPtr _t78;
				struct HDC__* _t79;
				signed int _t83;
				void* _t85;
				signed int _t86;

				_t28 =  *0x139eff4; // 0xdde28b47
				_v8 = _t28 ^ _t83;
				_t78 = _a4;
				_v104 = 0;
				E012EE6E0(0,  &_v100, 0, 0x5c);
				_t86 = _t85 + 0xc;
				if(_t78 == 0) {
					L2:
					E01143F00(_t62, E012FF818( &(_v100.lfFaceName), 0x20, _t78));
					_v100.lfCharSet = 1;
					_v104 = 0;
					_t79 = GetDC(0);
					if(_t79 != 0) {
						EnumFontFamiliesExW(_t79,  &_v100, 0x11d4705,  &_v104, 0);
						ReleaseDC(0, _t79);
					}
					return E012E980C(_v8 ^ _t83);
				} else {
					_t42 = E013004F8(_t78);
					_pop(_t62);
					if(_t42 >= 0x20) {
						E011B1E69(_t62);
						asm("int3");
						_push(_t83);
						_t84 = _t86;
						_t44 =  *0x139eff4; // 0xdde28b47
						_v120 = _t44 ^ _t86;
						_t60 = _v108;
						_push(_t78);
						_push(0);
						_t75 = _t62;
						_v648 = 0;
						_v644 = 0;
						_v640 = 0;
						_t49 = E011C7922( &_v648,  *_t62, _v108,  *(_t62 + 4) | 0x0002001f);
						while(_t49 == 0) {
							_v528 = 0x100;
							if(RegEnumKeyExW(_v540, 0,  &_v524,  &_v528, 0, 0, 0,  &_v548) == 0) {
								_t49 =  &_v524;
								_push(_t49);
								L6();
								continue;
							} else {
								E011B5D1D( &_v540);
								E011C716E(_t75, _t60);
							}
							break;
						}
						E011B5D1D( &_v540);
						return E012E980C(_v12 ^ _t84);
					} else {
						goto L2;
					}
				}
			}

0x011d4721
0x011d4728
0x011d472c
0x011d4739
0x011d473c
0x011d4741
0x011d4746
0x011d4754
0x011d4761
0x011d4769
0x011d476d
0x011d4777
0x011d477b
0x011d478c
0x011d4794
0x011d4794
0x011d47ac
0x011d4748
0x011d4749
0x011d474e
0x011d4752
0x011d47ad
0x011d47b2
0x011d47b3
0x011d47b4
0x011d47bc
0x011d47c3
0x011d47c7
0x011d47cc
0x011d47cd
0x011d47ce
0x011d47d0
0x011d47d6
0x011d47e2
0x011d47f4
0x011d4807
0x011d480f
0x011d4846
0x011d47fb
0x011d4801
0x011d4802
0x00000000
0x011d4848
0x011d4848
0x011d4850
0x011d4855
0x00000000
0x011d4846
0x011d485d
0x011d4874
0x00000000
0x00000000
0x00000000
0x011d4752

APIs

_wcslen.LIBCMT ref: 011D4749
GetDC.USER32(00000000), ref: 011D4771
EnumFontFamiliesExW.GDI32(00000000,?,011D4705,?,00000000,?,?,?,?,?,?,00000000), ref: 011D478C
ReleaseDC.USER32 ref: 011D4794

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: EnumFamiliesFontRelease_wcslen
String ID:
API String ID: 3785621066-0
Opcode ID: d4f4a879ae96c5620eb9470cb65906fcabd250e137b4349f53c31010cf120fa3
Instruction ID: 16776097fad939e1e6cde3bea6aaa5537ed70020f3d89e44203e4e619e945446
Opcode Fuzzy Hash: d4f4a879ae96c5620eb9470cb65906fcabd250e137b4349f53c31010cf120fa3
Instruction Fuzzy Hash: 7811E072D01328ABDB20EBA89C49EBF7BBCEF56704F050029FD04AB104DB309A0587A1

Uniqueness

Uniqueness Score: -1.00%

Function 01303515 Relevance: 6.1, APIs: 4, Instructions: 55
threadCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E01303515(void* __ecx, intOrPtr _a4, long _a8, intOrPtr _a12) {
				void* _v5;
				long _v12;
				long _t15;
				void* _t26;
				void* _t27;
				void* _t30;

				_push(__ecx);
				_push(__ecx);
				if(_a4 != 0) {
					_push(_t26);
					_t30 = E013034CC(__ecx, __eflags, _a4, _a12);
					__eflags = _t30;
					if(_t30 == 0) {
						L5:
						_t27 = _t26 | 0xffffffff;
						__eflags = _t27;
						L6:
						E0130343E(_t30);
						return _t27;
					}
					_v12 = _v12 & 0x00000000;
					_t26 = CreateThread(0, _a8, 0x1303342, _t30, 4,  &_v12);
					__eflags = _t26;
					if(_t26 != 0) {
						 *(_t30 + 8) = _t26;
						_t15 = ResumeThread(_t26);
						__eflags = _t15 - 0xffffffff;
						if(_t15 == 0xffffffff) {
							goto L4;
						}
						_t30 = 0;
						goto L6;
					}
					L4:
					E012F91E1(GetLastError());
					goto L5;
				}
				 *((intOrPtr*)(E012F9217())) = 0x16;
				return E012F9CEA() | 0xffffffff;
			}

0x0130351a
0x0130351b
0x01303520
0x01303538
0x01303544
0x01303548
0x0130354a
0x0130357a
0x0130357a
0x0130357a
0x0130357d
0x01303581
0x00000000
0x01303589
0x0130354c
0x01303567
0x01303569
0x0130356b
0x0130358f
0x01303592
0x01303598
0x0130359b
0x00000000
0x00000000
0x0130359d
0x00000000
0x0130359d
0x0130356d
0x01303574
0x00000000
0x01303579
0x01303527
0x00000000

APIs

CreateThread.KERNEL32 ref: 01303561
GetLastError.KERNEL32(?,?,?,?,?,01290024,01290070,00000000), ref: 0130356D
__dosmaperr.LIBCMT ref: 01303574
ResumeThread.KERNEL32(00000000,?,?,?,?,?,01290024,01290070,00000000), ref: 01303592

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: b61f792aebceeeef6c3ae4cd413e6c94699732a38a4955a26dab9ebfcaafd0f9
Instruction ID: f4edb30546933c650439c4f0948d1250d3ddef11835b2a1df14ca39a3734cd6f
Opcode Fuzzy Hash: b61f792aebceeeef6c3ae4cd413e6c94699732a38a4955a26dab9ebfcaafd0f9
Instruction Fuzzy Hash: 0B01C072510209BFDB226BA9DC14BAA7BACFF81739F10022DF925A61E0DB7198418761

Uniqueness

Uniqueness Score: -1.00%

Function 0130CB6B Relevance: 6.1, APIs: 4, Instructions: 52
libraryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 95%

			E0130CB6B(signed int _a4) {
				signed int _t9;
				void* _t13;
				signed int _t15;
				WCHAR* _t22;
				signed int _t24;
				signed int* _t25;
				void* _t27;

				_t9 = _a4;
				_t25 = 0x13ad2c8 + _t9 * 4;
				_t24 =  *_t25;
				if(_t24 == 0) {
					_t22 =  *(0x1360f60 + _t9 * 4);
					_t27 = LoadLibraryExW(_t22, 0, 0x800);
					if(_t27 != 0) {
						L8:
						 *_t25 = _t27;
						if( *_t25 != 0) {
							FreeLibrary(_t27);
						}
						_t13 = _t27;
						L11:
						return _t13;
					}
					_t15 = GetLastError();
					if(_t15 != 0x57) {
						_t27 = 0;
					} else {
						_t15 = LoadLibraryExW(_t22, _t27, _t27);
						_t27 = _t15;
					}
					if(_t27 != 0) {
						goto L8;
					} else {
						 *_t25 = _t15 | 0xffffffff;
						_t13 = 0;
						goto L11;
					}
				}
				_t4 = _t24 + 1; // 0xdde28b48
				asm("sbb eax, eax");
				return  ~_t4 & _t24;
			}

0x0130cb70
0x0130cb74
0x0130cb7b
0x0130cb7f
0x0130cb8d
0x0130cba3
0x0130cba7
0x0130cbd0
0x0130cbd2
0x0130cbd6
0x0130cbd9
0x0130cbd9
0x0130cbdf
0x0130cbe1
0x00000000
0x0130cbe2
0x0130cba9
0x0130cbb2
0x0130cbc1
0x0130cbb4
0x0130cbb7
0x0130cbbd
0x0130cbbd
0x0130cbc5
0x00000000
0x0130cbc7
0x0130cbca
0x0130cbcc
0x00000000
0x0130cbcc
0x0130cbc5
0x0130cb81
0x0130cb86
0x00000000

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,0130CB12,?,00000000,00000000,00000000,?,0130CE3E,00000006,FlsSetValue), ref: 0130CB9D
GetLastError.KERNEL32(?,0130CB12,?,00000000,00000000,00000000,?,0130CE3E,00000006,FlsSetValue,01361450,01361458,00000000,00000364,?,0130BBE6), ref: 0130CBA9
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0130CB12,?,00000000,00000000,00000000,?,0130CE3E,00000006,FlsSetValue,01361450,01361458,00000000), ref: 0130CBB7

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 0371568254f3c8633f0c4334f562021c0c88ca3c2011ce03f17c97c754383e70
Instruction ID: a42fa4c0ef8ea1cd54d5823878c42dc0c9008ace27e8a5287220c45a5e6b1db5
Opcode Fuzzy Hash: 0371568254f3c8633f0c4334f562021c0c88ca3c2011ce03f17c97c754383e70
Instruction Fuzzy Hash: F001F7322456269BC7335D7CAC65E567BDCAF04BA9F100764FA06E7581D730D800CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 011ADF1B Relevance: 6.0, APIs: 4, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E011ADF1B(void* __ecx, void* __edx, struct HWND__* _a4, int _a8, int _a12, long _a16, intOrPtr _a20, intOrPtr _a24) {
				void* __ebp;
				struct HWND__* _t16;
				void* _t20;
				void* _t22;
				void* _t23;
				struct HWND__* _t24;

				_t23 = __edx;
				_t22 = __ecx;
				_t16 = GetTopWindow(_a4);
				while(1) {
					_t24 = _t16;
					if(_t24 == 0) {
						break;
					}
					if(_a24 == 0) {
						SendMessageW(_t24, _a8, _a12, _a16);
					} else {
						_t20 = E011AB259(_t22, _t24);
						if(_t20 != 0) {
							_push(_a16);
							_push(_a12);
							_push(_a8);
							_push( *((intOrPtr*)(_t20 + 0x20)));
							_push(_t20);
							E011A95D2(_t23);
						}
					}
					if(_a20 != 0 && GetTopWindow(_t24) != 0) {
						E011ADF1B(_t22, _t23, _t24, _a8, _a12, _a16, _a20, _a24);
					}
					_t16 = GetWindow(_t24, 2);
				}
				return _t16;
			}

0x011adf1b
0x011adf1b
0x011adf22
0x011adf8d
0x011adf8d
0x011adf91
0x00000000
0x00000000
0x011adf2e
0x011adf58
0x011adf30
0x011adf31
0x011adf38
0x011adf3a
0x011adf3d
0x011adf40
0x011adf43
0x011adf46
0x011adf47
0x011adf47
0x011adf38
0x011adf62
0x011adf7f
0x011adf7f
0x011adf87
0x011adf87
0x011adf95

APIs

GetTopWindow.USER32(?), ref: 011ADF22
GetTopWindow.USER32(00000000), ref: 011ADF65
GetWindow.USER32(00000000,00000002), ref: 011ADF87

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: fed8fe8416cbc7e6839e3f60f34fcc31c1a28c2bc1fd9060c6e60f63f2a1049c
Instruction ID: 9a1e2f6927d959b4ab340dcc151d9b20974de1f256757b50434f4ded51c8f8f0
Opcode Fuzzy Hash: fed8fe8416cbc7e6839e3f60f34fcc31c1a28c2bc1fd9060c6e60f63f2a1049c
Instruction Fuzzy Hash: 9101083A00591ABBDF2B6FA4AD09EDF3F2EAF05760F844015FA1554460C736C572EBA2

Uniqueness

Uniqueness Score: -1.00%

Function 011BD6C7 Relevance: 6.0, APIs: 4, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E011BD6C7(void** _a4) {
				void* _v4;
				void* __ebp;
				void* _t3;
				void* _t4;
				signed char _t5;
				int _t8;
				void* _t9;
				signed int _t11;
				void** _t13;
				void* _t14;

				_t13 = _a4;
				if(_t13 == 0) {
					_t4 = E011B1E69(_t9);
					asm("int3");
					_push(_t13);
					_t14 = _v4;
					if(_t14 != 0) {
						_t5 = GlobalFlags(_t14);
						_t11 = _t5 & 0x000000ff;
						if(_t5 == 0) {
							L8:
							return GlobalFree(_t14);
						} else {
							goto L7;
						}
						do {
							L7:
							GlobalUnlock(_t14);
							_t11 = _t11 - 1;
						} while (_t11 != 0);
						goto L8;
					}
					return _t4;
				} else {
					if( *_t13 != 0) {
						_t8 = DeleteObject( *_t13);
						 *_t13 =  *_t13 & 0x00000000;
						return _t8;
					}
					return _t3;
				}
			}

0x011bd6cb
0x011bd6d0
0x011bd6e7
0x011bd6ec
0x011bd6f0
0x011bd6f1
0x011bd6f6
0x011bd6fa
0x011bd700
0x011bd705
0x011bd713
0x00000000
0x00000000
0x00000000
0x00000000
0x011bd707
0x011bd707
0x011bd708
0x011bd70e
0x011bd70e
0x00000000
0x011bd707
0x011bd71d
0x011bd6d2
0x011bd6d5
0x011bd6d9
0x011bd6df
0x00000000
0x011bd6df
0x011bd6e4
0x011bd6e4

APIs

DeleteObject.GDI32(?), ref: 011BD6D9
GlobalFlags.KERNEL32(?), ref: 011BD6FA
GlobalUnlock.KERNEL32(?,?,?,?,011F155E,?,00000038,011F04A2,?,?,00000000,00000008,011BD066,?), ref: 011BD708
GlobalFree.KERNEL32 ref: 011BD714

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: Global$DeleteFlagsFreeObjectUnlock
String ID:
API String ID: 2517987852-0
Opcode ID: 4df8b9de788614523db125aa2c6ad6980ffa4b6f99cc4b538409360a1d0c0a81
Instruction ID: 18ef6bbf3192de8e12fbf0a92f9e51f3def39a297f52bb1490c77de3dc457f25
Opcode Fuzzy Hash: 4df8b9de788614523db125aa2c6ad6980ffa4b6f99cc4b538409360a1d0c0a81
Instruction Fuzzy Hash: FFF0B432501534ABCA3A2F99F489BDABB6DEF42756F04402AFA4456145C731544087E5

Uniqueness

Uniqueness Score: -1.00%

Function 011E5A78 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72
windowCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E011E5A78(void* __ebx, void* __edi, void* __esi, struct HDC__* _a4) {
				signed int _v8;
				void _v40;
				unsigned int _v98;
				char _v99;
				char _v100;
				unsigned int _v102;
				char _v103;
				char _v104;
				struct tagBITMAPINFOHEADER _v144;
				signed int _t24;
				unsigned int _t34;
				intOrPtr _t47;
				unsigned int _t48;
				signed int _t53;
				struct HDC__* _t58;
				signed int _t59;

				_t24 =  *0x139eff4; // 0xdde28b47
				_v8 = _t24 ^ _t59;
				_t58 = _a4;
				E012EE6E0(__edi,  &_v144, 0, 0x68);
				_t48 =  *0x13a923c; // 0xf0f0f0
				_v144.biCompression = _v144.biCompression & 0x00000000;
				_v144.biPlanes = 1;
				_v144.biBitCount = 1;
				_v104 = _t48 >> 0x10;
				_t47 = 8;
				_v144.biSize = 0x28;
				_v144.biWidth = _t47;
				_v144.biHeight = _t47;
				_v103 = _t48 >> 8;
				_v102 = _t48;
				_t34 = GetSysColor(0x14);
				_v98 = _t34;
				_v100 = _t34 >> 0x10;
				_v99 = _t34 >> 8;
				_t53 = 0;
				do {
					asm("sbb eax, eax");
					 *((intOrPtr*)(_t59 + _t53 * 4 - 0x24)) = ( ~(_t53 & 1) & 0x5554aaab) + 0x5555aaaa;
					_t53 = _t53 + 1;
				} while (_t53 < _t47);
				CreateDIBitmap(_t58,  &_v144, 4,  &_v40,  &_v144, 0);
				return E012E980C(_v8 ^ _t59);
			}

0x011e5a81
0x011e5a88
0x011e5a8d
0x011e5a9b
0x011e5aa0
0x011e5aa8
0x011e5aad
0x011e5ab4
0x011e5abd
0x011e5ac4
0x011e5aca
0x011e5ad4
0x011e5ada
0x011e5ae0
0x011e5ae3
0x011e5ae6
0x011e5aee
0x011e5af4
0x011e5afc
0x011e5aff
0x011e5b01
0x011e5b0a
0x011e5b16
0x011e5b1a
0x011e5b1b
0x011e5b36
0x011e5b4b

APIs

GetSysColor.USER32(00000014), ref: 011E5AE6
CreateDIBitmap.GDI32(011C5338,00000028,00000004,?,00000028,00000000), ref: 011E5B36

Strings

(, xrefs: 011E5ACA

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: BitmapColorCreate
String ID: (
API String ID: 2048008349-3887548279
Opcode ID: 27de9d031c3475adb8329a3bf4e73ae974d78e4e8c58623a2f422c5031fae43f
Instruction ID: 922d87d7f89fe4ee2604e09d8ceb20730fd3f0d461bdea8bc059f2130434691f
Opcode Fuzzy Hash: 27de9d031c3475adb8329a3bf4e73ae974d78e4e8c58623a2f422c5031fae43f
Instruction Fuzzy Hash: 5B21B031A5125CDBEF14DFA8CC46BEDB7F8EB14300F4040AEE545EB281DA355A08CB61

Uniqueness

Uniqueness Score: -1.00%

Function 011C1532 Relevance: 5.0, APIs: 4, Instructions: 37
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 89%

			E011C1532(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, signed int _a4, intOrPtr _a8) {
				signed short _v0;
				signed int _v8;
				signed int _v12;
				intOrPtr* _v24;
				signed int _t24;
				struct _CRITICAL_SECTION* _t39;
				struct _CRITICAL_SECTION* _t41;
				intOrPtr* _t48;
				void* _t54;
				intOrPtr* _t56;
				signed int _t60;
				void* _t63;
				void* _t67;

				_t54 = __edx;
				_t48 = __ecx;
				_t45 = __ebx;
				_t63 = _t67;
				_t60 = _a4;
				if(_t60 >= 0x11) {
					E011B1E69(__ecx);
					asm("int3");
					_push(_t63);
					_t24 = _v8;
					__eflags = _t24 - 0x11;
					if(_t24 >= 0x11) {
						E011B1E69(_t48);
						asm("int3");
						_push(4);
						E012EA0A3();
						_t56 = _t48;
						_v24 = _t56;
						E011A707E(_t48, __eflags);
						_t12 =  &_v12;
						 *_t12 = _v12 & 0x00000000;
						__eflags =  *_t12;
						 *_t56 = 0x133458c;
						E01143CD0(_t56 + 0xac, E011B2411());
						_v12 = 1;
						E01143CD0(_t56 + 0xb4, E011B2411());
						_v12 = 2;
						E01143CD0(_t56 + 0xb8, E011B2411());
						_v12 = 3;
						E011C1A82(_t56, _t54, _a8);
						E011C1C1E(__ebx, _t56, _v0 & 0x0000ffff, _a4);
						E012EA06C();
						return _t56;
					} else {
						_t39 = 0x13a8d38 + _t24 * 0x18;
						__eflags = _t39;
						LeaveCriticalSection(_t39);
						return _t39;
					}
				} else {
					if( *0x13a8d34 == 0) {
						E011C14C9();
					}
					if( *((intOrPtr*)(0x13a8ee8 + _t60 * 4)) == 0) {
						EnterCriticalSection(0x13a8ed0);
						if( *((intOrPtr*)(0x13a8ee8 + _t60 * 4)) == 0) {
							InitializeCriticalSection(0x13a8d38 + _t60 * 0x18);
							 *((intOrPtr*)(0x13a8ee8 + _t60 * 4)) =  *((intOrPtr*)(0x13a8ee8 + _t60 * 4)) + 1;
						}
						LeaveCriticalSection(0x13a8ed0);
					}
					_t41 = 0x13a8d38 + _t60 * 0x18;
					EnterCriticalSection(_t41);
					return _t41;
				}
			}

0x011c1532
0x011c1532
0x011c1532
0x011c1533
0x011c1536
0x011c153d
0x011c15a0
0x011c15a5
0x011c15a6
0x011c15a9
0x011c15ac
0x011c15af
0x011c15c4
0x011c15c9
0x011c15ca
0x011c15d1
0x011c15d6
0x011c15d8
0x011c15db
0x011c15e0
0x011c15e0
0x011c15e0
0x011c15e4
0x011c15f6
0x011c15fb
0x011c160b
0x011c1610
0x011c1620
0x011c162a
0x011c162e
0x011c163d
0x011c1644
0x011c1649
0x011c15b1
0x011c15b4
0x011c15b4
0x011c15ba
0x011c15c1
0x011c15c1
0x011c153f
0x011c1546
0x011c1548
0x011c1548
0x011c155a
0x011c1563
0x011c1571
0x011c1579
0x011c157f
0x011c157f
0x011c1587
0x011c158d
0x011c1591
0x011c1594
0x011c159d
0x011c159d

APIs

EnterCriticalSection.KERNEL32(013A8ED0,?,?,?,?,011BEDBF,00000010,00000008,011B72E4,011B7322,011AAD96,011B0DA3,?,011B2DC7,00000004,011B3AD3), ref: 011C1563
InitializeCriticalSection.KERNEL32(00000000,?,?,?,?,011BEDBF,00000010,00000008,011B72E4,011B7322,011AAD96,011B0DA3,?,011B2DC7,00000004,011B3AD3), ref: 011C1579
LeaveCriticalSection.KERNEL32(013A8ED0,?,?,?,?,011BEDBF,00000010,00000008,011B72E4,011B7322,011AAD96,011B0DA3,?,011B2DC7,00000004,011B3AD3), ref: 011C1587
EnterCriticalSection.KERNEL32(00000000,?,?,?,011BEDBF,00000010,00000008,011B72E4,011B7322,011AAD96,011B0DA3,?,011B2DC7,00000004,011B3AD3,00000120), ref: 011C1594

Part of subcall function 011C14C9: InitializeCriticalSection.KERNEL32(013A8ED0,011C154D,?,?,?,011BEDBF,00000010,00000008,011B72E4,011B7322,011AAD96,011B0DA3,?,011B2DC7,00000004,011B3AD3), ref: 011C14E1

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: CriticalSection$EnterInitialize$Leave
String ID:
API String ID: 713024617-0
Opcode ID: cff128223f9fd12a07016d4121a1911583ba9ca38f0d72b7fed1b09a4c6ef1cf
Instruction ID: 11e4c3e6138136554d5038d02760454d082bb396464cb6400306f6e64622db6e
Opcode Fuzzy Hash: cff128223f9fd12a07016d4121a1911583ba9ca38f0d72b7fed1b09a4c6ef1cf
Instruction Fuzzy Hash: 9BF0F673940228FBC6342F58EC49B567B6CEF76713FC81469F60692007CB30D5008B91

Uniqueness

Uniqueness Score: -1.00%

Function 011BEEB7 Relevance: 5.0, APIs: 4, Instructions: 36
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E011BEEB7(long* __ecx, signed int _a4) {
				void* _t9;
				long* _t11;
				intOrPtr _t13;
				struct _CRITICAL_SECTION* _t14;
				signed int _t15;

				_t11 = __ecx;
				_t1 =  &(_t11[7]); // 0x1c
				_t14 = _t1;
				EnterCriticalSection(_t14);
				_t15 = _a4;
				if(_t15 <= 0 || _t15 >= _t11[3]) {
					L6:
					LeaveCriticalSection(_t14);
					return 0;
				} else {
					_t9 = TlsGetValue( *_t11);
					if(_t9 == 0) {
						goto L6;
					}
					_t13 =  *((intOrPtr*)(_t9 + 0xc));
					if(_t13 == 0 || _t15 >=  *((intOrPtr*)(_t9 + 8))) {
						goto L6;
					} else {
						LeaveCriticalSection(_t14);
						return  *((intOrPtr*)(_t13 + _t15 * 4));
					}
				}
			}

0x011beebb
0x011beebf
0x011beebf
0x011beec3
0x011beec9
0x011beece
0x011beefb
0x011beefc
0x00000000
0x011beed5
0x011beed7
0x011beedf
0x00000000
0x00000000
0x011beee1
0x011beee6
0x00000000
0x011beeed
0x011beef1
0x00000000
0x011beef7
0x011beee6

APIs

EnterCriticalSection.KERNEL32(0000001C,?,?,?,?,011BEE59,?,00000004,011B72C5,011AAD96,011B0DA3,?,011B2DC7,00000004,011B3AD3,00000120), ref: 011BEEC3
TlsGetValue.KERNEL32(00000000,?,?,?,011BEE59,?,00000004,011B72C5,011AAD96,011B0DA3,?,011B2DC7,00000004,011B3AD3,00000120,0115D911), ref: 011BEED7
LeaveCriticalSection.KERNEL32(0000001C,?,?,?,011BEE59,?,00000004,011B72C5,011AAD96,011B0DA3,?,011B2DC7,00000004,011B3AD3,00000120,0115D911), ref: 011BEEF1
LeaveCriticalSection.KERNEL32(0000001C,?,?,?,011BEE59,?,00000004,011B72C5,011AAD96,011B0DA3,?,011B2DC7,00000004,011B3AD3,00000120,0115D911), ref: 011BEEFC

Memory Dump Source

Source File: 00000000.00000002.333051825.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true

Associated: 00000000.00000002.333047850.0000000001140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333240375.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333283309.000000000139E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333288107.00000000013A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333293616.00000000013AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333308307.00000000013FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.333325376.000000000141C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Odin3_v3.jbxd

Similarity

API ID: CriticalSection$Leave$EnterValue
String ID:
API String ID: 3969253408-0
Opcode ID: 7b791fa7abaffe32a93afac7a8796e4c5e2b0c0fe2206c8fc4e5db52d959626d
Instruction ID: 95d2c5524e1e216bcf95f8f61e95caa0600a8bd6e19b8be5d17961fdfe39e900
Opcode Fuzzy Hash: 7b791fa7abaffe32a93afac7a8796e4c5e2b0c0fe2206c8fc4e5db52d959626d
Instruction Fuzzy Hash: D0F0B432202134DFEB397F59D8C88EABB68FF55724B05406DED42AB505C720B802CBD1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Odin3_v3.14.4.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: Odin3_v3.14.4.exePID: 7164, Parent PID: 3520

General

File Activities

File Opened

File Read

File Attributes Queried

Volume Information Queried

Device IO

Section Activities

Sections loaded by Windows

Windows Analysis Report
Odin3_v3.14.4.exe

Function 011AB1A7 Relevance: 6.0, APIs: 4, Instructions: 45
COMMON

Function 011A7E59 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39
COMMONLIBRARYCODE

Function 01306D3B Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Function 011E6474 Relevance: 70.4, APIs: 35, Strings: 5, Instructions: 373
stringCOMMON

Function 011E69AD Relevance: 64.8, APIs: 43, Instructions: 297
COMMON

Function 011AA8BC Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 184
windowCOMMON

Function 011AA714 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 74
libraryloaderCOMMON

Function 011BEAF5 Relevance: 15.1, APIs: 10, Instructions: 106
memoryCOMMONLIBRARYCODE

Function 011A7F6B Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 112
libraryCOMMONLIBRARYCODE

Function 011ABC1F Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 72
COMMON

Function 011B6D9F Relevance: 10.6, APIs: 7, Instructions: 119
windowthreadCOMMON

Function 011A9A65 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 78
libraryloaderthreadCOMMON

Function 011C0EB1 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 29
libraryloaderCOMMON

Function 011A735D Relevance: 7.7, APIs: 5, Instructions: 155
COMMON